Anyconnect Openconnect



Introduction

OpenConnect is an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN, which is now known as Pulse Connect Secure. In this guide we look at installing and using the OpenConnect SSL VPN client to connect to both Cisco's AnyConnect SSL VPN and Juniper Pulse. OpenConnect is an SSL-based VPN client that is interoperable with the commercial products Cisco AnyConnect, Juniper Pulse Connect Secure and Palo Alto Networks GlobalProtect; GlobalProtect mode is new in OpenConnect 8.0 and is not yet fully integrated into OpenWrt. Cisco AnyConnect Secure Mobility Client is Cisco's own client, which gives remote workers secure access to the enterprise network from any device, at any time and in any location.

OpenConnect is an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN, which is now known as Pulse Connect Secure. Palo Alto's GlobalProtect will also be supported in future, as will OpenConnect's own server.

Step 1 - Installation

Go to System ‣ Firmware ‣ Plugins and search for os-openconnect. Install the plugin as usual, refresh the page, and you will find the client via VPN ‣ OpenConnect.

Step 2 - Setup

The setup of the client is very simple. Just tick Enable and fill out VPN Server, Username and Password. Be sure that the FQDN matches the name in the certificate or you will receive an error. Wildcard certificates can also produce errors.

Once enabled, a new interface will be available for specifying firewall rules; Firewall ‣ Rules ‣ OpenConnect will appear.

Step 3 - Troubleshoot problems

To troubleshoot connection problems it’s best to login via CLI and start OpenConnect manually:

# /usr/local/etc/rc.d/opnsense-openconnect start

Look out for errors like

To trust this server in future, perhaps add this to your command line: --servercert sha256:9f97a3395d18093a14f0d8e768dabee231af34d9ba35432dfe838d58dd633333

This is where the Certificate Hash field comes into play: paste the hex string above into Certificate Hash without the sha256: prefix (the prefix only names the hash algorithm), and select that algorithm in the Certificate Hash Type field.
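The warning quoted above is the only place the fingerprint appears, and copying it by hand into two separate form fields is error-prone. The following added example (not part of the OPNsense documentation or of openconnect itself) extracts the `--servercert` hint from a captured log, splits it into the algorithm and the digest, and validates the digest length before printing the two form values. The log text, host name and address are constructed around the Step 3 warning; `pin_from_log`, `opnsense_fields` and `servercert_arg` are names chosen here.

```sh
#!/bin/sh
# Added example for Step 3; not part of the OPNsense docs or of openconnect.
# Extracts the server-certificate fingerprint from openconnect's
# "To trust this server in future..." warning and splits it into the two
# values the OPNsense form asks for (Certificate Hash, Certificate Hash Type).

# Constructed sample of the output of `opnsense-openconnect start`, built
# around the warning quoted in Step 3. Host and address are placeholders.
SAMPLE_LOG=$(cat <<'EOF'
POST https://vpn.example.com/
Connected to 203.0.113.10:443
Certificate from VPN server "vpn.example.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:9f97a3395d18093a14f0d8e768dabee231af34d9ba35432dfe838d58dd633333
Enter 'yes' to accept, 'no' to abort; anything else to view:
EOF
)

# pin_from_log TEXT -> prints "<algorithm> <hexdigest>" and returns 0, or
# returns 1 when no --servercert hint is present or the digest is malformed.
pin_from_log() {
    raw=$(printf '%s\n' "$1" \
        | sed -n 's/.*--servercert[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | head -n 1)
    [ -n "$raw" ] || return 1
    case "$raw" in
        *:*) algo=${raw%%:*}; hex=${raw#*:} ;;
        *)   algo=sha1; hex=$raw ;;   # older builds print a bare SHA-1 (see --servercert)
    esac
    # reject anything that is not hex, or whose length does not fit the algorithm
    case "$hex" in *[!0-9a-fA-F]*|'') return 1 ;; esac
    case "$algo:${#hex}" in
        sha256:64|sha1:40) printf '%s %s\n' "$algo" "$hex" ;;
        *) return 1 ;;
    esac
}

# opnsense_fields TEXT -> the two form values, one per line.
opnsense_fields() {
    pin=$(pin_from_log "$1") || return 1
    printf 'Certificate Hash: %s\nCertificate Hash Type: %s\n' "${pin#* }" "${pin%% *}"
}

# servercert_arg TEXT -> the equivalent command-line flag for a manual CLI test.
servercert_arg() {
    pin=$(pin_from_log "$1") || return 1
    printf '%s %s:%s\n' '--servercert' "${pin%% *}" "${pin#* }"
}

opnsense_fields "$SAMPLE_LOG"
```

Pinning the fingerprint printed by the server is trust-on-first-use: compare the digest with the value the VPN administrator publishes before entering it, since a pin taken from an intercepted first connection would silently trust the wrong endpoint.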

openconnect: Connect to Cisco AnyConnect VPN

Command to display openconnect manual in Linux: $ man 8 openconnect

NAME

openconnect - Connect to Cisco AnyConnect VPN

SYNOPSIS

openconnect [ --config configfile ] [ -b,--background ] [ --pid-file pidfile ] [ -c,--certificate cert ] [ -e,--cert-expire-warning days ] [ -k,--sslkey key ] [ -C,--cookie cookie ] [ --cookie-on-stdin ] [ --compression MODE ] [ -d,--deflate ] [ -D,--no-deflate ] [ --force-dpd interval ] [ -g,--usergroup group ] [ -h,--help ] [ --http-auth methods ] [ -i,--interface ifname ] [ -l,--syslog ] [ --timestamp ] [ -U,--setuid user ] [ --csd-user user ] [ -m,--mtu mtu ] [ --basemtu mtu ] [ -p,--key-password pass ] [ -P,--proxy proxyurl ] [ --proxy-auth methods ] [ --no-proxy ] [ --libproxy ] [ --key-password-from-fsid ] [ -q,--quiet ] [ -Q,--queue-len len ] [ -s,--script vpnc-script ] [ -S,--script-tun ] [ -u,--user name ] [ -V,--version ] [ -v,--verbose ] [ -x,--xmlconfig config ] [ --authgroup group ] [ --authenticate ] [ --cookieonly ] [ --printcookie ] [ --cafile file ] [ --disable-ipv6 ] [ --dtls-ciphers list ] [ --dtls-local-port port ] [ --dump-http-traffic ] [ --no-cert-check ] [ --no-system-trust ] [ --pfs ] [ --no-dtls ] [ --no-http-keepalive ] [ --no-passwd ] [ --no-xmlpost ] [ --non-inter ] [ --passwd-on-stdin ] [ --token-mode mode ] [ --token-secret {secret[,counter]|@file} ] [ --reconnect-timeout ] [ --servercert sha1 ] [ --useragent string ] [ --os string ] [https://]server[:port][/group]

DESCRIPTION

The program openconnect connects to Cisco 'AnyConnect' VPN servers, which use standard TLS and DTLS protocols for data transport.

The connection happens in two phases. First there is a simple HTTPS connection over which the user authenticates somehow - by using a certificate, or password or SecurID, etc. Having authenticated, the user is rewarded with an HTTP cookie which can be used to make the real VPN connection.

The second phase uses that cookie in an HTTPS CONNECT request, and data packets can be passed over the resulting connection. In auxiliary headers exchanged with the CONNECT request, a Session-ID and Master Secret for a DTLS connection are also exchanged, which allows data transport over UDP to occur.

OPTIONS

--config=CONFIGFILE
Read further options from CONFIGFILE before continuing to process options from the command line. The file should contain long-format options as would be accepted on the command line, but without the two leading -- dashes. Empty lines, or lines where the first non-space character is a # character, are ignored.

Any option except the config option may be specified in the file.

-b,--background
Continue in background after startup
--pid-file=PIDFILE
Save the pid to PIDFILE when backgrounding
-c,--certificate=CERT
Use SSL client certificate CERT which may be either a file name or, if OpenConnect has been built with an appropriate version of GnuTLS, a PKCS#11 URL.
-e,--cert-expire-warning=DAYS
Give a warning when SSL client certificate has DAYS left before expiry
-k,--sslkey=KEY
Use SSL private key KEY which may be either a file name or, if OpenConnect has been built with an appropriate version of GnuTLS, a PKCS#11 URL.
-C,--cookie=COOKIE
Use WebVPN cookie COOKIE.
--cookie-on-stdin
Read cookie from standard input.
-d,--deflate
Enable all compression, including stateful modes. By default, only statelesscompression algorithms are enabled.
-D,--no-deflate
Disable all compression.
--compression=MODE
Set compression mode, where MODE is one of stateless, none, or all.

By default, only stateless compression algorithms which do not maintain state from one packet to the next (and which can be used on UDP transports) are enabled. By setting the mode to all, stateful algorithms (currently only zlib deflate) can be enabled. Or all compression can be disabled by setting the mode to none.

--force-dpd=INTERVAL
Use INTERVAL as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn't request it.

-g,--usergroup=GROUP
Use GROUP as login UserGroup
-h,--help
Display help text
--http-auth=METHODS
Use only the specified methods for HTTP authentication to a server. By default,only Negotiate, NTLM and Digest authentication are enabled. Basic authenticationis also supported but because it is insecure it must be explicitly enabled. Theargument is a comma-separated list of methods to be enabled. Note that the orderdoes not matter: OpenConnect will use Negotiate, NTLM, Digest and Basicauthentication in that order, if each is enabled, regardless of the orderspecified in the METHODS string.
-i,--interface=IFNAME
Use IFNAME for tunnel interface
-l,--syslog
Use syslog for progress messages
--timestamp
Prepend a timestamp to each progress message
-U,--setuid=USER
Drop privileges after connecting, to become user USER
--csd-user=USER
Drop privileges during CSD (Cisco Secure Desktop) script execution.
--csd-wrapper=SCRIPT
Run SCRIPT instead of the CSD (Cisco Secure Desktop) script.
-m,--mtu=MTU
Request MTU from server as the MTU of the tunnel.
--basemtu=MTU
Indicate MTU as the path MTU between client and server on the unencrypted network. Newer servers will automatically calculate the MTU to be used on the tunnel from this value.
-p,--key-password=PASS
Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
-P,--proxy=PROXYURL
Use HTTP or SOCKS proxy for connection. A username and password can be providedin the given URL, and will be used for authentication. If authentication isrequired but no credentials are given, GSSAPI and automatic NTLM authenticationusing Samba's ntlm_auth helper tool may be attempted.
--proxy-auth=METHODS
Use only the specified methods for HTTP authentication to a proxy. By default,only Negotiate, NTLM and Digest authentication are enabled. Basic authenticationis also supported but because it is insecure it must be explicitly enabled. Theargument is a comma-separated list of methods to be enabled. Note that the orderdoes not matter: OpenConnect will use Negotiate, NTLM, Digest and Basicauthentication in that order, if each is enabled, regardless of the orderspecified in the METHODS string.
--no-proxy
Disable use of proxy
--libproxy
Use libproxy to configure proxy automatically (when built with libproxy support)
--key-password-from-fsid
Passphrase for certificate file is automatically generated from the fsid of the file system on which it is stored. The fsid is obtained from the statvfs(2) or statfs(2) system call, depending on the operating system. On a Linux or similar system with GNU coreutils, the fsid used by this option should be equal to the output of the command: stat --file-system --printf='%i\n' $CERTIFICATE. It is not the same as the 128-bit UUID of the file system.
-q,--quiet
Less output
-Q,--queue-len=LEN
Set packet queue limit to LEN pkts
-s,--script=SCRIPT
Invoke SCRIPT to configure the network after connection. Without this, routing and name service are unlikely to work correctly. The script is expected to be compatible with the vpnc-script which is shipped with the 'vpnc' VPN client. See http://www.infradead.org/openconnect/vpnc-script.html for more information. This version of OpenConnect is configured to use /etc/vpnc/vpnc-script by default.

On Windows, a relative directory for the default script will be handled as starting from the directory that the openconnect executable is running from, rather than the current directory. The script will be invoked with the command-based script host cscript.exe.

-S,--script-tun
Pass traffic to 'script' program over a UNIX socket, instead of to a kernel tun/tap device. This allows the VPN IP traffic to be handled entirely in userspace, for example by a program which uses lwIP to provide SOCKS access into the VPN.
-u,--user=NAME
Set login username to NAME
-V,--version
Report version number
-v,--verbose
More output (may be specified multiple times for additional output)
-x,--xmlconfig=CONFIG
XML config file
--authgroup=GROUP
Choose authentication login selection
--authenticate
Authenticate only, and output the information needed to make the connection in a form which can be used to set shell environment variables. When invoked with this option, openconnect will not make the connection, but if successful will output something like the following to stdout:

Thus, you can invoke openconnect as a non-privileged user (with access to the user's PKCS#11 tokens, etc.) for authentication, and then invoke openconnect separately to make the actual connection as root:
--cookieonly
Fetch webvpn cookie only; don't connect
--printcookie
Print webvpn cookie before connecting
--cafile=FILE
Cert file for server verification
--disable-ipv6
Do not advertise IPv6 capability to server
--dtls-ciphers=LIST
Set OpenSSL ciphers to support for DTLS
--dtls-local-port=PORT
Use PORT as the local port for DTLS datagrams
--dump-http-traffic
Enable verbose output of all HTTP requests and the bodies of all responses received from the server.
--no-cert-check
Do not require server SSL certificate to be valid. Checks will still happen and failures will cause a warning message, but the connection will continue anyway. You should not need to use this option - if your servers have SSL certificates which are not signed by a trusted Certificate Authority, you can still add them (or your private CA) to a local file and use that file with the --cafile option.
--no-system-trust
Do not trust the system default certificate authorities. If this option is given, only certificate authorities given with the --cafile option, if any, will be trusted automatically.
--pfs
Enforces Perfect Forward Secrecy (PFS). That ensures that if the server's long-term key is compromised, any session keys established before the compromise will be unaffected. If this option is provided and the server does not support PFS in the TLS channel the connection will fail.

PFS is available in Cisco ASA releases 9.1(2) and higher; a suitable cipher suite may need to be manually enabled by the administrator using the ssl encryption setting.

--no-dtls
Disable DTLS
--no-http-keepalive
Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget the client's SSL certificate when HTTP connections are being re-used for multiple requests. So far, this has only been seen on the initial connection, where the server gives an HTTP/1.0 redirect response with an explicit Connection: Keep-Alive directive. OpenConnect as of v2.22 has an unconditional workaround for this, which is never to obey that directive after an HTTP/1.0 response.

However, Cisco's support team has failed to give any competent response to the bug report and we don't know under what other circumstances their bug might manifest itself. So this option exists to disable ALL re-use of HTTP sessions and cause a new connection to be made for each request. If your server seems not to be recognising your certificate, try this option. If it makes a difference, please report this information to the openconnect-devel [at] lists.infradead.org mailing list.

--no-passwd
Never attempt password (or SecurID) authentication.
--no-xmlpost
Do not attempt to post an XML authentication/configuration request to the server; use the old style GET method which was used by older clients and servers instead.

This option is a temporary safety net, to work around potential compatibility issues with the code which falls back to the old method automatically. It causes OpenConnect to behave more like older versions (4.08 and below) did. If you find that you need to use this option, then you have found a bug in OpenConnect. Please see http://www.infradead.org/openconnect/mail.html and report this to the developers.

--non-inter
Do not expect user input; exit if it is required.
--passwd-on-stdin
Read password from standard input
--token-mode=MODE
Enable one-time password generation using the MODE algorithm. --token-mode=rsa will call libstoken to generate an RSA SecurID tokencode, --token-mode=totp will call liboath to generate an RFC 6238 time-based password, and --token-mode=hotp will call liboath to generate an RFC 4226 HMAC-based password. Yubikey tokens which generate OATH codes in hardware are supported with --token-mode=yubioath
--token-secret={ SECRET[,COUNTER] | @FILENAME }
The secret to use when generating one-time passwords/verification codes. Base 32-encoded TOTP/HOTP secrets can be used by specifying 'base32:' at the beginning of the secret, and for HOTP secrets the token counter can be specified following a comma.

RSA SecurID secrets can be specified as an Android/iPhone URI or a raw numeric CTF string (with or without dashes).

For Yubikey OATH the token secret specifies the name of the credential to be used. If not provided, the first OATH credential found on the device will be used.

FILENAME, if specified, can contain any of the above strings. Or, it can contain a SecurID XML (SDTID) seed.

If this option is omitted, and --token-mode is 'rsa', libstoken will try to use the software token seed saved in ~/.stokenrc by the 'stoken import' command.

--reconnect-timeout
Keep trying to reconnect until this many seconds have elapsed. The default timeout is 300 seconds, which means that openconnect can recover the VPN connection after a temporary network outage of up to 300 seconds.
--servercert=SHA1
Accept server's SSL certificate only if its fingerprint matches SHA1.
--useragent=STRING
Use STRING as 'User-Agent:' field value in HTTP header. (e.g. --useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
--os=STRING
OS type to report to gateway. Recognized values are: linux, linux-64, win, mac-intel, android, apple-ios. Reporting a different OS type may affect the dynamic access policy (DAP) applied to the VPN session. If the gateway requires CSD, it will also cause the corresponding CSD trojan binary to be downloaded, so you may need to use --csd-wrapper if this code is not executable on the local machine.
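Several of the options above (--passwd-on-stdin, --non-inter, --servercert, -U/--setuid) exist so that an unattended connection can be made without putting the password in the argument vector, without hanging on a prompt, and without running the data phase as root. The added example below (not from the openconnect manual or the OPNsense docs) is a wrapper that combines them: it refuses a credential file that other local users can read, pipes the password in on stdin, pins the server certificate and drops privileges once connected. The server name, fingerprint, user, file paths and the function names `secret_file_is_private` and `vpn_connect` are placeholders chosen here.

```sh
#!/bin/sh
# Added example; not part of the openconnect manual or the OPNsense docs.
# Non-interactive wrapper that hands the password to openconnect on stdin
# instead of in argv (anything in argv is visible to every local user via
# `ps`), refuses a credential file that other users can read, pins the
# server certificate and drops privileges once the tunnel is up.
# The server name, fingerprint, user and file paths are placeholders.

# secret_file_is_private FILE -> 0 when FILE is a regular file with no
# group/other permission bits, 1 otherwise. `ls -l` is used rather than
# stat(1) because the GNU and BSD stat formats differ.
secret_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# vpn_connect SERVER PIN USER SECRET_FILE
#   PIN is the --servercert value, e.g. sha256:<hex>.
#   Returns 2 for a badly protected secret file, 3 if openconnect is missing,
#   otherwise openconnect's own exit status.
vpn_connect() {
    server=$1 pin=$2 user=$3 secret=$4
    secret_file_is_private "$secret" || {
        printf 'refusing to read %s: must be a regular file with mode 0600\n' "$secret" >&2
        return 2
    }
    command -v openconnect >/dev/null 2>&1 || {
        printf 'openconnect is not installed\n' >&2
        return 3
    }
    # The first line of the file is the password; it travels through the
    # pipe and never appears in the argument vector. --non-inter makes a
    # failed login fail fast instead of waiting on a prompt, and --setuid
    # drops root once the tunnel is established.
    head -n 1 "$secret" | openconnect --non-inter --passwd-on-stdin \
        --servercert "$pin" --user "$user" --setuid nobody "$server"
}

# Placeholder invocation (fingerprint taken from the Step 3 warning above):
# vpn_connect vpn.example.com \
#     sha256:9f97a3395d18093a14f0d8e768dabee231af34d9ba35432dfe838d58dd633333 \
#     alice /root/vpn.secret
```

The permission check is deliberately strict (no group or other bits at all) because a credential file that is readable by other accounts gives away the same password that --passwd-on-stdin was keeping out of `ps`.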

SIGNALS

In the data phase of the connection, the following signals are handled: