Automatically log into VPN (Cisco) when connecting to certain wireless networks

Discussion in 'OS X' started by Wombert, Nov 20, 2005.

  1. macrumors regular

    Joined:
    Oct 31, 2005
    Location:
    Munich, Germany
    #1
    Hi,

    So my University uses the lovely Cisco VPN Client. Easy to get it working, not a big deal, but it annoys me that I need to start it manually every time I switch wifi networks and such. Is there a way to automate this? I want to connect to the VPN whenever the Airport logs into one of the University's wifi networks. The Cisco client also supports command-line mode, so I could write a script for that. But the big question is: is there a "connected to wifi network" event I can hook into using AppleScript or something? Sorry if this is a dumb question, I just switched from PC to Mac on Thursday ;)
     
  2. macrumors 601

    Joined:
    Aug 15, 2005
    #2
    I'm sure there is a way to write this in Applescript.

    However, if you are roaming across networks when connected, it makes perfect sense why the client is dropping you. If the university is using IKE, part of the initiation/configuration of the tunnel is to record the remote address. When your address changes, the tunnel is destroyed to remove any possibility of a hacking attempt.
     
  3. thread starter macrumors regular

    Joined:
    Oct 31, 2005
    Location:
    Munich, Germany
    #3
    True, and that's okay. What I don't want is to start the VPN Client manually and make it connect. It should happen automatically whenever I connect to one of the university's access points. That's why I was asking whether it would be possible to write an AppleScript or download a tool / daemon / whatever that can execute another script which establishes the VPN connection as soon as Airport logs into the wireless network.
     
  4. macrumors 68030

    superbovine

    Joined:
    Nov 7, 2003
    #4

    It's probably possible, but the reason why it just doesn't do it is security. They want to force you to go through the motions because that method of access is more secure.
     
  5. thread starter macrumors regular

    Joined:
    Oct 31, 2005
    Location:
    Munich, Germany
    #5
    I found out I can add entries to /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/Kicker.xml which is called on every network change, so I'll just add a script in there that checks if I'm in university (dunno yet if I'll do this via access point detection or simply by querying the current location), and if so, start the vpn client. I'll let you guys know if this works ;)
     
  6. thread starter macrumors regular

    Joined:
    Oct 31, 2005
    Location:
    Munich, Germany
    #6
    Okay guys, I solved this one. This is how it works:

    1. A script, ~/vpnconnect.sh will connect to the VPN:
      Code:
      screen -d -m /opt/cisco-vpnclient/bin/vpnclient connect <YourProfileName> &
      As you can see, it requires a profile. The easiest way to create one is to use the GUI client and copy the profile file from /etc/CiscoSystemsVPNClient/Profiles/ to /etc/opt/cisco-vpnclient (there seems to be no way to use a config file in another directory). The second time you use the profile to connect via the GUI client you will have the option to remember the password. Do that.
    2. Another script, ~/autovpn.sh will read the Airport's SSID and use the script from 1) to connect to VPN:
      Code:
      #!/bin/sh
      
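      # Read the current Airport SSID (the last grep keeps only the trailing run of letters and digits)
      ssid=`/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I | fgrep -i " ssid" | grep -Eo "[a-zA-Z0-9]+$"`
      
      # $ssid is quoted so the test still parses when Airport reports no SSID
      if [ "$ssid" = "somenetwork" -o "$ssid" = "anotherSSID" ]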
      then
      	/Users/<Yourusername>/vpnconnect.sh &
      fi
    3. Add the following segment to /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/Kicker.xml:
      Code:
              <dict>
                      <key>execCommand</key>
                      <string>/Users/<YourUserName>/autovpn.sh</string>
                      <key>execUID</key>
                      <integer><yourUID></integer>
                      <key>keys</key>
                      <array>
                              <string>Setup:/</string>
                              <string>State:/Network/Global/IPv4</string>
                      </array>
                      <key>name</key>
                      <string>AutoVPN</string>
              </dict>
      Use the id command to determine your UID and short username
    4. Restart the computer
    Now, whenever your Airport connection changes and connects to one of the networks of which you specified the SSID, the VPN connection will be created automatically. You can adapt this to setup SSH tunnels etc, too. I haven't gotten this to work 100% reliably right after system startup yet, but it works when changing networks, enabling and disabling Airport and waking up from sleep, so it shouldn't be a big deal since most people will have their PB in sleep usually.
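
The SSID check from step 2, as an added example that is not part of the original post: it extracts the whole SSID from `airport -I` output and compares it against the list exactly, where the posted `grep -Eo "[a-zA-Z0-9]+$"` keeps only the trailing letters and digits. The sample output and the SSID `lab-somenetwork` are constructed, and the field layout is assumed from the labels the posted pipeline relies on.

```shell
#!/bin/sh
# Added example, not code from the thread.
AIRPORT=/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport

# Constructed sample of `airport -I` output (layout assumed; "lab-somenetwork"
# is a made-up SSID that merely ends in a listed name).
sample_airport_output() {
cat <<'EOF'
     agrCtlRSSI: -52
          state: running
          BSSID: 0:11:22:33:44:55
           SSID: lab-somenetwork
        channel: 11
EOF
}

# The thread's extraction (fgrep spelled as grep -F): keeps only the trailing
# run of letters and digits, so "lab-somenetwork" comes out as "somenetwork".
legacy_ssid() {
    grep -Fi " ssid" | grep -Eo "[a-zA-Z0-9]+$"
}

# Exact extraction: take the line labelled "SSID" (not "BSSID") and keep the
# whole value, including hyphens, dots and spaces.
parse_ssid() {
    sed -n 's/^[[:space:]]*SSID: //p' | head -n 1
}

# Whole-string allowlist match; an empty SSID (Airport off) never matches.
is_trusted_ssid() {
    case "$1" in
        somenetwork|anotherSSID) return 0 ;;
        *) return 1 ;;
    esac
}

# Only act where the airport tool exists; elsewhere the functions can still
# be exercised against the sample above.
if [ -x "$AIRPORT" ]; then
    ssid=$("$AIRPORT" -I | parse_ssid)
    if is_trusted_ssid "$ssid"; then
        "$HOME/vpnconnect.sh" &
    fi
fi
```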
     
  7. macrumors newbie

    Joined:
    Dec 2, 2005
    #7
    One question though, when you connect to the server, does your university post a message? Something like Welcome to xyz, use this profile for this and that. This is at least something my universities do and I always have to either type "y" in the cli or hit return using the GUI. If I could get around responding to this message, automation would be great. Because if I don't respond I get a time out and the connection gets cancelled.
     
  8. thread starter macrumors regular

    Joined:
    Oct 31, 2005
    Location:
    Munich, Germany
    #8
    No, they don't do that. I'm not sure if you could work around this either. Displaying the message is definitely impossible because I'm using "screen" to make it work as a background process...
     
  9. macrumors 68000

    GeeYouEye

    Joined:
    Dec 9, 2001
    Location:
    State of Denial
    #9
    Thanks a TON for figuring this out! I've been looking for a way to do this through AppleScript or Automator, but this looks like it should work just as well.

    EDIT: hmm... how do you connect to a VPN that has both group and individual authentication? In other words, when I use the GUI client, it connects using the stored profile, but then I have to enter my network username (usually filled in) and password. There doesn't seem to be any way to store this, AFAICT.
     
  10. thread starter macrumors regular

    Joined:
    Oct 31, 2005
    Location:
    Munich, Germany
    #10
    You can't do it through Automator or AppleScript, since you need to hook into Kicker to have the command executed whenever the network environment changes.

    Note that I'm using
    Code:
    if [ "$ssid" = "somenetwork" -o "$ssid" = "anotherSSID" ]
    to check if the SSID is either "somenetwork" or "anotherSSID". If you want to check for only one SSID, remove the second part, including the "-o". If you want to check more networks, add more -o "$ssid" = "..." chunks to the end.

    There's a caveat, though: you can't really disconnect from VPN because disconnecting will result in a network configuration change, which again starts the script and establishes a connection. So if you want to get out of the network, you have to disable Airport or log out from the wireless network altogether. Should not be a big deal, though, since you usually have to be on VPN to use the network at all. I haven't figured out yet how to be notified only on Airport connection changes.

    And, as I said, it doesn't always work right after system startup. It should not be a problem since usually, you don't boot your computer but just wake it up from sleep, where it always works like a charm.

    I'm soooooo glad I found out how this works. I'm really sorry for all those Linux guys sitting around me in front of their ugly, uncool laptops, entering 20+ lines on the console to log in to wireless and VPN ;)
     
  11. thread starter macrumors regular

    Joined:
    Oct 31, 2005
    Location:
    Munich, Germany
    #11
    Mine also needs a group auth, plus a username and password. I can save this in the GUI client after I connect for the second time. The Group authentication for the connection is always saved, and at the bottom, there's an "Erase User Password" button which I could use to remove the saved user and password data. Maybe you have to switch to advanced mode to make this work? Or upgrade to the latest version... I'm using Cisco Systems VPN Client Version 4.7.00 (0510)
     
  12. macrumors newbie

    newtonick

    Joined:
    Dec 2, 2005
    Location:
    Illinois
    #12
    My Ongoing Solution to Cisco VPN

    About a year ago I asked that very question (along with others regarding Cisco VPN). I started creating AppleScripts and tried bash scripts, all sucked. So I moved on to creating a full App. A new interface to Cisco's VPN Client. I was still in the learning process of Cocoa, so I shared my idea with a hard core programmer (Gorman) and he did the coding in Cocoa.

    The "VPNMenu" is an app that communicates with the VPN Driver (through Cisco API's) that installs when you install the Cisco VPN Client, version 4.7 of the client is required to use this app. This app is a Status Item (in Menu bar) that allows you to store your username and password in preferences (keychain). VPNMenu also has a feature to Auto-connect, to a particular domain, or to all connections. It detects the Domain IP or name from the DHCP server and decides if it should connect to the VPN. There are even a few more features. Now this client is still in very early stages. It has flaws, but don't complain about them, download the source and fix them. Then post the fix.

    You can download the VPNMenu here at:
    http://niumug.org/projects/vpnmenu

    This is the first time I think the client has been made "public" so comment on it, tell me what you think. The download is currently being hosted through NIU Mac User Group, which is in the process of becoming an official Mac User Group.
     
  13. macrumors member

    Joined:
    Sep 14, 2003
    Location:
    Los Angeles, CA / Seattle, WA
    #13
    1) For those of you who require a user login/password there are command line options for that:

    vpnclient connect profilename user username password password

    Of course the password will be easily visible to anyone who has access to the script, so keep that in mind...

    2) I can't get the VPNMenu to work for some reason. It gives me errors -10 and -17. I'll try again later, our VPN server is really flakey.
     
  14. macrumors newbie

    newtonick

    Joined:
    Dec 2, 2005
    Location:
    Illinois
    #14
    VPNMenu requires 4.7

    OK, a few things to check. For some reason (haven't figured out yet), in the testing I have done, you MUST have Cisco VPN Client 4.7 (which I think is a good thing). If you have that version installed (or higher) and provide the right username and passwd with the right profile, this client should work. Test the Cisco supplied interface, or the command line client, if it works, the VPNMenu client should work. After doing all that, and it still does not work, post the errors you get and the client's reaction (animation effects and such).
     
  15. macrumors newbie

    Joined:
    Dec 3, 2005
    #15
    Thank you for the kicker code. I had something like this running in a brute-force infinite loop. :)

    As for typing "y", you can do that with "yes | vpnclient connect ..."
     
  16. macrumors newbie

    Joined:
    Dec 11, 2005
    #16
    VPNMenu is extremely slick

    It's really very nice. Stores your domain credentials and lets you connect instantly. The Cisco GUI is quite easy, but this is really, really easy. Thanks for this.
     
  17. macrumors newbie

    Joined:
    Jan 24, 2007
    Location:
    Boston, Ma
    #17
    Using Kicker

    I'm trying to adapt this technique to adjust my default printer as I move between office and home. I have a shell script, called set_default_printer, which does the right thing when called, but I haven't been able to get it invoked when my powerbook wakes up. I added the following to Kicker.xml:

    <dict>
    <key>execCommand</key>
    <string>/Users/leonard/Source/bin/set_default_printer</string>
    <key>execUID</key>
    <integer>501</integer>
    <key>keys</key>
    <array>
    <string>Setup:</string>
    <string>State:/Network/Global/IPv4</string>
    </array>
    <key>name</key>
    <string>SelectPrinter</string>
    </dict>

    But it doesn't seem to be invoked when I wake the machine. And unfortunately, I don't understand what these various strings are supposed to do.

    Any suggestions what to try, or where to look? Thanks.
     
  18. macrumors newbie

    Joined:
    Dec 3, 2005
  19. macrumors newbie

    Joined:
    Dec 3, 2005
    #19
    Has anyone figured this out for Leopard, yet? The Kicker bundle appears to be gone.
     
  20. macrumors newbie

    Joined:
    Jun 26, 2010
    #20
    hi,

    kind of a long-term thread.. is there a better way known after that long time?
    maybe a tool which can auto-connect to a VPN?

    greetings..
     
  21. macrumors member

    Joined:
    Oct 20, 2008
    #21
    This doesn't handle the automation part on network change, but the magic incantation with Cisco VPN Client 4.9 to eliminate pwd prompt is:

    open /Applications/VPNClient.app --args -c -user YourUsername -pwd YourPassword ProfileNameToConnect

    I haven't figured out yet how I can make it disconnect or quit cleanly (I can ask it to quit via AppleScript, but it pops a "Connection active/do you wish to terminate" alert).
     
  22. macrumors newbie

    Joined:
    Nov 8, 2010
    #22
    How can I do this on my new iPhone4 OS 4.1 which is jailbroken already?

    How can I do this on my new iPhone4 OS 4.1 which is jail-broken already? I have to log in to a VPN at my work to check my email, but as soon as my phone locks, the wifi goes to sleep and VPN disconnects. This really bugs me as I have to reconnect the VPN every time I have to unlock my iPhone. Any idea if I can do this exact thing on my iPhone? Right now I have a toggle for VPN in my SBSettings and I have to do it manually.

    Any suggestions?

    Thanks!
     
