Forticlient VPN issue in Fedora 36

I have openfortivpn to connect to the office VPN. Although it shows the tunnel is up and running, I cannot access any internal application that’s hosted in my company’s network. Everything works fine if I use forticlient on Windows.

[gc@fedora ~]$ resolvectl domain
Global:
Link 2 (enp3s0):
Link 3 (wlo1):
Link 4 (docker0):
Link 6 (ppp0):
[gc@fedora ~]$ resolvectl dns
Global:
Link 2 (enp3s0):
Link 3 (wlo1): 192.168.208.98 10.180.2.98 fe80::1%32580
Link 4 (docker0):
Link 6 (ppp0): 

VPN output:

[gc@fedora ~]$ sudo openfortivpn vpnserver -u myname
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
INFO:   Got addresses: [10.1.xxx.yy], ns [192.168.123.45, 10.180.7.90]
INFO:   Negotiation complete.
INFO:   Got addresses: [10.1.xxx.yy], ns [192.168.123.45, 10.180.7.90]
INFO:   Negotiation complete.
INFO:   Got addresses: [10.1.xxx.yy], ns [192.168.123.45, 10.180.7.90]
INFO:   Negotiation complete.
INFO:   Negotiation complete.
local  IP address 10.1.xxx.yy
remote IP address 169.254.x.y

I read this link, "Forticlient Problem in Fedora 33", and also tried the following commands based on the output I got from the openfortivpn connection shown above, but the issue still persists:

resolvectl dns vpn 169.254.x.y
resolvectl domain vpn "example.net"
resolvectl dns vpn 10.1.xxx.yy
resolvectl domain vpn "example.net"

I have this same issue.

If I set the dns to 8.8.8.8 and the domain to ~., forticlient VPN then worked and I could access things. However, these two settings kept getting wiped out by something every so often and I had to keep manually setting them. Not sure what. The Forticlient network manager gnome add-on couldn't connect at all, so I uninstalled that.

I tried the following but for me it didn’t work:

resolvectl domain ppp0 ~.
resolvectl dns ppp0 8.8.8.8
$ resolvectl domain 
Global:
Link 2 (enp3s0):
Link 3 (wlo1):
Link 4 (docker0):
Link 6 (ppp0): ~.
$ resolvectl dns
Global:
Link 2 (enp3s0):
Link 3 (wlo1): 192.168.208.98 10.180.2.98 fe80::1%32613
Link 4 (docker0):
Link 6 (ppp0): 8.8.8.8
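
The log in the first post shows the gateway pushing two nameservers (`ns [...]`) while `resolvectl dns` lists none for ppp0. As an added example (not any poster's code and not part of openfortivpn), this script derives the `resolvectl` commands for the tunnel link from that log field and only prints them; the link name ppp0, the domain example.net and the sample tunnel address are assumptions.

```shell
# Added example: print (not run) resolvectl commands from openfortivpn's "ns [...]" log field.

# Constructed log: tunnel address is made up, ns values are the thread's.
SAMPLE_LOG='INFO:   Connected to gateway.
INFO:   Got addresses: [10.1.0.2], ns [192.168.123.45, 10.180.7.90]
INFO:   Negotiation complete.
INFO:   Got addresses: [10.1.0.2], ns [192.168.123.45, 10.180.7.90]'

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
# The body is a subshell, so the IFS change and "exit" stay local.
is_ipv4() (
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# pushed_dns: log on stdin -> distinct valid nameservers, space separated.
pushed_dns() {
    sed -n 's/.*ns \[\([^]]*\)].*/\1/p' | tr ', ' '\n\n' |
    awk 'NF && !seen[$0]++' |
    while IFS= read -r ns; do
        is_ipv4 "$ns" && printf '%s ' "$ns"
    done | sed 's/ $//'
}

# resolved_cmds LINK [DOMAIN...]: log on stdin -> resolvectl commands.
# Each DOMAIN becomes a routing domain ("~name"), so only names under it
# are sent to the VPN nameservers; other lookups keep their usual resolver.
resolved_cmds() {
    link=$1; shift
    servers=$(pushed_dns)
    [ -n "$servers" ] || { echo "no valid nameservers in log" >&2; return 1; }
    echo "resolvectl dns $link $servers"
    domains=
    for d in "$@"; do
        case $d in "~"*) ;; *) d="~$d" ;; esac
        domains="$domains $d"
    done
    [ -z "$domains" ] || echo "resolvectl domain $link$domains"
}

# ppp0 and example.net are assumptions taken from the thread's own output.
printf '%s\n' "$SAMPLE_LOG" | resolved_cmds ppp0 example.net
```

The printed commands need root and an active ppp0 link to take effect, and systemd-resolved drops per-link settings when the link goes away, so they have to be reapplied after each reconnect.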

I was finally able to configure my VPN today. I first tried out building openfortivpn from source using --with-resolvconf=/usr/sbin/resolvconf but that didn’t work.

Then I tried removing the symlink /etc/resolv.conf which was pointing to /run/systemd/resolve/stub-resolv.conf. Then when I checked the /etc/resolv.conf content, it had the following entry:

nameserver 127.0.0.53
options edns0 trust-ad

I then tried connecting to the VPN and again checked the resolv.conf file content. This time, I saw there were two extra nameserver entries added automatically. I was now able to access a few internal (company’s) websites but a few were still not working. When I appended an entry (search .) in the resolv.conf file, the remaining websites also started working. However, this was a manual approach and would have required a script/loop to ensure the content of resolv.conf was correct.

I then ended up trying another solution which finally worked. But yes, I think this final solution also might have worked because I removed the symlink of /etc/resolv.conf as described above. I didn’t confirm this assumption because I was already exhausted.

Anyways, what finally worked was simply creating a new network connection. I am using the Fedora Plasma spin. I don’t know whether this solution is spin-agnostic (although I don’t think this should matter) but just wanted to mention it. I am using Fedora after almost 15 years or so. Anyways, I am attaching a few snapshots as well.

[Screenshots: NetworkConnections_0, NetworkConnections_1, ChooseConnectionType_2]

I use a software token from my Android FortiToken app so I chose that option as you can see in the snapshot above. That’s it. Everything is working just fine now.

Either connect using the VPN connection you just created as shown below:

[Screenshot: ConnectToVPN_4]

OR

use the command line:

sudo openfortivpn <vpn-server:port> -u john.doe "--otp=xxxxxx"

🙂