Install a vpnc-script.

OpenConnect just handles the communication with the VPN server; it does not know how to configure the network routing and name service (DNS) on all the various operating systems that it runs on.

To set the routing and name service up, it uses an external script which is usually called vpnc-script. It was originally identical to the same script that vpnc used; vpnc is a client for IKEv1-based VPNs (including Cisco VPN Concentrator) but has not been officially updated since 2008. OpenConnect has evolved and improved this script in mostly-backwards compatible ways, adding updated support for more platforms, completing IPv6 support, and fixing bugs.

If vpnc-script was not included with your distribution of OpenConnect, you can get a current version from here.

Note that the script needs to be executable, and stored somewhere where SELinux or similar security systems won't prevent the root user from accessing it.

Modern versions of OpenConnect are configured with the location of the script at build time, and will use that script automatically. If you are using a packaged build of OpenConnect rather than building it yourself, then the OpenConnect package should have a dependency on a suitable version of vpnc-script and should be built to look in the right place for it. Hopefully your distribution gets that right. If OpenConnect is invoked without a suitable script, it will not be able to configure the routing or name service for the VPN.


If you want to use a script other than the one that OpenConnect was configured to use, you can use the --script argument on the command line. For example:

The vpn-slice script (written in Python, by one of the OpenConnect developers) is a replacement for OpenConnect's bundled vpnc-script, with a specific focus on making it simple to connect to a VPN with OpenConnect, while customizing routing so that only a limited subset of traffic flows through the VPN. (Sometimes known as a "split tunnel.")


On Windows, the default configuration of OpenConnect will look for a script named vpnc-script-win.js in the same directory as the openconnect.exe executable, and will execute it with the command-based script host (CScript.exe).

The current version of this script can be found here.

Note that although the script is basically functional for configuring both IPv6 and Legacy IP, it does not fully tear down the configuration on exit so stale IP address might be left around on the interface.