From db06a4d1407ae73a04fd3eebf48110225bdf2ed8 Mon Sep 17 00:00:00 2001 
From: Michael Date: Sat, 6 Jan 2018 11:56:06 +0100 Subject: [PATCH] security/openconnect: New plugin (#462) --- security/openconnect/Makefile | 8 ++ security/openconnect/pkg-descr | 11 +++ .../src/etc/inc/plugins.inc.d/openconnect.inc | 88 +++++++++++++++++++ .../src/etc/rc.d/opnsense-openconnect | 58 ++++++++++++ .../Openconnect/Api/GeneralController.php | 39 ++++++++ .../Openconnect/Api/ServiceController.php | 43 +++++++++ .../Openconnect/GeneralController.php | 38 ++++++++ .../OPNsense/Openconnect/forms/general.xml | 26 ++++++ .../models/OPNsense/Openconnect/ACL/ACL.xml | 9 ++ .../models/OPNsense/Openconnect/General.php | 35 ++++++++ .../models/OPNsense/Openconnect/General.xml | 27 ++++++ .../models/OPNsense/Openconnect/Menu/Menu.xml | 5 ++ .../views/OPNsense/Openconnect/general.volt | 61 +++++++++++++ .../conf/actions.d/actions_openconnect.conf | 23 +++++ .../templates/OPNsense/Openconnect/+TARGETS | 3 + .../OPNsense/Openconnect/openconnect | 12 +++ .../OPNsense/Openconnect/openconnect.conf | 11 +++ .../OPNsense/Openconnect/openconnect.secret | 5 ++ 18 files changed, 502 insertions(+) create mode 100644 security/openconnect/Makefile create mode 100644 security/openconnect/pkg-descr create mode 100644 security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc create mode 100644 security/openconnect/src/etc/rc.d/opnsense-openconnect create mode 100644 security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/Api/GeneralController.php create mode 100644 security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/Api/ServiceController.php create mode 100644 security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/GeneralController.php create mode 100644 security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml create mode 100644 security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/ACL/ACL.xml create mode 100644 
security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.php
create mode 100644 security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
create mode 100644 security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/Menu/Menu.xml
create mode 100644 security/openconnect/src/opnsense/mvc/app/views/OPNsense/Openconnect/general.volt
create mode 100644 security/openconnect/src/opnsense/service/conf/actions.d/actions_openconnect.conf
create mode 100644 security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/+TARGETS
create mode 100644 security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect
create mode 100644 security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
create mode 100644 security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.secret
diff --git a/security/openconnect/Makefile b/security/openconnect/Makefile
new file mode 100644
index 000000000..8d81fd17c
--- /dev/null
+++ b/security/openconnect/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME= openconnect
+PLUGIN_VERSION= 0.1
+PLUGIN_COMMENT= OpenConnect Client
+PLUGIN_DEPENDS= openconnect
+PLUGIN_MAINTAINER= m.muenz@gmail.com
+PLUGIN_DEVEL= yes
+
+.include "../../Mk/plugins.mk"
diff --git a/security/openconnect/pkg-descr b/security/openconnect/pkg-descr
new file mode 100644
index 000000000..25de61585
--- /dev/null
+++ b/security/openconnect/pkg-descr
@@ -0,0 +1,11 @@
+OpenConnect is an SSL VPN client initially created to support
+Cisco's AnyConnect SSL VPN. It has since been ported to support
+the Juniper SSL VPN which is now known as Pulse Connect Secure.
+
+OpenConnect is released under the GNU Lesser Public License, version 2.1.
+
+Like vpnc, OpenConnect is not officially supported by, or associated
+in any way with, Cisco Systems, Juniper Networks or Pulse Secure.
+It just happens to interoperate with their equipment.
+
+WWW: http://www.infradead.org/openconnect/
diff --git a/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc b/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc
new file mode 100644
index 000000000..4f3658872
--- /dev/null
+++ b/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc
@@ -0,0 +1,88 @@
+enabled == '1') {
+ return true;
+ }
+
+ return false;
+}
+
+function openconnect_services()
+{
+ global $config;
+
+ $services = array();
+
+ if (isset($config['OPNsense']['openconnect']['general']['enabled']) && $config['OPNsense']['openconnect']['general']['enabled'] == 1) {
+ $services[] = array(
+ 'description' => gettext('Openconnect Client'),
+ 'configd' => array(
+ 'restart' => array('openconnect restart'),
+ 'start' => array('openconnect start'),
+ 'stop' => array('openconnect stop'),
+ ),
+ 'name' => 'openconnect',
+ 'pidfile' => '/var/run/openconnect.pid'
+ );
+ }
+
+ return $services;
+}
+
+
+function openconnect_interfaces()
+{
+ $interfaces = array();
+
+ if (!openconnect_enabled()) {
+ return $interfaces;
+ }
+
+ $oic = array('enable' => true);
+ $oic['if'] = 'ocvpn';
+ $oic['descr'] = 'OpenConnect';
+ $oic['type'] = 'group';
+ $oic['virtual'] = true;
+ $oic['networks'] = array();
+ $interfaces['ocvpn'] = $oic;
+
+ return $interfaces;
+}
+
+function openconnect_xmlrpc_sync()
+{
+ $result = array();
+ $result['id'] = 'openconnectvpn';
+ $result['section'] = 'OPNsense.openconnect';
+ $result['description'] = gettext('OpenConnect Client');
+ return array($result);
+}
diff --git a/security/openconnect/src/etc/rc.d/opnsense-openconnect b/security/openconnect/src/etc/rc.d/opnsense-openconnect
new file mode 100644
index 000000000..54dfd222d
--- /dev/null
+++ b/security/openconnect/src/etc/rc.d/opnsense-openconnect
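Review bot: openconnect_services() re-implements the enabled check by reading `$config['OPNsense']['openconnect']['general']['enabled'] == 1` with a loose comparison, while openconnect_enabled() a few lines above compares the model value with `== '1'`, so the service entry and the interface registration in openconnect_interfaces() can disagree on what "enabled" means. Replace the `global $config` lookup with `if (openconnect_enabled()) {` so there is a single definition, and drop the now-unused `global $config;`. The beginning of openconnect_enabled() is truncated in this rendering of the hunk, so this assumes it only consults the model's enabled flag; please confirm.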
@@ -0,0 +1,58 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# PROVIDE: opnsense-openconnect
+# REQUIRE: SERVERS
+# KEYWORD: shutdown
+#
+
+. /etc/rc.subr
+
+name=openconnect
+
+stop_cmd=openconnect_stop
+start_cmd=openconnect_start
+status_cmd=openconnect_status
+rcvar=openconnect_enable
+
+load_rc_config opnsense-openconnect
+pidfile=/var/run/${name}.pid
+command=/usr/local/sbin/${name}
+
+secret=/usr/local/etc/openconnect.secret
+
+[ -z "$openconnect_enable" ] && openconnect_enable="NO"
+
+# status of openconnect
+openconnect_status()
+{
+ if [ -n "$rc_pid" ]; then
+ echo "${name} is running as pid $rc_pid."
+ return 0
+ else
+ echo "${name} is not running."
+ fi
+}
+
+# stop openconnect
+openconnect_stop()
+{
+ echo "stopping openconnect"
+ killall openconnect
+ ifconfig ocvpn0 destroy
+ return 0
+}
+
+# start openconnect
+openconnect_start()
+{
+ echo "starting openconnect"
+ /usr/local/sbin/openconnect ${openconnect_flags} < /usr/local/etc/openconnect.secret 2>&1 > /dev/null
+ sleep 5
+ ifconfig tun30000 name ocvpn0
+ ifconfig ocvpn0 group ocvpn
+ return 0
+}
+
+run_rc_command $1
diff --git a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/Api/GeneralController.php b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/Api/GeneralController.php
new file mode 100644
index 000000000..5cd9639ef
--- /dev/null
+++ b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/Api/GeneralController.php
@@ -0,0 +1,39 @@
+view->generalForm = $this->getForm("general");
+ $this->view->pick('OPNsense/Openconnect/general');
+ }
+}
diff --git a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
new file mode 100644
index 000000000..2e2c60bfd
--- /dev/null
+++ b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
@@ -0,0 +1,26 @@
+
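Review bot: openconnect_stop terminates by process name with `killall openconnect` and unconditionally returns 0, even though the script sets `pidfile=/var/run/${name}.pid` and the daemon is told to write that file (`pid-file=` in openconnect.conf); this also kills any unrelated openconnect process on the box and reports a failed stop as success. Since openconnect_status already relies on `$rc_pid` from rc.subr, stop should too, e.g. `[ -n "$rc_pid" ] && kill "$rc_pid"`, and `ifconfig ocvpn0 destroy` should only run when the interface exists. In openconnect_start the redirection `2>&1 > /dev/null` sends stderr to the caller's stdout instead of discarding it (the usual intent is `> /dev/null 2>&1`), and the `$secret` variable defined above goes unused while the literal path is repeated. openconnect_status falls through without a return code on its not-running branch; the configd `[status]` action on this page calls it, so add `return 1` there.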
+ + general.enabled + + checkbox + This will activate OpenConnect Client. + + + general.server + + text + The FQDN or IP address of the VPN server. + + + general.user + + text + The user name for this connection. + + + general.password + + password + The password name for this connection. Be aware that it will stored in cleartext on this device. + +
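Review bot: The help text for general.password reads `The password name for this connection. Be aware that it will stored in cleartext on this device.`, which is ungrammatical and says "password name" for a password; suggest `The password for this connection. Be aware that it will be stored in cleartext on this device.` The XML element tags of this form are missing in this rendering of the hunk, so the field structure itself could not be checked.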
diff --git a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/ACL/ACL.xml b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/ACL/ACL.xml new file mode 100644 index 000000000..9408998dd --- /dev/null +++ b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/ACL/ACL.xml @@ -0,0 +1,9 @@ + + + VPN: OpenConnect configuration + + ui/openconnect/* + api/openconnect/* + + + diff --git a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.php b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.php new file mode 100644 index 000000000..cec108a66 --- /dev/null +++ b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.php @@ -0,0 +1,35 @@ + + //OPNsense/openconnect/general + Openconnect configuration + 1.0.0 + + + 0 + Y + + + server + Y + /\S*/ + Please provide IP or hostname (no spaces allowed). + + + user + Y + /^[a-z0-9._-]{1,32}$/ + Please provide a valid username. Allowed characters are a-z0-9._- and it has to be 1-32 characters long. + + + password + Y + + + diff --git a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/Menu/Menu.xml b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/Menu/Menu.xml new file mode 100644 index 000000000..52e0ef70a --- /dev/null +++ b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/Menu/Menu.xml @@ -0,0 +1,5 @@ + + + + + diff --git a/security/openconnect/src/opnsense/mvc/app/views/OPNsense/Openconnect/general.volt b/security/openconnect/src/opnsense/mvc/app/views/OPNsense/Openconnect/general.volt new file mode 100644 index 000000000..1ba7cde6b --- /dev/null +++ b/security/openconnect/src/opnsense/mvc/app/views/OPNsense/Openconnect/general.volt 
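Review bot: The validation mask for the `server` field in the model XML (shown under the General.php hunk header in this rendering) is `/\S*/`, which is unanchored and allows zero length, so preg_match accepts every value, including ones containing spaces, and the message `Please provide IP or hostname (no spaces allowed).` can never trigger. At minimum anchor it as `/^\S+$/`; a tighter set such as `/^[a-zA-Z0-9.:-]+$/` would cover hostnames and IPv4/IPv6 literals. This matters beyond usability because the openconnect template on this page interpolates the value into `openconnect_flags="..."` in a file sourced by sh, so the mask is what keeps shell-significant characters out of that file.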
@@ -0,0 +1,61 @@ +{# + +OPNsense® is Copyright © 2014 – 2018 by Deciso B.V. +This file is Copyright © 2018 by Michael Muenz +All rights reserved. + +Redistribution and use in source and binary forms, with or without modification, +are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +#} +
+ {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}} +
+
+ +
+
+
+
diff --git a/security/openconnect/src/opnsense/service/conf/actions.d/actions_openconnect.conf b/security/openconnect/src/opnsense/service/conf/actions.d/actions_openconnect.conf
new file mode 100644
index 000000000..cd1596665
--- /dev/null
+++ b/security/openconnect/src/opnsense/service/conf/actions.d/actions_openconnect.conf
@@ -0,0 +1,23 @@
+[stop]
+command:sh /usr/local/etc/rc.d/opnsense-openconnect onestop;exit 0
+parameters:
+type:script_output
+message:stop openconnect
+
+[start]
+command:sh /usr/local/etc/rc.d/opnsense-openconnect onestart
+parameters:
+type:script_output
+message:start openconnect
+
+[restart]
+command:sh /usr/local/etc/rc.d/opnsense-openconnect onestop;exit 0;sh /usr/local/etc/rc.d/opnsense-openconnect onestart
+parameters:
+type:script_output
+message:restart openconnect
+
+[status]
+command:sh /usr/local/etc/rc.d/opnsense-openconnect status
+parameters:
+type:script_output
+message:openconnect status
diff --git a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/+TARGETS b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/+TARGETS
new file mode 100644
index 000000000..02d684604
--- /dev/null
+++ b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/+TARGETS
@@ -0,0 +1,3 @@
+openconnect:/etc/rc.conf.d/opnsense-openconnect
+openconnect.conf:/usr/local/etc/openconnect.conf
+openconnect.secret:/usr/local/etc/openconnect.secret
diff --git a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect
new file mode 100644
index 000000000..5b8dd9037
--- /dev/null
+++ b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect
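Review bot: The `[restart]` command `onestop;exit 0;sh /usr/local/etc/rc.d/opnsense-openconnect onestart` never starts the service, because `exit 0` ends the command shell before the second `sh` runs; the action only stops openconnect. Change it to `command:sh /usr/local/etc/rc.d/opnsense-openconnect onestop; sh /usr/local/etc/rc.d/opnsense-openconnect onestart`, or simply `command:sh /usr/local/etc/rc.d/opnsense-openconnect onerestart`, which rc.subr implements as stop followed by start. The `;exit 0` in `[stop]` likewise masks a failed stop from the UI; if the intent is only to tolerate "not running", it is better handled by a proper return code in the rc script's stop function.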
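Review bot: `openconnect.secret:/usr/local/etc/openconnect.secret` renders the VPN password in cleartext (the openconnect.secret template on this page emits it verbatim), and nothing on this page sets the mode of that file. Whether the template engine applies a restrictive mode on render is not visible here; if it does not, the file should be root-only, e.g. `chmod 600 /usr/local/etc/openconnect.secret` before the rc script feeds it to openconnect on stdin. The same consideration applies to the rendered rc.conf.d file, which is sourced by sh and should not be group/world-writable.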
@@ -0,0 +1,12 @@
+{% if helpers.exists('OPNsense.openconnect.general.enabled') and OPNsense.openconnect.general.enabled == '1' %}
+openconnect_enable="YES"
+{% if helpers.exists('OPNsense.openconnect.general.server') and OPNsense.openconnect.general.server != '' %}
+{% if helpers.exists('OPNsense.openconnect.general.user') and OPNsense.openconnect.general.user != '' %}
+{% if helpers.exists('OPNsense.openconnect.general.password') and OPNsense.openconnect.general.password != '' %}
+openconnect_flags="--config=/usr/local/etc/openconnect.conf {{ OPNsense.openconnect.general.server }}"
+{% endif %}
+{% endif %}
+{% endif %}
+{% else %}
+openconnect_enable="NO"
+{% endif %}
diff --git a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
new file mode 100644
index 000000000..b85015237
--- /dev/null
+++ b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
@@ -0,0 +1,11 @@
+{% if helpers.exists('OPNsense.openconnect.general.enabled') and OPNsense.openconnect.general.enabled == '1' %}
+{% if helpers.exists('OPNsense.openconnect.general.user') and OPNsense.openconnect.general.user != '' %}
+user={{ OPNsense.openconnect.general.user }}
+{% endif %}
+pid-file=/var/run/openconnect.pid
+background
+quiet
+interface=tun30000
+syslog
+passwd-on-stdin
+{% endif %}
diff --git a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.secret b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.secret
new file mode 100644
index 000000000..7153b880c
--- /dev/null
+++ b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.secret
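Review bot: The server value is interpolated unescaped into `openconnect_flags="--config=/usr/local/etc/openconnect.conf {{ OPNsense.openconnect.general.server }}"`, a shell variable assignment in a file that rc.subr sources; the model's `/\S*/` mask (see the General.xml hunk) does not constrain the value, so nothing on this page keeps quote or substitution characters out of that sourced file. Tighten the mask at the model to hostname/IP characters so the template can rely on it, and consider a comment on this line such as `{# server is validated by the model mask; it lands in a file sourced by sh #}` to make the dependency explicit. Note also that when enabled is set but any of server/user/password is empty, `openconnect_enable="YES"` is written without `openconnect_flags`, so the rc script will start openconnect with no server argument.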
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.openconnect.general.enabled') and OPNsense.openconnect.general.enabled == '1' %}
+{% if helpers.exists('OPNsense.openconnect.general.password') and OPNsense.openconnect.general.password != '' %}
+{{ OPNsense.openconnect.general.password }}
+{% endif %}
+{% endif %}