Skip to content

adrienverge/openfortivpn

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

870 Commits
.github
.github
 
 
doc
doc
 
 
etc
etc
 
 
lib/systemd/system
lib/systemd/system
 
 
src
src
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
LICENSE.OpenSSL
LICENSE.OpenSSL
 
 
Makefile.am
Makefile.am
 
 
README.md
README.md
 
 
autogen.sh
autogen.sh
 
 
configure.ac
configure.ac
 
 

Repository files navigation

openfortivpn

openfortivpn is a client for PPP+TLS VPN tunnel services. It spawns a pppd process and operates the communication between the gateway and this process.

It is compatible with Fortinet VPNs.

Usage

man openfortivpn

Examples

  • Simply connect to a VPN:

    openfortivpn vpn-gateway:8443 --username=foo

  • Connect to a VPN using an authentication realm:

    openfortivpn vpn-gateway:8443 --username=foo --realm=bar

  • Store password securely with a pinentry program:

    openfortivpn vpn-gateway:8443 --username=foo --pinentry=pinentry-mac

  • Connect with a user certificate and no password:

    openfortivpn vpn-gateway:8443 --username= --password= --user-cert=cert.pem --user-key=key.pem

  • Connect using SAML login:

    openfortivpn vpn-gateway:8443 --saml-login

  • Don't set IP routes and don't add VPN nameservers to /etc/resolv.conf:

    openfortivpn vpn-gateway:8443 -u foo --no-routes --no-dns --pppd-no-peerdns

  • Using a configuration file:

    openfortivpn -c /etc/openfortivpn/my-config

    With /etc/openfortivpn/my-config containing:

    host = vpn-gateway
port = 8443
username = foo
set-dns = 0
pppd-use-peerdns = 0
# X509 certificate sha256 sum, trust only this one!
trusted-cert = e46d4aff08ba6914e64daa85bc6112a422fa7ce16631bff0b592a28556f993db

  • For the full list of config options, see the CONFIGURATION section of

    man openfortivpn

Smartcard

Smartcard support needs openssl pkcs engine and opensc to be installed. The pkcs11-engine from libp11 needs to be compiled with p11-kit-devel installed. Check #464 for a discussion of known issues in this area.

Building on Fedora since this update will NOT include engine support unless openssl-devel-engine is installed. Try first to use pkcs11-provider on OpenSSL >= 3.0.

To make use of your smartcard put at least pkcs11: to the user-cert config or commandline option. It takes the full or a partial PKCS#11 token URI.

user-cert = pkcs11:
user-cert = pkcs11:token=someuser
user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser
username =
password =

In most cases user-cert = pkcs11: will do it, but if needed you can get the token-URI with p11tool --list-token-urls.

Multiple readers are currently not supported.

Smartcard support has been tested with Yubikey under Linux, but other PIV enabled smartcards may work too. On Mac OS X Mojave it is known that the pkcs engine-by-id is not found.

Installing

Installing existing packages

Some Linux distributions provide openfortivpn packages:

On macOS both Homebrew and MacPorts provide an openfortivpn package. Either install Homebrew then install openfortivpn:

# Install 'Homebrew'
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

# Install 'openfortivpn'
brew install openfortivpn

or install MacPorts then install openfortivpn:

# Install 'openfortivpn'
sudo port install openfortivpn

A more complete overview can be obtained from repology.

Building and installing from source

For other distros, you'll need to build and install from source:

  1. Install build dependencies.

    • RHEL/CentOS/Fedora: gcc automake autoconf openssl-devel make pkg-config
    • Debian/Ubuntu: gcc automake autoconf libssl-dev make pkg-config
    • Arch Linux: gcc automake autoconf openssl pkg-config
    • Gentoo Linux: net-dialup/ppp pkg-config
    • openSUSE: gcc automake autoconf libopenssl-devel pkg-config
    • macOS (Homebrew): automake autoconf [email protected] pkg-config
    • FreeBSD: automake autoconf libressl pkgconf

    On Linux, if you manage your kernel yourself, ensure to compile those modules:

    CONFIG_PPP=m
CONFIG_PPP_ASYNC=m

    On macOS, install 'Homebrew' to install the build dependencies:

    # Install 'Homebrew'
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

# Install Dependencies
brew install automake autoconf [email protected] pkg-config

# You may need to make this openssl available to compilers and pkg-config
export LDFLAGS="-L/usr/local/opt/openssl/lib $LDFLAGS"
export CPPFLAGS="-I/usr/local/opt/openssl/include $CPPFLAGS"
export PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig:$PKG_CONFIG_PATH"

  2. Build and install.

    ./autogen.sh
./configure --prefix=/usr/local --sysconfdir=/etc
make
sudo make install

    If targeting platforms with pppd < 2.5.0 such as current version of macOS, we suggest you configure with option --enable-legacy-pppd:

    ./autogen.sh
./configure --prefix=/usr/local --sysconfdir=/etc --enable-legacy-pppd
make
sudo make install

    If you need to specify the openssl location you can set the $PKG_CONFIG_PATH environment variable. For fine-tuning check the available configure arguments with ./configure --help especially when you are cross compiling.

    Finally, install runtime dependency ppp or pppd.

Running as root?

openfortivpn needs elevated privileges at three steps during tunnel set up:

  • when spawning a /usr/sbin/pppd process;
  • when setting IP routes through VPN (when the tunnel is up);
  • when adding nameservers to /etc/resolv.conf (when the tunnel is up).

For these reasons, you need to use sudo openfortivpn. If you need it to be usable by non-sudoer users, you might consider adding an entry in /etc/sudoers or a file under /etc/sudoers.d.

For example:

visudo -f /etc/sudoers.d/openfortivpn
Cmnd_Alias  OPENFORTIVPN = /usr/bin/openfortivpn

%adm       ALL = (ALL) OPENFORTIVPN

Adapt the above example by changing the openfortivpn path or choosing a group different from adm - such as a dedicated openfortivpn group.

Warning: Make sure only trusted users can run openfortivpn as root! As described in #54, a malicious user could use --pppd-plugin and --pppd-log options to divert the program's behaviour.

SSO/SAML/2FA

In some cases, the server may require the VPN client to load and interact with a web page containing JavaScript. Depending on the complexity of the web page, interpreting the web page might be beyond the reach of a command line program such as openfortivpn.

In such cases, you may use an external program spawning a full-fledged web browser such as openfortivpn-webview to authenticate and retrieve a session cookie. This cookie can be fed to openfortivpn using option --cookie-on-stdin. Obviously, such a solution requires a graphic session.

When started using --saml-login the program creates a web server that accepts SAML login requests. To login using SAML you just have to open <your-vpn-domain>/remote/saml/start?redirect=1 and follow the login steps. At the end of the login process the page will be redirected to http://127.0.0.1:8020/?id=<session-id>

Contributing

Feel free to make pull requests!

C coding style should follow the Linux kernel coding style.

About

Client for PPP+TLS VPN tunnel services

Resources

Readme

License

GPL-3.0, Unknown licenses found

Licenses found

GPL-3.0
LICENSE
Unknown
LICENSE.OpenSSL

Security policy

Security policy
Activity

Stars

3.1k stars

Watchers

47 watching

Forks

354 forks
Report repository

Releases

46 tags

Packages

No packages published

Contributors 71

+ 57 contributors

Languages