smook1980 · February 3, 2021 17:12 · Sep 10, 2015 · Jun 27, 2015 · Jun 12, 2015 · Jul 24, 2012
diff --git a/openconnect.md b/openconnect.md
@@ -30,9 +30,37 @@ Here's how to get it set up on Mac OS X:
         sudo openconnect --user=<VPN username> --cafile=<.pem file from step 4.3> <your vpn hostname>
 
     The only thing you should be prompted for is your VPN password.  I added the command to my aliases file.
+
+    If the verification of the cert fails try:
+
+        sudo openconnect --user=<VPN username> --no-cert-check --passwd-on-stdin --disable-ipv6 vpn.ncsasports.org
 
 6. To disconnect, just Ctrl-c in the window where you started the VPN connection.
 
 #### Note
 
-I had an incident after an unclean VPN exit where later the VPN hostname could not be found.  I guess the DNS resolver was messed up.  I was forced to reboot to fix it so I could reconnect to the VPN.
+I had an incident after an unclean VPN exit where later the VPN hostname could not be found.  I guess the DNS resolver was messed up.  I was forced to reboot to fix it so I could reconnect to the VPN. 
+
+#### Super elite IT pro tips:
+
+Take DNS issues out of the equation and make connecting more reliable by adding an entry to your hosts file.  If the IP were ever to change you would need to update this accordingly. 
+
+    65.214.243.220  vpn.ncsasports.org
+
+The following bash script will promtp you for your password once and use it to both sudo and connect the VPN.  This does assume you use the same password for both.  The script will then detach from the terminal session to stay running in the background and direct all stoud to ~/tmp/vpn.log.  You may have to create the ~/tmp directory.  Once the file is created ```chdmod a+x ~/file/path``` to make it executable.
+
+```
+#!/bin/bash
+set -e
+
+read -s -p "Passwd: " passwd
+LOG_PATH=${HOME}/tmp/vpn.log
+rm -f $LOG_PATH
+
+sudo -S nohup openconnect --user=smook --no-cert-check --passwd-on-stdin --disable-ipv6 vpn.ncsasports.org > $LOG_PATH 2>&1 <<SECRET &
+$passwd
+$passwd
+SECRET
+
+echo 'Started OpenConnect...'
+```
diff --git a/openconnect.md b/openconnect.md
@@ -1,4 +1,4 @@
-So the anyconnect clinet prevents forward of traffic from a VM to the VPN, which means virtual machines and docker containers which rely upon NAT won't work.  OpenConnect allows you to get around this as it doesn't enforce ipfw rules upon you.
+So the anyconnect client prevents forward of traffic from a VM to the VPN, which means virtual machines and docker containers which rely upon NAT won't work.  OpenConnect allows you to get around this as it doesn't enforce ipfw rules upon you.
 
 [OpenConnect](http://www.infradead.org/openconnect/) is a command-line client for Cisco's AnyConnect SSL VPN.
 

diff --git a/openconnect.md b/openconnect.md
@@ -1,6 +1,6 @@
-Unfortunately, the Cisco AnyConnect client for Mac conflicts with [Pow](http://pow.cx/). And by "conflicts", I mean it causes a grey-screen-of-death kernel panic anytime you connect to the VPN and Pow is installed.
+So the anyconnect clinet prevents forward of traffic from a VM to the VPN, which means virtual machines and docker containers which rely upon NAT won't work.  OpenConnect allows you to get around this as it doesn't enforce ipfw rules upon you.
 
-As an alternative, there is [OpenConnect](http://www.infradead.org/openconnect/), a command-line client for Cisco's AnyConnect SSL VPN.
+[OpenConnect](http://www.infradead.org/openconnect/) is a command-line client for Cisco's AnyConnect SSL VPN.
 
