# fastvpn — Automated Sophos SSL VPN Connect

Fully automated connect to Sophos SSL VPN with TOTP (no dialog, no manual input).

## How it works

Sophos SSL VPN uses OpenVPN with certificate + username/password+OTP authentication.
NetworkManager's normal flow requires an interactive KDE dialog which cannot be automated
reliably on Wayland. Instead, `vpn-connect.sh` starts `openvpn` directly with a Unix
management socket and feeds credentials programmatically via `socat`.

## Prerequisites

### Packages
```bash
sudo pacman -S openvpn oathtool socat libsecret
```

### Sudo rule (no password prompt for openvpn)
```bash
sudo bash -c 'echo "YOUR_USER ALL=(ALL) NOPASSWD: /usr/bin/openvpn" > /etc/sudoers.d/vpn-openvpn && chmod 440 /etc/sudoers.d/vpn-openvpn'
```

### Store credentials in keyring (once)
```bash
# VPN password
secret-tool store --label="Sophos VPN password" service sslvpn user YOUR_USER

# TOTP secret (base32 seed from your authenticator app)
secret-tool store --label="Sophos VPN TOTP" service sslvpn-totp user YOUR_USER
```

### Required files
- OpenVPN config: `~/Downloads/sslvpn-fixed.ovpn` (exported from Sophos user portal)
- Client certificate + key in NetworkManager certificate store:
  `/home/chk/.local/share/networkmanagement/certificates/nm-openvpn/`
  - `sslvpn-fixed-cert.pem`
  - `sslvpn-fixed-key.pem`

> The `.ovpn` file has empty `<cert>` and `<key>` blocks — NM stores them separately.
> The scripts reference the NM certificate path directly.

## Usage

```bash
# Connect
~/bin/vpn-connect.sh

# Disconnect
~/bin/vpn-disconnect.sh

# Check log
sudo cat /tmp/vpn-sophos.log
```

## Configuration

Edit the variables at the top of `vpn-connect.sh`:

| Variable | Description |
|----------|-------------|
| `VPN_USER` | VPN username |
| `OVPN` | Path to .ovpn config file |
| `DNS_SERVER` | VPN DNS server IP |
| `DNS_SEARCH` | Space-separated search domains |
| `CERT_DIR` | Directory containing cert/key PEM files |

## Pitfalls & lessons learned

### `#` in password breaks openvpn management interface
The openvpn management protocol interprets `#` as a comment character.
Passwords containing `#` must be wrapped in double quotes:
```
password "Auth" "mypassword#123456"
```
Without quotes, everything after `#` is silently ignored → `AUTH_FAILED`.

### ydotool / wtype don't work on KDE Wayland
- `ydotool` sends US keycodes — `y`↔`z` swap, `#` becomes `$` on DE layout
- `wtype` requires `zwp_virtual_keyboard` protocol — not supported by KDE Plasma
- `xdotool` works via XWayland but the KDE auth dialog runs natively on Wayland

### NM passwd-file is ignored with challenge-response-flags=2
Sophos VPN profiles exported from the user portal set `challenge-response-flags=2`
in the NetworkManager connection. With this flag, NM ignores `--passwd-file` and
waits for its interactive secret agent (KDE dialog). Removing the flag causes
connection timeouts. The only reliable automation path is bypassing NM entirely.

### OTP timing
The script waits for a fresh 30s TOTP window (>20s remaining) before generating
the OTP to avoid expiry during the TLS handshake.

### DNS requires routing domains (`~` prefix)
`resolvectl domain tun0 krah-gruppe.de` sets a search domain but does NOT route
DNS queries for that domain to tun0. The `~` prefix is required:
```
resolvectl domain tun0 ~krah-gruppe.de ~internal.lan ...
```

### VPN network icon does not show connected state
Since openvpn is started directly (not via NM), the NetworkManager applet in the
system tray does not reflect the VPN state. Functionally everything works.
To check: `ip link show tun0` or `sudo cat /tmp/vpn-sophos.log`.

### Account lockout
Sophos locks the account after several failed AUTH attempts. Wait ~5 minutes
before retrying after multiple failures.