openfortivpn is a client for PPP+TLS VPN tunnel services. It spawns a pppd process and operates the communication between the gateway and this process.
On Windows, it uses an in-process PPP engine with wintun instead of pppd.
It is compatible with Fortinet VPNs.
See man openfortivpn for the full usage. Examples:
- Simply connect to a VPN:
  ```
  openfortivpn vpn-gateway:8443 --username=foo
  ```
- Connect to a VPN using an authentication realm:
  ```
  openfortivpn vpn-gateway:8443 --username=foo --realm=bar
  ```
- Store the password securely with a pinentry program:
  ```
  openfortivpn vpn-gateway:8443 --username=foo --pinentry=pinentry-mac
  ```
- Connect with a user certificate and no password:
  ```
  openfortivpn vpn-gateway:8443 --username= --password= --user-cert=cert.pem --user-key=key.pem
  ```
- Connect using SAML login:
  ```
  openfortivpn vpn-gateway:8443 --saml-login
  ```
- Don't set IP routes and don't add VPN nameservers to /etc/resolv.conf:
  ```
  openfortivpn vpn-gateway:8443 -u foo --no-routes --no-dns --pppd-no-peerdns
  ```
- Using a configuration file:
  ```
  openfortivpn -c /etc/openfortivpn/my-config
  ```
  With /etc/openfortivpn/my-config containing:
  ```
  host = vpn-gateway
  port = 8443
  username = foo
  set-dns = 0
  pppd-use-peerdns = 0
  # X509 certificate sha256 sum, trust only this one!
  trusted-cert = e46d4aff08ba6914e64daa85bc6112a422fa7ce16631bff0b592a28556f993db
  ```
- For the full list of config options, see the CONFIGURATION section of man openfortivpn.
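As an added illustration (not code from openfortivpn itself), the following Python parses the key = value format shown above and checks a gateway certificate against the trusted-cert pin, which is the sha256 of the DER-encoded certificate; the sample config and the certificate bytes are constructed here, and the parser is a simplified stand-in for openfortivpn's own.

```python
import hashlib
import re

# Constructed sample, mirroring the README's /etc/openfortivpn/my-config.
SAMPLE_CONFIG = """\
host = vpn-gateway
port = 8443
username = foo
set-dns = 0
pppd-use-peerdns = 0
# X509 certificate sha256 sum, trust only this one!
trusted-cert = e46d4aff08ba6914e64daa85bc6112a422fa7ce16631bff0b592a28556f993db
"""

HEX_SHA256 = re.compile(r"[0-9a-fA-F]{64}")


def parse_config(text):
    """Map each 'key = value' option to the list of values given for it
    (trusted-cert may appear more than once); '#' lines are comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed config line: {raw!r}")
        options.setdefault(key.strip(), []).append(value.strip())
    return options

def invalid_pins(pins):
    """Pins that are not 64 hex digits can never match any certificate."""
    return [p for p in pins if not HEX_SHA256.fullmatch(p)]

def cert_fingerprint(der_cert):
    """sha256 over the DER-encoded certificate: the value trusted-cert pins."""
    return hashlib.sha256(der_cert).hexdigest()

def is_pinned(der_cert, pins):
    """Case-insensitive comparison of the fingerprint against the pin list."""
    return cert_fingerprint(der_cert) in [p.lower() for p in pins]

def gateway_trusted(config_text, der_cert):
    """True only if the gateway certificate matches a well-formed pin."""
    pins = parse_config(config_text).get("trusted-cert", [])
    if invalid_pins(pins):
        raise ValueError(f"unusable trusted-cert value(s): {invalid_pins(pins)}")
    return is_pinned(der_cert, pins)
```

To obtain the value to pin from a gateway certificate you already hold in PEM form, `openssl x509 -in gateway.pem -outform DER | sha256sum` yields the same sha256 that cert_fingerprint computes.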
Smartcard support needs openssl pkcs engine and opensc to be installed.
The pkcs11-engine from libp11 needs to be compiled with p11-kit-devel installed.
Check #464 for a discussion of known issues in this area.
Building on Fedora since this update will NOT include engine support unless openssl-devel-engine is installed. Try first to use pkcs11-provider on OpenSSL >= 3.0.
To make use of your smartcard, put at least pkcs11: in the user-cert config or command line option. It takes the full or a partial PKCS#11 token URI.
```
user-cert = pkcs11:
user-cert = pkcs11:token=someuser
user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser
username =
password =
```
In most cases user-cert = pkcs11: will do it, but if needed you can get the token URI with p11tool --list-token-urls.
Multiple readers are currently not supported.
Smartcard support has been tested with Yubikey under Linux, but other PIV enabled smartcards may work too. On Mac OS X Mojave it is known that the pkcs engine-by-id is not found.
Some Linux distributions provide openfortivpn packages.
On macOS both Homebrew and MacPorts provide an openfortivpn package.
Either install Homebrew, then install openfortivpn:
```
# Install 'Homebrew'
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
# Install 'openfortivpn'
brew install openfortivpn
```
or install MacPorts, then install openfortivpn:
```
# Install 'openfortivpn'
sudo port install openfortivpn
```
A more complete overview can be obtained from repology.
Windows support uses wintun (a lightweight TUN driver from the WireGuard project) instead of pppd. PPP negotiation is handled in-process.
Requirements:
- Windows 10 or later
- Administrator privileges (for TUN adapter and route management)
- wintun.dll in the same directory as openfortivpn.exe or in the system PATH
Building with MinGW-w64 (MSYS2):
- Install MSYS2 and open a MinGW64 shell.
- Install dependencies:
  ```
  pacman -S mingw-w64-x86_64-gcc mingw-w64-x86_64-cmake mingw-w64-x86_64-openssl mingw-w64-x86_64-ninja
  ```
- Build:
  ```
  mkdir build && cd build
  cmake .. -G Ninja
  ninja
  ```
Building with MSVC:
- Install Visual Studio with the C/C++ workload.
- Install OpenSSL via vcpkg:
  ```
  vcpkg install openssl:x64-windows
  ```
- Build:
  ```
  mkdir build && cd build
  cmake .. -DCMAKE_TOOLCHAIN_FILE=[vcpkg root]/scripts/buildsystems/vcpkg.cmake
  cmake --build . --config Release
  ```
Running:
Download wintun.dll from https://www.wintun.net/ and place it next to openfortivpn.exe, then run from an Administrator command prompt:
```
openfortivpn vpn-gateway:8443 --username=foo
```
For other distros, you'll need to build and install from source:
1. Install build dependencies.
   - RHEL/CentOS/Fedora: gcc automake autoconf openssl-devel make pkg-config
   - Debian/Ubuntu: gcc automake autoconf libssl-dev make pkg-config
   - Arch Linux: gcc automake autoconf openssl pkg-config
   - Gentoo Linux: net-dialup/ppp pkg-config
   - openSUSE: gcc automake autoconf libopenssl-devel pkg-config
   - macOS (Homebrew): automake autoconf openssl@1.1 pkg-config
   - FreeBSD: automake autoconf libressl pkgconf

   On Linux, if you manage your kernel yourself, ensure you compile these modules:
   ```
   CONFIG_PPP=m
   CONFIG_PPP_ASYNC=m
   ```
   On macOS, install 'Homebrew' to install the build dependencies:
   ```
   # Install 'Homebrew'
   /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
   # Install Dependencies
   brew install automake autoconf openssl@1.1 pkg-config
   # You may need to make this openssl available to compilers and pkg-config
   export LDFLAGS="-L/usr/local/opt/openssl/lib $LDFLAGS"
   export CPPFLAGS="-I/usr/local/opt/openssl/include $CPPFLAGS"
   export PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig:$PKG_CONFIG_PATH"
   ```
2. Build and install.
   ```
   ./autogen.sh
   ./configure --prefix=/usr/local --sysconfdir=/etc
   make
   sudo make install
   ```
   If targeting platforms with pppd < 2.5.0, such as the current version of macOS, we suggest you configure with the option --enable-legacy-pppd:
   ```
   ./autogen.sh
   ./configure --prefix=/usr/local --sysconfdir=/etc --enable-legacy-pppd
   make
   sudo make install
   ```
   If you need to specify the openssl location you can set the $PKG_CONFIG_PATH environment variable. For fine-tuning, check the available configure arguments with ./configure --help, especially when you are cross compiling.

   Finally, install the runtime dependency ppp or pppd.
openfortivpn needs elevated privileges at three steps during tunnel set up:
- when spawning a /usr/sbin/pppd process (Linux/macOS) or creating a TUN adapter (Windows);
- when setting IP routes through the VPN (when the tunnel is up);
- when adding nameservers to /etc/resolv.conf (Linux/macOS) or configuring DNS via netsh (Windows).
On Linux/macOS, you need to use sudo openfortivpn. If you need it to be usable by non-sudoer users, you might consider adding an entry in /etc/sudoers or a file under /etc/sudoers.d. For example:
```
visudo -f /etc/sudoers.d/openfortivpn
```
```
Cmnd_Alias OPENFORTIVPN = /usr/bin/openfortivpn
%adm ALL = (ALL) OPENFORTIVPN
```
Adapt the above example by changing the openfortivpn path or choosing a group different from adm, such as a dedicated openfortivpn group.
On Windows, run openfortivpn from an Administrator command prompt or PowerShell.
Warning: Make sure only trusted users can run openfortivpn as root!
As described in #54,
a malicious user could use --pppd-plugin and --pppd-log options to divert
the program's behaviour.
In some cases, the server may require the VPN client to load and interact with a web page containing JavaScript. Depending on the complexity of the web page, interpreting it may be beyond the reach of a command line program such as openfortivpn. In such cases, you may use an external program that spawns a full-fledged web browser, such as openfortivpn-webview, to authenticate and retrieve a session cookie. This cookie can be fed to openfortivpn using the option --cookie-on-stdin. Obviously, such a solution requires a graphical session.
When started using --saml-login, the program creates a web server that accepts SAML login requests. To log in using SAML, just open <your-vpn-domain>/remote/saml/start?redirect=1 and follow the login steps. At the end of the login process the page will be redirected to http://127.0.0.1:8020/?id=<session-id>
Feel free to make pull requests!
C coding style should follow the Linux kernel coding style.