Skip to content
Martin Hecht edited this page Nov 15, 2018 · 26 revisions

Debugging openfortivpn

  • Run openfortivpn in verbose mode using command line option -v.
  • Retrieve the pppd log using command line option --pppd-log. Some issues are related to pppd which is forked by openfortivpn.

Reporting issues

  • Create a new ticket under Issues instead of adding comments to existing issues. Similar symptoms do not necessarily mean identical causes.
  • Specify the versions of the operating system and openfortivpn.
  • Provide the verbose openfortivpn output obtained with command line option -v and the pppd log obtained with command line option --pppd-log. Remember to redact confidential information such as IP addresses.

starting openfortivpn as a system service

  • StandardOutput= should redirect the output of openfortivpn to a file.
  • With Type=simple the PID of openfortivpn should be known to systemd.
  • Restart= can be used instead of --persistent.

using pppd ip-up / ip-down scripts

pppd sets a couple of environment variables (see man pppd). ipparam is currently passed through openfortivpn, but inside the ip-up / ip-down scripts one can replace variables in this string as follows:

ipparam_raw=$6
ipparam=$(eval echo $ipparam_raw)

and invoke with openfortivpn --pppd-ipparam='device=$DEVICE' Note the single quotes to prevent from variable expansion by the calling shell where $DEVICE is not yet set. Expansion is done inside the script by the execution of eval echo $ipparam_raw when the environment variables are made available by pppd.

One application is to manage the update of /etc/resolv.conf using openresolv. When calling openfortivpn --no-dns -v with the following scripts present on the system /etc/ppp/ip-down.d/000resolvconf:

#!/bin/sh
 
[ -x /sbin/resolvconf ] || exit 0
/sbin/resolvconf -f -d "$PPP_IFACE"

and /etc/ppp/ip-up.d/000resolvconf:

#!/bin/sh

[ -x /sbin/resolvconf ] || exit 0

if [ -n "$DNS1" -o -n "$DNS2" ]; then
        conf="# Generated by ppp.ip-up for $PPP_IFACE\n"
        [ -n "$DNS1" ] && conf="${conf}nameserver $DNS1\n"
        [ -n "$DNS2" ] && conf="${conf}nameserver $DNS2\n"
        printf "$conf" | /sbin/resolvconf -a "$PPP_IFACE"
fi

See also pppd ip-up scripts and option --pppd-ipparam in the openfortivpn man page.

How to add specific routes using pppd

  1. run openfortivpn with --no-route flag, or add set-routes = 0 in your configuration file
  2. create a ppp script when link is up: sudo touch /etc/ppp/ip-up.d/fortivpn
  3. make it executable: sudo chmod a+x /etc/ppp/ip-up.d/fortivpn
  4. add your own routes. I've decided to look up domains by their name:
    #!/bin/bash
    #
    # Whitelist here all domains that need to go through FortiVPN
    # Domains are separated by a space
    #
    domains='example.com example.fr'

    let ip
    for domain in $domains; do
      ip=`dig +short $domain | tail -n1`
      route add $ip dev ppp0
    done
  1. check the created routes:
    $ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.10.254  0.0.0.0         UG    600    0        0 wlp3s0
    one.one.one.one *               255.255.255.255 UH    0      0        0 ppp0
    IP-OF-FIRST-DOMAIN *               255.255.255.255 UH    0      0        0 ppp0
    IP-OF-SECOND-DOMAIN *               255.255.255.255 UH    0      0        0 ppp0
    link-local      *               255.255.0.0     U     1000   0        0 br-cc6b09fa8986
    172.16.238.0    *               255.255.255.0   U     0      0        0 br-30ec352ff3e1
    172.17.0.0      *               255.255.0.0     U     0      0        0 docker0
    172.18.0.0      *               255.255.0.0     U     0      0        0 br-44b22a74e13d
    172.19.0.0      *               255.255.0.0     U     0      0        0 br-cc6b09fa8986
    172.20.0.0      *               255.255.0.0     U     0      0        0 br-2718c069c2ed
    192.168.10.0    *               255.255.255.0   U     600    0        0 wlp3s0
  1. check your IP: https://duckduckgo.com/?q=what%27s+my+ip&t=lm&atb=v110-5_h&ia=answer It should be your regular IP, while you should have access to white-listed domains through the VPN.
Clone this wiki locally