DEV Community
A safer OpenConnect workflow for Cisco AnyConnect VPNs on macOS and Linux
If your organization uses Cisco AnyConnect, GlobalProtect, Pulse Secure, Juniper, or another SSL VPN, the official desktop client is often the default option. But for developers, consultants, DevOps engineers, and support teams working on macOS or Linux, a terminal-first workflow is often faster, clearer, and easier to automate. That is why many technical users rely on OpenConnect.

OpenConnect is a powerful open-source VPN client, but raw usage can become repetitive when you work across multiple environments. A typical command might look like this:

```bash
sudo openconnect --protocol=anyconnect \
  --authgroup=Employees \
  --user=your.username \
  --servercert pin-sha256:... \
  vpn.example.com
```

It works, but it is not always a good daily workflow. No named profiles. No convenient way to manage multiple gateways. No structured secret storage. No simple status command. No guided certificate pinning. No easy auto-reconnect setup. No smoother handling of Duo 2FA.

That is the gap VPN Up for OpenConnect is designed to fill.

GitHub repo: https://github.com/sorinipate/vpn-up-for-openconnect

## What VPN Up is

VPN Up is a secure, scriptable command-line VPN manager built on top of OpenConnect for macOS and Linux. It is not a replacement for OpenConnect. It is a safer and more convenient workflow around it.

Instead of assembling long commands repeatedly, you define VPN profiles once and connect by name:

```bash
vpn-up start "Frankfurt VPN"
```

Example workflow:

```text
$ vpn-up start "Frankfurt VPN"
Starting the Frankfurt VPN on frankfurt.example.com using Cisco AnyConnect ...
Connecting with Two-Factor Authentication (2FA) from Duo (PUSH) ...
Connected to Frankfurt VPN

$ vpn-up status
VPN is running (PID: 88933)
Profile : Frankfurt VPN
Gateway : frankfurt.example.com
Uptime : 08:47
```

## Features that matter

VPN Up adds the things I wanted in my daily OpenConnect workflow:

- Named VPN profiles
- Cisco AnyConnect, GlobalProtect, Pulse Secure, Juniper, and ocserv support through OpenConnect
- Duo 2FA support from the terminal
- Secure password storage
- Certificate pinning with `pin-sha256`
- Auto-reconnect at login using `launchd` on macOS or `systemd` on Linux
- Profile-aware status, logs, and stop commands
- Shell completion
- A `doctor` command for diagnostics
- Connect and disconnect hooks

## Secure secrets, not plaintext passwords

A VPN helper should not make security worse in the name of convenience. VPN Up stores secrets using secure storage mechanisms where possible:

- macOS Keychain on macOS
- Linux Secret Service / keyring on Linux
- Encrypted OpenSSL vault as a fallback

It avoids storing VPN passwords in plaintext configuration files and avoids passing secrets directly on the command line. That matters because command-line convenience often turns into unsafe credential handling over time.

## Certificate pinning

VPN access depends not only on credentials, but also on server identity. VPN Up supports `pin-sha256` certificate pinning:

```bash
vpn-up pin --save "Frankfurt VPN"
```

If no pin is configured, the gateway certificate must validate against the system trust store. The principle is simple: avoid silently accepting weak or unexpected trust conditions.

## Auto-reconnect

Some VPN sessions need to stay alive during longer work:

- Remote support
- Integration troubleshooting
- System monitoring
- Data migration
- Deployment support

VPN Up can install a user-level login service:

```bash
vpn-up service install "Work VPN"
```

On macOS this uses `launchd`. On Linux this uses `systemd`.
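Returning to the `pin-sha256` value from the certificate pinning section: the following is an added example, not code from the VPN Up project, showing how such a pin is derived and checked with the `openssl` CLI. The pin is the base64 of the SHA-256 of the certificate's public key, so a renewed certificate on the same key keeps its pin while a different key fails. The file names, the CN and the demo keys are constructed, and how `vpn-up pin --save` obtains the pin internally is not shown on the page.

```shell
#!/usr/bin/env bash
# Added example: derive and check an RFC 7469 style pin-sha256 with openssl.
# Every file name, key and certificate below is constructed for the demo.
set -eu

# pin-sha256 = base64( SHA-256( DER-encoded SubjectPublicKeyInfo ) )
pin_from_cert() {   # $1 = PEM certificate file
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary |
    openssl base64
}

# Return 0 only if the certificate's public key matches the expected pin.
# The pin may be given with or without the "pin-sha256:" prefix.
check_pin() {       # $1 = PEM certificate file, $2 = expected pin
  [ "$(pin_from_cert "$1")" = "${2#pin-sha256:}" ]
}

# Constructed material: key A with two certificates (an issue and a renewal),
# and an unrelated key B standing in for an unexpected gateway.
make_demo() {       # $1 = work directory
  for k in a b; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
      -out "$1/$k.key" 2>/dev/null
  done
  openssl req -x509 -new -key "$1/a.key" -subj "/CN=vpn.example.com" -days 30 -out "$1/a1.pem"
  openssl req -x509 -new -key "$1/a.key" -subj "/CN=vpn.example.com" -days 90 -out "$1/a2.pem"
  openssl req -x509 -new -key "$1/b.key" -subj "/CN=vpn.example.com" -days 30 -out "$1/b.pem"
}

demo() {
  dir=$(mktemp -d)
  make_demo "$dir"
  pin="pin-sha256:$(pin_from_cert "$dir/a1.pem")"
  echo "saved pin: $pin"
  check_pin "$dir/a2.pem" "$pin" && echo "renewed cert, same key: pin still matches"
  check_pin "$dir/b.pem" "$pin" || echo "different key: pin mismatch, do not connect"
  rm -rf "$dir"
}

demo
```

A pin mismatch after a planned gateway key rotation is expected and needs a fresh pin obtained over a trusted channel; a mismatch at any other time should be treated as an unexpected server identity.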
## Installation

With Homebrew:

```bash
brew tap sorinipate/vpn-up
brew install vpn-up
```

Then:

```bash
vpn-up setup
vpn-up add-profile
vpn-up start
```

After setup, daily usage becomes simple:

```bash
vpn-up start "Client VPN"
vpn-up status
vpn-up logs -f
vpn-up stop
```

## Who it is for

VPN Up may be useful if you:

- Use OpenConnect instead of a vendor VPN client
- Connect to Cisco AnyConnect-compatible gateways
- Work with GlobalProtect, Pulse Secure, Juniper, or ocserv VPNs
- Manage multiple VPN profiles
- Need Duo 2FA from the command line
- Want VPN secrets stored securely
- Need certificate pinning
- Prefer terminal-first workflows
- Need auto-reconnect at login

It is especially relevant for developers, consultants, DevOps engineers, implementation teams, and support teams working across multiple client networks.

## Try it

VPN Up for OpenConnect is open source and available on GitHub: https://github.com/sorinipate/vpn-up-for-openconnect

Stars, issues, and pull requests are welcome.

If you already use OpenConnect but want better profile management, Duo 2FA handling, secure secrets, certificate pinning, diagnostics, and auto-reconnect, VPN Up may provide a safer and more structured workflow.