
I use openconnect from the terminal on Ubuntu 16.04. When I want to run it, I need to go through three prompts:

  • "yes/no"
  • "username"
  • "password"

How can I bypass the above prompts and run openconnect in a single line (e.g. using openconnect options)?
Is there an option for that, something like the following line?

sudo openconnect <server-name> --user=<'username'> --pass=<'password'>

I used openconnect --help and found a way to fill in the username, but I have no idea how to fill in the password or handle the SSL verification.

8 Answers


If you type man openconnect in a terminal you will get a manual page describing usage.

Relevant sections:

-u,--user=NAME
Set login username to NAME

--passwd-on-stdin
Read password from standard input

Additionally, you may need to disable certificate warnings:

--no-cert-check
Do not require server SSL certificate to be valid. Checks will still happen and failures will cause a warning message, but the connection will continue anyway. You should not need to use this option - if your servers have SSL certificates which are not signed by a trusted Certificate Authority, you can still add them (or your private CA) to a local file and use that file with the --cafile option.

Or you could add the certificate to a file.

All this can be combined:

echo "password" | sudo openconnect server --user=username --passwd-on-stdin --no-cert-check
vidarlo
  • The answer above is still correct except for --no-cert-check, which has been removed due to security risks. This is the error message now when using it: The --no-cert-check option was insecure and has been removed. Fix your server's certificate or use --servercert to trust it. (can't comment above because not enough points; mods feel free to clear this up) – movAX13h Dec 18 '18 at 14:21
  • Seems like if they prompt for 2FA it goofs up the response code if you do --passwd-on-stdin – Mark Jan 05 '21 at 17:10
  • You can pass both the password and the 2FA pin on stdin (on separate lines). – larsks Apr 30 '24 at 19:06

I was able to automate the sudo password, VPN user, VPN password and secondary challenge using the following command (tested on mac):

challange=<code> && sudo -S <<< "<sudo_password>" echo I am super user && { printf '<vpn_password>\n'; sleep 1; printf "$challange\n"; } | sudo openconnect <server_name> --user <vpn_username> --passwd-on-stdin
dux2
  • <code> is some code/number you get from a 2-Factor Authentication (2FA) service. In my case it's a smartphone application with some rotating number. – dux2 Nov 19 '20 at 10:43
  • This worked perfectly fine with my MFA. One change that I made was to create a sh file and pass the MFA code as an arg to it. Change in script: `challange="$1"`; script name: vpn.sh; terminal: `./vpn.sh` – r-sniper Dec 28 '20 at 05:50
  • I can't thank you enough for this. For me, nothing worked, including recording and modifying a script through autoexpect; I even tried putting together a pexpect python script, nothing worked. This was the only thing out of many that worked. I automated the MFA challenge with a script, and now this is fully automated. Thank you. – R J Sep 06 '21 at 01:04

This works for me:

echo mypassword | openconnect --protocol=anyconnect --user=myusername --passwd-on-stdin <server-name>
arbuzov
  • yep, this works if the server does not require a certificate. You can also omit --protocol=anyconnect since it's the default value anyway. – Wlad Feb 01 '21 at 13:17

To skip the certificate check: the --no-cert-check parameter was removed in newer versions. You can use --servercert instead.

--servercert sha256:sdflkdsjflsdjkfds

  • Actually, I don't have any server certificate; in this new version how can I bypass it? – Benyamin Jafari Jan 10 '21 at 11:46
  • @BenyaminJafari when you run that command, openconnect gives you an error message that contains Server SSL certificate didn't match: pin-sha256:76v/J0dQR44xdeBCxKUq/Slvtikc+0xTyRdjaZk/5fA= ; the pin-sha256:76v/J0dQR44xdeBCxKUq/Slvtikc+0xTyRdjaZk/5fA= is your servercert. – SdSaati Aug 22 '21 at 23:55
  • @SdSaati Yes, that's right. – Benyamin Jafari Aug 25 '21 at 06:41

After reading the other solutions, this is the script that finally works for me:

echo "PASSWORD" | sudo openconnect --protocol=anyconnect SERVER --user=USERNAME --passwd-on-stdin --servercert SERVERCERT

When you run the above command without SERVERCERT (because you don't have it), it gives you an error that contains the SERVERCERT inside it, something like: Server SSL certificate didn't match: pin-sha256:76v/J0dQR44xdeBCxKUq/Slvtikc+0xTyRdjaZk/5fA= and that's it; the string starting with pin-sha256:... (the whole of it, including pin-sha256 itself) is your SERVERCERT.

So the final result in this case, for example, is:

echo "PASSWORD" | sudo openconnect --protocol=anyconnect SERVER --user=USERNAME --passwd-on-stdin --servercert pin-sha256:76v/J0dQR44xdeBCxKUq/Slvtikc+0xTyRdjaZk/5fA=
SdSaati

You can try this very easy to use shell script: https://github.com/sorinipate/vpn-up-for-openconnect

From the project's description:

vpn-up-for-openconnect

VPN Up for OpenConnect

Features

A shell script for openconnect which allows:

  • to define multiple VPN connections
  • to run openconnect without entering the username and password.

Sample configuration section

#Company VPN
export COM_NAME="My Company VPN"
export COM_HOST=vpn.mycompany.com
export COM_AUTHGROUP=developers
export COM_USER=sorin.ipate
export COM_PASSWD="MyPassword"

Run VPN Up

% alias vpn-up='~/bin/vpn-up.command'
% vpn-up
echo "YourPassword" | sudo openconnect vpn.yourserver.com --user=yourUseraname --passwd-on-stdin
  • For me the password needs " "
  • In the latest version, --no-cert-check is deprecated as a command argument by openconnect (my version: OpenConnect version v7.08-3ubuntu0.18.04.2)
Zanna

I highly suggest against putting your password into your command history or in your scripts. Instead, use a password vault. Here's how to do it with GNOME's libsecret:

First, install the command-line interface: sudo apt install libsecret-tools

Set your password: secret-tool store --label="AnyConnect to Fillory" vpn fillory
You will be prompted for the password. This uses key vpn and value fillory, which are used in the lookup (you can't use the label).

Now you're good to go:

secret-tool lookup vpn fillory |sudo openconnect --user=$USER --passwd-on-stdin \
  --cafile="$HOME/.vpn-ca.pem" https://vpn.fillory.example.com
Adam Katz
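As an added example (not code from any answer above), here is a small POSIX sh wrapper that combines the pieces the answers describe: it extracts the pin-sha256 value from openconnect's certificate-mismatch message so the pin can be passed with --servercert instead of the removed --no-cert-check, sends the password and an optional one-time code on stdin on separate lines, and takes the password from secret-tool so it never lands in shell history or the process list. The function names and the sample error text are constructed; the pin value is the one quoted in the answers above.

```shell
#!/bin/sh
# Added example, not from the page's answers. Hypothetical helper names:
# vpn_pin_from_error, vpn_stdin_payload, vpn_run.

# Pull the "pin-sha256:..." token out of openconnect's mismatch message, e.g.
#   Server SSL certificate didn't match: pin-sha256:<base64>
# Run once, verify the pin out of band, then store it for --servercert.
vpn_pin_from_error() {
    sed -n 's|.*\(pin-sha256:[A-Za-z0-9+/=]*\).*|\1|p' | head -n 1
}

# Build what openconnect reads with --passwd-on-stdin: the password on the first
# line, then (only if given) the one-time code on its own line.
vpn_stdin_payload() {
    password="$1"; otp="$2"
    printf '%s\n' "$password"
    [ -n "$otp" ] && printf '%s\n' "$otp"
    return 0
}

# Connect non-interactively. Refuses to run unless a pin-sha256 pin is supplied,
# so the old --no-cert-check behaviour cannot be reintroduced by accident.
# Usage: vpn_run SERVER USER PIN [OTP]
vpn_run() {
    server="$1"; user="$2"; pin="$3"; otp="$4"
    case "$pin" in
        pin-sha256:*) ;;
        *) echo "vpn_run: refusing to connect without a pin-sha256 server pin" >&2
           return 2 ;;
    esac
    # Password from the GNOME keyring (secret-tool, as in the answer above),
    # stored earlier with: secret-tool store --label="VPN" vpn "$server"
    password=$(secret-tool lookup vpn "$server") || return 1
    vpn_stdin_payload "$password" "$otp" |
        sudo openconnect --protocol=anyconnect --user="$user" --passwd-on-stdin \
            --servercert "$pin" "$server"
}
```

To obtain the pin the first time, run openconnect once without --servercert and pipe its stderr through vpn_pin_from_error; on later runs pass the stored pin to vpn_run.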