- Table of contents
- Fermilab VPN access
Fermilab VPN access¶
Some resources can be accessed only from within Fermilab network. For some, the access outside Fermilab network is still allowed but crippled.
To allow users to access these resources in full one must connect via a Virtual Private Network (VPN), which needs to be set up on the client node.
A quite understandable description of the system is documented in CD DocDB 3435.
As stated in there, Fermilab has chosen Cisco "AnyConnect", which provides a client to connect to its VPN.
Cisco provides also a client to "enter" the VPN. There is also a free alternative.
Cisco client installation¶
The official Cisco AnyConnect client is supported for Linux, OSX, and Windows.
The software is only available via Fermilab.
- Go to https://vpn.fnal.gov and log in with your Services account
- The website will guide you to install the software
Additional setup for Linux¶
The website will just download a "script"
vpnsetup.sh. That is not just the script (it contains the binary data of the package itself).
To install that, run:
sudo sh vpnsetup.sh
or similar. In short: you need administrator privileges.
The script will also install SysV scripts to start and stop the VPN. It will also try to set it to start automatically (this failed on Gentoo Linux).
If your system uses
systemd instead, it may still work... or not (this too failed on Gentoo Linux).
When the sequence of failures is long enough, you are ready to attempt installing the free client
- Open CISCO AnyConnect VPN
- Type "vpn.fnal.gov" and click connect
- Login with your Services account username and password
|Username:||plain username (no @fnal.gov, @services.fnal.gov or such)|
|Password:||Services password (same as for e-mail access, ServiceNow, and others)|
Under OSX, a graphical user interface called "Cisco AnyConnect Secure Mobility Client" will allow you to enter the information above.
On Linux, OpenConnect provides a command-line interface. The simplest command to start is:
sudo openconnect --user=<USERNAME> vpn.fnal.gov
or equivalent. Superuser privileges are likely necessary to mess with the network configuration.
--user argument, optional, is the one like in the table above. If not specified, it will be requested interactively.
Remember that if you use that command, the first password request comes from
sudo to gain administrator privileges on your own machine.
Then, the VPN access password is requested (as in the table above).
The shell is occupied by openconnect, unless the
--background option is specified. If not, to disconnect it is enough to hit
Chances are that your Linux operating system is distributing convenience scripts to manage the VPN... check the standard places (e.g. something in
/etc/init.d for Debian,
service for RedHat,
rc-service for Gentoo, ...).
OpenConnect (free) client installation¶
Under OSX, OpenConnect is also via homebrew:
brew install openconnect
Chances are that your Linux distribution has it prepackaged for you.
iOS (Apple mobile)¶
You're on your own. Please add information here if you get it working.
OpenConnect binary distribution is available via F-Droid