NetworkManager-vpnc fails with "Permission denied" because /usr/sbin/vpnc points to consolehelper

Ask Fedora
, ,
1

Environment

  • Fedora 43
  • vpnc
  • NetworkManager-vpnc
  • NetworkManager-vpnc-gnome
  • GNOME
  • FRITZ!Box IPSec VPN (XAuth PSK)

Problem

I was trying to connect to a FRITZ!Box VPN configured as:

VPN Type: IPSec Xauth PSK
Server: <public IP or DDNS hostname>
IPSec ID / Group Name: <group name>
Shared Secret: <PSK>
Username: <FRITZ!Box user>
Password: <FRITZ!Box user password>

This type of VPN connection requires the vpnc plugin on Fedora, since the FRITZ!Box uses an IPSec/XAuth PSK configuration that is not supported by the GNOME strongSwan GUI.

Attempting to connect using the NetworkManager vpnc plugin failed immediately with:

failed to connect:
Child process "/usr/sbin/vpnc" could not be executed (Permission denied)

The VPN profile itself was valid. The connection never reached the authentication phase because the vpnc executable could not be started.

Investigation

The installed packages were:

vpnc
NetworkManager-vpnc
NetworkManager-vpnc-gnome

/usr/sbin/vpnc existed, but was only a symlink:

/usr/sbin/vpnc -> ../bin/vpnc

and:

/usr/bin/vpnc -> consolehelper

The actual vpnc binary was located at:

/usr/libexec/vpnc

Verification:

sudo /usr/libexec/vpnc --version

Output:

vpnc version 0.5.3
Supported Auth-Methods: psk psk+xauth hybrid(rsa)

This confirmed that the real vpnc binary was present and functional.

Workaround

Replace the symlink used by NetworkManager with a direct link to the real vpnc binary:

sudo mv /usr/sbin/vpnc /usr/sbin/vpnc.consolehelper-link
sudo ln -s /usr/libexec/vpnc /usr/sbin/vpnc

Optional disconnect fix:

sudo mv /usr/sbin/vpnc-disconnect /usr/sbin/vpnc-disconnect.consolehelper-link
sudo ln -s /usr/libexec/vpnc-disconnect /usr/sbin/vpnc-disconnect

Restart NetworkManager:

sudo systemctl restart NetworkManager

After applying the workaround, NetworkManager was able to launch vpnc and the FRITZ!Box IPSec VPN connection worked normally.

Notes

This appears to be related to the use of the legacy consolehelper wrapper. On this system, NetworkManager attempted to execute /usr/sbin/vpnc, which ultimately resolved to consolehelper instead of the actual vpnc binary, resulting in a permission error.

The workaround bypasses the wrapper and points NetworkManager directly to the functional vpnc executable.

This issue is particularly relevant for users of older FRITZ!Box models (e.g. older FRITZ!Box models) that support IPSec/XAuth PSK VPN but do not support WireGuard.