Developing software in the Real World

OpenConnect on Mac

One of my clients has recently moved to an AnyConnect VPN and I have been having routing problems with the official Mac client. My colleagues on the project who run Linux have not had these issues, so I investigated and installed the OpenConnect client instead.

These are my notes after scouring the Internet to set it up how I want it.

Installation

I used Homebrew:

OpenConnect is a CLI tool. If you want a GUI in your menu bar, also install openconnect-gui. I am not using the GUI, as the command line works for me.

Starting and stopping

To start the VPN:

(Replace {username} & {VPN URL} with the relevant details, of course.)

You can then press Ctrl+C to stop it.

To avoid typing your password for the sudo call each time, we can add a file under /etc/sudoers.d/ that allows the openconnect binary to run via sudo without a password. Be clear about what that grants: openconnect's --script option runs a script of the caller's choosing as root, so a NOPASSWD rule for it is effectively passwordless root for that user. Only do this on a machine where that is acceptable.

This one-liner will do it:

This creates /etc/sudoers.d/openconnect with the relevant config. The file must be owned by root with mode 0440, and its name must not contain a dot or end in a tilde, or sudo will silently ignore it. Check the result with sudo visudo -c, because a syntax error in any file under /etc/sudoers.d disables sudo entirely until it is fixed.
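As an added example (the post's own one-liner is not reproduced on this page), here is a helper that writes the rule the careful way: it uses the absolute path of the binary, gives the candidate file the ownership and mode sudo requires, parses it with visudo -c before anything lands in /etc/sudoers.d, and only then installs it read-only. The user name, the sudoers.d file name and the Homebrew install location are assumptions:

```shell
#!/usr/bin/env bash
# Added example (not the post's one-liner): install a NOPASSWD sudoers rule
# for openconnect without risking a broken /etc/sudoers.d.
# Assumptions: openconnect is on PATH (Homebrew puts it in /opt/homebrew/bin
# or /usr/local/bin) and the invoking user is the one who should get the rule.

# The rule text. Always use the absolute path of the binary: with a bare
# command name, anything called "openconnect" earlier on PATH would run as root.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# sudo skips /etc/sudoers.d entries whose name contains a '.' or ends in '~',
# so a file called openconnect.conf would silently do nothing.
valid_sudoers_name() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

install_sudoers_rule() {
    local user="$1" name="${2:-openconnect}" bin tmp rc
    valid_sudoers_name "$name" || { echo "invalid sudoers.d name: $name" >&2; return 1; }
    bin=$(command -v openconnect) || { echo "openconnect not found on PATH" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sudoers_rule "$user" "$bin" > "$tmp"
    # Give the candidate the ownership and mode sudo insists on, then let
    # visudo parse it. A syntax error in any sudoers.d file disables sudo
    # for everyone, so never copy an unchecked file into place.
    sudo chown root:wheel "$tmp" && sudo chmod 0440 "$tmp" || { sudo rm -f "$tmp"; return 1; }
    if sudo visudo -c -f "$tmp"; then
        sudo install -o root -g wheel -m 0440 "$tmp" "/etc/sudoers.d/$name"; rc=$?
    else
        echo "rule rejected by visudo; nothing installed" >&2; rc=1
    fi
    sudo rm -f "$tmp"
    return "$rc"
}

# Interactive use:  install_sudoers_rule "$USER"
# Remember that openconnect's --script option runs an arbitrary script as
# root, so this rule amounts to passwordless root for that user.
```

Run it once as `install_sudoers_rule "$USER"`; afterwards `sudo -l` should list the openconnect binary with NOPASSWD, and `sudo openconnect --version` should no longer prompt.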

Run in the background

Alternatively, you can put openconnect into the background with the --background flag. To stop the VPN, we then need to find the pid so that we can kill the process (openconnect can also record it for us with --pid-file, which saves searching the process list):

This will be useful when scripting it.

Avoiding typing the password

The --passwd-on-stdin flag allows us to pipe the password to openconnect like this:

Clearly we don't want the password in our shell history or in our scripts, so we put it in a file such as ~/.vpn_password.

This file needs to contain the plain text password and be readable only by the current user (chmod 600). It is still a secret stored in the clear, readable by root and by anything running under your account, so only do this if that risk is acceptable to you:

We can now pipe the contents of this file to openconnect:

We now have a working connection.

Scripting to make it easier

At this point we have enough to write a couple of functions to start and stop the VPN connection.

Place the following into ~/.bashrc:

Replace {VPN URL} with the correct URL for your VPN and {username} with your VPN username.

We can now start the VPN:

and then stop it:

Nice and simple to remember!
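An added example of what such ~/.bashrc functions can look like (these are not the post's own functions, which are not reproduced on this page): start, stop and check the VPN, combining --background, --pid-file and --passwd-on-stdin with a check that the password file is not readable by other users. The VPN URL, username and pid-file path are assumptions to replace, and the functions expect either the NOPASSWD sudo rule or a sudo password prompt on the terminal:

```shell
#!/usr/bin/env bash
# Added example (not the post's own ~/.bashrc functions): start, stop and
# check the VPN from the shell. Assumptions: the URL, username and pid-file
# path below; sudo either has a NOPASSWD rule for openconnect or will prompt.
VPN_URL="${VPN_URL:-https://vpn.example.com}"                 # assumption: your VPN URL
VPN_USER="${VPN_USER:-$USER}"                                 # assumption: your VPN username
VPN_PASSWORD_FILE="$HOME/.vpn_password"
VPN_PID_FILE="${VPN_PID_FILE:-/var/run/openconnect-vpn.pid}"  # written by openconnect as root

# Permission bits of a file in octal: GNU/BusyBox stat first, macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Refuse a password file that anyone but its owner can read or write.
# The file is a plaintext secret either way; this only catches the obvious mistake.
check_password_file() {
    local f="$1" mode
    [ -f "$f" ] || { echo "missing password file $f" >&2; return 1; }
    mode=$(file_mode "$f") || return 1
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$f is mode $mode but must be 600; run: chmod 600 $f" >&2
        return 1
    fi
}

# True if a process with this pid exists: kill -0 covers our own processes,
# ps -p covers root's openconnect daemon.
pid_alive() {
    kill -0 "$1" 2>/dev/null || ps -p "$1" >/dev/null 2>&1
}

vpn_status() {
    local pid
    pid=$(cat "$VPN_PID_FILE" 2>/dev/null) || { echo "VPN down (no pid file)"; return 1; }
    if [ -n "$pid" ] && pid_alive "$pid"; then
        echo "VPN up (openconnect pid $pid)"
    else
        echo "VPN down (stale pid file)"; return 1
    fi
}

vpn_start() {
    check_password_file "$VPN_PASSWORD_FILE" || return 1
    if vpn_status >/dev/null; then echo "VPN already up" >&2; return 1; fi
    # The password is fed on stdin, so it never appears in argv, ps output or
    # shell history. --background detaches after authentication; --pid-file
    # records the daemon's pid so vpn_stop needs no process-list search.
    sudo openconnect --background "--pid-file=$VPN_PID_FILE" \
        "--user=$VPN_USER" --passwd-on-stdin "$VPN_URL" < "$VPN_PASSWORD_FILE"
}

vpn_stop() {
    local pid
    pid=$(cat "$VPN_PID_FILE" 2>/dev/null)
    [ -n "$pid" ] || pid=$(pgrep -x openconnect) || { echo "no openconnect process found" >&2; return 1; }
    # SIGTERM makes openconnect disconnect cleanly and run the disconnect hooks.
    sudo kill "$pid" && sudo rm -f "$VPN_PID_FILE"
}
```

After sourcing the file, `vpn_start`, `vpn_status` and `vpn_stop` do what their names say; the permission check means a `chmod 644 ~/.vpn_password` slip is reported rather than quietly accepted.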

DNS resolution

On Big Sur, I found that the VPN's DNS server wasn't registered, so I had to add scripts to do that. OpenConnect (through its vpnc-script) runs every script in /etc/vpnc/post-connect.d when the VPN connects and every script in /etc/vpnc/post-disconnect.d when it disconnects, so we can create two files to handle DNS. These hooks run as root, so the directories and scripts must be owned by root and not writable by anyone else; otherwise whatever can edit them gets root the next time you connect. The directories don't exist by default, so you'll need to create them:

This is the “on connect” script:

/etc/vpnc/post-connect.d/use-vpn-dns:

Replace {VPN DNS IP1}, {VPN DNS IP2}, {Usual DNS IP1} and {Usual DNS IP2} with the correct IP addresses for your setup.

When the VPN is disconnected, we need to reset the DNS. I use DHCP, so this worked for me:

/etc/vpnc/post-disconnect.d/use-default-dns:

This clears the DNS entries so the DHCP defaults are used again. Be aware that if you use a static DNS configuration or multiple VPNs, you will need more careful logic, such as saving the previous setting on connect and restoring it on disconnect.

DNS for a specific domain

If you need to use a particular DNS server for a specific domain only, you can add this to use-vpn-dns:

1.2.3.4 and 5.6.7.8 are the DNS servers and specific-searchdomain.com is the domain in question.

and to remove:

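An added example covering both the connect/disconnect hooks and the per-domain resolver above (this is not the post's own script, which is not reproduced on this page). Because vpnc-script sources every file in post-connect.d and post-disconnect.d as root with $reason set to connect or disconnect, one file can be installed under both names. Unlike the plain "empty" reset described above, it saves the previous DNS setting on connect and restores it on disconnect, which also copes with a static DNS configuration or a second VPN. The service name Wi-Fi, the placeholder addresses and the use of an /etc/resolver/<domain> file for the split domain are assumptions:

```shell
#!/bin/sh
# Added example, not the post's own hook scripts. vpnc-script sources every
# file in /etc/vpnc/post-connect.d and /etc/vpnc/post-disconnect.d as root,
# with $reason set to "connect" or "disconnect", so this one file can be
# installed under both names:
#   sudo install -o root -g wheel -m 0755 vpn-dns.sh /etc/vpnc/post-connect.d/use-vpn-dns
#   sudo install -o root -g wheel -m 0755 vpn-dns.sh /etc/vpnc/post-disconnect.d/use-default-dns
# Assumptions: the network service is "Wi-Fi" (check with
# `networksetup -listallnetworkservices`) and the addresses are placeholders.

SERVICE="Wi-Fi"
VPN_DNS="10.0.0.53 10.0.0.54"              # placeholders for {VPN DNS IP1} {VPN DNS IP2}
SPLIT_DOMAIN="specific-searchdomain.com"   # domain that needs its own resolvers
SPLIT_DNS="1.2.3.4 5.6.7.8"                # resolvers used for that domain only
STATE_FILE="/var/run/vpn-dns.saved"        # previous DNS setting, restored on disconnect

# networksetup -getdnsservers prints a sentence, not an empty list, when no
# explicit servers are set; map that to the "empty" keyword -setdnsservers
# expects, otherwise join the saved one-per-line addresses into one argument list.
restore_dns_args() {
    case "$1" in
        ''|"There aren't any DNS Servers set"*) echo "empty" ;;
        *) set -- $1; echo "$*" ;;
    esac
}

# Contents of /etc/resolver/<domain> (see resolver(5)): only queries for that
# domain go to these servers; everything else keeps the system resolvers.
resolver_file_content() {
    for s in $1; do
        echo "nameserver $s"
    done
}

vpn_dns_up() {
    # Remember the current setting so disconnect restores it exactly. This is
    # the extra logic a static DNS setup or a second VPN needs.
    networksetup -getdnsservers "$SERVICE" > "$STATE_FILE"
    networksetup -setdnsservers "$SERVICE" $VPN_DNS
    mkdir -p /etc/resolver
    resolver_file_content "$SPLIT_DNS" > "/etc/resolver/$SPLIT_DOMAIN"
}

vpn_dns_down() {
    saved=$(cat "$STATE_FILE" 2>/dev/null)
    networksetup -setdnsservers "$SERVICE" $(restore_dns_args "$saved")
    rm -f "$STATE_FILE" "/etc/resolver/$SPLIT_DOMAIN"
}

case "${reason:-}" in
    connect)    vpn_dns_up ;;
    disconnect) vpn_dns_down ;;
esac
```

After connecting, `networksetup -getdnsservers Wi-Fi` should list the VPN resolvers and `scutil --dns` should show a resolver entry for specific-searchdomain.com pointing at 1.2.3.4 and 5.6.7.8; after disconnecting, both should be back to their previous state.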
That’s it

With this in place, I can now connect to and disconnect from my client's VPN with minimal fuss and, so far, everything works as I expect.

3 thoughts on “OpenConnect on Mac”

  1. Hi,
    Thanks for sharing your valuable notes. I installed openconnect using homebrew on Big Sur, but when I'm trying to enter this command "sudo openconnect --user=test https://test.com" I just get this error:
    Sorry, try again.

    I used to connect to my office VPN using openconnect on Linux many times without any problem.
    Can you please share your comment?

  2. The doc works like a charm. However, I do notice that the connection drops every couple of hours during inactivity and then I have to redo it again. Not a terrible experience but would rather avoid it if I can. Any suggestion there?
