Thursday, 10 October 2019

openfortivpn


openfortivpn is a client for PPP+SSL VPN tunnel services.
It spawns a pppd process and operates the communication between the gateway and this process.
It is compatible with Fortinet VPNs.

Examples

  • Simply connect to a VPN:
    openfortivpn vpn-gateway:8443 --username=foo
    
  • Connect to a VPN using an authentication realm:
    openfortivpn vpn-gateway:8443 --username=foo --realm=bar
    
  • Don't set IP routes and don't add VPN nameservers to /etc/resolv.conf:
    openfortivpn vpn-gateway:8443 -u foo -p bar --no-routes --no-dns --pppd-no-peerdns
    
  • Using a config file:
    openfortivpn -c /etc/openfortivpn/my-config
    
    With /etc/openfortivpn/my-config containing:
    host = vpn-gateway
    port = 8443
    username = foo
    password = bar
    set-routes = 0
    set-dns = 0
    pppd-use-peerdns = 0
    # X509 certificate sha256 sum, trust only this one!
    trusted-cert = e46d4aff08ba6914e64daa85bc6112a422fa7ce16631bff0b592a28556f993db
    
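The config file above is the place where the gateway certificate pin (trusted-cert) and the credentials live, so it is worth being able to read and sanity-check it. The following is an added example, not code from openfortivpn: a small parser for the "key = value" format shown above, a checker that flags a missing or malformed pin and a plaintext password, and a helper that produces the lower-case hex SHA-256 that trusted-cert expects. The sample config is constructed from the page's own example; that openfortivpn hashes the DER encoding of the certificate is an assumption of this example.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample in openfortivpn's "key = value" config format; the
# fingerprint is the one quoted on the page and is illustrative only.
SAMPLE_CONFIG = """\
host = vpn-gateway
port = 8443
username = foo
password = bar
set-routes = 0
set-dns = 0
pppd-use-peerdns = 0
# X509 certificate sha256 sum, trust only this one!
trusted-cert = e46d4aff08ba6914e64daa85bc6112a422fa7ce16631bff0b592a28556f993db
"""

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines. A '#' starts a comment and blank lines are
    skipped; a key given twice keeps the last value (this parser's choice,
    not a statement about openfortivpn's own parser)."""
    conf: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if not key:
            raise ValueError(f"line {lineno}: empty key")
        conf[key] = value
    return conf


def check_config(conf: Dict[str, str]) -> List[str]:
    """Return finding codes for the settings a reviewer should look at."""
    findings: List[str] = []
    pin = conf.get("trusted-cert")
    if pin is None:
        # Without a pin the gateway is accepted on the strength of the system
        # CA store alone; the page's comment says to trust only the pinned cert.
        findings.append("missing-trusted-cert")
    elif not SHA256_HEX.match(pin.lower()):
        findings.append("malformed-trusted-cert")
    if conf.get("password"):
        # Plaintext credential on disk: keep the file root-owned and
        # unreadable by other users.
        findings.append("plaintext-password")
    return findings


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER-encoded certificate in the lower-case hex form that
    trusted-cert uses. Assumption: openfortivpn hashes the DER encoding."""
    return hashlib.sha256(der_cert).hexdigest()


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    print(parsed)
    print(check_config(parsed))
    # Constructed bytes standing in for a DER certificate.
    print(cert_fingerprint(b"constructed bytes standing in for a DER certificate"))
```

On a real host you would feed cert_fingerprint the DER bytes of the gateway certificate you have verified out of band, and compare the result with the trusted-cert value in the config rather than copying whatever the gateway presented on first connection.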

Smartcard

Smartcard support needs openssl pkcs engine and opensc to be installed.
To use your smartcard, put at least pkcs11: in the user-cert config option or on the command line. The value is a full or partial PKCS#11 token URI. username and password must also be non-empty, but they are not used, so any value will do.
user-cert = pkcs11:
user-cert = pkcs11:token=someuser
user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser
username = none
password = none
In most cases user-cert = pkcs11: is enough, but if needed you can get the token URI with p11tool --list-token-urls.
Multiple readers are not supported.
Tested with Yubikey, but other PIV enabled smartcards may work too.
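To make the "full or partial token URI" point concrete, here is an added example, not openfortivpn code: a parser for pkcs11: URIs in the RFC 7512 form used above (';'-separated, percent-encoded path attributes, optional '&'-separated query attributes) and a selector that treats a partial URI as a filter over the tokens present. The token inventory is constructed to resemble what p11tool would list; the values are made up.

```python
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed token inventory standing in for the tokens p11tool would list;
# the attribute names follow RFC 7512, the values are made up.
TOKENS: List[Dict[str, str]] = [
    {"model": "PKCS#15 emulated", "manufacturer": "piv_II",
     "serial": "012345678", "token": "someuser"},
]


def parse_pkcs11_uri(uri: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a pkcs11: URI into path attributes (';'-separated) and query
    attributes ('&'-separated after '?'), percent-decoding keys and values."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def split(part: str, sep: str) -> Dict[str, str]:
        attrs: Dict[str, str] = {}
        for item in part.split(sep):
            if not item:
                continue
            if "=" not in item:
                raise ValueError(f"bad attribute {item!r}")
            key, value = item.split("=", 1)
            attrs[unquote(key)] = unquote(value)
        return attrs

    return split(path, ";"), split(query, "&")


def matching_tokens(uri: str, tokens: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """A partial URI matches every token whose attributes agree with all the
    attributes the URI specifies; 'pkcs11:' alone matches every token."""
    path_attrs, _ = parse_pkcs11_uri(uri)
    return [t for t in tokens if all(t.get(k) == v for k, v in path_attrs.items())]


def select_token(uri: str, tokens: List[Dict[str, str]]) -> Dict[str, str]:
    """Require exactly one match: with several readers present a bare
    'pkcs11:' is ambiguous and the URI needs more attributes."""
    found = matching_tokens(uri, tokens)
    if len(found) != 1:
        raise LookupError(f"{len(found)} tokens match {uri!r}; refine the URI")
    return found[0]


if __name__ == "__main__":
    uri = "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser"
    print(parse_pkcs11_uri(uri))
    print(select_token("pkcs11:token=someuser", TOKENS))
```

The selector is deliberately strict: rather than picking the first matching token when several are present, it refuses, which mirrors the page's note that multiple readers are not supported and avoids silently using the wrong key.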

Installing

Installing existing packages

Some Linux distributions provide openfortivpn packages:
On macOS both Homebrew and MacPorts provide an openfortivpn package. Either install Homebrew and then install openfortivpn:
# Install 'Homebrew'
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

# Install 'openfortivpn'
brew install openfortivpn
(This prints:
...
If you need to have openssl@1.1 first in your PATH run:
  echo 'export PATH="/usr/local/opt/openssl@1.1/bin:$PATH"' >> ~/.bash_profile

For compilers to find openssl@1.1 you may need to set:
  export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib"
  export CPPFLAGS="-I/usr/local/opt/openssl@1.1/include"

For pkg-config to find openssl@1.1 you may need to set:
  export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig")

or install MacPorts then install openfortivpn:
# Install 'openfortivpn'
sudo port install openfortivpn

Building and installing from source

For other distros, you'll need to build and install from source:
  1. Install build dependencies.
    • RHEL/CentOS/Fedora: gcc automake autoconf openssl-devel make pkg-config
    • Debian/Ubuntu: gcc automake autoconf libssl-dev make pkg-config
    • Arch Linux: gcc automake autoconf openssl pkg-config
    • Gentoo Linux: net-dialup/ppp pkg-config
    • openSUSE: gcc automake autoconf libopenssl-devel pkg-config
    • macOS (Homebrew): automake autoconf openssl@1.0 pkg-config
    • FreeBSD: automake autoconf libressl pkgconf
    On Linux, if you build your own kernel, make sure these modules are enabled:
    CONFIG_PPP=m
    CONFIG_PPP_ASYNC=m
    
    On macOS, install 'Homebrew' to install the build dependencies:
    # Install 'Homebrew'
    /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
    
    # Install Dependencies
    brew install automake autoconf openssl@1.0 pkg-config
    
    # You may need to make this openssl available to compilers and pkg-config
    export LDFLAGS="-L/usr/local/opt/openssl/lib $LDFLAGS"
    export CPPFLAGS="-I/usr/local/opt/openssl/include $CPPFLAGS"
    export PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig:$PKG_CONFIG_PATH"
  2. Build and install.
    ./autogen.sh
    ./configure --prefix=/usr/local --sysconfdir=/etc
    make
    sudo make install
    If you need to specify the openssl location, set the $PKG_CONFIG_PATH environment variable. For fine-tuning, check the available configure arguments with ./configure --help, especially when you are cross-compiling.
    Finally, install runtime dependency ppp or pppd.

Running as root?

openfortivpn needs elevated privileges at three steps during tunnel set up:
  • when spawning a /usr/sbin/pppd process;
  • when setting IP routes through VPN (when the tunnel is up);
  • when adding nameservers to /etc/resolv.conf (when the tunnel is up).
For these reasons, you may need to use sudo openfortivpn.
If you need it to be usable by non-sudoer users, you might consider adding an entry in /etc/sudoers.
For example: visudo -f /etc/sudoers.d/openfortivpn
Cmnd_Alias  OPENFORTIVPN = /usr/bin/openfortivpn

%adm       ALL = (ALL) OPENFORTIVPN
Warning: Make sure only trusted users can run openfortivpn as root!
As described in #54, a malicious user could use --pppd-plugin and --pppd-log options to divert the program's behaviour.
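The sudoers entry above lets the listed users pass any arguments to a root-privileged openfortivpn, which is exactly what the warning is about. One mitigation is to point the sudo rule at a root-owned wrapper that only forwards the options the examples on this page use. The following is an added example of such a wrapper, not code from openfortivpn. It uses an allow-list rather than blocking --pppd-plugin and --pppd-log by name, because a getopt_long-based CLI also accepts unambiguous abbreviations of long options (assumed here for openfortivpn's CLI); the config directory /etc/openfortivpn/ and the binary path /usr/bin/openfortivpn are assumptions taken from the page's examples.

```python
import os
import sys
from typing import List, Optional

# Options the page's examples use; anything else is refused. An allow-list
# is used rather than a deny-list because a getopt_long-based CLI (assumed
# for openfortivpn) also accepts unambiguous abbreviations such as
# --pppd-plug, which a deny-list of exact names would miss.
OPTIONS_WITH_VALUE = {"-u", "--username", "-p", "--password", "--realm", "-c", "--config"}
FLAGS = {"--no-routes", "--no-dns", "--pppd-no-peerdns"}
# Assumption: admin-controlled config files live here and nowhere else.
CONFIG_DIR = "/etc/openfortivpn/"
OPENFORTIVPN = "/usr/bin/openfortivpn"  # path from the page's sudoers example


def vet_argv(argv: List[str]) -> Optional[str]:
    """Return None if argv only uses permitted options, else the reason it
    was refused. Only long options may carry their value after '=' ; short
    options must take a separate argument, so '-c=path' is refused rather
    than being read differently by the wrapper and by getopt."""
    i = 0
    positional = 0
    while i < len(argv):
        arg = argv[i]
        if arg in FLAGS:
            i += 1
            continue
        if arg.startswith("--"):
            name, has_eq, value = arg.partition("=")
        else:
            name, has_eq, value = arg, False, ""
        if name in OPTIONS_WITH_VALUE:
            if not has_eq:
                if i + 1 >= len(argv):
                    return f"{name} needs a value"
                value = argv[i + 1]
                i += 1
            if name in ("-c", "--config"):
                # Resolve '..' and symlinks before deciding where the file is.
                if not os.path.realpath(value).startswith(CONFIG_DIR):
                    return f"config file outside {CONFIG_DIR}: {value}"
            i += 1
            continue
        if arg.startswith("-"):
            return f"option not permitted: {arg}"
        positional += 1  # the gateway host[:port]
        i += 1
    if positional > 1:
        return "only one gateway host[:port] argument is allowed"
    return None


if __name__ == "__main__":
    reason = vet_argv(sys.argv[1:])
    if reason is not None:
        sys.exit(f"refused: {reason}")
    # Replace the wrapper with the real program; sudo runs this wrapper as root.
    os.execv(OPENFORTIVPN, ["openfortivpn", *sys.argv[1:]])
```

For this to help, the wrapper itself has to be root-owned and not writable by the users in the sudo rule, and the Cmnd_Alias has to name the wrapper instead of /usr/bin/openfortivpn; otherwise the users can still reach the unrestricted binary.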