DEV Community

Sorin-Doru Ipate

Posted on • Originally published at architegrity.com

A safer OpenConnect workflow for Cisco AnyConnect VPNs on macOS and Linux

If your organization uses Cisco AnyConnect, GlobalProtect, Pulse Secure, Juniper, or another SSL VPN, the official desktop client is often the default option.

But for developers, consultants, DevOps engineers, and support teams working on macOS or Linux, a terminal-first workflow is often faster, clearer, and easier to automate.

That is why many technical users rely on OpenConnect.

OpenConnect is a powerful open-source VPN client, but raw usage can become repetitive when you work across multiple environments.

A typical command might look like this:

sudo openconnect --protocol=anyconnect \
  --authgroup=Employees \
  --user=your.username \
  --servercert pin-sha256:... \
  vpn.example.com

It works, but it is not always a good daily workflow.

No named profiles.
No convenient way to manage multiple gateways.
No structured secret storage.
No simple status command.
No guided certificate pinning.
No easy auto-reconnect setup.
No smoother handling of Duo 2FA.

That is the gap VPN Up for OpenConnect is designed to fill.

GitHub repo:
https://github.com/sorinipate/vpn-up-for-openconnect

What VPN Up is

VPN Up is a secure, scriptable command-line VPN manager built on top of OpenConnect for macOS and Linux.

It is not a replacement for OpenConnect. It is a safer and more convenient workflow around it.

Instead of assembling long commands repeatedly, you define VPN profiles once and connect by name:

vpn-up start "Frankfurt VPN"

Example workflow:

$ vpn-up start "Frankfurt VPN"
Starting the Frankfurt VPN on frankfurt.example.com using Cisco AnyConnect ...
Connecting with Two-Factor Authentication (2FA) from Duo (PUSH) ...
Connected to Frankfurt VPN

$ vpn-up status
VPN is running (PID: 88933)
  Profile : Frankfurt VPN
  Gateway : frankfurt.example.com
  Uptime  : 08:47

Features that matter

VPN Up adds the things I wanted in my daily OpenConnect workflow:

  • Named VPN profiles
  • Cisco AnyConnect, GlobalProtect, Pulse Secure, Juniper, and ocserv support through OpenConnect
  • Duo 2FA support from the terminal
  • Secure password storage
  • Certificate pinning with pin-sha256
  • Auto-reconnect at login using launchd on macOS or systemd on Linux
  • Profile-aware status, logs, and stop commands
  • Shell completion
  • A doctor command for diagnostics
  • Connect and disconnect hooks

Secure secrets, not plaintext passwords

A VPN helper should not make security worse in the name of convenience.

VPN Up stores secrets using secure storage mechanisms where possible:

  • macOS Keychain on macOS
  • Linux Secret Service / keyring on Linux
  • Encrypted OpenSSL vault as a fallback

It avoids storing VPN passwords in plaintext configuration files and avoids passing secrets directly on the command line.

That matters because command-line convenience often turns into unsafe credential handling over time.
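
To make the command-line risk concrete, here is an added example (not code from VPN Up or from the original post) that starts a stand-in client twice and checks what the process table reveals each time. `fake-client`, its `--password=` flag and the secret are constructed for the demo; `--passwd-on-stdin` is the real OpenConnect option for reading the password from standard input.

```sh
#!/bin/sh
# Added example: what the process table reveals when a secret is passed as an
# argument versus on stdin. "fake-client" and the secret are constructed stand-ins.

# visible_args <pid>: the command line other local users can read for that process.
visible_args() {
  if [ -r "/proc/$1/cmdline" ]; then tr '\0' ' ' < "/proc/$1/cmdline"
  else ps -o args= -p "$1"; fi
}

# exposure <mode> <secret>: start the stand-in client, inspect it, print exposed|hidden.
exposure() {
  case "$1" in
    argv)  sh -c 'sleep 5; :' fake-client --user=alice --password="$2" >/dev/null 2>&1 & ;;
    stdin) printf '%s\n' "$2" |
             sh -c 'read -r pw; sleep 5; :' fake-client --user=alice --passwd-on-stdin >/dev/null 2>&1 & ;;
  esac
  pid=$!
  sleep 1                          # let the child finish exec before looking at it
  seen=$(visible_args "$pid")
  kill "$pid" 2>/dev/null || :     # stop the stand-in once it has been inspected
  case "$seen" in *"$2"*) echo exposed ;; *) echo hidden ;; esac
}

secret='constructed-Passw0rd'
printf 'argument : %s\n' "$(exposure argv  "$secret")"
printf 'stdin    : %s\n' "$(exposure stdin "$secret")"
```

In the stdin case `printf` is a shell builtin, so the secret never appears in any process's argument list.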

Certificate pinning

VPN access depends not only on credentials, but also on server identity.

VPN Up supports pin-sha256 certificate pinning:

vpn-up pin --save "Frankfurt VPN"

If no pin is configured, the gateway certificate must validate against the system trust store.

The principle is simple: avoid silently accepting weak or unexpected trust conditions.
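
As an added illustration (not code from VPN Up or from the original post), the script below computes the value OpenConnect expects after `pin-sha256:`, which is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo, and checks certificates against a stored pin. It assumes the `openssl` CLI is installed; the keys, certificates and file names are constructed for the demo.

```sh
#!/bin/sh
# Added example: compute and check an OpenConnect pin-sha256 value.
# The pin is base64(SHA-256(DER SubjectPublicKeyInfo)), the RFC 7469 key pin format.

# spki_pin <cert.pem>: print "pin-sha256:<base64>" for the certificate's public key.
spki_pin() {
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  hash=$(printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
         openssl dgst -sha256 -binary | openssl base64 -A)
  printf 'pin-sha256:%s\n' "$hash"
}

# pin_matches <cert.pem> <stored-pin>: 0 = match, 1 = mismatch, 2 = unreadable cert.
pin_matches() {
  actual=$(spki_pin "$1") || return 2
  [ "$actual" = "$2" ]
}

# Constructed test material: two keys, three self-signed certificates.
demo_dir=$(mktemp -d)
new_key()  { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
new_cert() { openssl req -x509 -new -key "$1" -subj "/CN=vpn.example.com" -days 30 -out "$2" 2>/dev/null; }
new_key  "$demo_dir/gw.key";    new_key "$demo_dir/other.key"
new_cert "$demo_dir/gw.key"    "$demo_dir/gw.pem"        # certificate at pinning time
new_cert "$demo_dir/gw.key"    "$demo_dir/renewed.pem"   # renewal that reuses the key
new_cert "$demo_dir/other.key" "$demo_dir/other.pem"     # same CN, different key

stored=$(spki_pin "$demo_dir/gw.pem")
for cert in gw renewed other; do
  if pin_matches "$demo_dir/$cert.pem" "$stored"; then verdict="pin OK"; else verdict="PIN MISMATCH"; fi
  printf '%-12s %s\n' "$cert.pem" "$verdict"
done
```

The renewed certificate still matches because the pin covers only the public key; a gateway that rotates its key needs a new pin.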

Auto-reconnect

Some VPN sessions need to stay alive during longer work:

  • Remote support
  • Integration troubleshooting
  • System monitoring
  • Data migration
  • Deployment support

VPN Up can install a user-level login service:

vpn-up service install "Work VPN"

On macOS this uses launchd.
On Linux this uses systemd.

Installation

With Homebrew:

brew tap sorinipate/vpn-up
brew install vpn-up

Then:

vpn-up setup
vpn-up add-profile
vpn-up start

After setup, daily usage becomes simple:

vpn-up start "Client VPN"
vpn-up status
vpn-up logs -f
vpn-up stop

Who it is for

VPN Up may be useful if you:

  • Use OpenConnect instead of a vendor VPN client
  • Connect to Cisco AnyConnect-compatible gateways
  • Work with GlobalProtect, Pulse Secure, Juniper, or ocserv VPNs
  • Manage multiple VPN profiles
  • Need Duo 2FA from the command line
  • Want VPN secrets stored securely
  • Need certificate pinning
  • Prefer terminal-first workflows
  • Need auto-reconnect at login

It is especially relevant for developers, consultants, DevOps engineers, implementation teams, and support teams working across multiple client networks.

Try it

VPN Up for OpenConnect is open source and available on GitHub:

https://github.com/sorinipate/vpn-up-for-openconnect

Stars, issues, and pull requests are welcome.

If you already use OpenConnect but want better profile management, Duo 2FA handling, secure secrets, certificate pinning, diagnostics, and auto-reconnect, VPN Up may provide a safer and more structured workflow.
