We'd like to obtain the public IP of a user that connects via SSL VPN, the one that the user would have if he didn't connect that way.
In general that's a hard task, and unless there is an exploit on the VPN solution that allows someone to get the IP, I'm afraid that is not possible. Let me explain why:
Take as an example the following network diagram
UserA <------- VPN -------> VPN Service <----------------> ServiceB
In general when you make a VPN connection on the user side, all traffic is tunnel through a device (VPN device) on the UserA. Of course, you can configure the VPN client to not tunnel all traffic (for example youtube traffic, google, etc..) but in general, that's how works.
So the traffic between the UserA and the VPN service is encrypted. At this point, the UserA IP is known by the VPN Service. Then the VPN service establishes a session with a ServiceB with the IP addresses of the VPN Service, so ServiceB only has visibility on the VPN Service IP.
So the only case that I see is that there is a misconfiguration on some point of the client VPN or on the VPN Service that may be exploited by some code.
External links referenced by this document: