OPENCONNECT(8)OPENCONNECT(8)NAME
openconnect - Connect to Cisco AnyConnect VPN
SYNOPSIS
openconnect [--config configfile] [-b,--background]
[--pid-file pidfile] [-c,--certificate cert]
[-e,--cert-expire-warning days] [-k,--sslkey key]
[-C,--cookie cookie] [--cookie-on-stdin]
[--compression MODE] [-d,--deflate] [-D,--no-deflate]
[--force-dpd interval] [-g,--usergroup group] [-h,--help]
[--http-auth methods] [-i,--interface ifname] [-l,--syslog]
[--timestamp] [-U,--setuid user] [--csd-user user]
[-m,--mtu mtu] [--basemtu mtu] [-p,--key-password pass]
[-P,--proxy proxyurl] [--proxy-auth methods] [--no-proxy]
[--libproxy] [--key-password-from-fsid] [-q,--quiet]
[-Q,--queue-len len] [-s,--script vpnc-script]
[-S,--script-tun] [-u,--user name] [-V,--version]
[-v,--verbose] [-x,--xmlconfig config] [--authgroup group]
[--authenticate] [--cookieonly] [--printcookie]
[--cafile file] [--disable-ipv6] [--dtls-ciphers list]
[--dtls-local-port port] [--dump-http-traffic]
[--no-cert-check] [--no-system-trust] [--pfs] [--no-dtls]
[--no-http-keepalive] [--no-passwd] [--no-xmlpost]
[--non-inter] [--passwd-on-stdin] [--token-mode mode]
[--token-secret {secret[,counter]|@file}]
[--reconnect-timeout] [--servercert sha1]
[--useragent string] [--os string]
[https://]server[:port][/group]
DESCRIPTION
The program openconnect connects to Cisco "AnyConnect" VPN servers,
which use standard TLS and DTLS protocols for data transport.
The connection happens in two phases. First there is a simple HTTPS
connection over which the user authenticates somehow - by using a cer‐
tificate, or password or SecurID, etc. Having authenticated, the user
is rewarded with an HTTP cookie which can be used to make the real VPN
connection.
The second phase uses that cookie in an HTTPS CONNECT request, and data
packets can be passed over the resulting connection. In auxiliary head‐
ers exchanged with the CONNECT request, a Session-ID and Master Secret
for a DTLS connection are also exchanged, which allows data transport
over UDP to occur.
OPTIONS
--config=CONFIGFILE
Read further options from CONFIGFILE before continuing to
process options from the command line. The file should contain
long-format options as would be accepted on the command line,
but without the two leading -- dashes. Empty lines, or lines
where the first non-space character is a # character, are
ignored.
Any option except the config option may be specified in the
file.
-b,--background
Continue in background after startup
--pid-file=PIDFILE
Save the pid to PIDFILE when backgrounding
-c,--certificate=CERT
Use SSL client certificate CERT which may be either a file name
or, if OpenConnect has been built with an appropriate version of
GnuTLS, a PKCS#11 URL.
-e,--cert-expire-warning=DAYS
Give a warning when SSL client certificate has DAYS left before
expiry
-k,--sslkey=KEY
Use SSL private key KEY which may be either a file name or, if
OpenConnect has been built with an appropriate version of
GnuTLS, a PKCS#11 URL.
-C,--cookie=COOKIE
Use WebVPN cookie. COOKIE
--cookie-on-stdin
Read cookie from standard input.
-d,--deflate
Enable all compression, including stateful modes. By default,
only stateless compression algorithms are enabled.
-D,--no-deflate
Disable all compression.
--compression=MODE
Set compression mode, where MODE is one of stateless , none , or
all .
By default, only stateless compression algorithms which do not
maintain state from one packet to the next (and which can be
used on UDP transports) are enabled. By setting the mode to all
stateful algorithms (currently only zlib deflate) can be
enabled. Or all compression can be disabled by setting the mode
to none .
--force-dpd=INTERVAL Use INTERVAL as minimum Dead Peer Detection
interval for CSTP and DTLS, forcing use of DPD even when the
server doesn't request it.
-g,--usergroup=GROUP
Use GROUP as login UserGroup
-h,--help
Display help text
--http-auth=METHODS
Use only the specified methods for HTTP authentication to a
server. By default, only Negotiate, NTLM and Digest authentica‐
tion are enabled. Basic authentication is also supported but
because it is insecure it must be explicitly enabled. The argu‐
ment is a comma-separated list of methods to be enabled. Note
that the order does not matter: OpenConnect will use Negotiate,
NTLM, Digest and Basic authentication in that order, if each is
enabled, regardless of the order specified in the METHODS
string.
-i,--interface=IFNAME
Use IFNAME for tunnel interface
-l,--syslog
Use syslog for progress messages
--timestamp
Prepend a timestamp to each progress message
-U,--setuid=USER
Drop privileges after connecting, to become user USER
--csd-user=USER
Drop privileges during CSD (Cisco Secure Desktop) script execu‐
tion.
