State: April 2026
You might be in the unfortunate position of needing to use a VPN other than OpenVPN or WireGuard. It sucks, but it works, and you don’t need to install weird Cisco software on your device!
For the new method you need openconnect version 9.12-3.2 or newer. This might be an issue on stable distributions.
Disclaimer
It seems that these networks are not all the same. Quite a few solutions, like native TOTP and username/password, did not work in my case.
This guide, for example, explains how to add TOTP and username/password yourself, which would be desirable, but it doesn’t work currently, it seems.
I will first explain the current solution, but add the “old” builtin one later.
Software
All you need is KDE Plasma, NetworkManager and the plasma-nm-openconnect plugin. You do not need to install any of the software that your institution might tell you to install.
You also need QtWebEngine, because the current implementation uses a WebView window. This means that you need a separate Chromium-based browser installed; sorry for that, and thank Cisco for not helping NetworkManager to do it well. QtWebEngine should be preinstalled on Fedora KDE and Kinoite.
Create the connection
Click on the “wifi” button in the bottom right, then at the upper right of the popup click on the “settings” icon (or head to the network settings otherwise).
Add a new connection here:
Select “Cisco Anyconnect Compatible VPN (openconnect)”.
Change the name of the connection to one you like.
In the “VPN (openconnect)” tab, all you need to do is:
- Set the “Gateway” to the VPN URL you should use, for example “vpn.institution.org”. There might be different URLs depending on your role in the institution or the age of your account. As everyone needs to enter this URL, it should be documented fairly well.
- Set the User Agent to “AnyConnect”. This is crucial for the next steps to work… thank Cisco for that.
Once this is done, click on “save” in the bottom right. You might need to enter your sudo password once or twice.
Connect
Now clicking on the wifi icon, you can connect to the configured VPN:
Click on the “connect” icon to initiate the authentication connection with the VPN.
A new form should be loaded, with a field defining “GROUP”. Click on “Login” without changing the GROUP. If the next steps don’t work, go back to this step and see if you can change the GROUP value.
In the case of the VPN I am forced to use, a WebView window should open inside the popup, where you log in normally.
With this approach, you need to repeat the login steps every single time. Saving the password or configuring the TOTP in the steps shown below does not do anything.
Legacy Method
This is the old method, which currently does not work anymore.
Following the above-mentioned guide, it was even possible to use TOTP (time-based two-factor authentication codes) without any WebView windows or repeated authentication.
Follow the steps to create a new VPN connection. Along with the mentioned things, you also add a Token Authentication:
You can get the TOTP secret by editing entries in Aegis or KeePassDX. If you used a malicious TOTP application like Google Authenticator, you need to set it up anew with Aegis or KeePassDX to be able to reuse that secret here.
It is not totally clear if “ask for password every time” is needed. The secret is used together with the current time to create a TOTP code that is the same on every device, so the setting makes no sense.
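Why the code is the same on every device, as an added example (not from the original guide or from openconnect): a minimal RFC 6238 TOTP generator in Python, assuming the common defaults of HMAC-SHA1, 30-second steps and 6 digits. `SAMPLE_SECRET` is the public RFC test key, not a real account secret, and the function names are made up for this illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the published RFC 6238 test key, base32-encoded the way
# authenticator apps export it. Not a real account secret.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32):
    """Normalise an exported secret: drop spaces/dashes, uppercase, re-pad."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper().rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32, now=None, step=30, digits=6):
    """Return the TOTP code for the time window that contains `now`."""
    if now is None:
        now = time.time()
    counter = int(now) // step  # the only time-dependent input
    key = decode_secret(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def codes_per_device(secret_b32, device_clocks):
    """Map each (hypothetical) device name to the code its clock would yield."""
    return {name: totp(secret_b32, now=clock) for name, clock in device_clocks.items()}


if __name__ == "__main__":
    # Two devices whose clocks fall in the same 30 s window agree;
    # a device whose clock is one window ahead does not.
    clocks = {"phone": 31, "laptop": 59, "skewed-laptop": 61}
    for name, code in codes_per_device(SAMPLE_SECRET, clocks).items():
        print(f"{name:14s} {code}")
```

Anything that holds the secret, including a saved VPN connection profile, can produce valid codes, so the profile needs the same protection as the authenticator app itself.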
Then, following the “Connect” step for the VPN connection, the popup should show a username and a password field, where you simply enter them. Saving the password should avoid needing to enter it over and over again.
Let’s hope that a good method like this will work again in the future.
3rd party software
If neither of the 2 methods worked for you, give the following software a try:




