My go-to choice for this is ocserv to run a Cisco AnyConnect server, and sniproxy to sit on port 443 and handle traffic routing. You configure sniproxy to go to a different server by hostname, and configure ocserv as the fallback option to access the VPN. Any host I expose via sniproxy provides its own HTTPS certificate via my Traefik server.