Open alternative to FortiClient SSL VPN on Fedora

For whatever reason, my previous Fortigate client UI stopped working recently.

Since I haven't been able to configure anything using the NetworkManager VPN GUI, and the Fortigate binary has stopped working, something else was required. The FortiClient package, which appears to do virus scanning etc. and hides the VPN functionality (AFAICT), was quickly removed again (after a >200Mb download)...

Single package required

The open Fortigate SSL VPN client, openfortivpn, is even part of the standard Fedora repo:

# dnf whatprovides openfortivpn

openfortivpn-1.6.0-1.fc28.x86_64 : Client for PPP+SSL VPN tunnel services
Repo        : @System
Matched from:
Provide    : openfortivpn = 1.6.0-1.fc28

Initial tests

Try to connect manually first. Run as root:

# First, move the configuration file out of the way, so that everything has to be explicit:
mv /etc/openfortivpn/config /etc/openfortivpn/config.old

# Now connect via the CLI (test by using the network somehow in another window):
openfortivpn somewhere.fortiddns.com:10443 -u username \
             --trusted-cert dead1e96dead013cdead5c14dead8f5ddeadd3c5deadf3c9dead008bdead6c07
# This will prompt for your password

The value for --trusted-cert is the SHA-256 fingerprint of the gateway's certificate. openfortivpn prints it in its error output when the certificate does not validate against the system's trusted CAs (typically a self-signed gateway certificate). Pinning it tells openfortivpn to accept exactly that certificate, so confirm the fingerprint with whoever runs the gateway before copying it in, rather than trusting whatever the first connection happened to present.

When it works, the connection messages from openfortivpn will look like:

VPN account password: (ENTERED HERE)
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
INFO:   Got addresses: [10.312.334.67], ns [192.168.2.335, 8.8.8.8]
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
INFO:   Adding VPN nameservers...
INFO:   Tunnel is up and running.

# Now the VPN connection is running, and ready for use... Until we press ^C in this window.

^CINFO:   Cancelling threads...
INFO:   Setting ppp interface down.
INFO:   Restoring routes...
INFO:   Removing VPN nameservers...
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
INFO:   Logged out.

Making it simpler

Having made sure the connection works on the command line, put the known-good parameters into /etc/openfortivpn/config (edit as root):

# config file for openfortivpn, see man openfortivpn(1)
host = somewhere.fortiddns.com
port = 10443
username = username
#password =
trusted-cert = dead1e96dead013cdead5c14dead8f5ddeadd3c5deadf3c9dead008bdead6c07

And now the VPN connection can be opened with a single command (run as root):

openfortivpn
# Will prompt for the password unless you add it to /etc/openfortivpn/config.
# If you store it there, the file holds the password in plain text, so keep it readable by root only (chmod 600).
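As an added example (not from the original post, nor part of openfortivpn itself), a small Python checker for the two things worth verifying before relying on this config: that the pinned trusted-cert matches the SHA-256 fingerprint of a gateway certificate obtained out of band (e.g. a PEM file from the VPN administrator), and that a stored password does not sit in a file readable by other users. The PEM body below is a constructed placeholder, not a real certificate; the file mode is passed in as the permission bits you would get from os.stat.

```python
"""Sanity-check /etc/openfortivpn/config before trusting it (added example)."""
import base64
import hashlib
import re

# Constructed stand-in for a gateway certificate handed over out of band.
# The bytes are not a real X.509 structure; only the digest logic matters here.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----"""


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER body of a PEM certificate, hex-encoded.

    This is the form --trusted-cert expects: the digest of the
    DER-encoded certificate, not of the PEM text itself.
    """
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def parse_config(text: str) -> dict:
    """Parse the 'key = value' format of /etc/openfortivpn/config.

    Only whole-line comments (leading '#') are skipped, so a '#' inside a
    password value is preserved.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def lint_config(text: str, mode: int, expected_fp: str) -> list:
    """Return a list of findings; an empty list means the config looks sane.

    mode is the permission bits of the config file (os.stat(path).st_mode & 0o777).
    expected_fp is the fingerprint computed from the out-of-band certificate.
    """
    conf = parse_config(text)
    findings = []
    pinned = conf.get("trusted-cert", "").lower()
    if pinned and not re.fullmatch(r"[0-9a-f]{64}", pinned):
        findings.append("trusted-cert is not a SHA-256 hex digest")
    elif pinned and pinned != expected_fp.lower():
        findings.append("trusted-cert does not match the certificate on hand")
    if conf.get("password") and mode & 0o077:
        findings.append("password stored but file is readable by others")
    return findings
```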

All done.