OpenConnect Client
Since sing-box 1.14.0
Client only
Build tags
OpenConnect endpoints require the with_openconnect build tag.
When system is disabled, the internal network stack also requires the with_gvisor build tag.
Structure
{
"type": "openconnect",
"tag": "oc-client",
"system": false,
"name": "",
"server": "vpn.example.com",
"flavor": "anyconnect",
"username": "",
"password": "",
"auth_group": "",
"token": {
"mode": "",
"secret": "",
"pin": "",
"password": "",
"device_id": "",
"counter": 0
},
"reported_os": "",
"user_agent": "",
"csd": {
"wrapper_path": ""
},
"hip": {
"wrapper_path": ""
},
"tncc": {
"wrapper_path": "",
"device_id": "",
"user_agent": "",
"machine_identification_enabled": false,
"certificates": [
{
"certificate": [],
"certificate_path": ""
}
]
},
"no_udp": false,
"allow_insecure_crypto": false,
"tls": {
"certificate_authority": [],
"certificate_authority_path": "",
"client_certificate": [],
"client_certificate_path": "",
"client_key": [],
"client_key_path": "",
"client_key_password": "",
"mca_certificate": [],
"mca_certificate_path": "",
"mca_key": [],
"mca_key_path": "",
"mca_key_password": ""
},
"form_entries": [
{
"form_id": "",
"submission_key": "",
"name": "",
"value": "",
"promote": false
}
],
... // Dial Fields
}
You can ignore the JSON Array [] tag when the content is only one item.
Fields
system
Use a system interface.
Requires privilege and cannot conflict with existing system interfaces.
If disabled, sing-box uses the internal network stack.
Requires the with_gvisor build tag when disabled.
name
Custom interface name for the system interface.
An automatically generated oc interface name is used by default.
server
Required
OpenConnect VPN server HTTPS URL.
The https:// scheme is added if omitted. URL user information, queries, and fragments are not supported.
flavor
OpenConnect protocol flavor, one of anyconnect, gp, fortinet, f5, pulse, or nc.
anyconnect is used by default.
username
Username used to fill matching authentication form fields.
password
Password used to fill matching authentication form fields.
auth_group
Authentication group used to preselect a matching group, realm, domain, or gateway choice when supported by the selected flavor.
token
Software token configuration for automatically answering matching token fields.
token.mode
Required
Software token mode, one of:
totp: Time-based One-Time Password.hotp: HMAC-based One-Time Password.stoken: RSA SecurID software token.
token.secret
Required
Software token secret.
For totp and hotp, this can be a Base32 secret, a base32:-prefixed secret, or an otpauth:// URI of the matching type.
For stoken, this is the encoded RSA SecurID CTF token content.
token.pin
RSA SecurID PIN for stoken mode.
token.password
Password for decrypting a password-protected RSA SecurID token in stoken mode.
token.device_id
Device ID for decrypting a device-bound RSA SecurID token in stoken mode.
token.counter
Initial counter for hotp mode.
If zero, the counter from an otpauth:// URI is used when present; otherwise the counter starts at zero.
reported_os
Operating system identity reported to the VPN server when supported by the selected flavor.
For anyconnect, gp, and pulse, the supported values are linux, linux-64, win, mac-intel, android, and apple-ios.
anyconnect uses linux-64 by default. gp and pulse select a value based on the system platform by default.
user_agent
User agent reported to the VPN server when supported by the selected flavor.
The default is flavor-specific.
csd
AnyConnect CSD/host scan compliance options.
Built-in CSD handling is used by default when requested by the server.
csd.wrapper_path
Path to an external AnyConnect CSD wrapper executable.
Built-in CSD handling is used if empty.
hip
GlobalProtect HIP check and report options.
Built-in HIP reporting is used by default when requested by the server.
hip.wrapper_path
Path to an external GlobalProtect HIP report wrapper executable.
