VPNC, Linux VPN client for Cisco VPNs

These instructions are known to work (with a few minor tweaks) on both 2.4 and 2.6 series kernels on a variety of distributions and platforms, including:

In short, they probably work on any current Linux system. If you're comfortable with your Linux system, you can probably get a working VPN with just three brief instructions:

  1. Make sure you have the tun module.
  2. Install the vpnc package.
  3. Run vpnc-connect.

If you need more detailed instructions, read on.

Kernel support (tun)

You may already have the tun module loaded. Check with lsmod | grep tun. If it is not loaded, you'll need to install it:

To get tun for RHEL 3.0, you may need to install the kernel-unsupported package.

Check to make sure you have the device node for tun with ls -l /dev/net/tun. If not, you'll need to create the node:

Install VPN client (vpnc)

This is a user-space program which implements IPsec VPN. It is installed in Knoppix by default and is available in Debian sarge and Ubuntu warty (run apt-get install vpnc to install). RPMs and Debian woody backports are available somewhere.

You can also install vpnc from source. Source is available from It depends on libgcrypt.

Configure your VPN connection

You can run vpnc-connect or vpnc with no config file. You will be prompted for configuration information interactively. However, you probably want to have a config file (/etc/vpnc/default.conf on some systems). All lines are optional; you will be prompted for any information which is excluded.

Example file:

 IPSec gateway ip.of.vpn.con
 IPSec ID GROUPID
 IPSec secret GROUPPASS
 Xauth username YOURID
 Xauth password YOURPASS

ip.of.vpn.con should be replaced with the IP of your VPN concentrator; GROUPID, GROUPPASS, YOURID, and YOURPASS should be replaced with your login credentials.


Recent versions of vpnc come with vpnc-connect and vpnc-disconnect scripts. Run these (as root or using sudo) to connect and disconnect.

If you do not have vpnc-connect, you'll need to use vpnc to connect and then bring up the routes manually. Put this in a script, since you'll need to execute it every time you connect:

 /usr/local/sbin/vpnc /etc/vpnc/default.conf
 route del -net dev eth1
 route add -host ip.of.vpn.con gw dev eth1
 route add default gw `ifconfig tun0 | grep inet | awk '{print $2}' | cut -d : -f 2` dev tun0

You'll need to substitute in the IP of the VPN concentrator and the IP of your gateway.

That's it! The process vpnc should be running in the background. (Check with ps aux | grep vpnc.)


For troubleshooting, make sure you have a network connection and can ping the IP address of the VPN concentrator before connecting. If the VPN connection is established, but you still do not have network access, check your routing tables with route -n or ip route show. Try pinging hosts by IP as well as by hostname to determine if you have a DNS problem (e.g., if you need to change the nameservers listed in /etc/resolv.conf upon establishing a connection). If you are running a firewall or packet filter (e.g., iptables), you may need to modify or temporarily disable it for testing.

Here's what my interfaces and routes look like when I'm connected. (My IP is; the IP of the concentrator is

 $ ifconfig

 eth1      Link encap:Ethernet  HWaddr 00:30:65:16:44:AA
           inet addr:  Bcast:  Mask:
           inet6 addr: fe80::230:65ff:fe16:4dad/64 Scope:Link
           RX packets:2455 errors:0 dropped:0 overruns:0 frame:0
           TX packets:3716 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:457690 (446.9 KiB)  TX bytes:543490 (530.7 KiB)

 tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-0E-BA-00-00-00-00-00-00-00-00
           inet addr:  P-t-P: Mask:
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:10
           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

 $ route -n

 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                 UGH   0      0        0 eth1
                                                 U     0      0        0 eth1
                                                 U     0      0        0 tun0

 $ ip route show
 via dev eth1  src  mtu 1500 advmss 1460
 dev eth1  proto kernel  scope link  src
 default dev tun0  scope link
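
An added example (not part of the original instructions): a shell function that reads ip route show output and confirms the two routes the manual connect script is meant to leave in place, a default route through the tunnel device and a host route to the concentrator through the physical interface. The function name check_vpn_routes, the sample tables and their documentation-range addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the routing state after a vpnc connect.
# Usage: ip route show | check_vpn_routes CONCENTRATOR_IP [TUN_DEV]
# Exit status 0 means all traffic defaults into the tunnel and the
# concentrator itself is still reached outside it.
check_vpn_routes() {
    awk -v conc="$1" -v tun="${2:-tun0}" '
        # Word following keyword k on the current line, or "" if absent.
        function field_after(k,   i) {
            for (i = 1; i < NF; i++) if ($i == k) return $(i + 1)
            return ""
        }
        # Any default route on a non-tunnel device lets traffic bypass the VPN,
        # so it is reported even when a tunnel default also exists.
        $1 == "default" {
            if (field_after("dev") == tun) default_ok = 1
            else leak = leak " " field_after("dev")
        }
        # Host route to the concentrator (ip prints /32 routes without a mask).
        $1 == conc || $1 == (conc "/32") {
            if (field_after("dev") != tun) host_ok = 1
        }
        END {
            rc = 0
            if (!default_ok) { print "FAIL: no default route via " tun; rc = 1 }
            if (leak != "")  { print "FAIL: default route via" leak " bypasses " tun; rc = 1 }
            if (!host_ok)    { print "FAIL: no host route to " conc " outside " tun; rc = 1 }
            if (rc == 0) print "OK: default via " tun ", " conc " reached directly"
            exit rc
        }'
}

# Constructed sample tables (documentation addresses, not values from the page).
GOOD_ROUTES='198.51.100.7 via 192.0.2.1 dev eth1
192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.50
default dev tun0 scope link'
LEAKY_ROUTES='192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.50
default via 192.0.2.1 dev eth1'

printf '%s\n' "$GOOD_ROUTES"  | check_vpn_routes 198.51.100.7
printf '%s\n' "$LEAKY_ROUTES" | check_vpn_routes 198.51.100.7 || echo "(exit status $?)"
```

On a live system, pipe the real table in with ip route show | check_vpn_routes followed by the concentrator IP from your config file.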