35

I use openconnect on Ubuntu 16.04 from the terminal; when I want to run it, I need to go through three phases:

  • "yes/no"
  • "username"
  • "password"

How can I bypass above phases using openconnect in a line (e.g. using openconnect options)?
Are there any options for that such as the following line?

sudo openconnect <server-name> --user=<'username'> --pass=<'password'>

I used openconnect --help and found a way to fill in the username, but I have no idea how to fill in the password or handle the SSL verification.

Benyamin Jafari

7 Answers

53

If you type man openconnect in a terminal you will get a manual page describing usage.

Relevant sections:

-u,--user=NAME
Set login username to NAME

--passwd-on-stdin
Read password from standard input

Additionally, you may need to disable certificate warnings:

--no-cert-check
Do not require server SSL certificate to be valid. Checks will still happen and failures will cause a warning message, but the connection will continue anyway. You should not need to use this option - if your servers have SSL certificates which are not signed by a trusted Certificate Authority, you can still add them (or your private CA) to a local file and use that file with the --cafile option.

Or you could add the certificate to a file.

All this can be combined:

echo "password" | sudo openconnect server --user=username --passwd-on-stdin --no-cert-check
Benyamin Jafari
vidarlo
  • 11
    The answer above is still correct except for `--no-cert-check` which has been removed due to security risks. This is the error message now when using it: The --no-cert-check option was insecure and has been removed. Fix your server's certificate or use --servercert to trust it. (can't comment above because not enough points; mods feel free to clear this up) – movAX13h Dec 18 '18 at 14:21
  • Seems like if they prompt for 2FA it goofs up the response code if you do --passwd-on-stdn – Mark Jan 05 '21 at 17:10
7

I was able to automate the sudo password, VPN user, VPN password and secondary challenge using the following command (tested on mac):

challange=<code> && sudo -S <<< "<sudo_password>" echo I am super user && { printf '<vpn_password>\n'; sleep 1; printf '%s\n' "$challange"; } | sudo openconnect <server_name> --user <vpn_username> --passwd-on-stdin
dux2
  • 1
    `` is some code/number you get from a 2-Factor Authentication (2FA) service. In my case it's a smartphone application with some rotating number. – dux2 Nov 19 '20 at 10:43
  • 1
    This worked perfectly fine with my MFA. One change that I made was to create a sh file and pass the MFA code as an arg to it. Change in script: `challange="$1"`; ScriptName: vpn.sh; terminal: `./vpn.sh <code>` – Sniper Dec 28 '20 at 05:50
  • I can't thank you enough for this. For me, nothing worked, including recording and modifying a script through autoexpect; I even tried putting together a pexpect python script, and nothing worked. This was the only thing out of many that worked. I automated the MFA challenge with a script, and now this is fully automated. Thank you. – R J Sep 06 '21 at 01:04
5

This works for me:

echo mypassword | openconnect <server-name> --protocol=anyconnect --user=myusername --passwd-on-stdin
BeastOfCaerbannog
arbuzov
  • yep, this works if the server does not require a certificate. You can also omit `--protocol=anyconnect` since it's the default value anyway. – Wlad Feb 01 '21 at 13:17
4

To skip the certificate check: the --no-cert-check parameter was removed in new versions. You can use --servercert instead.

--servercert sha256:sdflkdsjflsdjkfds

Amin Shojaei
  • 2
    Actually, I don't have any server certification, in this new version how can I bypass it? – Benyamin Jafari Jan 10 '21 at 11:46
  • 3
    @BenyaminJafari when you run that command, openconnect gives you an error message that contains `Server SSL certificate didn't match: pin-sha256:76v/J0dQR44xdeBCxKUq/Slvtikc+0xTyRdjaZk/5fA=`; the `pin-sha256:76v/J0dQR44xdeBCxKUq/Slvtikc+0xTyRdjaZk/5fA=` is your servercert. – SdSaati Aug 22 '21 at 23:55
  • 2
    @SdSaati Yes, that's right. – Benyamin Jafari Aug 25 '21 at 06:41
3

After reading the solutions, this is the script that finally works for me:

echo "PASSWORD" | sudo openconnect --protocol=anyconnect SERVER --user=USERNAME --passwd-on-stdin --servercert SERVERCERT

When you run the above command without SERVERCERT (because you don't have it), it gives you an error that contains the SERVERCERT inside it, something like: `Server SSL certificate didn't match: pin-sha256:76v/J0dQR44xdeBCxKUq/Slvtikc+0xTyRdjaZk/5fA=`. That's it: the string starting with pin-sha256:... (the whole of it, including pin-sha256 itself) is your SERVERCERT.

So, the final result in this case, for example, is:

echo "PASSWORD" | sudo openconnect --protocol=anyconnect SERVER --user=USERNAME --passwd-on-stdin --servercert pin-sha256:76v/J0dQR44xdeBCxKUq/Slvtikc+0xTyRdjaZk/5fA=
SdSaati
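The answers above (vidarlo's `--passwd-on-stdin`, dux2's second stdin line for the 2FA code, and SdSaati's `pin-sha256:` pin from the mismatch error) fit together into one small wrapper. The script below is an added example, not code from the question, any answer, or the openconnect project. It assumes two things that are not on the page: a hypothetical `VPN_RUNNER` override so the wrapper can be exercised without a real VPN, and that the password is kept in a file readable only by its owner, so it never appears on a command line (where `echo "password" | ...` leaves it in shell history and, briefly, in `ps` output). The sample error line is constructed from the shape quoted in the answers; its hash is the page's own example value.

```shell
#!/bin/sh
# Added example wrapper around the openconnect command lines from the answers above.
# Not part of the original question, answers, or the openconnect project.
# Assumptions (hypothetical, not from the page): VPN_RUNNER dry-run override,
# and a password file with mode 600.

# Constructed sample of the mismatch error; the hash is the page's example value.
SAMPLE_ERR="Server SSL certificate didn't match: pin-sha256:76v/J0dQR44xdeBCxKUq/Slvtikc+0xTyRdjaZk/5fA="

# Pull the "pin-sha256:..." token out of saved openconnect output.
# Prints the pin and returns 0; prints nothing and returns 1 if none is present.
extract_pin() {
    pin=$(printf '%s\n' "$1" | sed -n 's|.*\(pin-sha256:[A-Za-z0-9+/=]*\).*|\1|p' | head -n 1)
    [ -n "$pin" ] || return 1
    printf '%s\n' "$pin"
}

# Accept the secret file only if it is a regular file with no group/other
# permission bits, so other local users cannot read the VPN password.
# ls -ld is used instead of stat because its output is the same on GNU and BSD.
secret_file_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# vpn_connect SERVER USER PIN PASSWORD_FILE [2FA_CODE]
# The password (first line of the file) and, optionally, the 2FA code go to
# openconnect's stdin via --passwd-on-stdin; the pin from extract_pin goes to
# --servercert so the server identity is checked instead of skipped.
vpn_connect() {
    server=$1; user=$2; pin=$3; secret=$4; code=${5:-}
    secret_file_ok "$secret" || { echo "refusing: $secret must be mode 600" >&2; return 2; }
    {
        # Command substitution strips trailing newlines; printf adds exactly one.
        printf '%s\n' "$(head -n 1 "$secret")"
        if [ -n "$code" ]; then
            # dux2's answer pauses so the second prompt is ready before the code is sent.
            sleep 1
            printf '%s\n' "$code"
        fi
    } | ${VPN_RUNNER:-sudo openconnect} "$server" \
            --protocol=anyconnect --user="$user" --passwd-on-stdin --servercert "$pin"
    # VPN_RUNNER is deliberately unquoted so "sudo openconnect" splits into two words.
}
```

Typical use: run openconnect once without `--servercert`, save the error line, pass it to `extract_pin`, and keep the resulting pin next to the server name; from then on `vpn_connect` refuses to start if the password file is readable by anyone else and fails closed if the server's certificate no longer matches the pin.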
0

You can try this very easy-to-use shell script: https://github.com/sorinipate/vpn-up-for-openconnect

From the project's description:

vpn-up-for-openconnect

VPN Up for OpenConnect

Features

A shell script for openconnect which allows:

  • to define multiple VPN connections
  • to run openconnect without entering the username and password.

Sample configuration section

#Company VPN
export COM_NAME="My Company VPN"
export COM_HOST=vpn.mycompany.com
export COM_AUTHGROUP=developers
export COM_USER=sorin.ipate
export COM_PASSWD="MyPassword"

Run VPN Up

% alias vpn-up='~/bin/vpn-up.command'
% vpn-up
BeastOfCaerbannog
0
echo "YourPassword" | sudo openconnect vpn.yourserver.com --user=yourUseraname --passwd-on-stdin
  • For me password needs " "
  • In the latest version --no-cert-check is deprecated from the command argument by openconnect (my version: OpenConnect version v7.08-3ubuntu0.18.04.2)
Zanna