 Here's how to get it set up on Mac OS X:
 
@@ -9,7 +9,6 @@ Here's how to get it set up on Mac OS X:
         brew update
         brew install openconnect
 
-2. Install the [Mac OS X TUN/TAP](http://tuntaposx.sourceforge.net/) driver
 3. (Optional) Running openconnect requires sudo, presumably because it affects resolution of DNS.  So, I added password-less sudo ability for the openconnect command.
 
         sudo visudo -f /etc/sudoers
@@ -19,7 +18,7 @@ Here's how to get it set up on Mac OS X:
         %admin  ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect
 
 4. (Optional) When connecting to your SSL VPN, openconnect may complain about a "self-signed certificate" being in the chain and force you to explicitly accept it every time.  The self-signed cert is actually the root certficate and (hopefully) is one with implicit trust (i.e. trusted by browsers), so we can safely trust it by specifying the CA file after exporting it from KeyChain:
-  1. Determine the name your root certificate (i.e. visit your SSL VPN in Chrome, click the green lock, click "Certificate Information")
+  1. Determine the name your root certificate (i.e. visit your SSL VPN in Chrome (https://vpn.ncsasports.org), click the green lock, click "Certificate Information")
      ![Find Certificate Information](https://img.skitch.com/20120724-a38g9sby9naw28m39j2nakcnt.jpg)
      ![Observe Root Certificate](https://img.skitch.com/20120724-fiehbr89muyhmyk1x7setjbt4b.jpg)
   2. Open the Keychain Access App

diff --git a/openconnect.md b/openconnect.md
@@ -0,0 +1,39 @@
+Unfortunately, the Cisco AnyConnect client for Mac conflicts with [Pow](http://pow.cx/). And by "conflicts", I mean it causes a grey-screen-of-death kernel panic anytime you connect to the VPN and Pow is installed.
+
+As an alternative, there is [OpenConnect](http://www.infradead.org/openconnect/), a command-line client for Cisco's AnyConnect SSL VPN.
+
+Here's how to get it set up on Mac OS X:
+
+1. OpenConnect can be installed via [homebrew](http://mxcl.github.com/homebrew/):
+
+        brew update
+        brew install openconnect
+
+2. Install the [Mac OS X TUN/TAP](http://tuntaposx.sourceforge.net/) driver
+3. (Optional) Running openconnect requires sudo, presumably because it affects resolution of DNS.  So, I added password-less sudo ability for the openconnect command.
+
+        sudo visudo -f /etc/sudoers
+
+  And added this line:
+
+        %admin  ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect
+
+4. (Optional) When connecting to your SSL VPN, openconnect may complain about a "self-signed certificate" being in the chain and force you to explicitly accept it every time.  The self-signed cert is actually the root certficate and (hopefully) is one with implicit trust (i.e. trusted by browsers), so we can safely trust it by specifying the CA file after exporting it from KeyChain:
+  1. Determine the name your root certificate (i.e. visit your SSL VPN in Chrome, click the green lock, click "Certificate Information")
+     ![Find Certificate Information](https://img.skitch.com/20120724-a38g9sby9naw28m39j2nakcnt.jpg)
+     ![Observe Root Certificate](https://img.skitch.com/20120724-fiehbr89muyhmyk1x7setjbt4b.jpg)
+  2. Open the Keychain Access App
+  3. Search the "System Roots" keychain to find your root certificate and select it
+     ![Keychain Access](https://img.skitch.com/20120724-8px6xhtbcpnhkkpr8ckx1rcp8.jpg)
+  4. `File` > `Export Items...` the certificate as a `.pem` file somewhere on your hard drive (I put it in `~/.ssh/<certificate name>.pem`
+5. Connect!
+
+        sudo openconnect --user=<VPN username> --cafile=<.pem file from step 4.3> <your vpn hostname>
+
+    The only thing you should be prompted for is your VPN password.  I added the command to my aliases file.
+
+6. To disconnect, just Ctrl-c in the window where you started the VPN connection.
+
+#### Note
+
+I had an incident after an unclean VPN exit where later the VPN hostname could not be found.  I guess the DNS resolver was messed up.  I was forced to reboot to fix it so I could reconnect to the VPN.
No results found