OpenConnect is an SSL VPN client initially created to support Cisco’s AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN, which is now known as Pulse Connect Secure. In this guide, we will look at the installation and usage of the OpenConnect SSL VPN client to connect to both Cisco’s AnyConnect SSL VPN and Juniper Pulse Connect Secure.
Features of OpenConnect SSL Client
From the official website, OpenConnect SSL Client has the following features:
- Connection through HTTP proxy, including libproxy support for automatic proxy configuration.
- Connection through the SOCKS5 proxy.
- Automatic detection of IPv4 and IPv6 addresses and routes.
- Authentication via HTTP forms.
- Authentication using SSL certificates — from a local file, Trusted Platform Module and PKCS#11 smartcards.
- Authentication using SecurID software tokens (when built with libstoken)
- Authentication using OATH TOTP or HOTP software tokens.
- Authentication using Yubikey OATH tokens (when built with libpcsclite)
- UserGroup support for selecting between multiple configurations on a single VPN server.
- Data transport over TCP (HTTPS) or UDP (DTLS or ESP).
- Keepalive and Dead Peer Detection on both HTTPS and DTLS.
- Automatic update of VPN server list/configuration.
- Roaming support, allowing reconnection when the local IP address changes.
- Can run without root privileges
- Support for “Cisco Secure Desktop” and “GlobalProtect HIP report”.
Installing OpenConnect SSL Client on Linux
Let’s now look at different ways to install OpenConnect SSL Client on your favorite Linux Distribution:
Install OpenConnect SSL Client on Arch Linux
For Arch Linux users and its derivative distributions, you can install openconnect from official Pacman repositories.
$ sudo pacman -S openconnect
The same can also be done using yaourt:
$ yaourt -S openconnect
Install OpenConnect SSL Client on Debian / Ubuntu
For Debian and its derivatives, install openconnect package using the apt package manager.
$ sudo apt-get install openconnect
Install OpenConnect SSL Client on CentOS / RHEL
For CentOS and RHEL, the openconnect package is available from the epel repository. Add the repository, then install the openconnect package:
$ sudo yum install epel-release
$ sudo yum install openconnect
Install OpenConnect SSL Client on Fedora
For Fedora, the package is also available from epel. Only the name of the package manager changes:
$ sudo dnf install epel-release
$ sudo dnf install openconnect
Install OpenConnect SSL Client on macOS
For macOS users, install the openconnect package using Homebrew:
$ brew install openconnect
How to connect to SSL VPN Server with Openconnect (Manual)
Once the openconnect package has been successfully installed on your operating system, you should be ready to connect to an SSL VPN server, which can be Cisco’s AnyConnect SSL VPN or Juniper Pulse Connect Secure.
A simple connection follows the syntax:
$ sudo openconnect -u user --passwd-on-stdin vpnserver
You will be prompted to enter a password.
How to connect to SSL VPN Server with Openconnect using a Bash script
I wrote a bash script to simplify connecting to a Cisco AnyConnect SSL VPN server. Put it in your ~/.bashrc, or the equivalent startup file for your shell.
Provide the correct variables and save the file. Now, every time you want to connect to the VPN, call the function by name.
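As an added example (not the author's script, which is not reproduced here), a wrapper function of this kind could look like the following. The names VPN_USER, VPN_SERVER, VPN_PROTOCOL, VPN_SERVERCERT, vpn_pin_ok and vpn_up are hypothetical, and the user and server values are placeholders.

```shell
# Added example for ~/.bashrc, written in POSIX sh syntax so bash loads it too.
# Every VPN_* value is a placeholder (assumption); replace with your own settings.
VPN_USER="user"
VPN_SERVER="vpn.example.com"
VPN_PROTOCOL="anyconnect"   # "nc" for Pulse Connect Secure
VPN_SERVERCERT=""           # optional pin: sha1:<40 hex> or sha256:<64 hex>

# Succeeds only if $1 is a well-formed certificate pin.
vpn_pin_ok() (
    case $1 in
        sha1:*)   hex=${1#sha1:};   want=40 ;;
        sha256:*) hex=${1#sha256:}; want=64 ;;
        *) exit 1 ;;
    esac
    case $hex in *[!0-9A-Fa-f]*) exit 1 ;; esac
    [ "${#hex}" -eq "$want" ]
)

# vpn_up            prompt for the password and connect
# vpn_up --dry-run  print the openconnect command line, one argument per line
vpn_up() (
    if [ -n "$VPN_SERVERCERT" ] && ! vpn_pin_ok "$VPN_SERVERCERT"; then
        echo "vpn_up: VPN_SERVERCERT is not a valid sha1:/sha256: pin" >&2
        exit 2
    fi
    dry_run=$1
    set -- openconnect --protocol="$VPN_PROTOCOL" --user="$VPN_USER" --passwd-on-stdin
    if [ -n "$VPN_SERVERCERT" ]; then
        set -- "$@" --servercert="$VPN_SERVERCERT"
    fi
    set -- "$@" "$VPN_SERVER"
    if [ "$dry_run" = "--dry-run" ]; then
        printf '%s\n' "$@"
        exit 0
    fi
    # Read the password at call time so it is never stored in the rc file
    # and never appears in the process list; openconnect reads it from stdin.
    trap 'stty echo 2>/dev/null; exit 130' INT
    printf 'VPN password: ' >&2
    stty -echo 2>/dev/null
    IFS= read -r vpn_pass
    stty echo 2>/dev/null
    echo >&2
    printf '%s\n' "$vpn_pass" | sudo "$@"
)
```

Run `vpn_up --dry-run` first to check the command line that will be executed, then `vpn_up` to connect.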
Juniper Pulse Client
In order to connect to a Pulse Connect Secure server, you need to know the SHA-1 fingerprint of its certificate.
# openconnect --servercert=sha1:<HASH> \
    --authgroup="single-Factor Pulse Clients" \
    --protocol=nc <VPN_SERVER_ADDRESS>/dana-na/auth/url_6/welcome.cgi \
    --pid-file="/var/run/work-vpn.pid" --user=<USERNAME>
In this guide, you have learned how to install and use OpenConnect SSL client on Linux and macOS. Let me know through the comment section if you encounter any error.