there is OpenConnect, a command-line client for Cisco's AnyConnect SSL VPN.
Here's how to get it set up on Mac OS X:
- OpenConnect can be installed via homebrew:
brew update
brew install openconnect
- Install the Mac OS X TUN/TAP driver
- (Optional) Running openconnect requires sudo, presumably because it affects resolution of DNS. So, I added password-less sudo ability for the openconnect command.
sudo visudo -f /etc/sudoers
And added this line:
%admin ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect
- (Optional) When connecting to your SSL VPN, openconnect may complain about a "self-signed certificate" being in the chain and force you to explicitly accept it every time. The self-signed cert is actually the root certificate and (hopefully) is one with implicit trust (i.e. trusted by browsers), so we can safely trust it by specifying the CA file after exporting it from Keychain:
- Determine the name of your root certificate (i.e. visit your SSL VPN in Chrome, click the green lock, click "Certificate Information")
- Open the Keychain Access App
- Search the "System Roots" keychain to find your root certificate and select it
- File > Export Items... and save the certificate as a .pem file somewhere on your hard drive (I put it in ~/.ssh/<certificate name>.pem)
- Connect!
sudo openconnect --user=<VPN username> --cafile=<.pem file from step 4.3> <your vpn hostname>
The only thing you should be prompted for is your VPN password. I added the command to my aliases file.
- To disconnect, just Ctrl-c in the window where you started the VPN connection.
Note
I had an incident after an unclean VPN exit where later the VPN hostname could not be found. I guess the DNS resolver was messed up. I was forced to reboot to fix it so I could reconnect to the VPN.
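As an added example (not part of the original gist), a small POSIX shell wrapper around the "Connect!" step above: it refuses a --cafile that is not an absolute path to a PEM certificate (the missing leading slash is the usual mistake) and then runs the same openconnect command line, optionally with a vpnc-script. The function names and the VPN_USER/VPN_CA/VPN_HOST variables are assumptions, not names from the gist.

```shell
#!/bin/sh
# check_cafile PATH -> exit status 0 if PATH is an absolute, readable PEM certificate
check_cafile() {
    ca="$1"
    case "$ca" in
        /*) ;;   # absolute path, as --cafile expects
        *)  echo "cafile must be an absolute path, got: $ca" >&2; return 1 ;;
    esac
    [ -r "$ca" ] || { echo "cafile not readable: $ca" >&2; return 1; }
    # An export from Keychain Access in .pem format starts with this marker
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" \
        || { echo "cafile is not a PEM certificate: $ca" >&2; return 1; }
    # If openssl is present, show which root is being pinned (informational only)
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$ca" -noout -subject -fingerprint -sha256 2>/dev/null || true
    fi
    return 0
}

# vpn_connect USER CAFILE HOST [VPNC_SCRIPT]: validate the CA file, then connect
vpn_connect() {
    check_cafile "$2" || return 1
    if [ -n "$4" ]; then
        # Pass a vpnc-script so DNS and routes are set up and torn down on exit
        sudo openconnect --user="$1" --cafile="$2" --script "$4" "$3"
    else
        sudo openconnect --user="$1" --cafile="$2" "$3"
    fi
}

# Usage (assumed variables, set them in your shell or alias file):
#   vpn_connect "$VPN_USER" "$VPN_CA" "$VPN_HOST"
```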
analyticsPierce commented on 9 May 2013
I am trying to get this working and I am getting the error when I try to connect via:
And I get the following error message:
Any suggestions to get this fixed?
vbt101 commented on 9 May 2013
You forgot the leading slash on the pem file location: sudo openconnect --user=my_username --cafile=/Users/pierce/my_pem_file.pem vpn-1.domain.com
crhan commented on 28 Mar 2014
OpenConnect does not properly set DNS config, still using my local DNS but not VPN's dns. Does anybody meet this problem?
johnutz-self commented on 7 Jun 2014
Hi crhan, I just fixed this myself this morning on Mavericks by using the latest vpnc-script.
Add this to your openconnect command line: --script /opt/local/etc/vpnc/vpnc-script
dlangille commented on 28 Oct 2014
Worked great in Mavericks. Upgraded to Yosemite:
Failed to open tun device: No such file or directory
Set up tun device failed
BruceClark commented on 30 Oct 2014
@dlangille That's because TunTap (the kernel extension this is based on) is unsigned, and unsigned extensions are no longer allowed on Yosemite.
DrewAPicture commented on 26 Nov 2014
@leonsyc @anderskristo They've released a binary for installing tuntap via a package. http://sourceforge.net/projects/tuntaposx/files/tuntap/20141104/
jnierodzik commented on 24 Apr 2015
Running on 10.10.3 I am able to connect, but then lose the ability to resolve hostnames. IP works fine however - any ideas?
EdHurtig commented on 5 May 2015
Thanks a ton! Worked like a charm... didn't even need tuntap. Possibly because I already have other VPN software (viscosity) installed
njuaplusplus commented on 7 May 2015
On 10.10.3, it shows "DTLS handshake failed: Resource temporarily unavailable, try again."
marcosscriven commented on 26 May 2015
I'm also getting an issue with reconnecting not resolving the domain name the second time. Rebooting clears out 'something', and it works again, but not sure what. I've tried dns cache flushing and route flushing to no avail.
ntelementary commented on 23 Oct 2015
This works on El Capitan for me (I previously had Homebrew installed before I upgraded, on a fresh computer you'll need to boot into Recovery Mode to disable the Rootless protection, I believe).
Rather than figuring out how to setup the TunTap extensions, I downloaded the Viscosity VPN application (free trial), which installed it for me. No need for the app after the initial setup.
wyoung commented on 14 Jan 2016
FYI, tuntap is now in Homebrew:
brew install Caskroom/cask/tuntap
(It has to be a cask because modern OS X versions require signed kexts, so building from source will just yield a driver you can't load into your kernel.)
wyoung commented on 14 Jan 2016
I had to modify the example openconnect significantly because I'm using a password-based VPN instead of a certificate-based VPN, so I thought I'd share my alternative method:
The authgroup bit is another tricky part, because there are two other places to say "group" in the command, neither of which work. (-g and appended to the URL.)
feldversuch commented on 22 Jan 2016
thx wyoung.
For me it works great with alias
dingus9 commented on 5 Feb 2016
If openconnect bails after making the connection to the vpn it won't run its cleanup scripts to reset routes and resolv.conf... Instead of rebooting I figured out you can just run
andreabedini commented on 2 Apr 2016
http://www.infradead.org/openconnect/building.html says openconnect doesn't require tuntap anymore on recent OSXs
Tested on OSX 10.11.4 and it works indeed.
badcrocodile commented on 7 Jun 2016
Mac 10.11.5 here and all I needed was to install openconnect (via homebrew) and run
sudo openconnect https://urlto.vpn .
BioQwer commented on 28 Sep 2016
This FAQ doesn't solve my problem.
alkos333 commented on 29 Sep 2016
That's because OSX is relying on its own system configuration tool, which doesn't rely on resolv.conf, etc: scutil
Here's an excellent blog post describing how to fix an unclean shutdown of openconnect: http://diaryproducts.net/about/operating_systems/mac_os_x/overriding_dhcp_or_vpn_assigned_dns_servers_in_mac_os_x_leopard
from https://gist.github.com/moklett/3170636