diff --git a/docs.json b/docs.json
index 0c49896..d19cc55 100644
--- a/docs.json
+++ b/docs.json
@@ -124,7 +124,8 @@
"integrations/infisical",
"integrations/snyk",
"integrations/stripe",
- "integrations/teams"
+ "integrations/teams",
+ "integrations/openconnect"
]
},
{
diff --git a/integrations/openconnect.mdx b/integrations/openconnect.mdx
new file mode 100644
index 0000000..65868dc
--- /dev/null
+++ b/integrations/openconnect.mdx
@@ -0,0 +1,69 @@
+---
+title: "OpenConnect"
+description: "Connect sandboxes to private networks via OpenConnect VPN."
+---
+
+## Features
+
+- Connect agent sandboxes to private networks so they can reach internal databases and services
+- VPN connection is established automatically at the start of every session
+- Works alongside the Postgres integration to access databases that aren't publicly reachable
+
+## Supported VPNs
+
+The VPN integration uses [OpenConnect](https://www.infradead.org/openconnect/), an open-source VPN client that is compatible with several enterprise VPN servers:
+
+| Protocol | Compatible with |
+|----------|----------------|
+| Fortinet SSL VPN | FortiClient, FortiGate |
+| Cisco AnyConnect | Cisco Secure Client, ASA, IOS |
+| Palo Alto GlobalProtect | GlobalProtect client, PAN-OS |
+| Juniper Network Connect | Juniper/Pulse Secure, Ivanti Connect Secure |
+
+If your organization uses any of these VPN products, Tembo can connect to it directly — no changes to your VPN infrastructure required.
+
+## Installation
+
+
+
+ Open [Integrations](https://app.tembo.io/integrations) and click **Install** next to VPN under the **Network** category.
+
+
+ Fill in the connection form:
+ - **Connection Name** — a label for this VPN (e.g. "Production VPN")
+ - **Protocol** — select your VPN type
+ - **VPN Gateway** — the hostname or IP of your VPN concentrator (e.g. `vpn.example.com`)
+ - **Username** and **Password** — credentials that the sandbox will use to authenticate
+
+
+ Once the VPN is configured, add a [Postgres integration](/integrations/postgres) using the **private** connection string of your database. Tembo will connect to the VPN first, then reach the database through the tunnel.
+
+
+
+## Usage
+
+When a session starts, Tembo automatically connects to your VPN before the agent begins work. The tunnel stays active for the duration of the session.
+
+This is useful when your database or internal services are behind a firewall and not reachable from the public internet. Instead of exposing your database publicly or setting up a bastion host, you provide the same VPN credentials your team already uses.
+
+### Example workflow
+
+1. Configure the VPN integration with your gateway credentials
+2. Add a Postgres integration with your private connection string (e.g. `postgresql://user:pass@10.0.1.50:5432/mydb`)
+3. Create a session — Tembo connects to the VPN, then the agent can query your database as if it were on your network
+
+## Advanced
+
+
+
+ At each session start, the sandbox VM runs OpenConnect in the background to establish a VPN tunnel. This creates a virtual network interface (`tun0`) that routes traffic to your private network through the encrypted tunnel. The connection is re-established on every session start since VPN state does not persist across sessions.
+
+
+
+ OpenConnect supports some forms of MFA (e.g. TOTP tokens appended to the password field), but interactive MFA prompts are not supported. If your VPN requires interactive two-factor authentication, consider creating a dedicated service account with a static password or certificate-based authentication for Tembo access.
+
+
+
+ VPN credentials are injected into the sandbox at session start for the system to establish the tunnel before the agent begins work. Consider using a dedicated VPN account with limited network access scoped to only the resources Tembo needs.
+
+