Connecting to the VPN

Once you have installed OpenConnect and checked that you have a vpnc-script which will set up the routing and DNS for it, using OpenConnect is very simple. As root, run the following command for an AnyConnect/ocserv VPN:

  • openconnect https://vpn.mycompany.com/
For one of the other supported protocols, you'll need to add --protocol. For example, for a Palo Alto Networks GlobalProtect VPN:
  • openconnect --protocol=gp https://vpn.mycompany.com/

That should be it, if you have a password-based login. If your VPN uses TLS/SSL client certificates for authentication, you'll need to tell OpenConnect where to find the certificate with the -c option.

You can provide the certificate either as the file name of a PKCS#12 or PEM file, or if OpenConnect is built against a suitable version of GnuTLS you can provide the certificate in the form of a PKCS#11 URI. If the private key is in a separate file from the certificate, this must be specified with -k:

  • openconnect -c cert_and_private_key.pem https://vpn.mycompany.com/
  • openconnect -c certificate.pem -k private_key.pem https://vpn.mycompany.com/
  • openconnect -c pkcs11:id=X_%b04%c3%85%d4u%e7%0b%10v%08%c9%0dA%8f%3bl%df https://vpn.mycompany.com/
  • openconnect -c system:win:id=37835fdcdfe2817ee22d6b161e54812fe95867fe https://vpn.mycompany.com/

See the manual for additional options which can be used to tune OpenConnect's connections, and automate various aspects of the authentication process (e.g. populating multi-factor authentication codes using RSA- or OATH-based soft tokens).

Windows certificate store

If your certificate is in the system certificate store, OpenConnect should be able to use it when built against GnuTLS, as a "system key".

To find the system:win:… URI to use for your key with the list-system-keys.exe tool included with OpenConnect. Its output might look something like the following: 
Label: (null)
Cert URI: system:win:id=37835fdcdfe2817ee22d6b161e54812fe95867fe;type=cert
Key URI: system:win:id=37835fdcdfe2817ee22d6b161e54812fe95867fe;type=privkey
Cert info: subject `CN=d1ab215ccab521bc', issuer `CN=Token Signing Public Key', serial 0x2ce0193a3ecf4da9f0591cee9158e48ec53a8e54, RSA key 1024 bits, signed using DSA-SHA1 (broken!), activated `2020-05-07 06:48:59 UTC', expires `2020-05-14 06:48:59 UTC', pin-sha256="2XOidBPfppXj4REiuj9fIE3UYQK6TTQIODQajIOiLFi="
You can choose the certificate you need to use, and provide it to OpenConnect with the -c argument as shown in the last example above; omitting the ;type= part.

Note that as of the time of writing (2022-05-22; GnuTLS v3.7.5), GnuTLS is only able to use keys from the CERT_SYSTEM_STORE_CURRENT_USER store in Windows, not the CERT_SYSTEM_STORE_LOCAL_MACHINE or other locations. This is reported as GnuTLS issue #1365.

Even where the certificate is marked as "non-exportable", some have succeeded in stealing certificates from their Windows certificate store using tools like Jailbreak and mimikatz.