OpenConnect vpn(cisco anyconnect vpn)在mac机器上的命令行客户端

there is OpenConnect, a command-line client for Cisco's AnyConnect SSL VPN.

Here's how to get it set up on Mac OS X:

1. OpenConnect can be installed via homebrew:

   brew update
   brew install openconnect
   

2. Install the Mac OS X TUN/TAP driver
3. (Optional) Running openconnect requires sudo, presumably because it affects resolution of DNS. So, I added password-less sudo ability for the openconnect command.

   sudo visudo -f /etc/sudoers
   

   And added this line:

     %admin  ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect
   

4. (Optional) When connecting to your SSL VPN, openconnect may complain about a "self-signed certificate" being in the chain and force you to explicitly accept it every time. The self-signed cert is actually the root certficate and (hopefully) is one with implicit trust (i.e. trusted by browsers), so we can safely trust it by specifying the CA file after exporting it from KeyChain:
   1. Determine the name your root certificate (i.e. visit your SSL VPN in Chrome, click the green lock, click "Certificate Information")  
   2. Open the Keychain Access App
   3. Search the "System Roots" keychain to find your root certificate and select it 
   4. File > Export Items... the certificate as a .pem file somewhere on your hard drive (I put it in ~/.ssh/<certificate name>.pem
5. Connect!

   sudo openconnect --user=<VPN username> --cafile=<.pem file from step 4.3> <your vpn hostname>
   

   The only thing you should be prompted for is your VPN password. I added the command to my aliases file.
6. To disconnect, just Ctrl-c in the window where you started the VPN connection.

Note

I had an incident after an unclean VPN exit where later the VPN hostname could not be found. I guess the DNS resolver was messed up. I was forced to reboot to fix it so I could reconnect to the VPN.

analyticsPierce commented on 9 May 2013

I am trying to get this working and I am getting the error when I try to connect via: sudo openconnect --user=my_username --cafile=Users/pierce/my_pem_file.pem vpn-1.domain.com And I get the following error message: Failed to open CA file 'Users/pierce/my_pem_file.pem' 73628:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/bio/bss_file.c:126:fopen('Users/pierce/my_pem_file.pem','r') Any suggestions to get this fixed?

vbt101 commented on 9 May 2013

You forgot the leading slash on the pem file location: sudo openconnect --user=my_username --cafile=/Users/pierce/my_pem_file.pem vpn-1.domain.com

ugtar commented on 1 Mar 2014

Have you tried this on Mavericks?

cecil commented on 18 Mar 2014

Ugtar, I've been using this with Mavericks for a few months now.

crhan commented on 28 Mar 2014

OpenConnect does not properly set DNS config, still using my local DNS but not VPN's dns. Does anybody meet this problem?

johnutz-self commented on 7 Jun 2014

Hi crhan, i just fixed this myself this morning on mavericks by using the latest vpnc-script http://www.infradead.org/openconnect/vpnc-script.html add this to your open connect command line --script /opt/local/etc/vpnc/vpnc-script

dlangille commented on 28 Oct 2014

Worked great in Mavericks. Upgraded to Yosemite: Failed to open tun device: No such file or directory Set up tun device failed

BruceClark commented on 30 Oct 2014

@dlangille That's because TunTap (the kernel extention this is based on) is unsigned, and unsigned extentions are no longer allowed on Yosemite.

leonsyc commented on 10 Nov 2014

@BruceClark Is there a way to fix this?

anderskristo commented on 20 Nov 2014

@BruceClark, @leonsyc found a fix for this?

DrewAPicture commented on 26 Nov 2014

@leonsyc @anderskristo They've released a binary for installing tuntap via a package. http://sourceforge.net/projects/tuntaposx/files/tuntap/20141104/

jnierodzik commented on 24 Apr 2015

Running on 10.10.3 I am able to connect, but then loose the ability to resolve hostnames. IP works fine however - any ideas?

