Skip to content

This document is a WORK IN PROGRESS.
This is just a quick personal cheat sheet: treat its contents with caution!


OpenFortiVPN

OpenFortiVPN is a client for PPP + SSL VPN tunnel services. It spawns a pppd (PPP daemon) process and operates the communication between the gateway and this process.

It is compatible with Fortinet VPNs.

Reference(s)

Table of contents


Install

A correct kernel config is needed:

$ cd /usr/src/linux
# make nconfig # or `# make menuconfig`

TODO

The following kernel modules are needed: - CONFIG_PPP - CONFIG_PPP_ASYNC - CONFIG_PPP_SYNC_TTY - CONFIG_PPP_DEFLATE - CONFIG_PPP_BSDCOMP - CONFIG_PPP_MPPE - CONFIG_PPPOE

Warning

After configuring the kernel don't forget to do a kernel make and rebuild!

# emerge -a net-vpn/openfortivpn
# pacman -S openfortivpn
# apt install openfortivpn

TODO

TODO


Use

  • Simply connect to a VPN:

    $ openfortivpn 123.123.1.2:1234 --username=foo
    

  • Connect to a VPN using an authentication realm:

    $ openfortivpn 123.123.1.2:1234 --username=foo --realm=bar
    

  • Store password securely:

    $ openfortivpn 123.123.1.2:1234 --username=foo --pinentry=pinentry-mac
    

  • Don't set IP routes and don't add VPN name servers to /etc/resolv.conf:

    $ openfortivpn 123.123.1.2:1234 -u foo --no-routes --no-dns --pppd-no-peerdns
    

  • Using a configuration file:

    $ openfortivpn -c /etc/openfortivpn/my-config
    

With /etc/openfortivpn/my-config containing:

host = vpn-gateway
port = 8443
username = foo
set-dns = 0
pppd-use-peerdns = 0
# X509 certificate sha256 sum, trust only this one!
trusted-cert = e46d4aff08ba6914e64daa85bc6112a422fa7ce16631bff0b592a28556f993db

  • For the full list of config options, see the CONFIGURATION section of:
    $ man openfortivpn
    

Troubleshooting

Peer refused to agree to his IP address

If you ever come accross an error like the following one:

...
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
Using interface ppp0
Connect: ppp0 <--> /dev/pts/9
INFO:   Negotiation complete.
Peer refused to agree to his IP address
Connect time 0.0 minutes.
Sent 1101 bytes, received 1081 bytes.
INFO:   Cancelling threads...
INFO:   Cleanup, joining threads...
Hangup (SIGHUP)
Modem hangup
Connection terminated.

Then you might want to try to uncomment the ipcp-accept-local and/or ipcp-accept-remote options in /etc/ppp/options, like described here: https://github.com/adrienverge/openfortivpn/issues/920#issuecomment-1249267382


If this cheat sheet has been useful to you, then please consider leaving a star here.