Automating VPN Reconnection on macOS: GlobalProtect with Hammerspoon

In today's remote work landscape, a stable VPN connection is critical - yet even the most reliable clients, like GlobalProtect, can falter, disrupting access to internal resources. For macOS users, manually reconnecting a dropped VPN is an unnecessary burden. This guide presents a sophisticated, automated solution to keep GlobalProtect connected, using shell scripts, AppleScript, LaunchAgents, and Hammerspoon. While optimized for GlobalProtect, notes throughout highlight where adaptations may be needed for other VPN clients. The result? A system that monitors your VPN status every two minutes and triggers reconnection upon screen unlock - all hands-free. Tested on macOS Catalina and later, this setup is ideal for IT professionals, developers, and remote workers. Let's dive into the implementation. The Objective: Uninterrupted GlobalProtect Connectivity This solution ensures GlobalProtect stays active by: Using a shell script to check VPN status via DNS resolution. Employing an AppleScript to manage GlobalProtect's UI for reconnection. Running a LaunchAgent for periodic monitoring. Leveraging Hammerspoon to check connectivity on screen unlock. Here's how to deploy it, with notes for customization. Prerequisites Ensure you have: macOS (Catalina or later). Homebrew installed (https://brew.sh). Hammerspoon (brew install - cask hammerspoon). terminal-notifier (brew install terminal-notifier). Accessibility permissions for Hammerspoon and UI scripting (System Preferences > Security & Privacy > Privacy > Accessibility). Terminal and text-editing proficiency. Scripts use absolute paths for consistency. Step 1: VPN Status Detection (Shell Script) The backbone is vpn_check.sh, which verifies GlobalProtect connectivity by resolving an internal domain (e.g., Any Internal Domain ). If resolution succeeds, the VPN is active; if it fails, reconnection is triggered. File: ~/Scripts/vpn_check.sh #!/bin/bash # vpn_check.sh # Define the internal domain that's accessible only when VPN is active internalDomain="wdc1-graf-p01.omnissa.com" # Perform DNS resolution using nslookup dnsResult=$(nslookup "$internalDomain" 2>&1) # Debug output (optional) # echo "DNS result:" # echo "$dnsResult" # Check if nslookup output indicates successful resolution. # Consider it failed if the output contains "Non-existent domain", "Can't find", or "error". if [[ "$dnsResult" != "Non-existent domain" && "$dnsResult" != "Can't find" && "$dnsResult" != "error" ]]; then # VPN is connected: do nothing exit 0 else terminal-notifier -title "VPN Status" -message "VPN is not connected, launching GlobalProtect" echo "$(date): Running VPN check" >> ~/vpn_debug.log osascript ~/Scripts/vpn_check.scpt >> ~/vpn_debug.log 2>&1 fi Set permissions: chmod a+x ~/Scripts/vpn_check.sh Note for Other VPNs: The internal domain is specific to GlobalProtect environments. Replace it with a domain or IP only accessible via your VPN. If your VPN lacks a unique internal domain, consider a ping-based check (e.g., ping -c 2 ) and adjust the logic accordingly. Step 2: UI Automation (AppleScript) The vpn_check.scpt script interacts with GlobalProtect's UI to reconnect when needed. It checks the app's state, opens its window, and clicks "Connect," verifying success with a ping. File: ~/Scripts/vpn_check.scpt -- First, check if GlobalProtect is running and whether its UI window is open try tell application "System Events" if not (exists process "GlobalProtect") then error "GlobalProtect is not running." end if tell process "GlobalProtect" set uiAlreadyOpen to false if exists window 1 then set uiAlreadyOpen to true else if exists menu bar item 1 of menu bar 2 then click menu bar item 1 of menu bar 2 delay 1 else error "GlobalProtect menu bar item not available." end if if not (exists window 1) then error "GlobalProtect window did not appear." end if set buttonTitle to title of button 2 of window 1 end tell end tell on error errMsg number errNum display notification "Error accessing GlobalProtect UI: " & errMsg with title "GlobalProtect Error" return end try -- Perform action based on the button title if buttonTitle is "Connect" then try tell application "System Events" tell process "GlobalProtect" click button 2 of window 1 end tell end tell delay 3 on error errMsg number errNum display notification "Error clicking Connect: " & errMsg with title "GlobalProtect Error" return end try try set recheckPing to do shell script "ping -c 2 10.235.3.14 | grep '2 packets received' || echo 'failed'" on error errMsg number errNum display notification "Error executing ping: " & errMsg with t

