Openconnect replacement for Cisco AnyConnect on Linux (Ubuntu)

Your company decided to use Cisco AnyConnect. You are on Linux, and you are provided with Cisco AnyConnect Linux client, and you are happy: At last, they had Linux in mind… But your happiness lasts only for a half an hour, when you realize, that the client just does not work. Or you might be lucky and the client work as expected, but in that case you wouldn’t be here… 😉

But fear not, there is a better solution for your problem. And it is called Openconnect. What you will need:

  • Windows machine with configured AnyConnect — needed just to create an initial configuration; not needed for operation
  • any flavor of Linux, – but I’m using Ubuntu, so the there will be some Ubuntu specific parts, but you’ll know how to translate those to your flavor of Linux
  • about 1h
To set up just follow these steps…

1st step: setup Windows client

As the first step set up the Windows client and make sure it works properly: you can connect to the VPN, routing is fine, etc.

2nd step: steal the certs from the windows store

AFAIK there are two possibilities, but only one of them work on both 32-bit and 64-bit Windows, so we’ll use that one. (FYI: the other one is Jailbreak)


(Optional) I use Jailbreak to check which key is the one I need (by modification date), – as Mimikatz will export all the keys.

You can follow the video and skip to next section:

Now start mimikatz as Adminstartor (right click Run as adminsitrator…) and do:

  1. privilege::debug
  2. crypto::patchcng
Start Mimikaz as a user that uses the VPN, and do:
  1. crypto::patchcapi
  2. crypto::exportCertificates
Now you will have the certificates exported, most probably beside the Mimikatz executable. There should be a PFX and a DER file for each. You are going to need only the PFX file. Lets call this file exported.pfx. You should move this file to your Linux box.
Exit Windows. Wash your hands. 😉

3rd step: convert keys

In your Linux box…

To convert keys, you will need openssl package, but that’s most probably already installed.

Do this, from command line:

  1. openssl pkcs12 -in exported.pfx -out cert.pem -nokeys
  2. openssl pkcs12 -in exported.pfx -out key.pem -nocerts

When asked, the import password is: mimikatz

Now you have cert.pem and key.pem.

4th step: install openconnect

Install Openconnect Gnome client. I do it like this:

  • apt-get install network-manager-openconnect-gnome

You could use the command line client too, but in that case I assume you know what to do…

5th stop: setup the openconnect vpn

  1. Open Netwok Connections, go to VPN tab click new…
  2. select Cisco AnyConnect Compatible VPN (openconnect)
  3. Gateway: [you company vpn gateway] — usually something like this:
  4. CA Certificate: you could get this from the admins, or you could export this one from windows with Jailbreak, or you could use Firefox…
  5. User Certificate: cert.pem
  6. Private key: key.pem

That’s it. Now just connect.

Kudos goes to:


One thought on “Openconnect replacement for Cisco AnyConnect on Linux (Ubuntu)

Comments are closed.