Support for adding a specified route #371
Comments
Duplicate of #22 as far as I can see. See pppd ip-up scripts and option Please do not hesitate to reopen if that doesn't help. |
I have similar "problems". As a "normal" user I don't want to modify/create any pppd/ifup/down scripts on a system global scale. For now I created a script which starts and forks openfortivpn and then adds the routes as desired. |
I believe Also I'm not certain it's (currently) possible to clean up the modified route from openfortivpn, after having forked pppd. Perhaps this is best left to pppd. Unfortunately the privileged way to interact with pppd seems to be through scripts in For the above reasons I still believe such needs would be better handled by scripts, either scripts run by pppd or (at the other end) scripts that fork openfortivpn, as suggested above. Hell, I could even agree to a script directly run by openfortivpn if there is no other easy way - but then again we cannot easily clean up when pppd exits. You are also raising the question how to help normal users. Some ideas, probably not perfect:
|
Also I'm not certain a user who runs multiple VPN concurrently with multiple network connections qualifies as normal (with all due respect of course :-). Such users will probably require different and complex networking options that seem best left to scripting. |
Finally please note pull request #370 that will notify the pppd tunnel is up using systemd. Perhaps it can help in this context. |
Additional note: Notifying that the pppd tunnel is up may be best left to pppd itself. |
One last suggestion: It could be up to the packager to have I realize I'm desperately trying to have pppd run your startup scripts instead of openfortivpn. Am I completely wrong? There are many issues at hand:
More opinions and ideas? |
After reading this thread I am convinced one of the most elegant solutions would be to have pppd emit systemd/D-Bus notifications. Either ask the pppd maintainers or write a pppd plugin. |
@thackel, for what it's worth, here is how I've configured pppd to implement selecting routing through openfortivpn:
PPP documentation |
@feugy I gotta ask, how would you add a route for a specific ip (i.e. no domain available)? |
@DimitriPapadopoulos should we put this on the wiki? (I have just discovered it recently. I guess you have started it in the context of troubleshooting.) We have also thought about putting together an FAQ guide on the wiki in the context of starting openfortivpn as a service and about respawning it. |
Sure, let's improve the wiki! |
I have done so, copied a few parts from the issues to the wiki. The sections can still be improved, but at least the topics that we have identified as important get more attention than in closed issues |
Hi @Eerovil, sorry for the delay. Adding route for specific IP is actually simpler than for domains:

```bash
#!/bin/bash
#
# Whitelist here all domains that need to go through FortiVPN
# Domains are separated by a space
#
domains='example.com example.fr'
# Plain IP addresses need no DNS lookup and are routed as-is
ips='192.168.0.15'
resolved=''
for domain in $domains; do
  # Keep the last line of dig's answer (the address after any CNAME chain)
  resolved=$(dig +short "$domain" | tail -n1)
  ips="$ips $resolved"
done
for ip in $ips; do
  route add "$ip" dev ppp0
done
```

I hope it helps! edited: removed |
I think we can close this issue now. An answer has been provided and we have created the wiki so that users who might not check closed issues can easily find the instructions |
Thanks, @feugy for the solution. I went ahead and wrote a blog for any beginner to be able to do this. |
@rohanrajpal There's already a systemd service file here: Since I'm new to these systemd service files, I'm interested in any feedback you may have. I have seen a few differences between our service files:
|
Hey, even I'm new to systemd services. Thanks for pointing these things out, I learned a few new things
I prefer idle because the service waits until all active jobs are dispatched, I was just trying to avoid any conflict. However, as we have set
Oh, my bad, I'll update this in my service.
great
Oh yes, I missed this. I will remove them from mine as well. |
How can this script be used when I use several instances of openfortivpn in parallel? Edit: Never mind, I found the answer in ppp docs this line |
Hello there, I encountered a similar issue with #291 and tried to use the solution described in this thread and article (thanks @rohanrajpal!) to add the route manually. I have managed to run the |
@stevenwjy simply adding a route does not necessarily give you ssh access to that IP. Usually, the Fortigate Appliance pushes the routes to those IPs / networks for which a firewall rule is configured that allows your account to access them. |
On Arch Linux, the proposed method does not work. To make it work, the file name This is because, according to We can edit the wiki page accordingly. |
I have a tunnel that is setup with openforti vpn and require custom routes using debian. It used to work great with the proposed solution. Now the script in /etc/ppp/ip-up.d stopped running. I have no idea why, no error message no nothing. It just doesn't run anymore and so the routes are not set. I tried the .sh rename in case the same thing was happening as in arch, but it changed exactly nothing. To be honest, this whole thing is very frustrating and clearly not how it should work. |
@deadalnix Please open a separate issue on an Arch Linux site. This doesn't look like it's directly related to openfortivpn. |
It's not an arch problem. Sure technically it is not an issue with openforti vpn, but is it really? People keep having problems with the advised solution, and because the whole thing happens through openfortivpn, debuggability is really poor. |
OK, but please open a new ticket for new issues. Not certain about "people keep having problems with the advised solution". Please provide logs. |
Just wanted to mention I created a simplified version of adding custom routes via config file, simply by passing a custom routes array through pppd-ipparam. Details here: |
I just updated your snippet by adding support for macOS as well. Thank you a lot!! |
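An added example, not code from this thread or from openfortivpn: an `ip-up.d` hook in the spirit of the pppd-ipparam approach mentioned above, which also answers the parallel-instances question because it uses the interface name pppd passes instead of a hard-coded `ppp0`. The comma-separated ipparam format and the function names `valid_cidr` and `valid_routes` are assumptions made for this sketch; the hook runs as root, so every entry is validated before it reaches `ip route`.

```shell
#!/bin/sh
# Added example (not openfortivpn code): /etc/ppp/ip-up.d hook.
# pppd calls ip-up as: iface tty speed local-ip remote-ip ipparam
# Assumption: ipparam is a comma-separated list of IPv4 hosts/CIDRs, e.g.
#   openfortivpn --pppd-ipparam='192.168.0.15,10.8.0.0/16'   (constructed)

# Succeed only for a.b.c.d or a.b.c.d/len (octets 0-255, len 0-32).
valid_cidr() {
    addr=${1%%/*}
    len=32
    case $1 in */*) len=${1#*/} ;; esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "${#len}" -le 2 ] && [ "$len" -le 32 ] || return 1
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    cidr_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$cidr_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the valid entries of a comma-separated list, one per line.
# The hook runs as root, so anything else is reported and dropped.
valid_routes() {
    set -f                      # no glob expansion of entries such as '*'
    list_ifs=$IFS; IFS=,
    for entry in $1; do
        IFS=$list_ifs
        if valid_cidr "$entry"; then
            echo "$entry"
        else
            echo "ip-up: ignoring invalid route '$entry'" >&2
        fi
    done
    IFS=$list_ifs
    set +f
}

# Only act when pppd supplied an ipparam (sixth argument).
if [ "$#" -ge 6 ]; then
    iface=$1                    # the real interface, not a hard-coded ppp0
    case $iface in ''|*[!A-Za-z0-9_.-]*) exit 1 ;; esac
    for route in $(valid_routes "$6"); do
        # "replace" is idempotent, so reconnects do not fail on duplicates
        ip route replace "$route" dev "$iface"
    done
fi
```

Run without arguments the script does nothing, so the two functions can be exercised by hand before it is installed.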
I would like to add a custom route on the ppp interface after the VPN connection has been established. I can currently manually run `sudo ip route add 1.2.3.4/32 via 10.20.30.40 dev ppp0` to do this. But it would be a lot easier if openfortivpn did that for me when the interface is created and/or there is a working VPN connection. This way it wouldn't require manual intervention every time my system boots (and starts openfortivpn) or after VPN reconnect.

I would suggest something like `--add-route 1.2.3.4/32` which would automatically determine the correct gateway address and interface name from the VPN connection.

I would like to avoid `--set-routes` and `--half-internet-routes` because I have other networking and VPN connections on the same system.