--csd-wrapper=SCRIPT
Run SCRIPT instead of the CSD (Cisco Secure Desktop) script.
-m,--mtu=MTU
Request MTU from server as the MTU of the tunnel.
--basemtu=MTU
Indicate MTU as the path MTU between client and server on the
unencrypted network. Newer servers will automatically calculate
the MTU to be used on the tunnel from this value.
-p,--key-password=PASS
Provide passphrase for certificate file, or SRK (System Root
Key) PIN for TPM
-P,--proxy=PROXYURL
Use HTTP or SOCKS proxy for connection. A username and password
can be provided in the given URL, and will be used for authenti‐
cation. If authentication is required but no credentials are
given, GSSAPI and automatic NTLM authentication using Samba's
ntlm_auth helper tool may be attempted.
--proxy-auth=METHODS
Use only the specified methods for HTTP authentication to a
proxy. By default, only Negotiate, NTLM and Digest authentica‐
tion are enabled. Basic authentication is also supported but
because it is insecure it must be explicitly enabled. The argu‐
ment is a comma-separated list of methods to be enabled. Note
that the order does not matter: OpenConnect will use Negotiate,
NTLM, Digest and Basic authentication in that order, if each is
enabled, regardless of the order specified in the METHODS
string.
--no-proxy
Disable use of proxy
--libproxy
Use libproxy to configure proxy automatically (when built with
libproxy support)
--key-password-from-fsid
Passphrase for certificate file is automatically generated from
the fsid of the file system on which it is stored. The fsid is
obtained from the statvfs(2) or statfs(2) system call, depending
on the operating system. On a Linux or similar system with GNU
coreutils, the fsid used by this option should be equal to the
output of the command:
stat --file-system --printf=%i\\n $CERTIFICATE
It is not the same as the 128-bit UUID of the file system.
-q,--quiet
Less output
-Q,--queue-len=LEN
Set packet queue limit to LEN pkts
-s,--script=SCRIPT
Invoke SCRIPT to configure the network after connection. Without
this, routing and name service are unlikely to work correctly.
The script is expected to be compatible with the vpnc-script
which is shipped with the "vpnc" VPN client. See
http://www.infradead.org/openconnect/vpnc-script.html for more
information. This version of OpenConnect is configured to use
/usr/local/sbin/vpnc-script by default.
On Windows, a relative directory for the default script will be
handled as starting from the directory that the openconnect exe‐
cutable is running from, rather than the current directory. The
script will be invoked with the command-based script host
cscript.exe.
-S,--script-tun
Pass traffic to 'script' program over a UNIX socket, instead of
to a kernel tun/tap device. This allows the VPN IP traffic to be
handled entirely in userspace, for example by a program which
uses lwIP to provide SOCKS access into the VPN.
-u,--user=NAME
Set login username to NAME
-V,--version
Report version number
-v,--verbose
More output (may be specified multiple times for additional out‐
put)
-x,--xmlconfig=CONFIG
XML config file
--authgroup=GROUP
Choose authentication login selection
--authenticate
Authenticate only, and output the information needed to make the
connection a form which can be used to set shell environment
variables. When invoked with this option, openconnect will not
make the connection, but if successful will output something
like the following to stdout:
COOKIE=3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...
HOST=10.0.0.1
FINGERPRINT=469bb424ec8835944d30bc77c77e8fc1d8e23a42
Thus, you can invoke openconnect as a non-privileged user (with
access to the user's PKCS#11 tokens, etc.) for authentication,
and then invoke openconnect separately to make the actual con‐
nection as root:
eval `openconnect --authenticate https://vpnserver.example.com`;
[ -n $COOKIE ] && echo $COOKIE |
sudo openconnect --cookie-on-stdin $HOST --servercert $FINGERPRINT
--cookieonly
Fetch webvpn cookie only; don't connect
--printcookie
Print webvpn cookie before connecting
--cafile=FILE
Cert file for server verification
--disable-ipv6
Do not advertise IPv6 capability to server
--dtls-ciphers=LIST
Set OpenSSL ciphers to support for DTLS
--dtls-local-port=PORT
Use PORT as the local port for DTLS datagrams
--dump-http-traffic
Enable verbose output of all HTTP requests and the bodies of all
responses received from the server.
--no-cert-check
Do not require server SSL certificate to be valid. Checks will
still happen and failures will cause a warning message, but the
connection will continue anyway. You should not need to use this
option - if your servers have SSL certificates which are not
signed by a trusted Certificate Authority, you can still add
them (or your private CA) to a local file and use that file with
the --cafile option.
--no-system-trust
Do not trust the system default certificate authorities. If this
option is given, only certificate authorities given with the
--cafile option, if any, will be trusted automatically.
