diff --git a/pkgs/tools/networking/network-manager/default.nix b/pkgs/tools/networking/network-manager/default.nix
index 58e5e9343a76..585ffe1d3b19 100644
--- a/pkgs/tools/networking/network-manager/default.nix
+++ b/pkgs/tools/networking/network-manager/default.nix
@@ -3,7 +3,7 @@
 , libgcrypt, dnsmasq, bluez5, readline
 , gobjectIntrospection, modemmanager, openresolv, libndp, newt, libsoup
 , ethtool, iputils, gnused, coreutils, file, inetutils, kmod, jansson, libxslt
-, python3Packages, docbook_xsl, fetchpatch }:
+, python3Packages, docbook_xsl, fetchpatch, openconnect }:
 
 stdenv.mkDerivation rec {
   name    = "network-manager-${version}";
@@ -41,6 +41,8 @@ stdenv.mkDerivation rec {
       --replace /bin/sed ${gnused}/bin/sed
     substituteInPlace data/NetworkManager.service.in \
       --replace /bin/kill ${coreutils}/bin/kill
+    substituteInPlace clients/common/nm-vpn-helpers.c \
+      --subst-var-by openconnect ${openconnect}
     # to enable link-local connections
     configureFlags="$configureFlags --with-udev-dir=$out/lib/udev"
   '';
@@ -76,6 +78,7 @@ stdenv.mkDerivation rec {
       name = "null-dereference.patch";
       url = "https://github.com/NetworkManager/NetworkManager/commit/4e8eddd100bbc8429806a70620c90b72cfd29cb1.patch";
     })
+    ./openconnect_helper_path.patch
   ];
 
   buildInputs = [ systemd libgudev libnl libuuid polkit ppp libndp
diff --git a/pkgs/tools/networking/network-manager/openconnect_helper_path.patch b/pkgs/tools/networking/network-manager/openconnect_helper_path.patch
new file mode 100644
index 000000000000..597fb753e268
--- /dev/null
+++ b/pkgs/tools/networking/network-manager/openconnect_helper_path.patch
@@ -0,0 +1,29 @@
+diff --git a/clients/common/nm-vpn-helpers.c b/clients/common/nm-vpn-helpers.c
+index 15611c45c..4a7444d3a 100644
+--- a/clients/common/nm-vpn-helpers.c
++++ b/clients/common/nm-vpn-helpers.c
+@@ -203,23 +203,8 @@ nm_vpn_openconnect_authenticate_helper (const char *host,
+ 	gboolean ret;
+ 	char **strv = NULL, **iter;
+ 	char *argv[4];
+-	const char *path;
+-	const char *const DEFAULT_PATHS[] = {
+-		"/sbin/",
+-		"/usr/sbin/",
+-		"/usr/local/sbin/",
+-		"/bin/",
+-		"/usr/bin/",
+-		"/usr/local/bin/",
+-		NULL,
+-	};
+-
+-	path = nm_utils_file_search_in_paths ("openconnect", "/usr/sbin/openconnect", DEFAULT_PATHS,
+-	                                      G_FILE_TEST_IS_EXECUTABLE, NULL, NULL, error);
+-	if (!path)
+-		return FALSE;
+ 
+-	argv[0] = (char *) path;
++	argv[0] = "@openconnect@/bin/openconnect";
+ 	argv[1] = "--authenticate";
+ 	argv[2] = (char *) host;
+ 	argv[3] = NULL;