VPN AnyConnect

Virtual Private Network (VPN) technology allows remote users to access resources that are otherwise only available on campus. A secure connection is established and data traffic is tunneled in encrypted form through the public internet. The remote computer is assigned an IP address from the Garching MPG campus address range, virtually extending the campus network to the remote user.

VPN Server (Gateway)

Since August 2018, a new VPN service has been deployed based on Cisco AnyConnect technology:
vpn.mpcdf.mpg.de (only reachable from outside the Garching MPG campus or eduroam)

The old VPN server 130.183.203.254 (L2TP/IPSec) with the corresponding clients (Shrew Soft, vpnc) will still be available during a transitional phase.

Still, we recommend switching to the new VPN service as soon as possible. It offers significantly better performance and should also work in restrictive networks where the old one did not.

Connection Profiles (Groups)

After connecting to vpn.mpcdf.mpg.de, you will be offered a selection of groups to choose from.

AllUsers can be used by all users with an MPCDF (Kerberos) account, the same as with the old VPN service.

The MPCDF and IPP groups authenticate against their respective Windows Active Directory. They will assign addresses from dedicated ranges which might be required for specific services such as the IPP intranet.

By default, all traffic is sent through the VPN tunnel once the secure connection has been established.
Using the SplitTunnel profiles, you can elect to only send traffic to the Garching MPG campus (130.183.X.X) through the tunnel, while all other traffic is sent through your normal local router.

For the best security, we recommend always using the normal, fully tunneled profiles unless you have a specific reason not to.

Desktop and Notebook (Windows, Mac OS X, Linux)

To set up the VPN on your computer, just point your browser to
https://vpn.mpcdf.mpg.de

Please note that this and the VPN in general only works from outside the Garching MPG campus or from the guest network (eduroam).

VPN AnyConnect Login

Once logged in, the client for your operating system will be available for download together with further instructions and screenshots. On the first connection, enter vpn.mpcdf.mpg.de as the server.

Mobile Devices (Android and iOS)

You can install the Cisco AnyConnect client directly from the app stores.

 

Alternative OpenConnect client (Linux)

For Linux users preferring not to install third-party software, the OpenConnect client is included in most recent distributions. While not officially supported, it has proven to work quite well: http://www.infradead.org/openconnect/packages.html

Usually you will have to install two packages, OpenConnect itself and the NetworkManager integration. For example in the case of OpenSUSE:

zypper install openconnect NetworkManager-openconnect

 

Technical Details (Ports and Firewalls)

The AnyConnect VPN client communicates with the server via port 443, the same as a normal web browser. Generally, no special firewall rules should be necessary.

Please note that the VPN server is only reachable from outside the Garching MPG campus or the guest networks (eduroam).

At the moment IPs are assigned to clients from the following ranges:

    MPCDF:    130.183.212.8   - 130.183.212.62  (130.183.212.0/26)
    AllUsers: 130.183.212.65  - 130.183.212.94  (130.183.212.64/26)
    IPP GAR:  130.183.212.129 - 130.183.212.191 (130.183.212.128/26)
    IPP HGW:  130.183.212.192 - 130.183.212.223 (130.183.212.192/27)

In case you want to whitelist those IPs in your services, please note that while the assignment of the IPs mentioned above will not change, the ranges may be extended in the future depending on how much the individual groups are used.
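
For services that whitelist these addresses, the following added example (not part of the original page and not MPCDF tooling) turns the assigned ranges listed above into exact CIDR rules and classifies a source address against them. The names VPN_POOLS, exact_cidrs and classify are assumptions made for this illustration, and the sample addresses are constructed.

```python
import ipaddress

# Assigned first/last client address and enclosing block per group,
# copied from the list on this page.
VPN_POOLS = {
    "MPCDF":    ("130.183.212.8",   "130.183.212.62",  "130.183.212.0/26"),
    "AllUsers": ("130.183.212.65",  "130.183.212.94",  "130.183.212.64/26"),
    "IPP GAR":  ("130.183.212.129", "130.183.212.191", "130.183.212.128/26"),
    "IPP HGW":  ("130.183.212.192", "130.183.212.223", "130.183.212.192/27"),
}


def exact_cidrs(group):
    """Smallest list of CIDR networks covering exactly the assigned range."""
    first, last, _block = VPN_POOLS[group]
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def classify(source_ip):
    """Return (group, status) for a source address seen by a service.

    'assigned'   : inside the published first-last range of a group
    'block-only' : inside the enclosing block but outside the assigned
                   range, i.e. admitted by a block-wide rule although the
                   address is not currently handed out to clients
    'not-vpn'    : outside every block listed on the page
    """
    addr = ipaddress.ip_address(source_ip)
    for group, (first, last, block) in VPN_POOLS.items():
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return group, "assigned"
        if addr in ipaddress.ip_network(block):
            return group, "block-only"
    return None, "not-vpn"


if __name__ == "__main__":
    # Exact rules per group: some ranges need several CIDRs, others one.
    for group in VPN_POOLS:
        print(group, [str(net) for net in exact_cidrs(group)])
    # Constructed sample source addresses, as a service log might show them.
    for ip in ("130.183.212.70", "130.183.212.100", "192.0.2.10"):
        print(ip, classify(ip))
```

A rule built from exact_cidrs admits only addresses currently assigned to that group, while a rule on the enclosing block also admits the addresses reported as block-only.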
