A safer OpenConnect workflow for Cisco AnyConnect VPNs on macOS and Linux

Sorin-Doru Ipate — Sat, 13 Jun 2026 20:53:43 +0000

A safer OpenConnect workflow for Cisco AnyConnect VPNs on macOS and Linux

If your organization uses Cisco AnyConnect, GlobalProtect, Pulse Secure, Juniper, or another SSL VPN, the official desktop client is often the default option.

But for developers, consultants, DevOps engineers, and support teams working on macOS or Linux, a terminal-first workflow is often faster, clearer, and easier to automate.

That is why many technical users rely on OpenConnect.

OpenConnect is a powerful open-source VPN client, but raw usage can become repetitive when you work across multiple environments.

A typical command might look like this:

sudo openconnect --protocol=anyconnect \
  --authgroup=Employees \
  --user=your.username \
  --servercert pin-sha256:... \
  vpn.example.com

It works, but it is not always a good daily workflow.

No named profiles.
No convenient way to manage multiple gateways.
No structured secret storage.
No simple status command.
No guided certificate pinning.
No easy auto-reconnect setup.
No smoother handling of Duo 2FA.

That is the gap VPN Up for OpenConnect is designed to fill.

GitHub repo:
https://github.com/sorinipate/vpn-up-for-openconnect

What VPN Up is

VPN Up is a secure, scriptable command-line VPN manager built on top of OpenConnect for macOS and Linux.

It is not a replacement for OpenConnect. It is a safer and more convenient workflow around it.

Instead of assembling long commands repeatedly, you define VPN profiles once and connect by name:

vpn-up start "Frankfurt VPN"

Example workflow:

$ vpn-up start "Frankfurt VPN"
Starting the Frankfurt VPN on frankfurt.example.com using Cisco AnyConnect ...
Connecting with Two-Factor Authentication (2FA) from Duo (PUSH) ...
Connected to Frankfurt VPN

$ vpn-up status
VPN is running (PID: 88933)
  Profile : Frankfurt VPN
  Gateway : frankfurt.example.com
  Uptime  : 08:47

Features that matter

VPN Up adds the things I wanted in my daily OpenConnect workflow:

Named VPN profiles
Cisco AnyConnect, GlobalProtect, Pulse Secure, Juniper, and ocserv support through OpenConnect
Duo 2FA support from the terminal
Secure password storage
Certificate pinning with pin-sha256
Auto-reconnect at login using launchd on macOS or systemd on Linux
Profile-aware status, logs, and stop commands
Shell completion
A doctor command for diagnostics
Connect and disconnect hooks

Secure secrets, not plaintext passwords

A VPN helper should not make security worse in the name of convenience.

VPN Up stores secrets using secure storage mechanisms where possible:

macOS Keychain on macOS
Linux Secret Service / keyring on Linux
Encrypted OpenSSL vault as a fallback

It avoids storing VPN passwords in plaintext configuration files and avoids passing secrets directly on the command line.

That matters because command-line convenience often turns into unsafe credential handling over time.

Certificate pinning

VPN access depends not only on credentials, but also on server identity.

VPN Up supports pin-sha256 certificate pinning:

vpn-up pin --save "Frankfurt VPN"

If no pin is configured, the gateway certificate must validate against the system trust store.

The principle is simple: avoid silently accepting weak or unexpected trust conditions.

Auto-reconnect

Some VPN sessions need to stay alive during longer work:

Remote support
Integration troubleshooting
System monitoring
Data migration
Deployment support

VPN Up can install a user-level login service:

vpn-up service install "Work VPN"

On macOS this uses launchd.
On Linux this uses systemd.

Installation

With Homebrew:

brew tap sorinipate/vpn-up
brew install vpn-up

Then:

vpn-up setup
vpn-up add-profile
vpn-up start

After setup, daily usage becomes simple:

vpn-up start "Client VPN"
vpn-up status
vpn-up logs -f
vpn-up stop

Who it is for

VPN Up may be useful if you:

Use OpenConnect instead of a vendor VPN client
Connect to Cisco AnyConnect-compatible gateways
Work with GlobalProtect, Pulse Secure, Juniper, or ocserv VPNs
Manage multiple VPN profiles
Need Duo 2FA from the command line
Want VPN secrets stored securely
Need certificate pinning
Prefer terminal-first workflows
Need auto-reconnect at login

It is especially relevant for developers, consultants, DevOps engineers, implementation teams, and support teams working across multiple client networks.

Try it

VPN Up for OpenConnect is open source and available on GitHub:

https://github.com/sorinipate/vpn-up-for-openconnect

Stars, issues, and pull requests are welcome.

If you already use OpenConnect but want better profile management, Duo 2FA handling, secure secrets, certificate pinning, diagnostics, and auto-reconnect, VPN Up may provide a safer and more structured workflow.

DEV Community: Sorin-Doru Ipate

A safer OpenConnect workflow for Cisco AnyConnect VPNs on macOS and Linux

A safer OpenConnect workflow for Cisco AnyConnect VPNs on macOS and Linux

What VPN Up is

Features that matter

Secure secrets, not plaintext passwords

Certificate pinning

Auto-reconnect

Installation

Who it is for

Try it