Home Features Getting Started Mailing List / Help Contribute Protocols VPN Server

OpenConnect VPN client

About Supported Platforms Download Packages Changelog Licence

Download

Released versions of OpenConnect are available from the FTP site, and also over HTTP:

• ftp://ftp.infradead.org/pub/openconnect/
• https://www.infradead.org/openconnect/download/

Release tarballs (since 3.13) are signed with the PGP key with fingerprint BE07 D9FD 5480 9AB2 C4B0 FF5F 6376 2CDA 67E2 F359.

The latest release is OpenConnect v9.20 (PGP signature), released on 2026-06-13 with the following changelog:

• Use oc_text_buf for dynamic string construction instead of unsafe snprintf() cursor arithmetic.
• Handle short reads from Pulse server during packet reassembly (#456, !608).
• Support non-default TOTP period from PSKC token data (#843).
• Support otpauth:// URI format for HOTP/TOTP token secrets (#843).
• Fix Cisco Anyconnect STRAP channel bindings with TLSv1.3 (#659).
• Fix ASN.1 encoding of TPMv2 ECDSA signatures with GnuTLS < 3.6.0
• Handle Pulse configuration packets that cannot fit in a single TLS frame (#617, !480).
• Send operating system information to Pulse servers (!481).
• Change default user-agent string to be compatible with newer Cisco servers ( #544, #593, #602, #618, #635, #657, #662, #665, !497).
• Fix bug which has caused GlobalProtect split-include IPv6 routes to be broken since v9.00 (64f0c03d).
• Sort GlobalProtect gateways according to portal's regionalized priority list (#663, !495).
• openconnect_disable_dtls() allows to disable DTLS unless it is already connected (#697)
• Enable DTLSv1.0 to continue working with OpenSSL v3.1.0 and newer (!504, !536).
• Fix bug that caused OpenConnect to incorrectly log the remaining time until a re-key or periodic Trojan (#677, !539)
• Fix bug that prevented GlobalProtect ESP from working correctly when the server sends both Legacy IP and IPv6 versions of the ESP "magic ping" address, but no IPv6 client address (!565)
• Use the full URI (including "usergroup" or path) as specified in --server for all requests during authentication instead of only the first one (!560).
• Deal with more Juniper NC framing idiocy (#779).
• Stop OpenConnect from exiting with SIGPIPE(#783).
• Fix Cisco DTLS MTU detection when servers don't send back the same DPD payload(#823).

For older releases and change logs, see the changelog page.

Latest sources

The latest source code is available from the git repository at:

• git://git.infradead.org/users/dwmw2/openconnect.git
  or browsable in gitweb at:
• https://git.infradead.org/users/dwmw2/openconnect.git