--pfs Enforces Perfect Forward Secrecy (PFS). That ensures that if the
server's long-term key is compromised, any session keys estab‐
lished before the compromise will be unaffected. If this option
is provided and the server does not support PFS in the TLS chan‐
nel the connection will fail.
PFS is available in Cisco ASA releases 9.1(2) and higher; a
suitable cipher suite may need to be manually enabled by the
administrator using the ssl encryption setting.
--no-dtls
Disable DTLS
--no-http-keepalive
Version 8.2.2.5 of the Cisco ASA software has a bug where it
will forget the client's SSL certificate when HTTP connections
are being re-used for multiple requests. So far, this has only
been seen on the initial connection, where the server gives an
HTTP/1.0 redirect response with an explicit Connection:
Keep-Alive directive. OpenConnect as of v2.22 has an uncondi‐
tional workaround for this, which is never to obey that direc‐
tive after an HTTP/1.0 response.
However, Cisco's support team has failed to give any competent
response to the bug report and we don't know under what other
circumstances their bug might manifest itself. So this option
exists to disable ALL re-use of HTTP sessions and cause a new
connection to be made for each request. If your server seems not
to be recognising your certificate, try this option. If it makes
a difference, please report this information to the opencon‐
nect-devel@lists.infradead.org mailing list.
--no-passwd
Never attempt password (or SecurID) authentication.
--no-xmlpost
Do not attempt to post an XML authentication/configuration
request to the server; use the old style GET method which was
used by older clients and servers instead.
This option is a temporary safety net, to work around potential
compatibility issues with the code which falls back to the old
method automatically. It causes OpenConnect to behave more like
older versions (4.08 and below) did. If you find that you need
to use this option, then you have found a bug in OpenConnect.
Please see http://www.infradead.org/openconnect/mail.html and
report this to the developers.
--non-inter
Do not expect user input; exit if it is required.
--passwd-on-stdin
Read password from standard input
--token-mode=MODE
Enable one-time password generation using the MODE algorithm.
--token-mode=rsa will call libstoken to generate an RSA SecurID
tokencode, --token-mode=totp will call liboath to generate an
RFC 6238 time-based password, and --token-mode=hotp will call
liboath to generate an RFC 4226 HMAC-based password. Yubikey
tokens which generate OATH codes in hardware are supported with
--token-mode=yubioath
--token-secret={ SECRET[,COUNTER] | @FILENAME }
The secret to use when generating one-time passwords/verifica‐
tion codes. Base 32-encoded TOTP/HOTP secrets can be used by
specifying "base32:" at the beginning of the secret, and for
HOTP secrets the token counter can be specified following a
comma.
RSA SecurID secrets can be specified as an Android/iPhone URI or
a raw numeric CTF string (with or without dashes).
For Yubikey OATH the token secret specifies the name of the cre‐
dential to be used. If not provided, the first OATH credential
found on the device will be used.
FILENAME, if specified, can contain any of the above strings.
Or, it can contain a SecurID XML (SDTID) seed.
If this option is omitted, and --token-mode is "rsa", libstoken
will try to use the software token seed saved in ~/.stokenrc by
the "stoken import" command.
--reconnect-timeout
Keep reconnect attempts until so much seconds are elapsed. The
default timeout is 300 seconds, which means that openconnect can
recover VPN connection after a temporary network down time of
300 seconds.
--servercert=SHA1
Accept server's SSL certificate only if its fingerprint matches
SHA1.
--useragent=STRING
Use STRING as 'User-Agent:' field value in HTTP header. (e.g.
--useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
--os=STRING
OS type to report to gateway. Recognized values are: linux,
linux-64, win, mac-intel, android, apple-ios. Reporting a dif‐
ferent OS type may affect the dynamic access policy (DAP)
applied to the VPN session. If the gateway requires CSD, it
will also cause the corresponding CSD trojan binary to be down‐
loaded, so you may need to use --csd-wrapper if this code is not
executable on the local machine.
SIGNALS
In the data phase of the connection, the following signals are handled:
SIGINT performs a clean shutdown by logging the session off, discon‐
necting from the gateway, and running the vpnc-script to restore
the network configuration.
SIGHUP disconnects from the gateway and runs the vpnc-script, but does
not log the session off; this allows for reconnection later
using --cookie.
SIGUSR2
forces an immediate disconnection and reconnection; this can be
used to quickly recover from LAN IP address changes.
SIGTERM
exits immediately without logging off or running vpnc-script.
LIMITATIONS
Note that although IPv6 has been tested on all platforms on which open‐
connect is known to run, it depends on a suitable vpnc-script to con‐
figure the network. The standard vpnc-script shipped with vpnc 0.5.3 is
not capable of setting up IPv6 routes; the one from
git://git.infradead.org/users/dwmw2/vpnc-scripts.git will be required.
AUTHORS
David Woodhouse <dwmw2@infradead.org>
OPENCONNECT(8)