(Last Updated On: July 7, 2018)

OpenConnect is an SSL VPN client initially created to support Cisco’s AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN which is now known as Pulse Connect Secure. In this guide, we will look at the installation and usage of OpenConnect SSL VPN client to connect to both Cisco’s AnyConnect SSL VPN and Juniper Pulse Connect Secure.

Features of OpenConnect SSL Client

From the official website, OpenConnect SSL Client has the following features:

  • Connection through HTTP proxy, including libproxy support for automatic proxy configuration.
  • Connection through the SOCKS5 proxy.
  • Automatic detection of IPv4 and IPv6 address, routes.
  • Authentication via HTTP forms.
  • Authentication using SSL certificates — from a local file, Trusted Platform Module and PKCS#11 smartcards.
  • Authentication using SecurID software tokens (when built with libstoken)
  • Authentication using OATH TOTP or HOTP software tokens.
  • Authentication using Yubikey OATH tokens (when built with libpcsclite)
  • UserGroup support for selecting between multiple configurations on a single VPN server.
  • Data transport over TCP (HTTPS) or UDP (DTLS or ESP).
  • Keepalive and Dead Peer Detection on both HTTPS and DTLS.
  • Automatic update of VPN server list/configuration.
  • Roaming support, allowing reconnection when the local IP address changes.
  • Can run without root privileges
  • Support for “Cisco Secure Desktop” (see here) and “GlobalProtect HIP report”.

Installing OpenConnect SSL Client  on Linux

Let’s now look at different ways to install OpenConnect SSL Client  on your favorite Linux Distribution:

Install OpenConnect SSL Client  on Arch Linux

For Arch Linux users and its derivative distributions, you can install openconnect from official Pacman repositories.

$ sudo pacman -S openconnect

The same can also be done using yaourt:

$ yaourt -S openconnect

Install OpenConnect SSL Client on Debian / Ubuntu

For Debian and its derivatives, install openconnect package using the apt package manager.

$ sudo apt-get install openconnect

Install OpenConnect SSL Client on CentOS /  RHEL

For CentOS and RHEL, the openconnect package is available from epel repository. Add the repository, then install openconnect package:

$ sudo yum install epel-release
$ sudo yum install openconnect

Install OpenConnect SSL Client on Fedora

For Fedora, the package is also available from epel. It is only that the name of the package manager changes:

$ sudo dnf install epel-release
$ sudo yum install openconnect

Install OpenConnect SSL Client on macOS

For macOS  users, install openconnect package using brew

$ brew install openconnect

How to connect to SSL VPN Server with Openconnect (Manual)

Once openconnect package has been successfully installed on your operating system, you should be ready to connect to SSL VPN server, which can Cisco’s AnyConnect SSL VPN and Juniper Pulse Connect Secure.

Simple connection follows the syntax:

$ sudo openconnect -u user --passwd-on-stdin vpnserver

You will be prompted to enter a password, see example below:

$ sudo openconnect 192.168.1.1
POST https://192.168.1.1/
Connected to 192.168.1.1:443
SSL negotiation with 192.168.1.1

Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on 192.168.1.1
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://192.168.1.1/
Connected to 192.168.1.1:443
SSL negotiation with 192.168.1.1
Server certificate verify failed: signer not found
Connected to HTTPS on 192.168.1.1
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://192.168.1.1/+webvpn+/index.html
SSL negotiation with 192.168.1.1
Connected to HTTPS on 192.168.1.1
Please enter your username and password.
GROUP: [ANYCONNECT_PROFILE]
Please enter your username and password.
Username:jmutai
Password:
POST https://192.168.1.1/+webvpn+/index.html
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as 192.168.4.2, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(DHE-RSA-4294967237)-(AES-256-CBC)-(SHA1).

How to connect to SSL VPN Server with Openconnect using a Bash script

I wrote a bash script to simplify connecting to facilitate connecting to Cisco Autoconnect SSL VPN server. Put it to your ~/.zshrc or ~/.bashrc depending on your shell.

myvpn () {
    local vpn_server="vpnserver"
    local vpn_username="user"
    local vpn_password="password"
    # try connect
    while true; do
        retry_time=$(($(date +%s) + 30))
        sudo openconnect \
            -u $vpn_username $vpn_server --non-inter --passwd-on-stdin <<< "$vpn_password"
        current_time=`date +%s`
        if [ $current_time -lt retry_time ]; then
            sleep $(( $retry_time - $current_time ))
        fi
    done
}

Provide correct variables and save the file. Now every time you want to connect to the VPN, call the function by name:

$ myvpn

Juniper Pulse Client

In order to connect to a Pulse Connect Secure server, you need to know the SHA-1 of its certificate.

# openconnect --servercert=sha1:<HASH> \
--authgroup="single-Factor Pulse Clients" \
--protocol=nc <VPN_SERVER_ADDRESS>/dana-na/auth/url_6/welcome.cgi \
--pid-file="/var/run/work-vpn.pid" --user=<USERNAME>

In this guide, you have learned how to install and use OpenConnect SSL client on Linux and macOS. Let me know through the comment section if you encounter any error.