OpenConnect

From Official NixOS Wiki

OpenConnect is a free, open‑source client‑to‑site VPN that works with many commercial SSL‑VPN gateways, such as Cisco AnyConnect, Palo Alto GlobalProtect, Pulse Secure (including Pulse Connect Secure), Juniper Network Connect, Fortinet, F5 and Array Networks.

Setup

The following example configures a permanent VPN connection with OpenConnect using the anyconnect protocol.

networking.openconnect.interfaces.myvpn = {
  gateway = "vpn-ac.uni-heidelberg.de/2fa";
  protocol = "anyconnect";
  user = "myuser";
  # Plain-text password; keep this file outside the Nix store, root-owned and mode 0600.
  passwordFile = "/etc/secrets/openconnect-secret";
  # Each attribute becomes an openconnect long option; `true` yields a bare flag.
  extraOptions = {
    useragent = "AnyConnect";
    non-inter = true;
  };
};

You can also supply a TOTP secret for two-factor authentication (avoid this in production: the secret then sits in plain text in the NixOS configuration, so the second factor no longer adds anything beyond the password) and use vpn-slice for split tunnelling instead of routing all traffic through the VPN gateway.

networking.openconnect.interfaces.myvpn = {
  # gateway, protocol, user and passwordFile as in the example above
  extraOptions = {
    token-mode = "totp";
    # Placeholder value; a real secret here ends up in the world-readable Nix store.
    token-secret = "base32:ABC123";
    # vpn-slice routes only the listed subnets through the tunnel.
    script = "${pkgs.vpn-slice}/bin/vpn-slice 129.206.0.0/16";
  };
};
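As an added example (not code from the wiki page or the nixpkgs module), the following Python script audits an interface definition like the two above before it is deployed: it renders the extraOptions the way the module hands them to openconnect (assumed: a true value becomes a bare flag, anything else name=value), lists the options whose secret value would thereby land in the world-readable Nix store, and checks that passwordFile is outside the store, root-owned and mode 0600. The SECRET_OPTIONS list and the constructed sample password file are the author's assumptions.

```python
"""Added example (not from the wiki page or the nixpkgs module): audit an
OpenConnect interface definition before deploying it."""
import os
import stat
import tempfile
# Assumption: credential-carrying openconnect options (author's own list).
SECRET_OPTIONS = {"token-secret", "key-password"}

def render_options(extra):
    """Assumed rendering: true -> bare flag, other values -> name=value."""
    lines = []
    for name, value in sorted(extra.items()):
        if value is True:
            lines.append(name)
        elif value is not False:
            lines.append(f"{name}={value}")
    return lines

def store_exposed_secrets(extra):
    """Options whose value ends up readable in /nix/store."""
    return sorted(name for name in extra if name in SECRET_OPTIONS)

def check_password_file(path, expected_uid=0):
    """Findings for passwordFile; an empty list means it looks fine."""
    findings = []
    if path.startswith("/nix/store/"):
        findings.append("passwordFile lives in the Nix store (world-readable)")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings + ["passwordFile does not exist"]
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} is readable by group or others")
    return findings

def audit_constructed_example():
    """Check the page's TOTP/vpn-slice options plus a constructed password
    file that was deliberately created with an over-permissive mode."""
    extra = {"token-mode": "totp", "token-secret": "base32:ABC123",
             "script": "vpn-slice 129.206.0.0/16"}
    secret = os.path.join(tempfile.mkdtemp(), "openconnect-secret")
    with open(secret, "w") as fh:
        fh.write("placeholder-password\n")  # constructed, not a real secret
    os.chmod(secret, 0o644)
    return {"config_lines": render_options(extra),
            "store_exposed": store_exposed_secrets(extra),
            "password_file": check_password_file(secret, os.getuid())}
```

Running `audit_constructed_example()` reports `token-secret` as store-exposed and flags the 0644 password file; a clean deployment returns an empty `password_file` list.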