NetworkManager + fortisslvpn can no longer connect after update #231038

Open
dklementowski opened this issue May 10, 2023 · 31 comments
Labels
0.kind: bug Something is broken

Comments

@dklementowski

Describe the bug

After recent updates (I'm not sure which component is to blame here exactly: NM, pppd or the plugin) it can no longer connect to the VPN. I can still connect fine when going back to a generation made a few days ago. I'll reboot to the older generation to get the versions of those components and post them in the comments later.

Steps To Reproduce

Steps to reproduce the behavior:
1. Create Forti SSL VPN connection in NetworkManager
2. Try to connect

Expected behavior

Established connection

Screenshots

N/A

Additional context

Output from journalctl -b -u NetworkManager

maj 10 11:03:47 BigPC NetworkManager[3895]: INFO:   Connected to gateway.
maj 10 11:03:47 BigPC NetworkManager[3895]: INFO:   Authenticated.
maj 10 11:03:47 BigPC NetworkManager[3895]: INFO:   Remote gateway has allocated a VPN.
maj 10 11:03:47 BigPC pppd[3896]: Plugin /nix/store/brlk8rk7wj8h7jyaxkf1zx8nklx161by-NetworkManager-fortisslvpn-gnome-1.4.0/lib/pppd/2.5.0/nm-fortisslvpn-pppd-plugin.so loaded.
maj 10 11:03:47 BigPC NetworkManager[3896]: Plugin /nix/store/brlk8rk7wj8h7jyaxkf1zx8nklx161by-NetworkManager-fortisslvpn-gnome-1.4.0/lib/pppd/2.5.0/nm-fortisslvpn-pppd-plugin.so loaded.
maj 10 11:03:47 BigPC pppd[3896]: pppd 2.5.0 started by root, uid 0
maj 10 11:03:47 BigPC pppd[3896]: Using interface ppp0
maj 10 11:03:47 BigPC NetworkManager[3896]: Using interface ppp0
maj 10 11:03:47 BigPC NetworkManager[3896]: Connect: ppp0 <--> /dev/pts/0
maj 10 11:03:47 BigPC pppd[3896]: Connect: ppp0 <--> /dev/pts/0
maj 10 11:03:47 BigPC NetworkManager[3896]: {/tmp/.CJZA41} {/tmp}
maj 10 11:03:47 BigPC NetworkManager[3896]: {/tmp/.CJZA41} {.CJZA41}
maj 10 11:03:47 BigPC NetworkManager[3895]: INFO:   Got addresses: [OBFUSCATED]
maj 10 11:03:47 BigPC NetworkManager[3895]: INFO:   Negotiation complete.
maj 10 11:03:49 BigPC NetworkManager[3895]: INFO:   Negotiation complete.
maj 10 11:03:49 BigPC NetworkManager[3896]: Peer refused to agree to his IP address
maj 10 11:03:49 BigPC NetworkManager[3896]: Connect time 0.1 minutes.
maj 10 11:03:49 BigPC NetworkManager[3896]: Sent 1101 bytes, received 1081 bytes.
maj 10 11:03:49 BigPC pppd[3896]: Peer refused to agree to his IP address
maj 10 11:03:49 BigPC pppd[3896]: Connect time 0.1 minutes.
maj 10 11:03:49 BigPC pppd[3896]: Sent 1101 bytes, received 1081 bytes.
maj 10 11:04:47 BigPC NetworkManager[3895]: ERROR:  Timed out waiting for the ppp interface to be UP.
maj 10 11:04:47 BigPC NetworkManager[3895]: INFO:   Cancelling threads...
maj 10 11:04:47 BigPC NetworkManager[3895]: INFO:   Cleanup, joining threads...
maj 10 11:04:47 BigPC pppd[3896]: Hangup (SIGHUP)
maj 10 11:04:47 BigPC NetworkManager[3896]: Hangup (SIGHUP)
maj 10 11:04:47 BigPC NetworkManager[3896]: Modem hangup
maj 10 11:04:47 BigPC pppd[3896]: Modem hangup
maj 10 11:04:47 BigPC NetworkManager[3896]: Connection terminated.

Notify maintainers

@jtojnar @vcunat @maxeaubrey

Metadata

-> % nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.27, NixOS, 23.05 (Stoat), 23.05.20230509.9524f57`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.13.3`
 - channels(root): `"nixos"`
 - channels(dominik): `""`
 - channels(dkl): `"nixpkgs"`
 - nixpkgs: `/home/dkl/.nix-defexpr/channels/nixpkgs`
@dklementowski dklementowski added the 0.kind: bug Something is broken label May 10, 2023
@dklementowski
Author

On the older generation, NetworkManager successfully connects, and here's the log:

maj 10 11:19:08 BigPC systemd[1]: Starting Network Manager...
maj 10 11:19:08 BigPC systemd[1]: Started Network Manager.
maj 10 11:19:33 BigPC NetworkManager[3197]: INFO:   Connected to gateway.
maj 10 11:19:33 BigPC NetworkManager[3197]: INFO:   Authenticated.
maj 10 11:19:33 BigPC NetworkManager[3197]: INFO:   Remote gateway has allocated a VPN.
maj 10 11:19:33 BigPC pppd[3201]: Plugin /nix/store/icwbvs7hzxrxc6ch7sj61hi3fn2k6ik4-NetworkManager-fortisslvpn-gnome-1.4.0/lib/pppd/2.4.5/nm-fortisslvpn-pppd-plugin.so loaded.
maj 10 11:19:33 BigPC NetworkManager[3201]: Plugin /nix/store/icwbvs7hzxrxc6ch7sj61hi3fn2k6ik4-NetworkManager-fortisslvpn-gnome-1.4.0/lib/pppd/2.4.5/nm-fortisslvpn-pppd-plugin.so loaded.
maj 10 11:19:33 BigPC pppd[3201]: pppd 2.4.9 started by root, uid 0
maj 10 11:19:33 BigPC pppd[3201]: Using interface ppp0
maj 10 11:19:33 BigPC NetworkManager[3201]: Using interface ppp0
maj 10 11:19:33 BigPC NetworkManager[3201]: Connect: ppp0 <--> /dev/pts/0
maj 10 11:19:33 BigPC pppd[3201]: Connect: ppp0 <--> /dev/pts/0
maj 10 11:19:33 BigPC NetworkManager[3201]: {/tmp/.X5VA41} {/tmp}
maj 10 11:19:33 BigPC NetworkManager[3201]: {/tmp/.X5VA41} {.X5VA41}
maj 10 11:19:33 BigPC NetworkManager[3197]: INFO:   Got addresses: [OBFUSCATED], ns [OBFUSCATED, 0.0.0.0], ns_suffix [OBFUSCATED]
maj 10 11:19:33 BigPC NetworkManager[3197]: INFO:   Negotiation complete.
maj 10 11:19:35 BigPC NetworkManager[3197]: INFO:   Negotiation complete.
maj 10 11:19:35 BigPC pppd[3201]: local  IP address OBFUSCATED
maj 10 11:19:35 BigPC NetworkManager[3201]: local  IP address OBFUSCATED
maj 10 11:19:35 BigPC NetworkManager[3201]: remote IP address OBFUSCATED
maj 10 11:19:35 BigPC pppd[3201]: remote IP address OBFUSCATED
maj 10 11:19:35 BigPC NetworkManager[3201]: Can't execute /etc/ppp/ip-up: Permission denied
maj 10 11:19:35 BigPC pppd[3201]: Can't execute /etc/ppp/ip-up: Permission denied
maj 10 11:19:35 BigPC NetworkManager[3197]: INFO:   Interface ppp0 is UP.
maj 10 11:19:35 BigPC NetworkManager[3197]: INFO:   Tunnel is up and running.
-> % nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.26, NixOS, 23.05 (Stoat), 23.05.20230429.3dcff81`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.13.3`
 - channels(root): `"nixos"`
 - channels(dominik): `""`
 - channels(dkl): `"nixpkgs"`
 - nixpkgs: `/home/dkl/.nix-defexpr/channels/nixpkgs`

@vcunat
Member

vcunat commented May 11, 2023

Uh, I don't know... perhaps updating to latest commit instead of just pulling the patches? For example: master...vcunat:nixpkgs:p/networkmanager-fortisslvpn

@dklementowski
Author

> Uh, I don't know... perhaps updating to latest commit instead of just pulling the patches? For example: master...vcunat:nixpkgs:p/networkmanager-fortisslvpn

Unfortunately, the same result

maj 14 00:34:38 BigPC NetworkManager[3257]: INFO:   Connected to gateway.
maj 14 00:34:38 BigPC NetworkManager[3257]: INFO:   Authenticated.
maj 14 00:34:38 BigPC NetworkManager[3257]: INFO:   Remote gateway has allocated a VPN.
maj 14 00:34:38 BigPC pppd[3261]: Plugin /nix/store/9d7mdq5vhqmc1w6vyxg1hb13c13nimhh-NetworkManager-fortisslvpn-gnome-unstable-2023-03-07/lib/pppd/2.5.0/nm-fortisslvpn-pppd-plugin.so loaded.
maj 14 00:34:38 BigPC NetworkManager[3261]: Plugin /nix/store/9d7mdq5vhqmc1w6vyxg1hb13c13nimhh-NetworkManager-fortisslvpn-gnome-unstable-2023-03-07/lib/pppd/2.5.0/nm-fortisslvpn-pppd-plugin.so loaded.
maj 14 00:34:38 BigPC pppd[3261]: pppd 2.5.0 started by root, uid 0
maj 14 00:34:38 BigPC pppd[3261]: Using interface ppp0
maj 14 00:34:38 BigPC NetworkManager[3261]: Using interface ppp0
maj 14 00:34:38 BigPC NetworkManager[3261]: Connect: ppp0 <--> /dev/pts/0
maj 14 00:34:38 BigPC pppd[3261]: Connect: ppp0 <--> /dev/pts/0
maj 14 00:34:38 BigPC NetworkManager[3261]: {/tmp/.A04D51} {/tmp}
maj 14 00:34:38 BigPC NetworkManager[3261]: {/tmp/.A04D51} {.A04D51}
maj 14 00:34:38 BigPC NetworkManager[3257]: INFO:   Got addresses: [10.x.x.x], ns [x.x.x.x, 0.0.0.0], ns_suffix [blablabla]
maj 14 00:34:38 BigPC NetworkManager[3257]: INFO:   Negotiation complete.
maj 14 00:34:40 BigPC NetworkManager[3257]: INFO:   Negotiation complete.
maj 14 00:34:40 BigPC NetworkManager[3261]: Peer refused to agree to his IP address
maj 14 00:34:40 BigPC NetworkManager[3261]: Connect time 0.1 minutes.
maj 14 00:34:40 BigPC NetworkManager[3261]: Sent 1101 bytes, received 1081 bytes.
maj 14 00:34:40 BigPC pppd[3261]: Peer refused to agree to his IP address
maj 14 00:34:40 BigPC pppd[3261]: Connect time 0.1 minutes.
maj 14 00:34:40 BigPC pppd[3261]: Sent 1101 bytes, received 1081 bytes.
maj 14 00:35:39 BigPC NetworkManager[1339]: <warn>  [1684017339.5801] vpn[0x19144c0,0ba639c5-a719-44ba-8e06-1c519231cac6,"Unity VPN"]: connect timeout exceeded
maj 14 00:35:39 BigPC nm-fortisslvpn-[3234]: Connect timer expired, disconnecting.
maj 14 00:35:39 BigPC NetworkManager[3257]: INFO:   Cancelling threads...
maj 14 00:35:39 BigPC NetworkManager[3257]: INFO:   Cleanup, joining threads...
maj 14 00:35:39 BigPC NetworkManager[3261]: Hangup (SIGHUP)
maj 14 00:35:39 BigPC NetworkManager[3261]: Modem hangup
maj 14 00:35:39 BigPC pppd[3261]: Hangup (SIGHUP)
maj 14 00:35:39 BigPC NetworkManager[3261]: Connection terminated.
maj 14 00:35:39 BigPC NetworkManager[3261]: unable to delete pid file /var/run/pppdppp0.pid: Permission denied
maj 14 00:35:39 BigPC pppd[3261]: Modem hangup
maj 14 00:35:39 BigPC pppd[3261]: Connection terminated.
maj 14 00:35:39 BigPC pppd[3261]: unable to delete pid file /var/run/pppdppp0.pid: Permission denied
maj 14 00:35:39 BigPC pppd[3261]: Exit.
maj 14 00:35:39 BigPC NetworkManager[3257]: INFO:   pppd: The link was terminated by the modem hanging up.
maj 14 00:35:39 BigPC NetworkManager[3257]: INFO:   Terminated pppd.
maj 14 00:35:39 BigPC NetworkManager[3257]: INFO:   Closed connection to gateway.
maj 14 00:35:39 BigPC NetworkManager[3257]: INFO:   Logged out.

I'll try to downgrade individual packages to see what helps.

@vcunat
Member

vcunat commented May 14, 2023

I'd guess that ppp update to 2.5.0 is what triggered the change/failure.

@dklementowski
Author

I finally managed to build it with ppp 2.4.9 (it triggered a lot of compilation), but sadly it looks like that didn't help.

I used this overlay:

self: super:
{
  ppp = super.ppp.overrideAttrs (old: {
    version = "2.4.9";
    sha256 = "sha256-8+nbqRNfKPLDx+wmuKSkv+BSeG72hKJI4dNqypqeEK4=";
    configureFlags = [
      "--with-openssl=${super.openssl.dev}"
    ];
  });
}

And the output

kwi 20 15:29:27 BigPC pppd[17805]: pppd 2.4.9 started by root, uid 0
kwi 20 15:29:27 BigPC pppd[17805]: Using interface ppp0
kwi 20 15:29:27 BigPC NetworkManager[17805]: Using interface ppp0
kwi 20 15:29:27 BigPC NetworkManager[17805]: Connect: ppp0 <--> /dev/pts/2
[...]
kwi 20 15:29:29 BigPC NetworkManager[17805]: Can't execute /etc/ppp/ip-up: Permission denied
kwi 20 15:29:29 BigPC pppd[17805]: remote IP address 169.254.2.1
kwi 20 15:29:29 BigPC pppd[17805]: Can't execute /etc/ppp/ip-up: Permission denied
kwi 20 15:29:29 BigPC NetworkManager[17801]: INFO:   Interface ppp0 is UP.
kwi 20 15:29:29 BigPC NetworkManager[17801]: INFO:   Tunnel is up and running.
kwi 20 21:07:48 BigPC NetworkManager[17801]: INFO:   Cancelling threads...
kwi 20 21:07:48 BigPC NetworkManager[17801]: INFO:   Cleanup, joining threads...
kwi 20 21:07:48 BigPC NetworkManager[17801]: INFO:   Setting ppp0 interface down.
kwi 20 21:07:48 BigPC pppd[17805]: Hangup (SIGHUP)
kwi 20 21:07:48 BigPC NetworkManager[17805]: Hangup (SIGHUP)
kwi 20 21:07:48 BigPC NetworkManager[17805]: Modem hangup
kwi 20 21:07:48 BigPC NetworkManager[17805]: Connect time 338.4 minutes.
kwi 20 21:07:48 BigPC NetworkManager[17805]: Sent 986135184 bytes, received 4194691103 bytes.
kwi 20 21:07:48 BigPC NetworkManager[17805]: ioctl(SIOCSIFFLAGS): Operation not permitted (line 2664)
kwi 20 21:07:48 BigPC NetworkManager[17805]: ioctl(SIOCSIFADDR): Operation not permitted (line 2816)
kwi 20 21:07:48 BigPC NetworkManager[17805]: Can't execute /etc/ppp/ip-down: Permission denied

I don't know if that can be related to permission denied while accessing /etc/ppp/ip-{up,down}? There were some other differences in the update patch and I didn't reverse everything. I'll leave it like that and try to also roll back NetworkManager fortisslvpn plugin

@dklementowski
Author

Trying to connect directly using openfortivpn also doesn't work and I already installed previous version (1.20.2)
It ends up with pretty much the same result

Peer refused to agree to his IP address
Connect time 0.1 minutes.
Sent 1101 bytes, received 1081 bytes.
ERROR:  Timed out waiting for the ppp interface to be UP.
INFO:   Cancelling threads...
INFO:   Cleanup, joining threads...
Hangup (SIGHUP)
Modem hangup
Connection terminated.
ERROR:  pppd: The link was terminated by the modem hanging up.
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
INFO:   Logged out.

@yochai
Contributor

yochai commented May 31, 2023

Using latest unstable, I managed to connect using openfortivpn by adding ipcp-accept-remote to /etc/ppp/options.

@jmastr
Contributor

jmastr commented Jun 2, 2023

For me ipcp-accept-remote was already there. A simple downgrade to the version in NixOS 22.11 (openfortivpn v1.19.0) resolved the issue.

@mode89
Contributor

mode89 commented Jun 2, 2023

Same issue here. Happened after upgrading from 22.11 to 23.05.

Both of the following workarounds worked for me:

  1. Using overlay with ppp 2.4.9.
  2. Adding ipcp-accept-remote to /etc/ppp/options.

@wmertens
Contributor

Just echoing that for me the solution was also

{
  environment.etc."ppp/options".text = "ipcp-accept-remote";
}

@DimitriPapadopoulos

DimitriPapadopoulos commented Jun 18, 2023

It should be fixed upstream by adrienverge/openfortivpn#1111 in the upcoming release 1.20.4.

@aminvakil

networkmanager-fortisslvpn on Arch Linux (the extra-testing repo, in which ppp has been upgraded to 2.5.0 and networkmanager-fortisslvpn has been rebuilt against it) still has the problem, with openfortivpn at the latest commit (which includes the ipcp-accept-remote patch).

Executing openfortivpn directly works though.

There are some commits like this https://gitlab.gnome.org/GNOME/NetworkManager-fortisslvpn/-/merge_requests/27 regarding ppp 2.5.0, but it hasn't made it into a tag though.

@br337

br337 commented Jul 4, 2023

Just adding ipcp-accept-remote to /etc/ppp/options doesn't seem to be solving it for me.
Now I no longer get the Peer refused to agree to his IP address error, but the Can't execute /etc/ppp/ip-up: Permission denied error.

Downgrading to ppp 2.4.9 isn't an option since the build time is immense.

How do I apply the support-ppp-2.5.0.patch?

@vcunat
Member

vcunat commented Jul 4, 2023

That patch was needed to even build it, so it is applied already (b4135f4).

@br337

br337 commented Jul 4, 2023

Then it seems that the problem might lie elsewhere. Any ideas on how to debug this?

$ cat /etc/ppp/options 
ipcp-accept-remote

Logs journalctl -b -u NetworkManager:

Jul 04 13:28:26 nixos NetworkManager[897670]: INFO:   Connected to gateway.
Jul 04 13:28:26 nixos NetworkManager[897670]: INFO:   Authenticated.
Jul 04 13:28:26 nixos NetworkManager[897670]: INFO:   Remote gateway has allocated a VPN.
Jul 04 13:28:26 nixos pppd[897671]: Plugin /nix/store/7hpjmywg9skxfxl8fyzmjflss67f43w5-NetworkManager-fortisslvpn-gnome-1.4.0/lib/pppd>
Jul 04 13:28:26 nixos NetworkManager[897671]: Plugin /nix/store/7hpjmywg9skxfxl8fyzmjflss67f43w5-NetworkManager-fortisslvpn-gnome-1.4.>
Jul 04 13:28:26 nixos pppd[897671]: pppd 2.5.0 started by root, uid 0
Jul 04 13:28:26 nixos pppd[897671]: Using interface ppp0
Jul 04 13:28:26 nixos NetworkManager[897671]: Using interface ppp0
Jul 04 13:28:26 nixos NetworkManager[897671]: Connect: ppp0 <--> /dev/pts/1
Jul 04 13:28:26 nixos pppd[897671]: Connect: ppp0 <--> /dev/pts/1
Jul 04 13:28:26 nixos NetworkManager[897671]: {/tmp/.LE0G71} {/tmp}
Jul 04 13:28:26 nixos NetworkManager[897671]: {/tmp/.LE0G71} {.LE0G71}
Jul 04 13:28:26 nixos NetworkManager[897670]: INFO:   Got addresses: [192.168.10.98], ns [172.16.80.10, 172.16.67.10]
Jul 04 13:28:26 nixos NetworkManager[897670]: INFO:   Negotiation complete.
Jul 04 13:28:26 nixos NetworkManager[897671]: Failed to create /etc/ppp/resolv.conf: No such file or directory
Jul 04 13:28:26 nixos pppd[897671]: Failed to create /etc/ppp/resolv.conf: No such file or directory
Jul 04 13:28:26 nixos pppd[897671]: local  IP address 192.168.10.98
Jul 04 13:28:26 nixos NetworkManager[897671]: local  IP address 192.168.10.98
Jul 04 13:28:26 nixos NetworkManager[897671]: remote IP address 195.14.205.226
Jul 04 13:28:26 nixos NetworkManager[897671]: primary   DNS address 172.16.80.10
Jul 04 13:28:26 nixos NetworkManager[897671]: secondary DNS address 172.16.67.10
Jul 04 13:28:26 nixos pppd[897671]: remote IP address 195.14.205.226
Jul 04 13:28:26 nixos pppd[897671]: primary   DNS address 172.16.80.10
Jul 04 13:28:26 nixos pppd[897671]: secondary DNS address 172.16.67.10
Jul 04 13:28:26 nixos pppd[897671]: Can't execute /etc/ppp/ip-up: Permission denied
Jul 04 13:28:26 nixos NetworkManager[897671]: Can't execute /etc/ppp/ip-up: Permission denied
Jul 04 13:28:26 nixos NetworkManager[897670]: INFO:   Interface ppp0 is UP.
Jul 04 13:28:26 nixos NetworkManager[897670]: INFO:   Tunnel is up and running.

And my configuration.nix file:

  environment.systemPackages = with pkgs; [
    networkmanager-fortisslvpn
  ];

Using the following expression in configuration.nix yields the same results:

  networking.networkmanager = {
    enable = true;
    plugins = [
      pkgs.networkmanager-fortisslvpn
    ];
  };

Along with system info:

 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.34, NixOS, 23.05 (Stoat), 23.05.1532.aed4b19d312`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.13.3`
 - channels(root): `"nixos-23.05, nixos-unstable"`

I am trying to figure out what else might be causing this problem.

(P.S. IP Addresses have been obfuscated)

@DimitriPapadopoulos

DimitriPapadopoulos commented Jul 4, 2023

Unfortunately, I had to revert the change in 1.20.4 in 1.20.5, because it breaks macOS and NetworkManager-fortisslvpn with pppd 2.4.9, until I can find time to understand and solve the problem.

  1. What exactly doesn't work? Your log suggests that the tunnel is up, so I guess routing is broken.
  2. Routing is probably broken because of Can't execute /etc/ppp/ip-up: Permission denied, which raises the question of who or what created /etc/ppp/ip-up. And what is the output of ls -l /etc/ppp/ip-up?
  3. As for the message Failed to create /etc/ppp/resolv.conf: No such file or directory, it suggests the directory /etc/ppp might be missing, which is not the case. Why?
  4. And finally, the options in /etc/ppp/options might not be sufficient. Who or what created this file?

@br337

br337 commented Jul 4, 2023

  1. Internet access becomes very slow (pings to google.com and such). Internal DNS names aren't resolved even though they've been added to the VPN configuration.
  2. The /etc/ppp/ directory had to be created manually by me. It wasn't there before. I created it in order to add ipcp-accept-remote to the options file (which I also had to manually create). As for the prompt you gave me, the location doesn't seem to exist (ls: cannot access '/etc/ppp/ip-up': No such file or directory).
  3. As described above, I had to manually create the ppp directory so that NetworkManager (or whatever service/process needs access to it) can read it. Which seemed to change something (since the error switched from Peer refused to agree to his IP address to Can't execute /etc/ppp/ip-up: Permission denied). The directory permissions look as such drwxr-xr-x 2 root root 4096 4. Jul 12:31 ppp.
  4. The /etc/ppp/options has been created by me manually as well. Any of the above stated files had to be created manually since they didn't exist and weren't created by other processes in the first place. The directory /etc/ppp/ only includes the options file. Both of which have been added by me.

@DimitriPapadopoulos

  1. It might be that the internal DNS servers have been taken into account, but are not reachable, because of a routing issue. Hence all DNS requests are slow, as slow as the DNS client timeout. Are pings to the IP address associated with google.com faster?
  2. I suspect NetworkManager-fortisslvpn attempts to create /etc/ppp/ip-up, but fails. I am afraid I have no clue, except that NetworkManager-fortisslvpn is not correctly installed.
  3. If I had to guess, I'd say NetworkManager-fortisslvpn needs to run as root or run a helper as root, but fails to do so. I don't know enough about NetworkManager-fortisslvpn to help much. It would probably help to run tests on a Linux distribution where NetworkManager-fortisslvpn and pppd are already properly installed, fix any issues there, and then resolve remaining issues specific to NixOS.
  4. Who or what installed NetworkManager-fortisslvpn?

@br337

br337 commented Jul 4, 2023

With VPN:

$ ping google.com
PING google.com(fra16s51-in-x0e.1e100.net (2a00:1450:4001:811::200e)) 56 data bytes
64 bytes from fra16s51-in-x0e.1e100.net (2a00:1450:4001:811::200e): icmp_seq=1 ttl=59 time=20.4 ms
64 bytes from fra16s51-in-x0e.1e100.net (2a00:1450:4001:811::200e): icmp_seq=2 ttl=59 time=21.0 ms
64 bytes from fra16s51-in-x0e.1e100.net (2a00:1450:4001:811::200e): icmp_seq=3 ttl=59 time=21.9 ms
64 bytes from fra16s51-in-x0e.1e100.net (2a00:1450:4001:811::200e): icmp_seq=4 ttl=59 time=24.1 ms
64 bytes from fra16s51-in-x0e.1e100.net (2a00:1450:4001:811::200e): icmp_seq=5 ttl=59 time=21.9 ms

--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 32124ms
rtt min/avg/max/mdev = 20.383/21.854/24.053/1.247 ms

Without VPN:

$ ping google.com
PING google.com(fra16s51-in-x0e.1e100.net (2a00:1450:4001:811::200e)) 56 data bytes
64 bytes from fra16s51-in-x0e.1e100.net (2a00:1450:4001:811::200e): icmp_seq=1 ttl=59 time=23.3 ms
64 bytes from fra16s51-in-x0e.1e100.net (2a00:1450:4001:811::200e): icmp_seq=2 ttl=59 time=23.2 ms
64 bytes from fra16s51-in-x0e.1e100.net (2a00:1450:4001:811::200e): icmp_seq=3 ttl=59 time=27.0 ms
64 bytes from fra16s51-in-x0e.1e100.net (2a00:1450:4001:811::200e): icmp_seq=4 ttl=59 time=26.5 ms
64 bytes from fra16s51-in-x0e.1e100.net (2a00:1450:4001:811::200e): icmp_seq=5 ttl=59 time=19.8 ms
^C
--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 19.803/23.963/26.961/2.603 ms

As you can see, to send 5 packets with the VPN on it takes over 30s, whereas with the VPN disabled it takes only 4s.

The package is installed with the expression present in configuration.nix and should - in theory - work fine:

  environment.systemPackages = with pkgs; [
    networkmanager-fortisslvpn
  ];

I will try to look further into it and see if I can come up with a fix. Thanks a lot for your assistance

@DimitriPapadopoulos

DimitriPapadopoulos commented Jul 4, 2023

Actually, google.com is a bad example, because it has both IPv4 and IPv6 addresses, and openfortivpn does not support IPv6 (adrienverge/openfortivpn#112):

  • Only IPv4 traffic is routed through the tunnel.
  • IPv6 traffic cannot be routed through the tunnel; in your case it's probably (poorly) routed outside the tunnel after some timeout.
  • Because of that, there's a risk of creating a bridge between the protected internal IPv4 network and IPv6 internet.

In any case, experiment with IPv4 addresses to start with.

@ktaf

ktaf commented Jul 17, 2023

Hi,
I've added this to the configuration.nix, and the issue is solved for me.
environment.etc."ppp/options".text = "ipcp-accept-remote";

@github0004

> Hi, I've added this to the configuration.nix, and the issue is solved for me.
> environment.etc."ppp/options".text = "ipcp-accept-remote";

Hello, I've had this in my config ever since this issue came up and it fixed openfortivpn via CLI but not NetworkManager. Can you confirm that this is working in NetworkManager?

@dminuoso
Contributor

dminuoso commented Aug 4, 2023

> > Hi, I've added this to the configuration.nix, and the issue is solved for me.
> > environment.etc."ppp/options".text = "ipcp-accept-remote";
>
> Hello, I've had this in my config ever since this issue came up and it fixed openfortivpn via CLI but not NetworkManager. Can you confirm that this is working in NetworkManager?

Can confirm that this workaround works for me with NetworkManager (VPN configured and started via networkmanagerapplet)

It only causes NetworkManager to report the tunnel to be opened, but it is non-functional.

There's at least the following error message in my journal

Aug 04 12:59:14 asterix pppd[3388]: Can't execute /etc/ppp/ip-up: Permission denied
Aug 04 12:59:14 asterix NetworkManager[3388]: Can't execute /etc/ppp/ip-up: Permission denied

@johannwagner
Contributor

johannwagner commented Aug 8, 2023

I also debugged this some more. Something creates bogus routes which lead to a dysfunctional tunnel. It creates some routes to the tunnel gateway via the ppp0 interface. If I remove those routes, the tunnel gets functional.

1.2.3.4 dev ppp0 proto kernel scope link src 10.22.250.1 
1.2.3.4 via 192.168.42.1 dev wlp3s0 proto static metric 50 
1.2.3.4 dev ppp0 proto kernel scope link src 10.22.250.1 metric 50 

It may be a specific Forti configuration, since @dminuoso and I are working at the same company.
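
Both routing problems raised in this thread, the IPv6 default route that stays outside an IPv4-only tunnel (DimitriPapadopoulos, Jul 4) and the host routes to the VPN gateway through ppp0 (the comment above), can be checked from `ip route` output. This is an added example, not code from the thread or from openfortivpn; the function names, the wlp3s0 default routes and the IPv6 table are constructed, while the three 1.2.3.4 routes are copied from the comment above.

```bash
#!/usr/bin/env bash
# Added example, not code from this thread or from openfortivpn.
# Each check reads `ip route` text on stdin, so it works on saved output too:
#   ip -4 route show | gateway_via_tunnel <gateway-ip> ppp0
#   ip -6 route show | ipv6_bypass ppp0

# awk helper shared by both checks: the word after "dev" on the current line.
OUTDEV_FN='function outdev(   i) {
    for (i = 2; i < NF; i++) if ($i == "dev") return $(i + 1)
    return ""
}'

# gateway_via_tunnel GATEWAY TUNNEL_DEV      (stdin: ip -4 route show)
# Prints routes whose destination is exactly the VPN gateway and whose output
# device is the tunnel itself. Returns 0 if any were found, 1 otherwise.
gateway_via_tunnel() {
    awk -v gw="$1" -v tun="$2" "$OUTDEV_FN"'
        ($1 == gw || $1 == (gw "/32")) && outdev() == tun { print; found = 1 }
        END { exit !found }'
}

# ipv6_bypass TUNNEL_DEV                     (stdin: ip -6 route show)
# Prints IPv6 default routes that leave through a device other than the
# tunnel, i.e. IPv6 traffic that never enters the IPv4-only tunnel.
# Returns 0 if any were found, 1 otherwise.
ipv6_bypass() {
    awk -v tun="$1" "$OUTDEV_FN"'
        ($1 == "default" || $1 == "::/0") && outdev() != "" && outdev() != tun {
            print; found = 1
        }
        END { exit !found }'
}

# audit GATEWAY TUNNEL_DEV ROUTES4 ROUTES6
# Prints each finding with the offending routes and returns the number of
# findings (0 means neither condition is present).
audit() {
    a_gw=$1; a_tun=$2; a_count=0
    if a_hit=$(printf '%s\n' "$3" | gateway_via_tunnel "$a_gw" "$a_tun"); then
        printf 'gateway %s is routed into %s itself:\n%s\n' "$a_gw" "$a_tun" "$a_hit"
        a_count=$((a_count + 1))
    fi
    if a_hit=$(printf '%s\n' "$4" | ipv6_bypass "$a_tun"); then
        printf 'IPv6 default route bypasses %s:\n%s\n' "$a_tun" "$a_hit"
        a_count=$((a_count + 1))
    fi
    return "$a_count"
}

# Sample input. The three 1.2.3.4 lines are from the comment above; the
# default route and the whole IPv6 table are constructed for illustration.
SAMPLE_ROUTES4='default via 192.168.42.1 dev wlp3s0 proto dhcp metric 600
1.2.3.4 dev ppp0 proto kernel scope link src 10.22.250.1
1.2.3.4 via 192.168.42.1 dev wlp3s0 proto static metric 50
1.2.3.4 dev ppp0 proto kernel scope link src 10.22.250.1 metric 50'

SAMPLE_ROUTES6='::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev wlp3s0 proto kernel metric 1024 pref medium
default via fe80::1 dev wlp3s0 proto ra metric 600 pref medium'

audit 1.2.3.4 ppp0 "$SAMPLE_ROUTES4" "$SAMPLE_ROUTES6" || echo "findings: $?"
```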

@dventura

Same problem with openfortigui & ppp 2.5.0, under Gentoo.
All resolved by adding to /etc/ppp/options:

ipcp-accept-remote
plugin /lib64/pppd/2.5.0/pppoe.so

@jsalgado78

Same problem with openfortivpn & ppp 2.5.0, under Fedora 39. This workaround works fine

> Same problem with openfortigui & ppp 2.5.0, under Gentoo.
> All resolved by adding to /etc/ppp/options:
>
> ipcp-accept-remote
> plugin /lib64/pppd/2.5.0/pppoe.so

@DimitriPapadopoulos

The new version of openfortivpn 1.21.0 will fix that, at the expense of breaking openfortivpn (by default only) on platforms with pppd < 2.5.0.

@sgremyachikh

sgremyachikh commented Dec 24, 2023

Folks. It's better to use openconnect instead of openfortivpn:

  1. CLI way:
echo $vpn_password | sudo openconnect --prot=your-gateway.domain.net:443 -u [email protected] --passwd-on-stdin
  2. GUI way (NetworkManager): choose openconnect

@jmperro

jmperro commented Mar 25, 2024

> Folks. It's better to use openconnect instead of openfortivpn:
>
>   1. CLI way:
> echo $vpn_password | sudo openconnect --prot=your-gateway.domain.net:443 -u [email protected] --passwd-on-stdin
>   2. GUI way (NetworkManager): choose openconnect

This is working perfectly!
Thanks @sgremyachikh !

@Neustradamus

Any progress on it?

@p4block

p4block commented Dec 23, 2024

> Folks. It's better to use openconnect instead of openfortivpn:

Indeed, after updating to Ubuntu 24.10 my work VPN stopped working. I just switched to running that one-liner instead of the broken NM plugin.
