diff --git a/apps/rego-tunnel/shared/cisco-vpn b/apps/rego-tunnel/shared/cisco-vpn index b1fa55d..4176f1b 100755 --- a/apps/rego-tunnel/shared/cisco-vpn +++ b/apps/rego-tunnel/shared/cisco-vpn @@ -26,6 +26,10 @@ TOTP_SECRET="${VPN_TOTP_SECRET:-}" VPN_HOST="${VPN_HOST:-vpn-ord1.dovercorp.com}" TARGET_IP="${TARGET_IP:-10.35.33.230}" +# Log file +LOG_FILE="/var/log/cisco-vpn.log" +mkdir -p "$(dirname "$LOG_FILE")" 2>/dev/null + # Colors RED='\033[0;31m' GREEN='\033[0;32m' @@ -47,18 +51,24 @@ SKIP_AUTO_LOGIN=false DO_CONNECT=false DO_DISCONNECT=false -# Logging function with timestamp +# Logging function with timestamp - writes to both console and file log() { local level="$1" local msg="$2" - local timestamp=$(date '+%H:%M:%S') + local timestamp=$(date '+%Y-%m-%d %H:%M:%S') + local timestamp_short=$(date '+%H:%M:%S') + + # Write to log file (plain text, no colors) + echo "[$timestamp] [$level] $msg" >> "$LOG_FILE" + + # Write to console (with colors) case $level in - INFO) echo -e "${GRAY}[$timestamp]${NC} ${GREEN}[INFO]${NC} $msg" ;; - WARN) echo -e "${GRAY}[$timestamp]${NC} ${YELLOW}[WARN]${NC} $msg" ;; - ERROR) echo -e "${GRAY}[$timestamp]${NC} ${RED}[ERROR]${NC} $msg" ;; - DEBUG) echo -e "${GRAY}[$timestamp]${NC} ${CYAN}[DEBUG]${NC} $msg" ;; - CMD) echo -e "${GRAY}[$timestamp]${NC} ${GRAY}[CMD]${NC} $msg" ;; - *) echo -e "${GRAY}[$timestamp]${NC} $msg" ;; + INFO) echo -e "${GRAY}[$timestamp_short]${NC} ${GREEN}[INFO]${NC} $msg" ;; + WARN) echo -e "${GRAY}[$timestamp_short]${NC} ${YELLOW}[WARN]${NC} $msg" ;; + ERROR) echo -e "${GRAY}[$timestamp_short]${NC} ${RED}[ERROR]${NC} $msg" ;; + DEBUG) echo -e "${GRAY}[$timestamp_short]${NC} ${CYAN}[DEBUG]${NC} $msg" ;; + CMD) echo -e "${GRAY}[$timestamp_short]${NC} ${GRAY}[CMD]${NC} $msg" ;; + *) echo -e "${GRAY}[$timestamp_short]${NC} $msg" ;; esac } 
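Review bot: The new `mkdir -p "$(dirname "$LOG_FILE")" 2>/dev/null` hides the only failure signal for the log path, and nothing checks that `/var/log/cisco-vpn.log` can actually be opened, so when the script is run without privileges every later `log` call will print "Permission denied" on stderr instead of failing once up front. The file also receives the `VPN_EMAIL`/`VPN_HOST` lines added in the main section with whatever mode the umask gives, which under `/var/log` is usually world-readable. I would create it explicitly and tighten the mode before the first write, keeping the chmod inside the success branch so a fallback to `/dev/null` is never chmod'ed: `if touch "$LOG_FILE" 2>/dev/null; then chmod 600 "$LOG_FILE"; else printf 'warning: cannot write %s, file logging disabled\n' "$LOG_FILE" >&2; LOG_FILE=/dev/null; fi`. Making the path overridable like the neighbouring settings (an env name such as `VPN_LOG_FILE`, constructed here, with the current path as default) would also let non-root runs point it somewhere writable.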
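Review bot: In `log()` the new file line is written with `echo "[$timestamp] [$level] $msg"`, so a message starting with `-n` or `-e` is consumed as an option and backslashes are interpreted by some echo implementations, whereas the console path uses `echo -e` on purpose; `printf '[%s] [%s] %s\n' "$timestamp" "$level" "$msg" >> "$LOG_FILE"` writes the text verbatim. The two separate `date` calls can straddle a second boundary and disagree; deriving the short form from the long one, `local timestamp_short=${timestamp#* }`, keeps them consistent and saves a fork per call. Because every level, including `CMD` and `DEBUG`, now lands on disk unconditionally, it is worth confirming that no caller passes secrets or full command lines through `msg` (run_cmd is outside this hunk, so I cannot tell from here).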
@@ -148,10 +158,10 @@ show_hosts() { edit_hosts() { local editor="${EDITOR:-nano}" if command -v "$editor" &>/dev/null; then - sudo "$editor" /etc/hosts + "$editor" /etc/hosts else log ERROR "No editor found. Set EDITOR environment variable." - log INFO "Try: sudo nano /etc/hosts" + log INFO "Try: nano /etc/hosts" fi } @@ -233,7 +243,7 @@ kill_cisco_processes() { for pid in $(pgrep -x "vpnui" 2>/dev/null); do if [ "$pid" != "$my_pid" ] && [ "$pid" != "$my_ppid" ]; then log DEBUG "Killing vpnui (PID $pid)" - sudo kill -9 "$pid" 2>/dev/null && ((killed++)) + kill -9 "$pid" 2>/dev/null && ((killed++)) fi done @@ -242,7 +252,7 @@ kill_cisco_processes() { for pid in $(pgrep -x "vpnagentd" 2>/dev/null); do if [ "$pid" != "$my_pid" ] && [ "$pid" != "$my_ppid" ]; then log DEBUG "Killing vpnagentd (PID $pid)" - sudo kill -9 "$pid" 2>/dev/null && ((killed++)) + kill -9 "$pid" 2>/dev/null && ((killed++)) fi done fi @@ -251,14 +261,14 @@ kill_cisco_processes() { for proc in cstub cscan acwebsecagent vpndownloader; do for pid in $(pgrep -x "$proc" 2>/dev/null); do log DEBUG "Killing $proc (PID $pid)" - sudo kill -9 "$pid" 2>/dev/null && ((killed++)) + kill -9 "$pid" 2>/dev/null && ((killed++)) done done # Kill openconnect (exact match) for pid in $(pgrep -x "openconnect" 2>/dev/null); do log DEBUG "Killing openconnect (PID $pid)" - sudo kill -9 "$pid" 2>/dev/null && ((killed++)) + kill -9 "$pid" 2>/dev/null && ((killed++)) done if [ $killed -eq 0 ]; then @@ -275,7 +285,7 @@ disconnect_vpn() { # If vpncli exists, attempt a clean disconnect first (ignore failures) if [ -x /opt/cisco/secureclient/bin/vpncli ]; then - run_cmd "Attempting clean disconnect via vpncli" sudo /opt/cisco/secureclient/bin/vpncli -s <<'EOF' || true + run_cmd "Attempting clean disconnect via vpncli" /opt/cisco/secureclient/bin/vpncli -s <<'EOF' || true disconnect exit EOF 
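Review bot: Dropping `sudo` here and in the hunks at -233, -242, -251, -275, -314 and -568 means the script must already be running as root for `kill`, `iptables`, `sysctl` and `vpnagentd` to work, but nothing added by the commit checks that; invoked as a normal user these calls fail quietly (most carry `2>/dev/null`) and the script continues as if the rules were installed. A one-line guard near the top, `[ "$(id -u)" -eq 0 ] || { log ERROR "This script must run as root"; exit 1; }`, turns that into an immediate, explicit failure. In `edit_hosts` the same change also means the program named by `$EDITOR` is now executed directly by the root process, which is worth a comment on the `"$editor" /etc/hosts` line so the next reader does not reintroduce `sudo` there by reflex.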
@@ -314,59 +324,59 @@ setup_forwarding() { log DEBUG "Container gateway: $container_gw" # Enable IP forwarding - run_cmd "Enabling IP forwarding" sudo sysctl -w net.ipv4.ip_forward=1 + run_cmd "Enabling IP forwarding" sysctl -w net.ipv4.ip_forward=1 # NAT masquerade for traffic from container network (172.31.0.0/24) going through VPN # This is the ONLY masquerade rule needed - source-based, not destination-based - if ! sudo iptables -t nat -C POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE 2>/dev/null; then - run_cmd "Adding NAT masquerade for container network -> VPN" sudo iptables -t nat -A POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE + if ! iptables -t nat -C POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE 2>/dev/null; then + run_cmd "Adding NAT masquerade for container network -> VPN" iptables -t nat -A POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE else log DEBUG "NAT masquerade for container network already exists" fi # Forward rules - if ! sudo iptables -C FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then - run_cmd "Adding forward rule (to target)" sudo iptables -A FORWARD -d "$TARGET_IP" -j ACCEPT + if ! iptables -C FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then + run_cmd "Adding forward rule (to target)" iptables -A FORWARD -d "$TARGET_IP" -j ACCEPT else log DEBUG "Forward rule (to target) already exists" fi - if ! sudo iptables -C FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then - run_cmd "Adding forward rule (from target)" sudo iptables -A FORWARD -s "$TARGET_IP" -j ACCEPT + if ! iptables -C FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then + run_cmd "Adding forward rule (from target)" iptables -A FORWARD -s "$TARGET_IP" -j ACCEPT else log DEBUG "Forward rule (from target) already exists" fi # Accept forwarding from container network - if ! 
sudo iptables -C FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then - run_cmd "Adding forward rule (from container network)" sudo iptables -A FORWARD -s 172.31.0.0/24 -j ACCEPT + if ! iptables -C FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then + run_cmd "Adding forward rule (from container network)" iptables -A FORWARD -s 172.31.0.0/24 -j ACCEPT else log DEBUG "Forward rule (from container network) already exists" fi - if ! sudo iptables -C FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null; then - run_cmd "Adding forward rule (to container network)" sudo iptables -A FORWARD -d 172.31.0.0/24 -j ACCEPT + if ! iptables -C FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null; then + run_cmd "Adding forward rule (to container network)" iptables -A FORWARD -d 172.31.0.0/24 -j ACCEPT else log DEBUG "Forward rule (to container network) already exists" fi # Cisco VPN chain bypass (insert at top if chain exists) - if sudo iptables -L ciscovpn -n &>/dev/null; then - if ! sudo iptables -C ciscovpn -o "$vpn_iface" -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then - run_cmd "Adding ciscovpn bypass (outbound)" sudo iptables -I ciscovpn 1 -o "$vpn_iface" -d "$TARGET_IP" -j ACCEPT + if iptables -L ciscovpn -n &>/dev/null; then + if ! iptables -C ciscovpn -o "$vpn_iface" -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then + run_cmd "Adding ciscovpn bypass (outbound)" iptables -I ciscovpn 1 -o "$vpn_iface" -d "$TARGET_IP" -j ACCEPT else log DEBUG "Ciscovpn bypass (outbound) already exists" fi - if ! sudo iptables -C ciscovpn -i "$vpn_iface" -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then - run_cmd "Adding ciscovpn bypass (inbound)" sudo iptables -I ciscovpn 2 -i "$vpn_iface" -s "$TARGET_IP" -j ACCEPT + if ! 
iptables -C ciscovpn -i "$vpn_iface" -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then + run_cmd "Adding ciscovpn bypass (inbound)" iptables -I ciscovpn 2 -i "$vpn_iface" -s "$TARGET_IP" -j ACCEPT else log DEBUG "Ciscovpn bypass (inbound) already exists" fi # Also allow container network through ciscovpn chain - if ! sudo iptables -C ciscovpn -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then - run_cmd "Adding ciscovpn bypass (container network)" sudo iptables -I ciscovpn 3 -s 172.31.0.0/24 -j ACCEPT + if ! iptables -C ciscovpn -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then + run_cmd "Adding ciscovpn bypass (container network)" iptables -I ciscovpn 3 -s 172.31.0.0/24 -j ACCEPT fi else log DEBUG "ciscovpn chain does not exist (yet)" @@ -568,7 +578,7 @@ start_anyconnect() { # Start vpnagentd if not running if ! pgrep -x vpnagentd >/dev/null; then log INFO "Starting vpnagentd..." - sudo /opt/cisco/secureclient/bin/vpnagentd & + /opt/cisco/secureclient/bin/vpnagentd & log DEBUG "Waiting for vpnagentd to initialize..." sleep 5 fi @@ -706,6 +716,15 @@ parse_args() { # Main parse_args "$@" +# Log script start +echo "" >> "$LOG_FILE" +echo "========================================" >> "$LOG_FILE" +log INFO "cisco-vpn script started" +log DEBUG "VPN_EMAIL=$EMAIL" +log DEBUG "VPN_HOST=$VPN_HOST" +log DEBUG "TARGET_IP=$TARGET_IP" +log DEBUG "TOTP_SECRET is $([ -n "$TOTP_SECRET" ] && echo 'set' || echo 'NOT SET')" + print_banner if [ "$DO_DISCONNECT" = "true" ]; then
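Review bot: Every `iptables` line rewritten in this hunk repeats the literal `172.31.0.0/24` (eight occurrences) while the peer endpoint is already parameterised as `$TARGET_IP`; since the commit touches each of these lines anyway, hoisting the subnet into one variable, e.g. `local container_net="172.31.0.0/24"` at the top of `setup_forwarding` (name constructed here), would make the NAT and FORWARD rules read as one policy and keep a future subnet change to a single edit. The last `ciscovpn` block in the hunk also lacks the `else log DEBUG "... already exists"` branch its siblings have, so an idempotent re-run is silent there. `setup_forwarding` begins before this hunk and the FORWARD chain's default policy is not visible here; with `net.ipv4.ip_forward=1` enabled host-wide it is worth confirming elsewhere that FORWARD is not left at ACCEPT.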
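Review bot: `/opt/cisco/secureclient/bin/vpnagentd &` followed by a fixed `sleep 5` neither records the child's PID nor verifies the daemon is up afterwards, so a missing binary or an immediate exit is only discovered when a later step fails. Polling `pgrep -x vpnagentd` (already used two lines above) with a bounded wait reports the failure where it happens and returns sooner on a fast start. `start_anyconnect` begins and ends outside this hunk.
```shell
        /opt/cisco/secureclient/bin/vpnagentd &
        log DEBUG "Waiting for vpnagentd to initialize..."
        local waited=0
        while ! pgrep -x vpnagentd >/dev/null && [ "$waited" -lt 10 ]; do
            sleep 1
            waited=$((waited + 1))
        done
        pgrep -x vpnagentd >/dev/null || log ERROR "vpnagentd did not start within ${waited}s"
    fi
# … unchanged: rest of start_anyconnect …
```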
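Review bot: The two separator writes `echo "" >> "$LOG_FILE"` and `echo "========================================" >> "$LOG_FILE"` bypass `log()` and run before the first `log INFO`, so an unwritable log path surfaces here as a raw shell error rather than through the logging path; a single `printf '\n%s\n' "========================================" >> "$LOG_FILE"` produces the same output. The `log DEBUG "VPN_EMAIL=$EMAIL"` line persists the account identity to disk on every run regardless of any verbosity setting, because as written `log()` sends every level to the file; if that is intended, the file should be created with a restrictive mode where `LOG_FILE` is defined (hunk at -26). The `TOTP_SECRET is set/NOT SET` line is the right shape, recording presence without the value.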