I've used an RSA key fob to generate tokens for VPN for as long as I can remember using VPN. Today, my key fob "expired" and I was forced to switch to an application-based token generator. Along with this came an "upgrade" to Cisco AnyConnect, which I have heard nothing but negative things about from my coworkers. I knew that I did not want to install the client because it destroys routing to all local networks, including those running in local docker instances.

So, I decided to give the open-source openconnect a shot. I was able to install openconnect and the required TUNTAP driver via Homebrew very easily:

brew install openconnect
brew install Caskroom/cask/tuntap

I was immediately able to connect to the VPN using:

sudo openconnect -u username vpn.example.com

But connecting in this way requires a number of extra interactions with the script from the command line, and it would be tedious to use like this multiple times a day. I was encouraged that I had a working VPN client that allowed me to connect to remote resources as well as systems on my local network.

I wanted to be able to execute a single command, enter the RSA token, and have the VPN up and running. I then tested a number of different options, and I was able to get it working as I wanted, but I was hesitant to type all the necessary command line options every time. I moved all the command line options I could to a config file and created start and stop scripts that I put on GitHub. Mission accomplished.

If you clone these scripts, create a config file, and edit the start_vpn script to contain both the path to your config and the address of your VPN server, you should have a very easy-to-use VPN.

I added one thing to my start_vpn script that is not on GitHub. My script looks like this:

sudo openconnect -b --config /Users/doby/path/to/vpn.conf vpn.example.com > vpn.log 2>&1

This sends all output to the log file, but it also eats the prompt for the RSA token in the process. It doesn't bother me because I know what's happening, but I didn't want to try to explain it on GitHub.
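Added example, not the author's GitHub scripts: a start/stop pair that keeps the log redirection but reads the token from the terminal with echo off and hands it to openconnect over stdin (`--passwd-on-stdin`), so the prompt is not swallowed and the token never appears in `ps` output or in the log. The paths, the `SUDO`/`OPENCONNECT_BIN` overrides, and the optional `VPN_TOKEN` variable are assumptions made for this example.

```shell
#!/bin/sh
# Start/stop wrappers for openconnect (added example; assumptions noted inline).
set -eu

: "${SUDO:=sudo}"                                  # set SUDO="" to run unprivileged (tests)
: "${OPENCONNECT_BIN:=openconnect}"
: "${VPN_CONF:=$HOME/path/to/vpn.conf}"            # placeholder: your openconnect config
: "${VPN_HOST:=vpn.example.com}"
: "${VPN_LOG:=$HOME/vpn.log}"
: "${VPN_PID:=/var/run/openconnect.pid}"

vpn_start() {
    # VPN_TOKEN is an assumed escape hatch for non-interactive use; normally we prompt.
    local token="${VPN_TOKEN:-}"
    if [ -z "$token" ]; then
        # Prompt on the terminal, not stdout, so redirecting output does not hide it;
        # echo is turned off so the token is not shown or recorded in scrollback.
        printf 'RSA token: ' >/dev/tty
        stty -echo </dev/tty; IFS= read -r token </dev/tty; stty echo </dev/tty
        echo >/dev/tty
    fi
    # Truncate the log and keep it private: it records the gateway, routes and any errors.
    : >"$VPN_LOG" && chmod 600 "$VPN_LOG"
    # The token travels over stdin, never as an argument, so it is invisible in `ps`.
    printf '%s\n' "$token" | $SUDO "$OPENCONNECT_BIN" --background --pid-file="$VPN_PID" \
        --passwd-on-stdin --config "$VPN_CONF" "$VPN_HOST" >>"$VPN_LOG" 2>&1
}

vpn_stop() {
    local pid
    [ -f "$VPN_PID" ] || { echo "vpn_stop: no pid file at $VPN_PID" >&2; return 1; }
    pid=$(cat "$VPN_PID")
    if ! $SUDO kill -0 "$pid" 2>/dev/null; then
        echo "vpn_stop: pid $pid is not running, removing stale pid file" >&2
        $SUDO rm -f "$VPN_PID"
        return 1
    fi
    # SIGINT makes openconnect tear the tunnel down and restore routing cleanly.
    $SUDO kill -INT "$pid"
}
```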