Connecting to Cisco VPN with SmartCard on Linux

If your company uses a Cisco VPN they might have told you to install Cisco AnyConnect, but as you may know it is f*king proprietary software. There is another way: OpenConnect, free open-source software that works with Cisco VPNs.


Most Linux distributions have openconnect available in their package repositories (see the distribution status page). I will focus on Ubuntu 16.04, which is the OS I use.

# apt install openconnect

To use our SmartCard we will use OpenSC, also an open-source project. PKCS#11 is the cryptographic token interface standard that SmartCards implement.

# apt install opensc opensc-pkcs11 gnutls-bin

We need to create /usr/share/p11-kit/modules/opensc.module, if it doesn't exist yet, with the location of the opensc-pkcs11.so module (the path might differ on your OS).

$ sudo sh -c "echo 'module:/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so' > /usr/share/p11-kit/modules/opensc.module"

Use p11tool to list the tokens and take the URL of the hardware token:

$ p11tool --list-tokens
Token 0:
URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
Label: System Trust
Type: Trust module
Manufacturer: PKCS#11 Kit
Model: p11-kit-trust
Serial: 1
Module: p11-kit-trust.so
Token 5:
URL: pkcs11:model=PKCS%2315;manufacturer=www.atos.net%2fcardos;serial=AABBCCDDEEF;token=NAME%20LASTNAME%20LST%20%28PIN%29
Type: Hardware token
Manufacturer: www.atos.net/cardos
Model: PKCS#15
Serial: 910E23C00901262F
Module: /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

We will use that URL to list the certificates on the card:

$ p11tool --list-all-certs 'pkcs11:model=PKCS%2315;manufacturer=www.atos.net%2fcardos;serial=AABBCCDDEEF;token=NAME%20LASTNAME%20LST%20%28PIN%29'
Object 0:
URL: pkcs11:model=PKCS%2315;manufacturer=www.atos.net%2fcardos;serial=AABBCCDDEEF;token=NAME%20LASTNAME%20SAIZ%20%28PIN%29;id=%aa%bb%cc%ee%ff%44%55%aa%cc%ff%dd%44%22%bb%33%11%55%33%dd%04;object=le-SmartcardBME-mmee112-89801-bbb-12344;type=cert
Type: X.509 Certificate
Label: le-SmartcardBME-mmee112-89801-bbb-12344

Use the certificate URL to connect with OpenConnect:

$ sudo openconnect -c 'pkcs11:model=PKCS%2315;manufacturer=www.atos.net%2fcardos;serial=AABBCCDDEEF;token=NAME%20LASTNAME%20SAIZ%20%28PIN%29;id=%aa%bb%cc%ee%ff%44%55%aa%cc%ff%dd%44%22%bb%33%11%55%33%dd%04;object=le-SmartcardBME-mmee112-89801-bbb-12344;type=cert' https://your.vpn/ --no-cert-check

It will ask for our PIN, and maybe the group, and we will be connected!

Note that --no-cert-check disables verification of the VPN server's certificate, so anyone able to intercept the connection could impersonate the server; once you have verified the server's certificate, pin it with --servercert instead.

If you don't want all your traffic routed through the VPN, delete the default route via tun0 and add routes only for the networks you need:

# ip route delete default dev tun0
# ip route add dev tun0

But this might run against your company's security policies.
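To tie the steps above together, here is an added shell script that is not from the original post: it picks the hardware token and its first certificate out of p11tool output and connects with a pinned server certificate instead of --no-cert-check. The sample listings, the script name vpn.sh and the VPN_SERVERCERT variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: automate the token and
# certificate lookup, then connect with a pinned server certificate instead
# of --no-cert-check. Assumes p11tool/openconnect are installed and that the
# pin (VPN_SERVERCERT) was recorded from a connection verified out of band.

# URL of the first "Hardware token" in `p11tool --list-tokens` output (stdin).
# Each token is a block whose URL line precedes its Type line.
hardware_token_url() {
    awk '/^[[:space:]]*URL:/ { url = $2 }
         /^[[:space:]]*Type:[[:space:]]*Hardware token/ { print url; exit }'
}

# URL of the first X.509 certificate in `p11tool --list-all-certs` output.
first_cert_url() {
    awk '/^[[:space:]]*URL:/ { url = $2 }
         /^[[:space:]]*Type:[[:space:]]*X\.509 Certificate/ { print url; exit }'
}

# Refuse to connect without a server-certificate pin: --no-cert-check would
# accept any server, including an impostor, so it is never used here.
vpn_connect() {
    host=$1; cert=$2; pin=$3
    if [ -z "$pin" ]; then
        echo "refusing to connect without a --servercert pin" >&2
        return 2
    fi
    sudo openconnect -c "$cert" --servercert "$pin" "$host"
}

# Constructed sample listings (modelled on the post's output) for offline use.
SAMPLE_TOKENS='Token 0:
    URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
    Type: Trust module
Token 5:
    URL: pkcs11:model=PKCS%2315;manufacturer=www.atos.net%2fcardos;serial=AABBCCDDEEF;token=NAME%20LASTNAME%20LST%20%28PIN%29
    Type: Hardware token'
SAMPLE_CERTS='Object 0:
    URL: pkcs11:model=PKCS%2315;serial=AABBCCDDEEF;token=NAME%20LASTNAME%20LST%20%28PIN%29;id=%aa%bb;object=le-SmartcardBME-mmee112-89801-bbb-12344;type=cert
    Type: X.509 Certificate'

# Real run: sh vpn.sh --connect https://your.vpn/ (with VPN_SERVERCERT exported).
if [ "${1:-}" = "--connect" ]; then
    token=$(p11tool --list-tokens | hardware_token_url)
    cert=$(p11tool --list-all-certs "$token" | first_cert_url)
    vpn_connect "$2" "$cert" "${VPN_SERVERCERT:-}"
fi
```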