EdHurtig commented on 5 May 2015

Thanks a ton! Worked like a charm... didn't even need tuntap. Possibly because I already have other VPN software (viscosity) installed

njuaplusplus commented on 7 May 2015

On 10.10.3, it shows ''DTLS handshake failed: Resource temporarily unavailable, try again.''

marcosscriven commented on 26 May 2015

I'm also getting an issue with reconnecting not resolving the domain name the second time. Rebooting clears out 'something', and it works again, but not sure what. I've tried dns cache flushing and route flushing to no avail.

alfrescoo commented on 3 Jun 2015

Does this client support ios? I want to use this for iphone.

kyze8439690 commented on 9 Sep 2015

@alfrescoo anyconnect in appstore

jholster commented on 2 Oct 2015

Is OS X El Capitan yet supported?

ntelementary commented on 23 Oct 2015

This works on El Capitan for me (I previously had Homebrew installed before I upgraded, on a fresh computer you'll need to boot into Recovery Mode to disable the Rootless protection, I believe). Rather than figuring out how to setup the TunTap extensions, I downloaded the Viscosity VPN application (free trial), which installed it for me. No need for the app after the initial setup.

wyoung commented on 14 Jan 2016

FYI, tuntap is now in Homebrew: brew install Caskroom/cask/tuntap (It has to be a cask because modern OS X versions require signed kexts, so building from source will just yield a driver you can't load into your kernel.)

wyoung commented on 14 Jan 2016

I had to modify the example openconnect significantly because I'm using a password-based VPN instead of a certificate-based VPN, so I thought I'd share my alternative method: echo 'P4s$w0rD' | sudo openconnect \ --user=myusername \ --authgroup=MY_GROUP \ --passwd-on-stdin \ vpn.mysite.example.com The authgroup bit is another tricky part, because there are two other places to say "group" in the command, neither of which work. (-g and appended to the URL.)

feldversuch commented on 22 Jan 2016

thx wyoung. For me it works great with alias echo P4s$w0rD > ~/.ocvpn_secret alias ocvpn='cat ~/.ocvpn_secret | sudo openconnect -u myusername --passwd-on-stdin https://webvpn.mysite.de'

dingus9 commented on 5 Feb 2016

If openconnect bails after making the connection to the vpn it won't run it's cleanup scripts to reset routes and resolv.conf... Instead of rebooting I figured out you can just run sudo route delete default sudo route add default $(cat /usr/local/run/vpnc/defaultroute) sudo cp /var/run/vpnc/resolv.conf-backup /etc/resolv.conf

andreabedini commented on 2 Apr 2016

http://www.infradead.org/openconnect/building.html says openconnect doesn't require tuntap anymore on recent OSXs Mac OS X users with OS X 10.6 or older, or using OpenConnect 6.00 or older, will also need to install the Mac OS X tun/tap driver. Newer versions of OpenConnect will use the utun device on OS X which does not require additional kernel modules to be installed. Tested on OSX 10.11.4 and it works indeed.

southfox commented on 3 Jun 2016

Works very well, and used combined with stoken.

badcrocodile commented on 7 Jun 2016

Mac 10.11.5 here and all I needed was to install openconnect (via homebrew) and run sudo openconnect https://urlto.vpn.

BioQwer commented on 28 Sep 2016

This FAQ doesn't solve my problem. Got CONNECT response: HTTP/1.1 200 OK CSTP connected. DPD 30, Keepalive 20 Connected as IP , using SSL Continuing in background; pid 5707 tv-n00708-01:Downloads bioqwer$ mkdir: /var/run/vpnc: Permission denied Failed to connect utun unit: Operation not permitted Failed to open tun device: Operation not permitted Set up tun device failed Unknown error; exiting.

alkos333 commented on 29 Sep 2016

@marcosscriven, That's because OSX is relying on its own system configuration tool which doesn't rely on resolv.conf, etc: scuilt Here's an excellent blog post describing how to fix an unclean shutdown of openconnect: http://diaryproducts.net/about/operating_systems/mac_os_x/overriding_dhcp_or_vpn_assigned_dns_servers_in_mac_os_x_leopard from https://gist.github.com/moklett/3170636