wat?

OpenConnect is an alternative to the official Cisco AnyConnect VPN client. Gentoo ships a simple OpenRC init script to configure it for multiple VPNs; however, the script expects you to hard-code your password in a configuration file and provides no mechanism for multifactor authentication. A few simple changes to the init script add support for prompting for the password and TOTP token. It should be simple to add support for other mechanisms as well, but I have no way to test those changes.

Modifications

/etc/conf.d/openconnect modifications:

server_vpn0="<server>"
+password_prompt_vpn0="true"
+token_prompt_vpn0="true"
+#password_vpn0=""
-password_vpn0=""
+vpnopts_vpn0="-l --passwd-on-stdin --non-inter --pfs --user=<user> --script=/etc/openconnect/openconnect.sh"
-vpnopts_vpn0="-l --passwd-on-stdin --user=<user> --script=/etc/openconnect/openconnect.sh"
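Review bot: The value `"true"` on `password_prompt_vpn0` and `token_prompt_vpn0` suggests a boolean, but the init script only tests these variables with `[ -z ... ]`, so any non-empty value enables the prompt, including `"false"` or `"no"`. Someone who sets `password_prompt_vpn0="false"` and restores `password_vpn0` would still be prompted, and the stored password would be ignored. A comment above the two settings would prevent that, for example `# any non-empty value enables the prompt; leave unset to fall back to password_vpn0`. Because `--non-inter` makes openconnect exit instead of asking for missing input, it is also worth a comment that both values must then arrive on stdin from the init script.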
			

/etc/init.d/openconnect modifications:

#!/sbin/openrc-run
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

VPN="${RC_SVCNAME#*.}"
VPNDIR="/etc/openconnect/${VPN}"
VPNLOG="/var/log/openconnect/${VPN}"
VPNLOGFILE="${VPNLOG}/openconnect.log"
VPNERRFILE="${VPNLOG}/openconnect.err"

+USER="nobody"
+
command="/usr/sbin/openconnect"
name="OpenConnect: ${VPN}"
pidfile="/run/openconnect/${VPN}.pid"
stopsig="SIGINT"
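Review bot: `USER="nobody"` reuses the name of the standard login environment variable and selects an account that other unprivileged services commonly share, so unrelated processes running as nobody could at least send signals to openconnect once it has dropped privileges. A dedicated account and a service-specific variable would isolate it better, e.g. `vpn_user="<dedicated-account>"` (placeholder; the account must be created first), with the `--setuid` argument in start() changed to match. It is also worth confirming that the `--script` hook still has the privileges it needs at reconnect and disconnect after the drop, since the page does not show that being tested.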

...

start() {
+	local server vpnopts password password_prompt token_prompt
-	local server vpnopts password
	eval server=\$server_${VPN}
-	eval password=\$password_${VPN}
	eval vpnopts=\$vpnopts_${VPN}
+	eval password_prompt=\$password_prompt_${VPN}
+	eval token_prompt=\$token_prompt_${VPN}
+	
+	if [ -z "$password_prompt" ];
+	then
+		eval password=\$password_${VPN}
+	else
+		read -rs -p "password: " password
+		echo
+	fi
+
+	if [ ! -z "$token_prompt" ];
+	then
+		read -rs -p "token: " token
+		echo
+	fi

	ebegin "Starting ${name}"
	start-stop-daemon --start --exec "${command}" -- \
		--background \
		--interface="${VPN}" \
		--pid-file="${pidfile}" \
+		--setuid="${USER}" \
		${vpnopts} \
		"${server}" \
		>> "${VPNLOGFILE}" \
		2>> "${VPNERRFILE}" \
		<<EOF
${password}
+${token}
EOF
	eend $?
}
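Review bot: The prompts `read -rs -p "password: " password` and `read -rs -p "token: " token` use `-s` and `-p`, which are not POSIX `read` options, and OpenRC service scripts run under /bin/sh. Where /bin/sh is not bash the read is likely to fail, leaving the credential empty while the daemon is still started. The prompts also assume a terminal on stdin, so the service cannot sensibly start from a boot runlevel. A guard before the first prompt, such as `[ -t 0 ] || { eerror "no terminal for credential prompt"; return 1; }`, would make that failure explicit. `token` is also missing from the `local` list, which should read `local server vpnopts password password_prompt token_prompt token` so the one-time code does not become a global of the service script.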