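# NixOS module fragment: installs a `gp-vpn` helper script that authenticates
# against a GlobalProtect portal with gpauth and passes the resulting cookie to
# gpclient, then turns DNS-over-TLS off on the tunnel interface.
#
# NOTE(review): the original text reads `users.users..packages` and passes no
# portal address to gpauth/gpclient, which looks like angle-bracket placeholders
# lost in extraction. They are restored below as labelled placeholders; replace
# them before use.
{ pkgs, ... }:
{
  # PLACEHOLDER: replace "your-username" with the account that should get the script.
  users.users."your-username".packages = with pkgs; [
    (writeShellScriptBin "gp-vpn" ''
      # PLACEHOLDER: your GlobalProtect portal address.
      # NOTE(review): assumes gpauth and gpclient both take it as a positional argument; confirm.
      portal="vpn.example.com"

      # Interface the tunnel is expected to come up on (the original hard-codes tun0).
      vpn_iface=tun0

      # Ask for sudo password before doing anything
      # (prevents running out of time before the resolvectl command is run later).
      # sudo is taken from PATH on purpose: on NixOS the setuid wrapper is the one
      # in PATH, not a store path.
      sudo -v || exit 1

      # Get the cookie
      cookie=$(${pkgs.gpauth}/bin/gpauth -q --default-browser "$portal")

      # Stop here if authentication failed or was cancelled, rather than handing
      # an empty cookie to a root process.
      if [ -z "$cookie" ]; then
        echo "gp-vpn: gpauth returned no cookie, not connecting" >&2
        exit 1
      fi

      # Connect to the vpn
      # The cookie goes over stdin, so it does not show up in the process list.
      # (If you aren't using NixOS, the gpclient package may come with its own hip report
      # script and you can just use `--hip` instead of specifying `--csd-wrapper`)
      printf '%s\n' "$cookie" | sudo ${pkgs.gpclient}/bin/gpclient connect \
        --csd-wrapper ${pkgs.openconnect}/libexec/openconnect/hipreport.sh \
        --cookie-on-stdin "$portal" &

      # The cookie is not needed in this shell any more.
      unset cookie

      # I don't like this, but it doesn't seem like gpclient has a way to run scripts after a
      # connection is established and we need to make sure that dns-over-tls is disabled for
      # connections to work.
      # It's also possible you may need to disable dnssec for this interface as well or you
      # may need to disable nothing at all in which case this script becomes much simpler.
      #
      # Instead of a fixed `sleep 5`, wait (up to 30 seconds) until the interface exists,
      # so resolvectl is not run against a link that is not there yet.
      # This only checks that the interface exists, not that the tunnel is fully up.
      tries=0
      until [ -e "/sys/class/net/$vpn_iface" ]; do
        tries=$((tries + 1))
        if [ "$tries" -gt 30 ]; then
          echo "gp-vpn: $vpn_iface did not appear, DNS-over-TLS setting left unchanged" >&2
          break
        fi
        sleep 1
      done

      if [ -e "/sys/class/net/$vpn_iface" ]; then
        # Affects only this link; DNS sent over it is no longer TLS-wrapped by
        # systemd-resolved. Check that this matches your policy.
        sudo resolvectl dnsovertls "$vpn_iface" no \
          || echo "gp-vpn: could not disable DNS-over-TLS on $vpn_iface" >&2
      fi

      # Can either Ctrl + C to exit or run `sudo gpclient disconnect`
      wait
    '')
    gpclient # This is needed so your browser gives you the "open global protect" prompt
  ];
}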