Monday, 6 March 2017

OpenConnect VPN (Cisco AnyConnect VPN) command-line client on a Mac

There is OpenConnect, a command-line client for Cisco's AnyConnect SSL VPN.
Here's how to get it set up on Mac OS X:
  1. OpenConnect can be installed via homebrew:
    brew update
    brew install openconnect
    
  2. Install the Mac OS X TUN/TAP driver
  3. (Optional) Running openconnect requires sudo, presumably because it affects resolution of DNS. So, I added password-less sudo ability for the openconnect command.
    sudo visudo -f /etc/sudoers
    
    And added this line:
      %admin  ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect
    
  4. (Optional) When connecting to your SSL VPN, openconnect may complain about a "self-signed certificate" being in the chain and force you to explicitly accept it every time. The self-signed cert is actually the root certificate and (hopefully) is one with implicit trust (i.e. trusted by browsers), so we can safely trust it by specifying the CA file after exporting it from Keychain:
    1. Determine the name of your root certificate (i.e. visit your SSL VPN in Chrome, click the green lock, click "Certificate Information")
    2. Open the Keychain Access app
    3. Search the "System Roots" keychain to find your root certificate and select it
    4. File > Export Items... the certificate as a .pem file somewhere on your hard drive (I put it in ~/.ssh/<certificate name>.pem)
  5. Connect!
    sudo openconnect --user=<VPN username> --cafile=<.pem file from step 4.3> <your vpn hostname>
    
    The only thing you should be prompted for is your VPN password. I added the command to my aliases file.
  6. To disconnect, just Ctrl-c in the window where you started the VPN connection.
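An added example, not part of the original gist: a small POSIX shell wrapper around step 5 that refuses to run until the --cafile argument is an absolute path to a readable PEM certificate file, which catches the most common mistake with that option (a relative path, a wrong filename, or exporting in the wrong format) before openconnect ever sees it. The user, host and path values are constructed placeholders; the command line is printed rather than executed so it can be inspected first.

```shell
#!/bin/sh
# Added example: validate the --cafile argument before handing it to openconnect.
# Not part of the original gist; all names below are constructed placeholders.

# cafile_ok PATH
# Returns 0 if PATH is an absolute path to a readable file that contains a
# PEM certificate block, otherwise prints the reason to stderr and returns 1.
cafile_ok() {
    f="$1"
    case "$f" in
        /*) ;;
        *) echo "cafile must be an absolute path (got '$f')" >&2; return 1 ;;
    esac
    [ -r "$f" ] || { echo "cafile not readable: $f" >&2; return 1; }
    # Keychain Access must be told to export as .pem; a .cer export is DER and
    # carries no text header, which openconnect cannot load as a CA file.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "not a PEM certificate: $f" >&2; return 1; }
    return 0
}

# vpn_cmd USER CAFILE HOST
# Prints the openconnect command from step 5 once the CA file passes the checks.
vpn_cmd() {
    user="$1"; cafile="$2"; host="$3"
    cafile_ok "$cafile" || return 1
    printf 'sudo openconnect --user=%s --cafile=%s %s\n' "$user" "$cafile" "$host"
}

# Example invocation with constructed values; eval the printed line to connect:
#   vpn_cmd alice /Users/alice/.ssh/root-ca.pem vpn.example.com
```

Because the wrapper only prints the command, it can be dropped into the alias from step 5 as `eval "$(vpn_cmd ...)"` once the checks pass; a failing check leaves the alias doing nothing rather than prompting for a certificate you did not intend to accept.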

Note

I had an incident after an unclean VPN exit where later the VPN hostname could not be found. I guess the DNS resolver was messed up. I was forced to reboot to fix it so I could reconnect to the VPN.

@analyticsPierce
I am trying to get this working and I am getting the error when I try to connect via:
sudo openconnect --user=my_username --cafile=Users/pierce/my_pem_file.pem vpn-1.domain.com
And I get the following error message:
Failed to open CA file 'Users/pierce/my_pem_file.pem'
73628:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/bio/bss_file.c:126:fopen('Users/pierce/my_pem_file.pem','r')
Any suggestions to get this fixed?
@vbt101
vbt101 commented on 9 May 2013
You forgot the leading slash on the pem file location: sudo openconnect --user=my_username --cafile=/Users/pierce/my_pem_file.pem vpn-1.domain.com
@ugtar
ugtar commented on 1 Mar 2014
Have you tried this on Mavericks?
@cecil
cecil commented on 18 Mar 2014
Ugtar, I've been using this with Mavericks for a few months now.
@crhan
crhan commented on 28 Mar 2014
OpenConnect does not properly set DNS config, still using my local DNS but not VPN's dns. Does anybody meet this problem?
@johnutz-self
Hi crhan, i just fixed this myself this morning on mavericks by using the latest vpnc-script
add this to your open connect command line --script /opt/local/etc/vpnc/vpnc-script
@dlangille
Worked great in Mavericks. Upgraded to Yosemite:
Failed to open tun device: No such file or directory
Set up tun device failed
@BruceClark
@dlangille That's because TunTap (the kernel extension this is based on) is unsigned, and unsigned extensions are no longer allowed on Yosemite.
@leonsyc
leonsyc commented on 10 Nov 2014
@BruceClark Is there a way to fix this?
@anderskristo
@BruceClark @leonsyc found a fix for this?
@DrewAPicture
@leonsyc @anderskristo They've released a binary for installing tuntap via a package. http://sourceforge.net/projects/tuntaposx/files/tuntap/20141104/
@jnierodzik
Running on 10.10.3 I am able to connect, but then lose the ability to resolve hostnames. IP works fine however - any ideas?
@EdHurtig
EdHurtig commented on 5 May 2015
Thanks a ton! Worked like a charm... didn't even need tuntap. Possibly because I already have other VPN software (viscosity) installed
@njuaplusplus
On 10.10.3, it shows "DTLS handshake failed: Resource temporarily unavailable, try again."
@marcosscriven
I'm also getting an issue with reconnecting not resolving the domain name the second time. Rebooting clears out 'something', and it works again, but not sure what. I've tried dns cache flushing and route flushing to no avail.
@alfrescoo
Does this client support ios? I want to use this for iphone.
@kyze8439690
@alfrescoo anyconnect in appstore
@jholster
jholster commented on 2 Oct 2015
Is OS X El Capitan yet supported?
@ntelementary
This works on El Capitan for me (I previously had Homebrew installed before I upgraded, on a fresh computer you'll need to boot into Recovery Mode to disable the Rootless protection, I believe).
Rather than figuring out how to set up the TunTap extensions, I downloaded the Viscosity VPN application (free trial), which installed it for me. No need for the app after the initial setup.
@wyoung
wyoung commented on 14 Jan 2016
FYI, tuntap is now in Homebrew: brew install Caskroom/cask/tuntap
(It has to be a cask because modern OS X versions require signed kexts, so building from source will just yield a driver you can't load into your kernel.)
@wyoung
wyoung commented on 14 Jan 2016
I had to modify the example openconnect significantly because I'm using a password-based VPN instead of a certificate-based VPN, so I thought I'd share my alternative method:
echo 'P4s$w0rD' | sudo openconnect \
    --user=myusername \
    --authgroup=MY_GROUP \
    --passwd-on-stdin \
    vpn.mysite.example.com
The authgroup bit is another tricky part, because there are two other places to say "group" in the command, neither of which work. (-g and appended to the URL.)
@feldversuch
thx wyoung.
For me it works great with alias
echo P4s$w0rD > ~/.ocvpn_secret

alias ocvpn='cat ~/.ocvpn_secret | sudo openconnect -u myusername --passwd-on-stdin https://webvpn.mysite.de'
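The two password-based variants above (wyoung's and feldversuch's) both work, but a password given on the command line ends up in shell history and is visible to every process via ps while it runs, and a secret file that is readable by other users leaks it just as surely. The following is an added example, not code from the gist or from either commenter, that keeps feldversuch's approach of reading the password from a file but only proceeds when that file is private (mode 600). Usernames, URLs and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: feed the VPN password to openconnect from a private file.
# Not part of the original gist or its comments; values are placeholders.

# secret_file_ok PATH
# Returns 0 if PATH is a regular file whose permission bits are exactly
# rw------- (owner read/write only); otherwise explains on stderr and returns 1.
secret_file_ok() {
    f="$1"
    [ -f "$f" ] || { echo "secret file missing: $f" >&2; return 1; }
    # ls -ld prints the nine permission characters right after the type flag.
    perms=$(ls -ld "$f" | cut -c2-10)
    [ "$perms" = "rw-------" ] \
        || { echo "secret file $f must be mode 600 (is $perms)" >&2; return 1; }
    return 0
}

# ocvpn_cmd USER SECRET_FILE URL
# Prints the connect command; the password never appears in the command line
# itself, openconnect reads it from stdin via --passwd-on-stdin.
ocvpn_cmd() {
    user="$1"; secret="$2"; url="$3"
    secret_file_ok "$secret" || return 1
    printf 'sudo openconnect -u %s --passwd-on-stdin %s < %s\n' "$user" "$url" "$secret"
}

# Example: create the file without ever echoing the password into history
# (constructed values), then eval the printed command to connect:
#   umask 077; read -r -s pw; printf '%s\n' "$pw" > ~/.ocvpn_secret
#   eval "$(ocvpn_cmd myusername ~/.ocvpn_secret https://webvpn.mysite.de)"
```

Creating the file under `umask 077` (or running `chmod 600` on it) is what makes the check pass; a file created with the default umask is world-readable and the wrapper will refuse it.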
@dingus9
dingus9 commented on 5 Feb 2016
If openconnect bails after making the connection to the VPN it won't run its cleanup scripts to reset routes and resolv.conf... Instead of rebooting I figured out you can just run
sudo route delete default
sudo route add default $(cat /usr/local/run/vpnc/defaultroute)
sudo cp /var/run/vpnc/resolv.conf-backup /etc/resolv.conf
@andreabedini
http://www.infradead.org/openconnect/building.html says openconnect doesn't require tuntap anymore on recent OSXs
Mac OS X users with OS X 10.6 or older, or using OpenConnect 6.00 or older, will also need to install the Mac OS X tun/tap driver. Newer versions of OpenConnect will use the utun device on OS X which does not require additional kernel modules to be installed.
Tested on OSX 10.11.4 and it works indeed.
@southfox
southfox commented on 3 Jun 2016
Works very well, and used combined with stoken.
@badcrocodile
Mac 10.11.5 here and all I needed was to install openconnect (via homebrew) and run sudo openconnect https://urlto.vpn.
@BioQwer
BioQwer commented on 28 Sep 2016
This FAQ doesn't solve my problem.
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as  IP , using SSL
Continuing in background; pid 5707
tv-n00708-01:Downloads bioqwer$ mkdir: /var/run/vpnc: Permission denied
Failed to connect utun unit: Operation not permitted
Failed to open tun device: Operation not permitted
Set up tun device failed
Unknown error; exiting.
@alkos333
That's because OSX is relying on its own system configuration tool which doesn't rely on resolv.conf, etc: scutil
Here's an excellent blog post describing how to fix an unclean shutdown of openconnect: http://diaryproducts.net/about/operating_systems/mac_os_x/overriding_dhcp_or_vpn_assigned_dns_servers_in_mac_os_x_leopard

from https://gist.github.com/moklett/3170636