Connecting to the VPN

Once you have installed OpenConnect and checked that you have a vpnc-script which will set up the routing and DNS for it, using OpenConnect is very simple. As root, run the following command for an AnyConnect/ocserv VPN:

For one of the other supported protocols, you'll need to add --protocol. For example, for a PAN GlobalProtect VPN:

That should be it, if you have a password-based login. If your VPN uses TLS/SSL client certificates for authentication, you'll need to tell OpenConnect where to find the certificate with the -c option.

You can provide the certificate either as the file name of a PKCS#12 or PEM file, or if OpenConnect is built against a suitable version of GnuTLS you can provide the certificate in the form of a PKCS#11 URL. If the private key is in a separate file from the certificate, this must be specified with -k:
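The login styles described above, as an added example that is not part of the OpenConnect documentation: it prints (does not run) the matching command line and adds two pre-flight checks of its own, that a PEM certificate given without -k really contains its private key and that the key file is not accessible to group or others. The host `vpn.example.com`, the file names and the helper function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: print (do not run) the openconnect command line for the
# login styles described above. Host and file names are placeholders.

# True if FILE ($1) contains a PEM block of kind $2 (CERTIFICATE, PRIVATE KEY).
has_pem() { grep -q -- "-----BEGIN .*$2-----" "$1"; }

# True if FILE grants nothing to group or others (reads the ls mode string).
private_mode() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# oc_cmd URL [PROTOCOL] [CERT] [KEY] -> prints the command, or fails with a reason
oc_cmd() {
    url=$1; proto=${2:-}; cert=${3:-}; key=${4:-}
    cmd="openconnect"
    if [ -n "$proto" ]; then cmd="$cmd --protocol=$proto"; fi
    case $cert in
        "") ;;                                    # password-based login
        pkcs11:*) cmd="$cmd -c '$cert'" ;;        # PKCS#11 URL, no file to check
        *)
            [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
            keyfile=$cert                         # PKCS#12 or combined PEM
            if [ -n "$key" ]; then
                keyfile=$key                      # separate key file, needs -k
            elif has_pem "$cert" CERTIFICATE && ! has_pem "$cert" "PRIVATE KEY"; then
                echo "$cert has no private key; pass the key file as well" >&2
                return 2
            fi
            private_mode "$keyfile" || {
                echo "$keyfile is accessible to group/others; chmod 600 it" >&2
                return 3
            }
            cmd="$cmd -c '$cert'"
            if [ -n "$key" ]; then cmd="$cmd -k '$key'"; fi
            ;;
    esac
    echo "$cmd $url"
}

# Constructed sample calls; the printed commands are meant to be run as root.
oc_cmd https://vpn.example.com/            # AnyConnect/ocserv, password login
oc_cmd https://vpn.example.com/ gp         # PAN GlobalProtect
```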

See the manual for additional options which can be used to tune OpenConnect's connections, and automate various aspects of the authentication process (e.g. populating multi-factor authentication codes using RSA- or OATH-based soft tokens).

Extracting certificates from Windows

If your certificate is stored on a Windows system, and marked as "non-exportable", you might need to steal the certificate from your Windows certificate store using a tool like Jailbreak.