Mar 17, 2025 - 11:50

Automating VPN Reconnection on macOS: GlobalProtect with Hammerspoon

In today's remote work landscape, a stable VPN connection is critical - yet even the most reliable clients, like GlobalProtect, can falter, disrupting access to internal resources. For macOS users, manually reconnecting a dropped VPN is an unnecessary burden. This guide presents a sophisticated, automated solution to keep GlobalProtect connected, using shell scripts, AppleScript, LaunchAgents, and Hammerspoon. While optimized for GlobalProtect, notes throughout highlight where adaptations may be needed for other VPN clients.
The result? A system that monitors your VPN status every two minutes and triggers reconnection upon screen unlock - all hands-free. Tested on macOS Catalina and later, this setup is ideal for IT professionals, developers, and remote workers. Let's dive into the implementation.

The Objective: Uninterrupted GlobalProtect Connectivity

This solution ensures GlobalProtect stays active by:

Using a shell script to check VPN status via DNS resolution.
Employing an AppleScript to manage GlobalProtect's UI for reconnection.
Running a LaunchAgent for periodic monitoring.
Leveraging Hammerspoon to check connectivity on screen unlock.

Here's how to deploy it, with notes for customization.

Prerequisites

Ensure you have:

macOS (Catalina or later).
Homebrew installed (https://brew.sh).
Hammerspoon (brew install - cask hammerspoon).
terminal-notifier (brew install terminal-notifier).
Accessibility permissions for Hammerspoon and UI scripting (System Preferences > Security & Privacy > Privacy > Accessibility).
Terminal and text-editing proficiency.

Scripts use absolute paths for consistency.

Step 1: VPN Status Detection (Shell Script)

The backbone is vpn_check.sh, which verifies GlobalProtect connectivity by resolving an internal domain (e.g., Any Internal Domain ). If resolution succeeds, the VPN is active; if it fails, reconnection is triggered.

File: ~/Scripts/vpn_check.sh

#!/bin/bash
# vpn_check.sh
# Define the internal domain that's accessible only when VPN is active
internalDomain="wdc1-graf-p01.omnissa.com"
# Perform DNS resolution using nslookup
dnsResult=$(nslookup "$internalDomain" 2>&1)
# Debug output (optional)
# echo "DNS result:"
# echo "$dnsResult"
# Check if nslookup output indicates successful resolution.
# Consider it failed if the output contains "Non-existent domain", "Can't find", or "error".
if [[ "$dnsResult" != *"Non-existent domain"* && "$dnsResult" != *"Can't find"* && "$dnsResult" != *"error"* ]]; then
    # VPN is connected: do nothing
    exit 0
else
    terminal-notifier -title "VPN Status" -message "VPN is not connected, launching GlobalProtect"
    echo "$(date): Running VPN check" >> ~/vpn_debug.log
    osascript ~/Scripts/vpn_check.scpt >> ~/vpn_debug.log 2>&1
fi

Set permissions:
chmod a+x ~/Scripts/vpn_check.sh

Note for Other VPNs: The internal domain is specific to GlobalProtect environments. Replace it with a domain or IP only accessible via your VPN. If your VPN lacks a unique internal domain, consider a ping-based check (e.g., ping -c 2 ) and adjust the logic accordingly.

Step 2: UI Automation (AppleScript)
The vpn_check.scpt script interacts with GlobalProtect's UI to reconnect when needed. It checks the app's state, opens its window, and clicks "Connect," verifying success with a ping.

File: ~/Scripts/vpn_check.scpt

-- First, check if GlobalProtect is running and whether its UI window is open
try
    tell application "System Events"
        if not (exists process "GlobalProtect") then
            error "GlobalProtect is not running."
        end if

        tell process "GlobalProtect"
            set uiAlreadyOpen to false
            if exists window 1 then
                set uiAlreadyOpen to true
            else if exists menu bar item 1 of menu bar 2 then
                click menu bar item 1 of menu bar 2
                delay 1
            else
                error "GlobalProtect menu bar item not available."
            end if

            if not (exists window 1) then
                error "GlobalProtect window did not appear."
            end if

