diff --git a/apps/cistech-tunnel/source/entrypoint.sh b/apps/cistech-tunnel/source/entrypoint.sh
index a00cfd1..6eac090 100755
--- a/apps/cistech-tunnel/source/entrypoint.sh
+++ b/apps/cistech-tunnel/source/entrypoint.sh
@@ -96,8 +96,14 @@ ENVFILE
 source /etc/vpn.env
 echo "[$(date)] Starting VPN connection..."
 
+# Set password for openconnect
+export OPENCONNECT_PASSWORD="$OC_PASSWORD"
+
 # openconnect-sso reads TOTP from keyring automatically
-if [[ -n "$OC_USER" ]]; then
+# Pass password via stdin for SSO form if needed
+if [[ -n "$OC_USER" && -n "$OC_PASSWORD" ]]; then
+  echo "$OC_PASSWORD" | openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD
+elif [[ -n "$OC_USER" ]]; then
   echo "" | openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD
 else
   openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD