diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index fe59e441abec..62f84011c72c 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -701,11 +701,10 @@
 - `isync` has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details.
-- Legacy package `globalprotect-openconnect` 1.x and related module
- `services.globalprotect` were dropped. Two new packages -- `gpauth` and `gpclient`
- from the 2.x version of the GlobalProtect-openconnect project -- are added in its
- place. The GUI components related to the project are non-free and not
- packaged.
+- Two new packages -- `gpauth` and `gpclient` from the 2.x version of the
+ GlobalProtect-openconnect project -- are added in parallel to
+ `globalprotect-openconnect`. The GUI components related to the project are
+ non-free and not packaged.
 - Compatible string matching for `hardware.deviceTree.overlays` has been changed to a more correct behavior. See [below](#sec-release-24.11-migration-dto-compatible) for details.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index dbf82d63d5e5..212aa3ecefaf 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1055,6 +1055,7 @@
 ./services/networking/gdomap.nix
 ./services/networking/ghostunnel.nix
 ./services/networking/git-daemon.nix
+ ./services/networking/globalprotect-vpn.nix
 ./services/networking/gns3-server.nix
 ./services/networking/gnunet.nix
 ./services/networking/go-autoconfig.nix
diff --git a/nixos/modules/services/networking/globalprotect-vpn.nix b/nixos/modules/services/networking/globalprotect-vpn.nix
new file mode 100644
index 000000000000..87ce8a5e142f
--- /dev/null
+++ b/nixos/modules/services/networking/globalprotect-vpn.nix
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.services.globalprotect;
+
+ execStart =
+ if cfg.csdWrapper == null then
+ "${pkgs.globalprotect-openconnect}/bin/gpservice"
+ else
+ "${pkgs.globalprotect-openconnect}/bin/gpservice --csd-wrapper=${cfg.csdWrapper}";
+in
+
+{
+ options.services.globalprotect = {
+ enable = lib.mkEnableOption "globalprotect";
+
+ settings = lib.mkOption {
+ description = ''
+ GlobalProtect-openconnect configuration. For more information, visit
+ .
+ '';
+ default = { };
+ example = {
+ "vpn1.company.com" = {
+ openconnect-args = "--script=/path/to/vpnc-script";
+ };
+ };
+ type = lib.types.attrs;
+ };
+
+ csdWrapper = lib.mkOption {
+ description = ''
+ A script that will produce a Host Integrity Protection (HIP) report,
+ as described at
+ '';
+ default = null;
+ example = lib.literalExpression ''"''${pkgs.openconnect}/libexec/openconnect/hipreport.sh"'';
+ type = lib.types.nullOr lib.types.path;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.dbus.packages = [ pkgs.globalprotect-openconnect ];
+
+ environment.etc."gpservice/gp.conf".text = lib.generators.toINI { } cfg.settings;
+
+ systemd.services.gpservice = {
+ description = "GlobalProtect openconnect DBus service";
+ serviceConfig = {
+ Type = "dbus";
+ BusName = "com.yuezk.qt.GPService";
+ ExecStart = execStart;
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ };
+ };
+}
diff --git a/pkgs/tools/networking/globalprotect-openconnect/default.nix b/pkgs/tools/networking/globalprotect-openconnect/default.nix
new file mode 100644
index 000000000000..5b00de2fda85
--- /dev/null
+++ b/pkgs/tools/networking/globalprotect-openconnect/default.nix
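Review bot: `settings` is typed `lib.types.attrs`, which merges definitions only at the top level, so two modules that each set a different key under the same `"vpn1.company.com"` section would clobber rather than combine; `type = lib.types.attrsOf (lib.types.attrsOf lib.types.str);` matches the section/key shape that `lib.generators.toINI` consumes on the `environment.etc` line and merges per section. That file is installed under `/etc/gpservice/gp.conf` through `environment.etc`, which is world-readable by default, so the `settings` description should state that `openconnect-args` must not carry credentials or other secrets. The `csdWrapper` description should also say that the script is executed by `gpservice`, which this unit starts with no `User=` and therefore presumably as root, e.g. `Runs with the privileges of the gpservice unit (root unless overridden).`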
@@ -0,0 +1,32 @@
+{ stdenv, lib, fetchurl
+, cmake, qtwebsockets, qtwebengine, qtkeychain, wrapQtAppsHook, openconnect
+}:
+
+stdenv.mkDerivation rec {
+ pname = "globalprotect-openconnect";
+ version = "1.4.9";
+
+ src = fetchurl {
+ url = "https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v${version}/globalprotect-openconnect-${version}.tar.gz";
+ hash = "sha256-vhvVKESLbqHx3XumxbIWOXIreDkW3yONDMXMHxhjsvk=";
+ };
+
+ nativeBuildInputs = [ cmake wrapQtAppsHook ];
+
+ buildInputs = [ openconnect qtwebsockets qtwebengine qtkeychain ];
+
+ patchPhase = ''
+ substituteInPlace GPService/gpservice.h \
+ --replace /usr/local/bin/openconnect ${openconnect}/bin/openconnect;
+ substituteInPlace GPService/CMakeLists.txt \
+ --replace /etc/gpservice $out/etc/gpservice;
+ '';
+
+ meta = with lib; {
+ description = "GlobalProtect VPN client (GUI) for Linux based on OpenConnect that supports SAML auth mode";
+ homepage = "https://github.com/yuezk/GlobalProtect-openconnect";
+ license = licenses.gpl3Only;
+ maintainers = [ maintainers.jerith666 ];
+ platforms = platforms.linux;
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 0519ee38b00f..ff2d311c5c0c 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -5652,6 +5652,8 @@ with pkgs;
 inherit (openconnectPackages) openconnect openconnect_openssl;
+ globalprotect-openconnect = libsForQt5.callPackage ../tools/networking/globalprotect-openconnect { };
+
 sssd = callPackage ../os-specific/linux/sssd {
 inherit (perlPackages) Po4a;
 # python312Packages.python-ldap is broken
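Review bot: The two `substituteInPlace ... --replace` calls in `patchPhase` succeed silently when the pattern is absent, so if a future source tarball no longer contains the literal `/usr/local/bin/openconnect` in `GPService/gpservice.h`, the build still passes and the installed `gpservice` (which the module in this commit starts as a system service) would exec whatever binary happens to sit at that unmanaged path instead of the store path. Overriding `patchPhase` also means any `patches = [ ... ]` added later would never be applied, since the default phase is what applies them. Both are fixed by `postPatch = ''` with `--replace-fail /usr/local/bin/openconnect ${openconnect}/bin/openconnect` and `--replace-fail /etc/gpservice $out/etc/gpservice`, which abort the build when the pattern is missing; the trailing semicolons on those lines are unnecessary in a shell hook.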