- New Feature
- Resolution: Unresolved
- Major
- Any
Our network configuration requires that our Master, in one DMZ, start an agent in another DMZ; the two are separated by firewalls, proxies, and a VPN bridge with separate credentials from the agent machine.
This is a request to add the following to SSH Slaves:
- Host IP/name of the VPN proxy.
- A field to specify the command to launch a VPN proxy. Sample: `openconnect --protocol=gp --server-key=... --user=something --key-password=something`
- A credential specification to be used for the VPN proxy.
- Launching the VPN proxy command.
- Continue with SSH startup of the agent JVM but from an SSH session initiated on the VPN proxy instead of initiated from the master.
There are actually three distinct sets of credentials involved here:
- Controller to VPN proxy SSH keys
- VPN proxy to VPN server keys (whichever they use, probably user/password)
- Controller to Agent SSH keys once the VPN connection is established.
The original thought was to use or even take over the now defunct openconnect plugin, but that seems to have disappeared. There are many different possible VPN solutions, with openconnect being one of them. This enhancement would remove the need to establish a static VPN connection available to all users and Jenkins instances on the Controller.
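The three credential sets requested above can be kept apart with one SSH key per hop and a VPN password that is read from stdin. This is an added sketch, not code from Jenkins or the SSH Slaves plugin; every host, user and key path is a constructed placeholder, and passwordless `sudo` on the proxy is assumed.

```shell
#!/bin/sh
# Added illustration only: dry run, nothing is executed against a network.
set -eu

PROXY_HOST="vpn-proxy.dmz-a.example"        # hypothetical VPN proxy
AGENT_HOST="agent.dmz-b.example"            # hypothetical agent behind the VPN
VPN_SERVER="vpn.example"                    # hypothetical VPN gateway
PROXY_KEY="/var/lib/jenkins/.ssh/id_proxy"  # credential set 1 (placeholder path)
AGENT_KEY="/var/lib/jenkins/.ssh/id_agent"  # credential set 3 (placeholder path)

# ssh_config fragment with one key per hop. ProxyJump tunnels the agent
# session through the proxy, so the agent key never leaves the controller.
ssh_config() {
  cat <<EOF
Host vpn-proxy
  HostName $PROXY_HOST
  User jenkins
  IdentityFile $PROXY_KEY
  IdentitiesOnly yes
Host agent
  HostName $AGENT_HOST
  User jenkins
  IdentityFile $AGENT_KEY
  IdentitiesOnly yes
  ProxyJump vpn-proxy
EOF
}

# Credential set 2: openconnect reads the password from stdin, so it does
# not show up in the proxy's process list.
vpn_command() {
  printf 'sudo openconnect --protocol=gp --user=%s --passwd-on-stdin --background %s' "$1" "$VPN_SERVER"
}

# Reject a launch command that carries a secret as a command-line argument.
secret_free() {
  case "$1" in
    *--key-password=*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the three steps in order; $1 is the path of the generated config.
plan() {
  printf '1. ssh -F %s vpn-proxy true\n' "$1"
  printf '2. ssh -F %s vpn-proxy "%s"   # password supplied on stdin\n' "$1" "$(vpn_command svc-jenkins)"
  printf '3. ssh -F %s agent   # agent JVM is started over this session\n' "$1"
}

plan ./jenkins_ssh_config
```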
- is blocked by
  - JENKINS-59491 SSH slaves plugin support for proxy/ bastion/ jumpbox (Closed)
- is related to
  - JENKINS-55363 Support different SSH providers (Closed)