OpenConnect is an SSL VPN client initially created to support Cisco’s AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN which is now known as Pulse Connect Secure. In this guide, we will look at the installation and usage of OpenConnect SSL VPN client to connect to both Cisco’s AnyConnect SSL VPN and Juniper Pulse Connect Secure.

Features of OpenConnect SSL Client

From the official website, OpenConnect SSL Client has the following features:

  • Connection through HTTP proxy, including libproxy support for automatic proxy configuration.
  • Connection through the SOCKS5 proxy.
  • Automatic detection of IPv4 and IPv6 address, routes.
  • Authentication via HTTP forms.
  • Authentication using SSL certificates — from a local file, Trusted Platform Module and PKCS#11 smartcards.
  • Authentication using SecurID software tokens (when built with libstoken)
  • Authentication using OATH TOTP or HOTP software tokens.
  • Authentication using Yubikey OATH tokens (when built with libpcsclite)
  • UserGroup support for selecting between multiple configurations on a single VPN server.
  • Data transport over TCP (HTTPS) or UDP (DTLS or ESP).
  • Keepalive and Dead Peer Detection on both HTTPS and DTLS.
  • Automatic update of VPN server list/configuration.
  • Roaming support, allowing reconnection when the local IP address changes.
  • Can run without root privileges
  • Support for “Cisco Secure Desktop” and “GlobalProtect HIP report”.

Installing OpenConnect SSL Client on Linux

Let’s now look at different ways to install OpenConnect SSL Client on your favorite Linux distribution:

Install OpenConnect SSL Client on Arch Linux

On Arch Linux and its derivative distributions, you can install openconnect from the official Pacman repositories.

sudo pacman -S openconnect

The same can also be done using yaourt:

$ yaourt -S openconnect

Install OpenConnect SSL Client on Debian / Ubuntu

For Debian and its derivatives, install openconnect package using the apt package manager.

sudo apt update
sudo apt-get install openconnect

Install OpenConnect SSL Client on CentOS / RHEL

For CentOS and RHEL, the openconnect package is available from the EPEL repository. Add the repository, then install the openconnect package:

sudo yum install epel-release
sudo yum install openconnect

Install OpenConnect SSL Client on Fedora

For Fedora, the package is also available from epel; only the package manager changes:

sudo dnf install openconnect

Install OpenConnect SSL Client on macOS

For macOS users, install the openconnect package using brew:

$ brew install openconnect

How to connect to SSL VPN Server with Openconnect (Manual)

Once the openconnect package has been successfully installed on your operating system, you should be ready to connect to an SSL VPN server, which can be Cisco’s AnyConnect SSL VPN or Juniper Pulse Connect Secure.

Simple connection follows the syntax:

$ sudo openconnect -u user --passwd-on-stdin vpnserver

You will be prompted to enter a password; see the example below:

$ sudo openconnect
Connected to
SSL negotiation with

Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on
Got HTTP response: HTTP/1.0 302 Object Moved
Connected to
SSL negotiation with
Server certificate verify failed: signer not found
Connected to HTTPS on
Got HTTP response: HTTP/1.0 302 Object Moved
SSL negotiation with
Connected to HTTPS on
Please enter your username and password.
Please enter your username and password.
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(DHE-RSA-4294967237)-(AES-256-CBC)-(SHA1).

How to connect to SSL VPN Server with Openconnect using a Bash script

I wrote a bash script to simplify connecting to a Cisco AnyConnect SSL VPN server. Put it in your ~/.zshrc or ~/.bashrc, depending on your shell.

myvpn () {
    local vpn_server="vpnserver"
    local vpn_username="user"
    local vpn_password="password"   # stored in plain text: keep this file readable only by you
    local retry_time current_time
    # Reconnect in a loop, waiting at least 30 seconds between attempts
    while true; do
        retry_time=$(($(date +%s) + 30))
        sudo openconnect \
            -u "$vpn_username" "$vpn_server" --non-inter --passwd-on-stdin <<< "$vpn_password"
        current_time=$(date +%s)
        if [ "$current_time" -lt "$retry_time" ]; then
            sleep $(( retry_time - current_time ))
        fi
    done
}

Provide correct variables and save the file. Now every time you want to connect to the VPN, call the function by name:

$ myvpn
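
The function above keeps the password in your shell startup file and retries forever, which with a wrong password means repeated failed logins. As an added example (not part of the original script; vpn_client and myvpn_prompt are hypothetical names), this variant asks for the password once without echo and stops after a few sessions that end sooner than the retry interval:

```bash
# Added example: names and argument order are assumptions, not from the guide.

# Runs the client with the same options as the page's script; password on stdin.
vpn_client() {
    sudo openconnect -u "$1" --non-inter --passwd-on-stdin "$2"
}

# usage: myvpn_prompt SERVER USER [MAX_SHORT_SESSIONS] [MIN_INTERVAL_SECONDS]
myvpn_prompt() {
    local server="$1" user="$2" max_short="${3:-3}" min_interval="${4:-30}"
    local password short=0 start elapsed

    # Ask once, without echo; read plainly when stdin is not a terminal.
    if [ -t 0 ]; then
        printf 'Password for %s@%s: ' "$user" "$server" >&2
        stty -echo; IFS= read -r password; stty echo
        printf '\n' >&2
    else
        IFS= read -r password
    fi

    while :; do
        start=$(date +%s)
        printf '%s\n' "$password" | vpn_client "$user" "$server" || true
        elapsed=$(( $(date +%s) - start ))
        if [ "$elapsed" -ge "$min_interval" ]; then
            short=0        # a real session ended: reconnect straight away
            continue
        fi
        short=$((short + 1))
        if [ "$short" -ge "$max_short" ]; then
            echo "giving up after $short short sessions (wrong password?)" >&2
            return 1
        fi
        sleep $(( min_interval - elapsed ))
    done
}
```

Call it as myvpn_prompt vpnserver user; the password lives only in a local variable for the lifetime of the function.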

Juniper Pulse Client

In order to connect to a Pulse Connect Secure server, you need to know the SHA-1 of its certificate.

openconnect --servercert=sha1:<HASH> \
--authgroup="single-Factor Pulse Clients" \
--protocol=nc <VPN_SERVER_ADDRESS>/dana-na/auth/url_6/welcome.cgi \
--pid-file="/var/run/" --user=<USERNAME>
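
The --servercert option makes openconnect accept the server only if its certificate matches a known fingerprint. As an added example (not from the original guide; the function names and vpn.example.test are assumptions), this goes beyond the sha1: form used above and computes the RFC 7469 pin-sha256: value that --servercert also accepts, with a throwaway certificate generated locally as constructed sample input:

```bash
# Added example: function names are hypothetical.

# fetch_server_cert HOST:PORT
# Print the leaf certificate the server presents, as PEM (needs network access).
fetch_server_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# spki_pin CERT.pem
# Print "pin-sha256:<base64>": SHA-256 over the DER SubjectPublicKeyInfo.
spki_pin() {
    local pub b64
    # Extract the key first and stop on failure; otherwise an unreadable file
    # would silently produce the hash of empty input, which looks like a pin.
    pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    b64=$(printf '%s\n' "$pub" |
          openssl pkey -pubin -outform DER |
          openssl dgst -sha256 -binary |
          openssl base64)
    [ "${#b64}" -eq 44 ] || return 1   # 32 hash bytes encode to 44 characters
    printf 'pin-sha256:%s\n' "$b64"
}

# make_sample_cert DIR
# Constructed sample input: throwaway self-signed certificate for offline use.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vpn.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Typical use against a real server (host name is a placeholder):
#   fetch_server_cert vpn.example.test:443 > server.pem
#   sudo openconnect --servercert "$(spki_pin server.pem)" vpn.example.test
```

A pin computed from a certificate fetched over the network is only as trustworthy as that connection, so compare it with a value obtained from the VPN administrator before relying on it.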

In this guide, you have learned how to install and use OpenConnect SSL client on Linux and macOS. Let me know through the comment section if you encounter any error.
