OpenConnect

From Official NixOS Wiki
Revision as of 09:20, 30 May 2026 by Onny (talk | contribs) (Initial page)

OpenConnect is a free, open-source client-to-site VPN client that works with many commercial SSL-VPN gateways, such as Cisco AnyConnect, Palo Alto GlobalProtect, Pulse Secure (including Pulse Connect Secure), Juniper Network Connect, Fortinet, F5 and Array Networks.

Setup

The following example configures a permanent VPN connection with OpenConnect using the anyconnect protocol. The interface is managed by the NixOS module under networking.openconnect, which runs a systemd service per configured interface.

networking.openconnect.interfaces.myvpn = {
  # Gateway host, optionally followed by a path or usergroup
  gateway = "vpn-ac.uni-heidelberg.de/2fa";
  protocol = "anyconnect";
  user = "myuser";
  # The password is read from a file outside the Nix store, not from the configuration itself
  passwordFile = "/etc/secrets/openconnect-secret";
  # Passed through to the OpenConnect config file as "useragent=AnyConnect" and "non-inter"
  extraOptions = {
    useragent = "AnyConnect";
    non-inter = true;   # never prompt interactively; the service fails instead of hanging on input
  };
};

You can also provide a TOTP secret for two-factor authentication, which should be avoided in production environments since it weakens the security model drastically: the TOTP seed then lives in plaintext in the system configuration, so the second factor no longer adds anything beyond what the host already holds. Additionally, vpn-slice can be used to achieve split tunneling, routing only the listed networks through the VPN instead of all traffic.

networking.openconnect.interfaces.myvpn = {
  [...]
  extraOptions = {
    # Generate the one-time code from a TOTP seed instead of prompting for it
    token-mode = "totp";
    token-secret = "base32:ABC123";   # placeholder seed; stored in plaintext, see the note above
    # vpn-slice replaces the default vpnc-script and only routes 129.206.0.0/16 through the tunnel
    script = "${pkgs.vpn-slice}/bin/vpn-slice 129.206.0.0/16";
  };
};
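After bringing the interface up, it is worth verifying that split tunneling really took effect, since a gateway can still push a default route over the tunnel. The following check is an added example and not part of the wiki page or the NixOS module: it parses ip route output and reports every route on the tunnel device that is not covered by the allowed prefixes. The device name tun0 and the route listings are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ip route show` on a host where vpn-slice limited the VPN
# to 129.206.0.0/16 (hypothetical addresses, not taken from the page's host).
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
129.206.0.0/16 dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# Constructed sample of a full tunnel: the gateway pushed a default route
# (and the common 0.0.0.0/1 + 128.0.0.0/1 pair) over tun0.
FULL_TUNNEL_ROUTES = """\
default dev tun0 scope link
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""


def parse_routes(text):
    """Yield (destination network, device) for each line of `ip route` output."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or "dev" not in tokens:
            continue
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        # strict=False tolerates host bits being set in the printed prefix
        yield ipaddress.ip_network(dest, strict=False), tokens[tokens.index("dev") + 1]


def routes_outside_allowed(text, tun_dev, allowed):
    """Return the routes on tun_dev that fall outside the allowed prefixes (as strings)."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    leaks = []
    for net, dev in parse_routes(text):
        if dev != tun_dev:
            continue
        covered = any(a.version == net.version and net.subnet_of(a) for a in allowed_nets)
        if not covered:
            leaks.append(str(net))
    return leaks


if __name__ == "__main__":
    for name, routes in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(name, routes_outside_allowed(routes, "tun0", ["129.206.0.0/16"]))
```

On a live host, feed the output of ip route show into routes_outside_allowed; an empty result means only the intended prefixes use the tunnel.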