VPN Up vs. raw OpenConnect

VPN Up is not a replacement for OpenConnect — it’s a thin, secure wrapper around it. OpenConnect does the tunnelling; VPN Up adds the profile management and credential hygiene that raw command lines lack.

The raw way

echo "$PASSWORD" | sudo openconnect --protocol=anyconnect --authgroup=Employees \
  --user=me --servercert pin-sha256:… --passwd-on-stdin vpn.example.com

Every gateway is a long command to remember, the password lands in your shell history and the process table, and there’s no “is it up?”, “stop it”, or “reconnect at login.”

The VPN Up way

vpn-up start "Work VPN"

Side by side

Capability Raw openconnect VPN Up
Multiple named profiles manual
Secrets in Keychain / keyring / encrypted vault
Password kept out of argv & shell history manual
Duo 2FA prompt ordering (push/phone/sms/passcode) manual
Browser-based SSO (--external-browser) wiring manual
Client-certificate auth (file or PKCS#11 / YubiKey PIV) manual ✅ profile field; PIN kept out of argv
Certificate-pinning helper (pin / pin --save) manual
Profile-aware status / logs -f / stop
Auto-reconnect login service (launchd/systemd) manual
Connect/disconnect hooks & desktop notifications
Shell completion

When to use which

  • Use raw openconnect for a one-off connection, scripting around a single fixed gateway, or debugging the tunnel itself.
  • Use VPN Up when you connect regularly, juggle multiple gateways, want credentials stored safely, need Duo/SSO handled cleanly, or want connect-at-login.

Under the hood it’s still OpenConnect — so anything your gateway needs that OpenConnect supports keeps working.

Get started: installation · usage.

Comparing specific clients? See VPN Up vs. openconnect-sso (Cisco AnyConnect SSO), VPN Up vs. GlobalProtect-openconnect, and VPN Up vs. NetworkManager-openconnect.