-rw-r--r--data/templates/ocserv/ocserv_config.j220
-rw-r--r--interface-definitions/vpn-openconnect.xml.in30
2 files changed, 47 insertions, 3 deletions
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 1cbb52ccf..5d5a4101b 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -7,11 +7,11 @@ run-as-user = nobody
run-as-group = daemon
{% if "radius" in authentication.mode %}
-{% if "yes" in authentication.radius.groupconfig %}
+{% if "yes" in authentication.radius.groupconfig %}
auth = "radius [config=/run/ocserv/radiusclient.conf,groupconfig=true]"
-{% else %}
+{% else %}
auth = "radius [config=/run/ocserv/radiusclient.conf]"
-{% endif %}
+{% endif %}
{% elif "local" in authentication.mode %}
{% if authentication.mode.local == "password-otp" %}
auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
@@ -66,6 +66,13 @@ device = sslvpn
dns = {{ dns }}
{% endfor %}
{% endif %}
+{% if network_settings.tunnel_all_dns is vyos_defined %}
+{% if "yes" in network_settings.tunnel_all_dns %}
+tunnel-all-dns = true
+{% else %}
+tunnel-all-dns = false
+{% endif %}
+{% endif %}
# IPv4 network pool
{% if network_settings.client_ip_settings.subnet is vyos_defined %}
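Review bot: The new condition `{% if "yes" in network_settings.tunnel_all_dns %}` tests substring membership on a string value rather than equality, unlike the `authentication.mode.local == "password-otp"` comparison earlier in this file; `{% if network_settings.tunnel_all_dns == "yes" %}` says what is meant and cannot be satisfied by a value that merely contains "yes". More importantly, the else branch writes `tunnel-all-dns = false` explicitly while the CLI leaf added in the other file of this commit declares `<defaultValue>no</defaultValue>`, so if defaults are merged into the config dict before rendering (not visible here) every existing deployment loses ocserv's own behaviour of tunneling all DNS when a default route is set, and client DNS queries that used to go through the tunnel will go to the local resolver instead. Consider rendering the directive only when the user set the option explicitly (keep the `is vyos_defined` guard and drop the CLI default), or documenting the behaviour change in the commit message.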
@@ -89,3 +96,10 @@ route = {{ route }}
split-dns = {{ tmp }}
{% endfor %}
{% endif %}
+
+{% if authentication.groups is vyos_defined %}
+# Group settings
+{% for grp in authentication.groups %}
+select-group = {{ grp }}
+{% endfor %}
+{% endif %}
\ No newline at end of file
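Review bot: The generated `select-group = {{ grp }}` lines carry no comment explaining what a client's group choice is checked against; the only hint is the CLI help text in the other file of this commit ("Maps to RADIUS Class attribute"). Since ocserv applies the client-selected group to per-group settings, a reader of the rendered config should be told that this list only offers groups and that membership is presumably enforced by the authentication backend (the RADIUS groupconfig path at the top of this template), not by this list. Suggest replacing `# Group settings` with `# Groups offered to the client for selection; membership is enforced by the authentication backend (RADIUS Class attribute), not by this list`.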
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 3ab8dd815..54f93344b 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -50,6 +50,16 @@
</leafNode>
</children>
</node>
+ <leafNode name="groups">
+ <properties>
+ <help>Groups that a client is allowed to select from. Maps to RADIUS Class attribute.</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Group string. The group may be followed by a user-friendly name in brackets: group1[First Group]</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
#include <include/auth-local-users.xml.i>
<node name="local-users">
<children>
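Review bot: The new `groups` leaf has `<multi/>` but no `<constraint>`, so any string the CLI accepts is written verbatim into the ocserv configuration as `select-group = ...` by the template in this commit, whereas the `tunnel-all-dns` leaf added later in this file does constrain its value with a regex. A value with stray whitespace or unbalanced brackets would only surface as a daemon start failure rather than a commit-time validation error. Suggest a constraint matching the format the valueHelp documents, e.g. `<constraint><regex>[^\s\[\]]+(\[[^\]]+\])?</regex></constraint>` (constructed pattern; check it against the group names ocserv accepts) together with a `<constraintErrorMessage>` describing the `group[Friendly Name]` form.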
@@ -298,6 +308,26 @@
<multi/>
</properties>
</leafNode>
+ <leafNode name="tunnel-all-dns">
+ <properties>
+ <help>If the tunnel-all-dns option is set to yes, tunnel all DNS queries via the VPN. This is the default when a default route is set.</help>
+ <completionHelp>
+ <list>yes no</list>
+ </completionHelp>
+ <valueHelp>
+ <format>yes</format>
+ <description>Enable tunneling of all DNS traffic</description>
+ </valueHelp>
+ <valueHelp>
+ <format>no</format>
+ <description>Disable tunneling of all DNS traffic</description>
+ </valueHelp>
+ <constraint>
+ <regex>(yes|no)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>no</defaultValue>
+ </leafNode>
</children>
</node>
</children>
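Review bot: The help text of the new `tunnel-all-dns` leaf states "This is the default when a default route is set", but the leaf declares `<defaultValue>no</defaultValue>`, so the text contradicts the default a user sees in the CLI; it also starts with "If the tunnel-all-dns option is set to yes", which is the daemon manual's phrasing rather than a description of this node. Suggest `<help>Tunnel all client DNS queries through the VPN (ocserv tunnel-all-dns)</help>` and moving the remark about ocserv's own default, if it is still wanted, into the commit message where the chosen `no` default can be justified.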