Home
- Run openfortivpn in verbose mode using command line option `-v` (or even `-v -v` for very verbose output).
- Retrieve the pppd log using command line option `--pppd-log`. Some issues are related to pppd, which is forked by openfortivpn.
- Create a new ticket under Issues instead of adding comments to existing issues. Similar symptoms do not necessarily mean identical causes.
- Specify the versions of the operating system and openfortivpn, as well as the version of FortiOS on the VPN gateway when that information is available.
- Provide the verbose openfortivpn output obtained with command line option `-v` and the pppd log obtained with command line option `--pppd-log`. Remember to redact confidential information such as IP addresses.
- `StandardOutput=` should redirect the output of openfortivpn to a file.
- With `Type=simple` the PID of openfortivpn should be known to systemd. Or use the `Type=notify` support which was added in #370.
- `Restart=` can be used instead of `--persistent`.
- See also #623 and #633 for integration with systemd.
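The three settings above combined into one unit, as an added example that is not the unit file shipped by the project; the binary path, the config file location and the log file name are assumptions:

```ini
# Added example unit for openfortivpn; paths are assumptions.
[Unit]
Description=openfortivpn tunnel (example)
After=network-online.target
Wants=network-online.target

[Service]
# Type=notify relies on the notify support added in #370; on older
# versions use Type=simple, under which systemd still knows the PID.
Type=notify
# /etc/openfortivpn/config holds the VPN credentials; keep it mode 0600.
ExecStart=/usr/bin/openfortivpn -c /etc/openfortivpn/config -v
# Write stdout/stderr to a file (the append: target needs systemd 240 or
# newer); with -v this is the same output you would attach to an issue.
StandardOutput=append:/var/log/openfortivpn.log
StandardError=inherit
# Let systemd reconnect instead of openfortivpn's own --persistent loop.
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
```

Logs written this way still contain the gateway address and user name that `-v` prints, so redact them before sharing, as for any other verbose output.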
pppd sets a couple of environment variables (see `man pppd`). `ipparam` is currently passed through openfortivpn, but inside the `ip-up` / `ip-down` scripts one can replace variables in this string as follows:

```sh
# $6 is the ipparam string as handed over by pppd to ip-up/ip-down scripts
ipparam_raw=$6
# Expand the $VARIABLE references now that pppd's environment is available
ipparam=$(eval echo $ipparam_raw)
```

and invoke with `openfortivpn --pppd-ipparam='device=$DEVICE'`. Note the single quotes, which prevent variable expansion by the calling shell, where `$DEVICE` is not yet set. Expansion is done inside the script by the execution of `eval echo $ipparam_raw`, once the environment variables have been made available by pppd.
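The `eval echo` above expands everything in the string, command substitutions included, so an ip-up script written this way trusts whoever can set the ipparam. The following added example (not from this wiki or the openfortivpn project) does the same expansion for a fixed list of pppd variables without `eval`, and rejects a string containing `$(` or a backquote instead of executing it. The variable names are the ones pppd documents for ip-up/ip-down scripts plus `PPP_IFACE`, and the `key=value` layout of the ipparam string is an assumption matching the `device=$DEVICE` invocation above.

```shell
#!/bin/sh
# Added example, not code from the openfortivpn wiki or project.
# Expands $NAME / ${NAME} references in a pppd ipparam string without
# passing the string to `eval`. Only variables in ALLOWED are substituted,
# and a string containing command substitution syntax is rejected, so a
# value such as 'device=$(id)' is never executed. The names are the ones
# pppd exports to ip-up/ip-down scripts (see man pppd); PPP_IFACE is added
# by the Debian-style run-parts wrapper. None of the names is a prefix of
# another, which keeps the plain-text replacement unambiguous.

ALLOWED="DEVICE IFNAME IPLOCAL IPREMOTE SPEED DNS1 DNS2 PPP_IFACE"

# replace_all STRING PATTERN REPLACEMENT: prints STRING with every literal
# occurrence of PATTERN replaced by REPLACEMENT (pure parameter expansion,
# so metacharacters in either argument are not interpreted).
replace_all() {
    str=$1
    pat=$2
    rep=$3
    result=""
    while :; do
        case $str in
            *"$pat"*)
                head=${str%%"$pat"*}
                result="$result$head$rep"
                str=${str#*"$pat"}
                ;;
            *)
                result="$result$str"
                break
                ;;
        esac
    done
    printf '%s' "$result"
}

# expand_ipparam RAW: prints the expanded string, or prints nothing and
# returns 1 when RAW contains `$(` or a backquote.
expand_ipparam() {
    raw=$1
    case $raw in
        *'$('*|*'`'*) return 1 ;;
    esac
    out=$raw
    for name in $ALLOWED; do
        # Indirect lookup; $name comes from the fixed allow-list above,
        # never from the ipparam string itself.
        eval "value=\${$name:-}"
        out=$(replace_all "$out" "\${$name}" "$value")
        out=$(replace_all "$out" "\$$name" "$value")
    done
    printf '%s' "$out"
}

# ipparam_value KEY EXPANDED: prints the value of KEY from a space-separated
# list of key=value pairs, e.g. KEY=device in "device=ppp0 local=10.0.0.2";
# returns 1 when KEY is absent.
ipparam_value() {
    key=$1
    shift
    for pair in $1; do
        case $pair in
            "$key"=*) printf '%s' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Typical use inside /etc/ppp/ip-up.d/<script>, where $6 is ipparam:
#   ipparam=$(expand_ipparam "$6") || { logger "rejected ipparam"; exit 1; }
#   dev=$(ipparam_value device "$ipparam")
```

With this in place an unset variable expands to the empty string, exactly as the `eval echo` variant does, and a rejected string is logged rather than silently dropped.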
One application is to manage the update of `/etc/resolv.conf` using openresolv. When calling `openfortivpn --no-dns -v` with the following scripts present on the system, `/etc/ppp/ip-down.d/000resolvconf`:

```sh
#!/bin/sh
# Drop the resolver entries registered for this ppp interface when the link goes down
[ -x /sbin/resolvconf ] || exit 0
/sbin/resolvconf -f -d "$PPP_IFACE"
```

and `/etc/ppp/ip-up.d/000resolvconf`:

```sh
#!/bin/sh
# Register the DNS servers announced over the link; DNS1 and DNS2 are set by pppd
[ -x /sbin/resolvconf ] || exit 0
if [ -n "$DNS1" ] || [ -n "$DNS2" ]; then
    conf="# Generated by ppp.ip-up for $PPP_IFACE\n"
    [ -n "$DNS1" ] && conf="${conf}nameserver $DNS1\n"
    [ -n "$DNS2" ] && conf="${conf}nameserver $DNS2\n"
    printf "$conf" | /sbin/resolvconf -a "$PPP_IFACE"
fi
```
See also pppd ip-up scripts and option `--pppd-ipparam` in the openfortivpn man page.
Assign routes to `pppd-ipparam` in your config file, e.g.:

```
set-routes=0
pppd-ipparam=192.168.77.88 192.168.77.233 192.168.77.205
```

Then put this into `/etc/ppp/ip-up.d/openfortivpn` (Linux) or `/etc/ppp/ip-up` (macOS).

```sh
#!/bin/sh -e
# $PPP_IFACE should also be available with $1, if needed.
# $6 is the ipparam string, here a space-separated list of destinations.
logger "forticlient connection is up $PPP_IFACE connection ip routes: ${6}"
OS="$(uname)"
IPS="${6}"
# ${IPS} is unquoted on purpose so that word splitting yields one address per iteration.
for IP in ${IPS}
do
    if [ "$OS" = "Darwin" ]; then
        /sbin/route add "${IP}" -interface "${PPP_IFACE}"
    elif [ "$OS" = "Linux" ]; then
        ip route add "${IP}" dev "${PPP_IFACE}"
    fi
done
```

Don't forget to make it executable: `sudo chmod a+x /etc/ppp/ip-up.d/openfortivpn` (Linux) or `sudo chmod a+x /etc/ppp/ip-up` (macOS).
- Run `openfortivpn` with the `--no-routes` flag, or add `set-routes = 0` in your configuration file.
- Create a ppp script for when the link is up: `sudo touch /etc/ppp/ip-up.d/fortivpn`
- Make it executable: `sudo chmod a+x /etc/ppp/ip-up.d/fortivpn`
- Add your own routes, either by looking up their name or by adding specific IP addresses:
```bash
#!/bin/bash
#
# Example script for /etc/ppp/ip-up.d/openfortivpn
#
# Can be used to make internet work as usual having VPN running and only route traffic
# for specified networks to the VPN
#
# To use this, you may disable routing in /etc/openfortivpn/config like that:
#set-routes = 0
#half-internet-routes = 0
#
# Whitelist here all domains and ips (may be masked) that need to go through FortiVPN
# Domains are separated by a space
#
DOMAINS='example.com example.org'
IPS='10.0.0.0/8'

# Positional parameters handed over by pppd to ip-up scripts (see man pppd)
BASENAME=${0##*/}
INTERFACE=$1
DEVICE=$2
SPEED=$3
LOCALIP=$4
REMOTEIP=$5
IPPARAM=$6
ACTION=${0#/etc/ppp/}

# Resolve each domain and append the last address dig returns to the list
RESOLVED=''
for DOMAIN in $DOMAINS; do
    RESOLVED=$(dig +short "$DOMAIN" | tail -n1)
    IPS="$IPS $RESOLVED"
done

# Send the whitelisted destinations over the VPN interface
for IP in $IPS; do
    ip route add "$IP" dev "$INTERFACE"
done
```
- Check the created routes:

```
$ route
Kernel IP routing table
Destination          Gateway         Genmask         Flags Metric Ref    Use Iface
default              192.168.10.254  0.0.0.0         UG    600    0        0 wlp3s0
one.one.one.one      *               255.255.255.255 UH    0      0        0 ppp0
IP-OF-FIRST-DOMAIN   *               255.255.255.255 UH    0      0        0 ppp0
IP-OF-SECOND-DOMAIN  *               255.255.255.255 UH    0      0        0 ppp0
link-local           *               255.255.0.0     U     1000   0        0 br-cc6b09fa8986
172.16.238.0         *               255.255.255.0   U     0      0        0 br-30ec352ff3e1
172.17.0.0           *               255.255.0.0     U     0      0        0 docker0
172.18.0.0           *               255.255.0.0     U     0      0        0 br-44b22a74e13d
172.19.0.0           *               255.255.0.0     U     0      0        0 br-cc6b09fa8986
172.20.0.0           *               255.255.0.0     U     0      0        0 br-2718c069c2ed
192.168.10.0         *               255.255.255.0   U     600    0        0 wlp3s0
```
- check your IP: https://duckduckgo.com/?q=what%27s+my+ip&t=lm&atb=v110-5_h&ia=answer It should be your regular IP, while you should have access to white-listed domains through the VPN.
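Both routing recipes above pass strings straight to `ip route add`: the `pppd-ipparam` list in the first, and in the second the last line of `dig +short`, which for a CNAME is preceded by the alias chain and for a name with several A records holds only one of them. The following added example (not from this wiki or the openfortivpn project) validates each destination as an IPv4 address or prefix before it becomes a route, keeps only the address lines of `dig +short` output, and prints the resulting commands so they can be reviewed before being piped to a shell. The sample dig output is constructed, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the openfortivpn wiki or project. It covers
# the two routing recipes above: validating destinations handed over via
# pppd-ipparam (or a static IPS list) before they reach `ip route add`, and
# turning `dig +short` output into routable IPv4 addresses.

# is_ipv4_or_cidr ARG: returns 0 for a dotted quad with an optional /0-/32
# prefix length and every octet in 0-255, and 1 for anything else.
is_ipv4_or_cidr() {
    arg=$1
    addr=${arg%%/*}
    if [ "$addr" != "$arg" ]; then
        prefix=${arg#*/}
        case $prefix in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$prefix" -le 32 ] || return 1
    fi
    # Only digits and dots, no leading, trailing or doubled dot.
    case $addr in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ipv4_from_dig_output TEXT: prints, one per line, the lines of `dig +short`
# output that are IPv4 addresses, dropping CNAME targets and AAAA records.
ipv4_from_dig_output() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in */*) continue ;; esac
        if is_ipv4_or_cidr "$line"; then
            printf '%s\n' "$line"
        fi
    done
}

# route_commands IFACE DEST...: prints one `ip route add` command per valid
# destination, reports rejected ones on stderr and returns 1 if any was
# rejected. Printing keeps the decision auditable; pipe into sh once happy.
route_commands() {
    iface=$1
    shift
    status=0
    for dest in "$@"; do
        if is_ipv4_or_cidr "$dest"; then
            printf 'ip route add %s dev %s\n' "$dest" "$iface"
        else
            printf 'rejected non-IPv4 destination: %s\n' "$dest" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample of what `dig +short` prints for a CNAME that resolves
# to two A records (not real DNS data).
SAMPLE_DIG_OUTPUT='alias.example.net.
203.0.113.10
203.0.113.11'

# Usage inside an ip-up script, where $6 is the pppd-ipparam string:
#   IPS="$6 $(ipv4_from_dig_output "$(dig +short example.com)")"
#   route_commands "$PPP_IFACE" $IPS | sh
```

Because every A record is kept rather than only the last one, a name that resolves to several addresses gets a host route for each, which is what the "whitelist" intent of the script above requires.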
If the VPN gateway certificate is signed by a certification authority (CA) that is not known to the system, we suggest you add that CA to the system certificate store. See for example How to import CA root certificates on Linux and Windows.

As a last resort, you may retrieve the certificate from the VPN gateway and use the `--trusted-cert` option of openfortivpn. However, this implies a much higher risk of a man-in-the-middle (MITM) attack. To retrieve the certificate, see openfortivpn#946 (comment).