Using CMU's CISCO VPN on headless Ubuntu

Stargazer ZJ
  2026-04-09 20:36:28 2026-04-09 20:36:28 Created   2026-04-09 21:55 2026-04-09 21:55 Updated    

CMU uses CISCO Anyconnect to provide VPN access to its network. The official user help page on the school website does not cover Linux, and the official CISCO Linux client (shows up upon a Linux UA) does not support the SSO login method that CMU uses.

The open source openconnect client does support CISCO’s Anyconnect protocol, but is does not support the SSO login method either.

Another project, openconnect-sso, is a wrapper around the openconnect client that implements the SSO login method. It’s quite an old project and the venv is hard to set up. Even its nix package is broken. After setting it up, I can authentiate successfully via X11 forwarding.

In order to use the browser on my own local machine, I wrote a small script to initiate the login process and start the browser, and then use a Tampermonkey script to extract the SSO token from the browser and send it back to the server.

I also manually overridden the routing table, so that although Full-mode VPN is allowed by the server, only traffic to CMU’s internal network is routed through the VPN by default.

  • Title: Using CMU's CISCO VPN on headless Ubuntu
  • Author: Stargazer ZJ
  • Created at : 2026-04-09 20:36:28
  • Updated at : 2026-04-09 21:00:55
  • Link: https://ji-z.net/2026/04/09/Using-CMU-s-CISCO-VPN-on-headless-Ubuntu/
  • License: This work is licensed under CC BY-NC-SA 4.0.
On this page
Using CMU's CISCO VPN on headless Ubuntu