Cisco VPN Client on DD-WRT Wireless Router

If you connect to a network served by a Cisco VPN concentrator, you can run a Cisco-compatible VPN client (vpnc) on your router instead of on each computer. Running the client on the router has several advantages:

  • Masquerades (NAT) the local network so that every computer behind the router can reach the VPN network.
  • Re-connects automatically when the connection drops.
  • Split-tunnels: only traffic destined for the remote network is sent over the VPN connection.

You will need the following:

  • A router that supports DD-WRT: Netgear WNR3500L
  • A DD-WRT firmware build containing vpnc: dd-wrt.v24-14311_NEWD-2_K2.6_openvpn.bin
  • Journaling Flash Filesystem (JFFS) enabled on the router

Add the following to the startup script under Administration -> Commands -> Startup:

sleep 15
cat /jffs/vpnc.txt | sh

Create the file /jffs/vpnc.txt on the router with the following content:

mkdir -p /tmp/etc/vpnc
echo '

#### Set all Variables

vpn_concentrator=""   # ip or hostname of the ipsec vpn concentrator
vpn_keepalive_host="" # ip or hostname of a host that is only reachable once the vpn is up
vpn_groupname="group_name"       # group name here
vpn_grouppasswd="group_password" # group password here
vpn_username="user_name"         # your username here
vpn_password="user_password"     # your password here

#### Create a local script to split routes

# vpnc-script only walks the CISCO_SPLIT_INC_n_* entries when CISCO_SPLIT_INC
# (the entry count) is set; the concentrator normally pushes it with its own list
echo "
CISCO_SPLIT_INC_0_ADDR=     # IP range to go into first tunnel
CISCO_SPLIT_INC_0_MASK=     # Subnet mask for first tunnel
CISCO_SPLIT_INC_0_MASKLEN=8 # Mask length
. /etc/vpnc/vpnc-script
" > /tmp/etc/vpnc/vpnc-script-local
chmod a+x /tmp/etc/vpnc/vpnc-script-local

#### Create the vpnc.conf file (Script points vpnc at the local split-route script above;
#### vpnc takes the rest of each line as the value, so keep comments out of this file)

echo "
IPSec gateway $vpn_concentrator
IPSec ID $vpn_groupname
IPSec secret $vpn_grouppasswd
Xauth username $vpn_username
Xauth password $vpn_password
Script /tmp/etc/vpnc/vpnc-script-local
" > /tmp/etc/vpnc/vpnc.conf

#### Create the file

# prints 1 when the host answers a single ping, 0 otherwise
pingtest () {
  ping -q -c1 $1 > /dev/null 2>&1
  if [ "$?" = "0" ]; then
    echo 1 # reachable
  else
    echo 0 # not reachable
  fi
}

while true; do
  # wait until the concentrator is reachable
  while [ "`pingtest $vpn_concentrator`" != "1" ]; do
    echo "Vpnc concentrator $vpn_concentrator is not reachable, sleeping 10"
    sleep 10
  done

  if [ "`pingtest $vpn_keepalive_host`" = "1" ]; then
    echo "vpn connection active: $vpn_keepalive_host is alive"
    sleep 300
  else
    echo "vpn connection down: $vpn_keepalive_host is unreachable"
    echo "Attempting to start vpnc"
    vpnc /tmp/etc/vpnc/vpnc.conf --dpd-idle 0
    tundev="`ifconfig | grep tun | cut -b 1-4 | tail -n 1`"
    # delete any earlier copy of each rule first so they do not pile up on every reconnect
    iptables -D FORWARD -o $tundev -j ACCEPT 2> /dev/null
    iptables -A FORWARD -o $tundev -j ACCEPT
    iptables -D FORWARD -i $tundev -j ACCEPT 2> /dev/null
    iptables -A FORWARD -i $tundev -j ACCEPT
    iptables -t nat -D POSTROUTING -o $tundev -j MASQUERADE 2> /dev/null
    iptables -t nat -A POSTROUTING -o $tundev -j MASQUERADE
  fi
  sleep 1
done

exit 0
' > /tmp/etc/vpnc/
chmod a+x /tmp/etc/vpnc/
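The vpnc.conf and split-route sections above, written as an added example (not code from the original page): it creates the same two files in a directory of your choosing, but owner-only since they carry the group and user secrets, without a trailing comment on the Script line (vpnc takes the rest of the line as the value), and with CISCO_SPLIT_INC set so vpnc-script walks the entry even when the concentrator does not push a split list. The gateway, group and account values in the demo are constructed placeholders.

```shell
#!/bin/sh
# write_vpnc_config DIR GATEWAY GROUP GROUPPW USER USERPW NET MASK MASKLEN
# Writes vpnc.conf and vpnc-script-local into DIR with owner-only modes.
# Returns 0 on success, 1 if an argument is empty or the files are not private.
write_vpnc_config() {
    dir="$1"
    for v in "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9"; do
        [ -n "$v" ] || { echo "write_vpnc_config: empty argument" >&2; return 1; }
    done
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    (   # subshell: the restrictive umask must not leak into the caller
        umask 077
        # vpnc takes the remainder of each line as the value, so no comments here
        printf '%s\n' "IPSec gateway $2" "IPSec ID $3" "IPSec secret $4" \
            "Xauth username $5" "Xauth password $6" \
            "Script $dir/vpnc-script-local" > "$dir/vpnc.conf"
        # split-route helper: CISCO_SPLIT_INC is the entry count vpnc-script loops over
        printf '%s\n' "CISCO_SPLIT_INC=1" "CISCO_SPLIT_INC_0_ADDR=$7" \
            "CISCO_SPLIT_INC_0_MASK=$8" "CISCO_SPLIT_INC_0_MASKLEN=$9" \
            ". /etc/vpnc/vpnc-script" > "$dir/vpnc-script-local"
        chmod 700 "$dir/vpnc-script-local"
    ) || return 1
    is_private "$dir/vpnc.conf" && is_private "$dir/vpnc-script-local"
}

# is_private FILE: 0 when group and others hold no permission bits on FILE
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# conf_get FILE KEY: print the value that follows KEY in a vpnc.conf
conf_get() {
    sed -n "s/^$2 //p" "$1"
}

# Demo with constructed placeholder values:  sh this_script.sh demo
if [ "$1" = "demo" ]; then
    write_vpnc_config /tmp/vpnc-demo vpn.example.invalid staff gsecret alice usecret \
        10.20.0.0 255.255.0.0 16 && cat /tmp/vpnc-demo/vpnc.conf
fi
```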