Connecting to the VPN
Once you have installed OpenConnect and checked that you have a vpnc-script which will set up the routing and DNS for it, using OpenConnect is very simple. As root, run the following command for an AnyConnect/ocserv VPN:
- openconnect https://vpn.mycompany.com/
- openconnect --protocol=gp https://vpn.mycompany.com/
That should be it, if you have a password-based login. If your VPN uses TLS/SSL client certificates for authentication, you'll need to tell OpenConnect where to find the certificate with the -c option.
You can provide the certificate either as the file name of a PKCS#12 or PEM file, or if OpenConnect is built against a suitable version of GnuTLS you can provide the certificate in the form of a PKCS#11 URI. If the private key is in a separate file from the certificate, this must be specified with -k:
- openconnect -c cert_and_private_key.pem https://vpn.mycompany.com/
- openconnect -c certificate.pem -k private_key.pem https://vpn.mycompany.com/
- openconnect -c pkcs11:id=X_%b04%c3%85%d4u%e7%0b%10v%08%c9%0dA%8f%3bl%df https://vpn.mycompany.com/
- openconnect -c system:win:id=37835fdcdfe2817ee22d6b161e54812fe95867fe https://vpn.mycompany.com/
See the manual for additional options which can be used to tune OpenConnect's connections, and automate various aspects of the authentication process (e.g. populating multi-factor authentication codes using RSA- or OATH-based soft tokens).
Windows certificate store
If your certificate is in the system certificate store, OpenConnect should be able to use it when built against GnuTLS, as a "system key".
To find the system:win:… URI to use for your key with the list-system-keys.exe tool included with OpenConnect. Its output might look something like the following:
Label: (null) Cert URI: system:win:id=37835fdcdfe2817ee22d6b161e54812fe95867fe;type=cert Key URI: system:win:id=37835fdcdfe2817ee22d6b161e54812fe95867fe;type=privkey Cert info: subject `CN=d1ab215ccab521bc', issuer `CN=Token Signing Public Key', serial 0x2ce0193a3ecf4da9f0591cee9158e48ec53a8e54, RSA key 1024 bits, signed using DSA-SHA1 (broken!), activated `2020-05-07 06:48:59 UTC', expires `2020-05-14 06:48:59 UTC', pin-sha256="2XOidBPfppXj4REiuj9fIE3UYQK6TTQIODQajIOiLFi=" |
Note that as of the time of writing (2022-05-22; GnuTLS v3.7.5), GnuTLS is only able to use keys from the CERT_SYSTEM_STORE_CURRENT_USER store in Windows, not the CERT_SYSTEM_STORE_LOCAL_MACHINE or other locations. This is reported as GnuTLS issue #1365.
Even where the certificate is marked as "non-exportable", some have succeeded in stealing certificates from their Windows certificate store using tools like Jailbreak and mimikatz.