            set buttonTitle to title of button 2 of window 1
        end tell
    end tell
on error errMsg number errNum
    display notification "Error accessing GlobalProtect UI: " & errMsg with title "GlobalProtect Error"
    return
end try
-- Perform action based on the button title
if buttonTitle is "Connect" then
    try
        tell application "System Events"
            tell process "GlobalProtect"
                click button 2 of window 1
            end tell
        end tell
        delay 3
    on error errMsg number errNum
        display notification "Error clicking Connect: " & errMsg with title "GlobalProtect Error"
        return
    end try

    try
        set recheckPing to do shell script "ping -c 2 10.235.3.14 | grep '2 packets received' || echo 'failed'"
    on error errMsg number errNum
        display notification "Error executing ping: " & errMsg with title "GlobalProtect Error"
        return
    end try

    if recheckPing contains "2 packets received" then
        display notification "VPN connected successfully" with title "GlobalProtect Status"
    else
        display notification "VPN connection attempt failed" with title "GlobalProtect Error"
    end if

else if buttonTitle is "Disconnect" then
    display notification "VPN UI shows connected, but ping failed" with title "GlobalProtect Warning"
else
    display notification "Unable to determine VPN status via UI" with title "GlobalProtect Error"
end if
-- Finally, if the UI was not already open, close the window/menu
try
    tell application "System Events"
        tell process "GlobalProtect"
            if exists menu bar item 1 of menu bar 2 then
                click menu bar item 1 of menu bar 2
            end if
        end tell
    end tell
on error errMsg number errNum
    display notification "Error closing GlobalProtect UI: " & errMsg with title "GlobalProtect Error"
end try

Note for Other VPNs: This script is tailored to GlobalProtect's UI structure (e.g., menu bar item and button titles). For other clients like Cisco AnyConnect or OpenVPN, inspect the UI elements using Accessibility Inspector (part of Xcode) and modify the script to target the correct process name, window, and button labels. The ping target (10.235.3.14) must also be swapped for an internal resource specific to your VPN.

Step 3: Periodic Monitoring (LaunchAgent)
A LaunchAgent runs vpn_check.sh every 120 seconds to maintain GlobalProtect's uptime.

File: ~/Library/LaunchAgents/com.user.vpncheck.plist





    Label
    com.user.vpncheck
    ProgramArguments
    
        /bin/bash
        /Users//Scripts/vpn_check.sh
    
    RunAtLoad
    
    StartInterval
    120

Load it:

launchctl unload ~/Library/LaunchAgents/com.user.vpncheck.plist 2>/dev/null
launchctl load ~/Library/LaunchAgents/com.user.vpncheck.plist

Substitute /Users/your_username with your path.

Note for Other VPNs: This step is VPN-agnostic, assuming your vpn_check.sh is adapted. No changes are needed here unless your reconnection logic requires additional arguments.

Step 4: Screen Unlock Trigger (Hammerspoon)

Hammerspoon executes vpn_check.sh on screen unlock, ensuring GlobalProtect reconnects after idle periods. Install it:

brew install --cask hammerspoon

Grant Accessibility permissions, then edit ~/.hammerspoon/init.lua:

hs.alert.show("Hammerspoon initialized")
local sessionWatcher = hs.caffeinate.watcher.new(function(event)
    if event == hs.caffeinate.watcher.screensDidUnlock then
        hs.execute("~/Scripts/vpn_check.sh")
        hs.notify.new({title="VPN Check", informativeText="Executed on screen unlock"}):send()
    end
end)
sessionWatcher:start()

Reload via Hammerspoon's menu bar or hs.reload() in its console.

Note for Other VPNs: This configuration is universal, relying on vpn_check.sh. Ensure the script aligns with your VPN's requirements.
Validation and Troubleshooting

Testing the Shell Script and LaunchAgent

Manually run ~/Scripts/vpn_check.sh and review ~/vpn_debug.log.

Force a LaunchAgent run:
launchctl kickstart -k gui//com.user.vpncheck.

Testing Hammerspoon
Lock (Control+Command+Q) and unlock your screen; confirm execution via notifications and logs.
~/vpn_debug.log is your troubleshooting lifeline.

Key Considerations

Use absolute paths throughout.
Ensure scripts are executable (chmod a+x).
Adjust domains, IPs, and delays for your environment.
LaunchAgents and Hammerspoon may lack environment variables - define them explicitly if required.