openconnect
Connect to VPN servers using various protocols
TLDR
Connect to a server
Connect to a server, forking into the background
Terminate the connection that is running in the background
Connect to a server, reading options from a configuration file
Connect to a server and authenticate with a specific SSL client certificate
SYNOPSIS
openconnect [OPTIONS] SERVER
openconnect --version
PARAMETERS
-b, --background
Run openconnect in the background after connecting.
-c, --certificate=FILE
Use the specified client certificate file for authentication.
-k, --privatekey=FILE
Use the specified private key file for the client certificate.
-u, --user=NAME
Specify the username to use for authentication.
-p, --passwd-on-stdin
Read the password from standard input instead of prompting interactively.
--protocol=PROT
Force the specified VPN protocol (e.g., anyconnect, nc, gp, fortinet, array).
--script=SCRIPT
Use the specified script to configure network parameters after connection.
--servercert=SHA1
Pin the server certificate to the given SHA1 fingerprint; a gateway that presents any other certificate is rejected.
--no-dtls
Disable the DTLS data tunnel, forcing all data over the TLS control channel.
--disable-ipv6
Prevent the client from requesting or configuring IPv6 addresses.
DESCRIPTION
openconnect is an open-source command-line client for SSL VPNs, originally written for compatibility with Cisco AnyConnect gateways. It also supports several other SSL VPN types, including Juniper SSL VPN (via the nc protocol), Palo Alto Networks GlobalProtect, Fortinet FortiGate, and Array Networks AG, so it can be used to reach internal corporate resources over any of these gateways.
openconnect establishes a tunnel over HTTPS (TLS, with an optional DTLS data channel), encrypting all traffic between the client and the VPN gateway. It supports a range of authentication methods, including username/password, client certificates, and two-factor authentication. Network configuration such as DNS and routing is delegated to an external script, most commonly vpnc-script. It can run in the foreground or background, which suits both interactive and automated use, and its open-source nature has made it a common choice on Linux.
CAVEATS
Proper functioning often relies on an external VPN script (like vpnc-script) for correct network configuration (DNS, routing). Without it, connectivity might not be fully established even if the tunnel is up. Certain authentication methods, especially those involving client certificates or complex multi-factor authentication, can require intricate configuration.
AUTHENTICATION METHODS
openconnect supports a wide range of authentication methods, including basic username and password, client certificates (PKCS#12, PEM), smart cards, and various forms of two-factor authentication (e.g., TOTP, YubiKey) often handled through interactive prompts or form entry options.
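Non-interactive use of these authentication options, as an added example rather than openconnect's own code: the wrapper pipes the password to --passwd-on-stdin so it never appears in the argument list (readable by every local user through ps) or in the environment, pins the gateway certificate with --servercert, forks with --background, and later terminates the background instance via a pid file, which covers the "forking into the background" and "terminate the connection" cases listed under TLDR. VPN_SERVER, VPN_USER, VPN_PIN and the secret and pid file paths are constructed placeholders; --pid-file is a real openconnect option that the parameter list above does not mention; the process check assumes Linux /proc.

```sh
#!/bin/sh
# Wrapper around openconnect for scripted use (added example, not part of
# openconnect). VPN_SERVER, VPN_USER and VPN_PIN below are constructed
# placeholders, not real values.
VPN_SERVER="${VPN_SERVER:-vpn.example.invalid}"
VPN_USER="${VPN_USER:-alice}"
VPN_PIN="${VPN_PIN:-PLACEHOLDER_SERVER_CERT_HASH}"
PIDFILE="${PIDFILE:-/run/openconnect-example.pid}"

# Return 0 only if the file exists and nobody but its owner can read it.
# Works with GNU stat (-c %a) and BSD stat (-f %Lp).
secret_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in
        [0-7]00|0[0-7]00) return 0 ;;   # e.g. 600, 400, 0600
        *) return 1 ;;
    esac
}

# Start openconnect in the background. The password is fed on stdin and read
# with --passwd-on-stdin, so it is never part of the command line or environment.
vpn_up() {
    secret="$1"
    secret_is_private "$secret" || {
        echo "$secret must exist and be readable by its owner only" >&2
        return 1
    }
    openconnect --background --pid-file="$PIDFILE" \
        --user="$VPN_USER" --servercert="$VPN_PIN" \
        --passwd-on-stdin "$VPN_SERVER" < "$secret"
}

# Stop the background instance recorded in the pid file. The pid is checked to
# be numeric and to belong to a running openconnect (via /proc, Linux only)
# before any signal is sent, so a stale or tampered pid file cannot be used to
# kill an unrelated process.
vpn_down() {
    [ -r "$PIDFILE" ] || { echo "no pid file at $PIDFILE" >&2; return 1; }
    pid=$(cat "$PIDFILE")
    case "$pid" in
        ''|*[!0-9]*) echo "pid file does not hold a number" >&2; return 1 ;;
    esac
    if [ "$(cat "/proc/$pid/comm" 2>/dev/null)" != "openconnect" ]; then
        echo "pid $pid is not a running openconnect" >&2
        return 1
    fi
    kill "$pid" && rm -f "$PIDFILE"
}
```

Usage: store the password in a file with mode 600, then run `vpn_up /path/to/secret` and later `vpn_down`. Keeping the credential out of argv is the reason --passwd-on-stdin exists; the pid file check is the defensive counterpart to "terminate the connection running in the background".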
NETWORK CONFIGURATION SCRIPTS
For openconnect to properly configure network settings such as DNS servers, IP addresses, and routing tables, it relies on an external script specified by the --script option. The most commonly used is vpnc-script, which handles the necessary ip and resolvconf commands to integrate the VPN tunnel into the system's network stack.
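The interface a --script hook has to implement, shown as an added example that is not the project's own vpnc-script: openconnect exports the negotiated tunnel settings as environment variables and runs the script once per event with $reason set. The variable names used here (reason, TUNDEV, INTERNAL_IP4_ADDRESS, INTERNAL_IP4_MTU, INTERNAL_IP4_DNS, CISCO_SPLIT_INC and the indexed CISCO_SPLIT_INC_n_ADDR / CISCO_SPLIT_INC_n_MASKLEN) are the standard vpnc-script ones; DRY_RUN and ALLOW_FULL_TUNNEL are knobs introduced for this example. The point it adds beyond the paragraph: routes and resolvers pushed by the gateway are policy, not just configuration, so the hook refuses a gateway-pushed default route unless that is explicitly permitted.

```sh
#!/bin/sh
# Minimal vpnc-script-compatible hook for `openconnect --script` (added example).
# openconnect sets $reason to pre-init, connect, reconnect, attempt-reconnect or
# disconnect and exports the negotiated settings in the environment.
# DRY_RUN=1 prints each command instead of executing it, so the resulting
# network changes can be reviewed (or tested) without root or a live tunnel.
# ALLOW_FULL_TUNNEL=1 must be set before a gateway-pushed default route is
# installed; by default only explicit split-include routes are accepted.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the routes the gateway pushed. With no split-include list the
# gateway is asking for a full tunnel (all traffic through $TUNDEV).
apply_routes() {
    if [ -z "${CISCO_SPLIT_INC:-}" ] || [ "$CISCO_SPLIT_INC" -eq 0 ]; then
        if [ "${ALLOW_FULL_TUNNEL:-0}" != "1" ]; then
            echo "refusing full-tunnel default route (set ALLOW_FULL_TUNNEL=1 to permit)" >&2
            return 1
        fi
        run ip route replace default dev "$TUNDEV"
        return 0
    fi
    i=0
    while [ "$i" -lt "$CISCO_SPLIT_INC" ]; do
        eval addr=\"\$CISCO_SPLIT_INC_${i}_ADDR\"
        eval len=\"\$CISCO_SPLIT_INC_${i}_MASKLEN\"
        # A 0.0.0.0/0 entry inside a split list is still a default route.
        if [ "$addr/$len" = "0.0.0.0/0" ] && [ "${ALLOW_FULL_TUNNEL:-0}" != "1" ]; then
            echo "skipping pushed default route in split-include list" >&2
        else
            run ip route add "$addr/$len" dev "$TUNDEV"
        fi
        i=$((i + 1))
    done
}

# Hand the pushed resolvers to resolvconf, scoped to the tunnel interface so
# they are removed again on disconnect.
apply_dns() {
    [ -n "${INTERNAL_IP4_DNS:-}" ] || return 0
    for ns in $INTERNAL_IP4_DNS; do
        printf 'nameserver %s\n' "$ns"
    done | run resolvconf -a "$TUNDEV"
}

case "${reason:-}" in
    pre-init)
        # Nothing to do: openconnect creates the tun device itself.
        ;;
    connect|reconnect)
        run ip link set dev "$TUNDEV" up mtu "${INTERNAL_IP4_MTU:-1400}"
        run ip addr add "$INTERNAL_IP4_ADDRESS/32" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV"
        apply_routes
        apply_dns
        ;;
    attempt-reconnect)
        ;;
    disconnect)
        run resolvconf -d "$TUNDEV"
        run ip link set dev "$TUNDEV" down
        ;;
    "")
        # Sourced without a reason: only define the functions.
        ;;
    *)
        echo "unknown reason: $reason" >&2
        exit 1
        ;;
esac
```

Usage: `openconnect --script /path/to/this-hook vpn.example.invalid` (placeholder hostname). Run it once with `DRY_RUN=1 reason=connect` and the expected variables set to see exactly which ip and resolvconf commands a given gateway would trigger before letting it touch the routing table.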
HISTORY
openconnect originated as a free, open-source alternative to Cisco's proprietary AnyConnect client for Linux and other Unix-like systems. Development began around 2008-2009, with significant contributions from key developers like Dan Luedtke and David Woodhouse. Over the years, its scope expanded beyond just AnyConnect compatibility, incorporating support for Juniper SSL VPN (nc protocol), Palo Alto GlobalProtect, Fortinet, and Array Networks. This evolution has made it a versatile tool for various SSL VPN environments, and its continued development ensures compatibility with newer VPN gateway versions and evolving security standards.