Home

Awesome

openfortivpn

openfortivpn is a client for PPP+TLS VPN tunnel services. It spawns a pppd process and operates the communication between the gateway and this process.

It is compatible with Fortinet VPNs.

Usage

man openfortivpn

Examples

Smartcard

Smartcard support needs openssl pkcs engine and opensc to be installed. The pkcs11-engine from libp11 needs to be compiled with p11-kit-devel installed. Check #464 for a discussion of known issues in this area.

To make use of your smartcard put at least pkcs11: to the user-cert config or commandline option. It takes the full or a partial PKCS#11 token URI.

user-cert = pkcs11:
user-cert = pkcs11:token=someuser
user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser
username =
password =

In most cases user-cert = pkcs11: will do it, but if needed you can get the token-URI with p11tool --list-token-urls.

Multiple readers are currently not supported.

Smartcard support has been tested with Yubikey under Linux, but other PIV enabled smartcards may work too. On Mac OS X Mojave it is known that the pkcs engine-by-id is not found.

Installing

Installing existing packages

Some Linux distributions provide openfortivpn packages:

On macOS both Homebrew and MacPorts provide an openfortivpn package. Either install Homebrew then install openfortivpn:

# Install 'Homebrew'
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

# Install 'openfortivpn'
brew install openfortivpn

or install MacPorts then install openfortivpn:

# Install 'openfortivpn'
sudo port install openfortivpn

A more complete overview can be obtained from repology.

Building and installing from source

For other distros, you'll need to build and install from source:

  1. Install build dependencies.

    • RHEL/CentOS/Fedora: gcc automake autoconf openssl-devel make pkg-config
    • Debian/Ubuntu: gcc automake autoconf libssl-dev make pkg-config
    • Arch Linux: gcc automake autoconf openssl pkg-config
    • Gentoo Linux: net-dialup/ppp pkg-config
    • openSUSE: gcc automake autoconf libopenssl-devel pkg-config
    • macOS (Homebrew): automake autoconf openssl@1.1 pkg-config
    • FreeBSD: automake autoconf libressl pkgconf

    On Linux, if you manage your kernel yourself, ensure to compile those modules:

    CONFIG_PPP=m
    CONFIG_PPP_ASYNC=m
    

    On macOS, install 'Homebrew' to install the build dependencies:

    # Install 'Homebrew'
    /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
    
    # Install Dependencies
    brew install automake autoconf openssl@1.1 pkg-config
    
    # You may need to make this openssl available to compilers and pkg-config
    export LDFLAGS="-L/usr/local/opt/openssl/lib $LDFLAGS"
    export CPPFLAGS="-I/usr/local/opt/openssl/include $CPPFLAGS"
    export PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig:$PKG_CONFIG_PATH"
    
  2. Build and install.

    ./autogen.sh
    ./configure --prefix=/usr/local --sysconfdir=/etc
    make
    sudo make install
    

    If targeting platforms with pppd < 2.5.0 such as current version of macOS, we suggest you configure with option --enable-legacy-pppd:

    ./autogen.sh
    ./configure --prefix=/usr/local --sysconfdir=/etc --enable-legacy-pppd
    make
    sudo make install
    

    If you need to specify the openssl location you can set the $PKG_CONFIG_PATH environment variable. For fine-tuning check the available configure arguments with ./configure --help especially when you are cross compiling.

    Finally, install runtime dependency ppp or pppd.

Running as root?

openfortivpn needs elevated privileges at three steps during tunnel set up:

For these reasons, you need to use sudo openfortivpn. If you need it to be usable by non-sudoer users, you might consider adding an entry in /etc/sudoers or a file under /etc/sudoers.d.

For example:

visudo -f /etc/sudoers.d/openfortivpn
Cmnd_Alias  OPENFORTIVPN = /usr/bin/openfortivpn

%adm       ALL = (ALL) OPENFORTIVPN

Adapt the above example by changing the openfortivpn path or choosing a group different from adm - such as a dedicated openfortivpn group.

Warning: Make sure only trusted users can run openfortivpn as root! As described in #54, a malicious user could use --pppd-plugin and --pppd-log options to divert the program's behaviour.

SSO/SAML/2FA

In some cases, the server may require the VPN client to load and interact with a web page containing JavaScript. Depending on the complexity of the web page, interpreting the web page might be beyond the reach of a command line program such as openfortivpn.

In such cases, you may use an external program spawning a full-fledged web browser such as openfortivpn-webview to authenticate and retrieve a session cookie. This cookie can be fed to openfortivpn using option --cookie-on-stdin. Obviously, such a solution requires a graphic session.

Contributing

Feel free to make pull requests!

C coding style should follow the Linux kernel coding style.