Install a vpnc-script.

OpenConnect just handles the communication with the VPN server; it does not know how to configure the network routing and name service on all the various operating systems that it runs on.

To set the routing and name service up, it uses an external script which is usually called vpnc-script. It's exactly the same script that vpnc uses. You may already have a vpnc-script installed on your system, perhaps in a location such as /etc/vpnc/vpnc-script.

If you don't already have it, you can get a current version from here. Even if you already have a copy from vpnc, you may wish to install this updated version which has support for IPv6, and for running on Solaris and on newer Linux kernels amongst other bug fixes.

Note that the script needs to be executable, and stored somewhere where SELinux or similar security systems won't prevent the root user from accessing it.

Current versions of OpenConnect (since version 3.17) are configured with the location of the script at build time, and will use the script automatically. If you are using a packaged build of OpenConnect rather than building it yourself, then the OpenConnect package should have a dependency on a suitable version of vpnc-script and should be built to look in the right place for it. Hopefully your distributions gets that right.

If you're using an older version of OpenConnect, or if you want to use a script other than the one that OpenConnect was configured to use, you can use the --script argument on the command line. For example:

If OpenConnect is invoked without a suitable script, it will not be able to configure the routing or name service for the VPN.


On Windows, the default configuration of OpenConnect will look for a script named vpnc-script-win.js in the same directory as the openconnect.exe executable, and will execute it with the command-based script host (CScript.exe).

The current version of this script can be found here.

Note that although the script is basically functional for configuring both IPv6 and Legacy IP, it does not fully tear down the configuration on exit so stale IP address might be left around on the interface.