Fermilab VPN access

Some resources can be accessed only from within Fermilab network. For some, the access outside Fermilab network is still allowed but crippled.
To allow users to access these resources in full one must connect via a Virtual Private Network (VPN), which needs to be set up on the client node.

A quite understandable description of the system is documented in CD DocDB 3435.
As stated in there, Fermilab has chosen Cisco "AnyConnect", which provides a client to connect to its VPN.
Cisco provides also a client to "enter" the VPN. There is also a free alternative.

Cisco client installation

The official Cisco AnyConnect client is supported for Linux, OSX, and Windows.

The software is only available via Fermilab.

  • Go to and log in with your Services account
    • The website will guide you to install the software

Additional setup for Linux

The website will just download a "script" That is not just the script (it contains the binary data of the package itself).
To install that, run:

sudo sh

or similar. In short: you need administrator privileges.
The script will also install SysV scripts to start and stop the VPN. It will also try to set it to start automatically (this failed on Gentoo Linux).
If your system uses systemd instead, it may still work... or not (this too failed on Gentoo Linux).
When the sequence of failures is long enough, you are ready to attempt installing the free client

VPN login

  • Open CISCO AnyConnect VPN
  • Type "" and click connect
  • Login with your Services account username and password
Username: plain username (no, or such)
Password: Services password (same as for e-mail access, ServiceNow, and others)


Under OSX, a graphical user interface called "Cisco AnyConnect Secure Mobility Client" will allow you to enter the information above.


On Linux, OpenConnect provides a command-line interface. The simplest command to start is:

sudo openconnect --user=<USERNAME>

or equivalent. Superuser privileges are likely necessary to mess with the network configuration.
The --user argument, optional, is the one like in the table above. If not specified, it will be requested interactively.
Remember that if you use that command, the first password request comes from sudo to gain administrator privileges on your own machine.
Then, the VPN access password is requested (as in the table above).
The shell is occupied by openconnect, unless the --background option is specified. If not, to disconnect it is enough to hit <Ctrl>+<C>.

Chances are that your Linux operating system is distributing convenience scripts to manage the VPN... check the standard places (e.g. something in /etc/init.d for Debian, service for RedHat, rc-service for Gentoo, ...).

OpenConnect (free) client installation

The free client OpenConnect is available for Linux, Windows, OSX, Android and many others.


Under OSX, OpenConnect is also via homebrew:

brew install openconnect


Chances are that your Linux distribution has it prepackaged for you.

iOS (Apple mobile)

You're on your own. Please add information here if you get it working.


OpenConnect binary distribution is available via F-Droid