OpenConnect supports sending accounting packets to a RADIUS server by adding the following line to ocserv.conf:
acctserver {radius server ip}
I've tested this by manually editing VyOS templates / ocserv config files and can confirm that it works, e.g. when querying the RADIUS accounting database on the RADIUS server I get the following:
mysql> SELECT username, nasipaddress, acctstarttime, acctupdatetime, acctstoptime, acctinputoctets, acctoutputoctets, callingstationid, framedipaddress, connectinfo_start FROM radacct;
+----------+---------------+---------------------+---------------------+---------------------+-----------------+------------------+------------------+-----------------+-----------------------------------+
| username | nasipaddress  | acctstarttime       | acctupdatetime      | acctstoptime        | acctinputoctets | acctoutputoctets | callingstationid | framedipaddress | connectinfo_start                 |
+----------+---------------+---------------------+---------------------+---------------------+-----------------+------------------+------------------+-----------------+-----------------------------------+
| tester   | xxx.xx.xx.xxx | 2023-01-13 00:59:15 | 2023-01-13 00:59:21 | 2023-01-13 00:59:21 |           10606 |              152 | xxx.xxx.xxx.xx   | xx.x.xx.xx      | Open AnyConnect VPN Agent v8.05-1 |
+----------+---------------+---------------------+---------------------+---------------------+-----------------+------------------+------------------+-----------------+-----------------------------------+
I am currently working on a contribution, still a work in progress at the moment, to make this configurable via the VyOS CLI. I'm planning to submit a PR in the next few days.
My planned implementation will add a new config node for "accounting" as a child node of openconnect, adjacent to "authentication". This way the feature will be compatible with both RADIUS and local authentication, and with a separate RADIUS server for authentication and accounting, should someone need that level of flexibility.