Built-in HIP reporting is used if empty.
tncc
Network Connect TNCC compliance options.
Built-in TNCC handling is used by default when requested by the server.
tncc.wrapper_path
Path to an external Network Connect TNCC wrapper executable.
Built-in TNCC handling is used if empty.
Conflict with tncc.device_id, tncc.user_agent, tncc.machine_identification_enabled, and tncc.certificates.
tncc.device_id
Device ID reported by the built-in TNCC handler.
Conflict with tncc.wrapper_path.
tncc.user_agent
User agent used by the built-in TNCC handler.
Neoteris HC Http is used by default.
Conflict with tncc.wrapper_path.
tncc.machine_identification_enabled
Enable built-in TNCC machine identification, including the platform, hostname, and observed MAC addresses.
Conflict with tncc.wrapper_path.
tncc.certificates
Machine certificates used by the built-in TNCC handler to answer certificate requests.
Requires tncc.machine_identification_enabled.
Conflict with tncc.wrapper_path.
tncc.certificates.certificate
TNCC machine certificate content in PEM format.
Conflict with tncc.certificates.certificate_path.
tncc.certificates.certificate_path
TNCC machine certificate path in PEM format.
Conflict with tncc.certificates.certificate.
no_udp
Disable the DTLS or ESP secondary data channel and use the TLS data channel only.
allow_insecure_crypto
Allow deprecated TLS and DTLS versions and cipher suites required by legacy VPN servers.
Disabled by default. This option does not disable server certificate verification.
tls
OpenConnect TLS configuration.
tls.certificate_authority
Additional trusted CA certificate content in PEM format.
The certificates are added to the system certificate pool.
Conflict with tls.certificate_authority_path.
tls.certificate_authority_path
Path to additional trusted CA certificates in PEM format.
The certificates are added to the system certificate pool.
Conflict with tls.certificate_authority.
tls.client_certificate
Client certificate chain content in PEM format.
Conflict with tls.client_certificate_path.
tls.client_certificate_path
Client certificate chain path in PEM format.
Conflict with tls.client_certificate.
tls.client_key
Client private key content in PEM format.
Conflict with tls.client_key_path.
tls.client_key_path
Client private key path in PEM format.
Conflict with tls.client_key.
The client certificate and key must both be set or both be empty.
tls.client_key_password
Password for the encrypted client private key.
tls.mca_certificate
AnyConnect multiple-certificate authentication (MCA) certificate chain content in PEM format.
Conflict with tls.mca_certificate_path.
tls.mca_certificate_path
AnyConnect multiple-certificate authentication (MCA) certificate chain path in PEM format.
Conflict with tls.mca_certificate.
tls.mca_key
AnyConnect multiple-certificate authentication (MCA) private key content in PEM format.
Conflict with tls.mca_key_path.
tls.mca_key_path
AnyConnect multiple-certificate authentication (MCA) private key path in PEM format.
Conflict with tls.mca_key.
The MCA certificate and key must both be set or both be empty.
tls.mca_key_password
Password for the encrypted MCA private key.
form_entries
Authentication form field overrides.
An entry matches by submission_key when set, or by the combination of form_id and name. Later matching entries take precedence.
form_entries.form_id
Authentication form identifier used with form_entries.name when form_entries.submission_key is empty.
form_entries.submission_key
Authentication field submission key.
Either form_entries.submission_key or both form_entries.form_id and form_entries.name are required.
form_entries.name
Authentication field name used with form_entries.form_id when form_entries.submission_key is empty.
form_entries.value
Value supplied automatically for the matching authentication field.
Conflict with form_entries.promote.
form_entries.promote
Ask for the matching authentication field interactively instead of supplying an automatic value.
Conflict with form_entries.value.
Dial Fields
See Dial Fields for details.
Interactive authentication
Use Tools > Endpoints in the sing-box dashboard or any sing-box graphical client to authenticate and manage the endpoint.