openconnect-gui-menu-bar's Introduction

OpenConnect - OS X/Mac OS GUI Menu Bar for connecting/disconnecting

What is this?

An easy way to get OpenConnect VPN to have an OS X/Mac OS Menu Bar GUI for:

  • quick connecting
  • quick disconnect
  • status changes (icon)

Full support for multi-factor authentication (especially Duo)!

How to run it:

1. Get the latest BitBar release:

https://github.com/matryer/bitbar/releases

BitBar provides an easy way to put "things" (for output and input) in your OS X/Mac OS Menu Bar.

Just unzip the release in your /Applications folder and launch BitBar. It will ask you to create (or select) a folder to use for your scripts.

Obviously, make sure you have installed openconnect too :)

brew install openconnect

2. Edit the "openconnect.sh" and follow the steps inside to customize:

Start by just getting the file itself: https://raw.githubusercontent.com/ventz/openconnect-gui-menu-bar/master/openconnect.sh

Once you download it, make it executable: chmod 755 openconnect.sh

This file is the "script" that interacts with BitBar. Place it in your bitbar scripts folder (I have chosen: ~/Documents/bitbar-plugins/), and edit it/follow these steps:

First - Update your sudoers configuration. You can create an /etc/sudoers.d/openconnect file which contains:

mac-username ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect
mac-username ALL=(ALL) NOPASSWD: /usr/bin/killall -2 openconnect

Please note that mac-username is not a literal, but actually the 'whoami' username for OS X/Mac OS.

Second - Make sure your openconnect binary is here:

VPN_EXECUTABLE=/usr/local/bin/openconnect

Third - Add your VPN domain and VPN username, and set the auth method to "push" or "pin":

VPN_HOST="vpn.domain.tld"
# NOTE: If you are using a VPN_GROUP (ex: domain.tld/group) -- use this, instead of "#VPN_TUNNEL" within VPN_USERNAME
VPN_GROUP="VPN_GROUP_TUNNEL"
VPN_USERNAME="[email protected]#VPN_TUNNEL_OPTIONALLY"

# Duo options include "push", "sms", or "phone"
PUSH_OR_PIN="push"
# To be prompted for TOTP input, use the product name instead (pick one):
# PUSH_OR_PIN="Yubikey"
# PUSH_OR_PIN="Google Authenticator"
# PUSH_OR_PIN="Duo"

Finally, create your KeyChain password (to store your VPN password securely):

a.) Open "Keychain Access"
b.) Click on "login" keychain (top left corner)
c.) Click on "Passwords" category (bottom left corner)
d.) From the "File" menu, select -> "New Password Item..."
e.) For "Keychain Item Name" and "Account Name" use the "VPN_HOST" and "VPN_USERNAME" values respectively from the "Third" step above.
f.) For "Password" enter your VPN AnyConnect password.

That's it! Now you can use the GUI to connect and disconnect! (and if you are using Duo - get the 2nd factor push to your phone)
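
One way to carry out the "First" (sudoers) step above so that a file sudo cannot parse never reaches /etc/sudoers.d, as an added example that is not part of the project: the two rules are generated, checked against the README's shape and the real username, then validated with visudo -cf before being installed with mode 0440. The function names and the root:wheel ownership are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. Function names are hypothetical.

# Print the two rules from the README for the given macOS username.
render_sudoers() {
    printf '%s ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect\n' "$1"
    printf '%s ALL=(ALL) NOPASSWD: /usr/bin/killall -2 openconnect\n' "$1"
}

# check_sudoers <file> <username>: return 0 only if every rule has the
# README's shape and names <username> (not the "mac-username" placeholder).
check_sudoers() {
    # Anything besides tab, newline and printable ASCII (CR line endings,
    # smart quotes, non-breaking spaces) is treated as copy/paste damage.
    if LC_ALL=C tr -d '\11\12\40-\176' <"$1" | LC_ALL=C grep -q .; then
        echo "$1: CR or non-ASCII bytes present" >&2
        return 1
    fi
    awk -v u="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blanks
        $1 != u || $2 != "ALL=(ALL)" || $3 != "NOPASSWD:" || $4 !~ /^\// {
            print "line " NR " rejected: " $0; bad = 1
        }
        END { exit bad + 0 }' "$1" >&2
}

# install_sudoers <username>: run as root. The file only reaches
# /etc/sudoers.d if the shape check and visudo's own parser both accept it.
install_sudoers() {
    tmp=$(mktemp) || return 1
    render_sudoers "$1" >"$tmp"
    rc=1
    if check_sudoers "$tmp" "$1" && visudo -cf "$tmp" &&
       install -m 0440 -o root -g wheel "$tmp" /etc/sudoers.d/openconnect
    then
        rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Pass the login username explicitly (the output of whoami as the normal user), and keep a root shell open until a fresh sudo -l succeeds.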

Problems Connecting?

If you have another VPN (ex: OpenVPN), you might already have a 'utun0' interface. Please check with '/sbin/ifconfig'. If that's the case, in step #2 above you need to add:

VPN_INTERFACE="utun1"

If you already have a utun0 and a utun1, then you need to change it to the next available one, ex: utun2.

In order to make sure this doesn't happen - I've chosen 'utun99'

Help/Questions/Comments:

For help or more info, feel free to contact me or open an issue here!

openconnect-gui-menu-bar's Issues

Unable to add keychain password manually

I tried to add password in keychain manually but got security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain. when trying to retrieve it.
I guess it could be caused by "https://xxx" in VPN_HOST (even if it seems useless to add https://)

So I use command line to set password and it works like a charm:

security add-generic-password -s openconnect -a $VPN_HOST -w

I also updated the GET_VPN_PASSWORD like that:

GET_VPN_PASSWORD="security find-generic-password -s openconnect -a $VPN_HOST -w"

That said, thank you a lot for your plugin! 👍

Error: parse error in openconnect file

I'm going mad trying to figure this out. So connecting from the menu bar wasn't doing anything for me. I typed this into the Terminal substituting all the variables to try to debug my issue:

sudo "$VPN_EXECUTABLE" -u "$VPN_USERNAME" -i "$VPN_INTERFACE" "$VPN_HOST"

I get this error:

>>> /private/etc/sudoers.d/openconnect: syntax error near line 2 <<<
sudo: parse error in /private/etc/sudoers.d/openconnect near line 2
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

Not sure why, because this is my openconnect file:

sn0w ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect
sn0w ALL=(ALL) NOPASSWD: /usr/bin/killall -2 openconnect

where sn0w is the result of the whoami.

SMS 2FA

Hi.

Found your script and worked great but only when I have already used my 2FA. I.e. if I need to input the pin code received on SMS, I do not see anywhere to input this pin code.
Tried to look at the script but unsure how this input is supposed to work. Does the script not support inputting the pin code after "connected" to the vpn or am I missing something?

Openconnect 'Failed to obtain WebVPN cookie' over sms authentication

I tried the script in MacOS Monterey, even though it requires tons of changes (e.g. security find-generic-password should be changed to security find-internet-password as new keychain entries are saved under Internet Passwords).

But on top of this, openconnect still doesn't wait for you to receive the 2fa sms (in my case, from DUO) and throws a Failed to obtain WebVPN cookie error before shutting down.

Has anyone found a way to bypass this problem caused by openconnect? Interestingly enough, using push allows openconnect to wait for your push authentication before connection.

Question about authentication

First I want to thank you for a nice tool for openconnect.
I have a question about the connection password and PINs.
To connect to my VPN I need to provide username, password and then a PIN, and after that a second PIN that I receive via SMS.
Is it possible to store the first PIN in the keychain as well, so when I want to connect, I only wait for the SMS with the second PIN?

debugging

I echo the following openconnect command and run it in the terminal, and find it runs OK.
sudo "$VPN_EXECUTABLE" -u "$VPN_USERNAME" -i "$VPN_INTERFACE" "$VPN_HOST"
But when I echo the password, it is accepted, but when I add the VIP response code it fails.
------Extract from command line ------------
SSL negotiation with xxx.xxx.com
Connected to HTTPS on xxx.xxx.com
XML POST enabled
Please enter your username and password.
Password:
POST https://xxxx.xxxx.com/
Enter Your VIP Security Code:
Response:
fgets (stdin): Inappropriate ioctl for device


What is the parameter for push/pin or other item?

add route

I have two VPNs (one cisco anynet + openconnect) online at the same time. The issue is that when openconnect successfully connects to the VPN host, the route may not be added successfully to the route table. Ping will succeed for a few seconds, then it will be overwritten/refreshed by cisco anynet, and ping cannot connect to the VPN host.
Is it possible to check the connection to a VPN host for a few seconds and, if it cannot connect to a specific address, then retry?
