-
Notifications
You must be signed in to change notification settings - Fork 327
Home
- Run openfortivpn in verbose mode using command line option
-v
(or even-v -v
for very verbose output). - Retrieve the pppd log using command line option
--pppd-log
. Some issues are related to pppd which is forked by openfortivpn.
- Create a new ticket under Issues instead of adding comments to existing issues. Similar symptoms do not necessarily mean identical causes.
- Specify the versions of the operating system and openfortivpn.
- Provide the verbose openfortivpn output obtained with command line option
-v
and the pppd log obtained with command line option--pppd-log
. Remember to redact confidential information such as IP addresses.
-
StandardOutput=
should redirect the output of openfortivpn to a file. - With
Type=simple
the PID of openfortivpn should be known to systemd. Or useType=notify
support which was added in #370. -
Restart=
can be used instead of--persistent
. - see also #623 and #633 for integration with
systemd
pppd
sets a couple of environment variables (see man pppd
). ipparam
is currently passed through openfortivpn, but inside the ip-up
/ ip-down
scripts one can replace variables in this string as follows:
ipparam_raw=$6
ipparam=$(eval echo $ipparam_raw)
and invoke with openfortivpn --pppd-ipparam='device=$DEVICE'
Note the single quotes to prevent from variable expansion by the calling shell where $DEVICE
is not yet set. Expansion is done inside the script by the execution of eval echo $ipparam_raw
when the environment variables are made available by pppd
.
One application is to manage the update of /etc/resolv.conf
using openresolv
. When calling openfortivpn --no-dns -v
with the following scripts present on the system
/etc/ppp/ip-down.d/000resolvconf
:
#!/bin/sh
[ -x /sbin/resolvconf ] || exit 0
/sbin/resolvconf -f -d "$PPP_IFACE"
and /etc/ppp/ip-up.d/000resolvconf
:
#!/bin/sh
[ -x /sbin/resolvconf ] || exit 0
if [ -n "$DNS1" -o -n "$DNS2" ]; then
conf="# Generated by ppp.ip-up for $PPP_IFACE\n"
[ -n "$DNS1" ] && conf="${conf}nameserver $DNS1\n"
[ -n "$DNS2" ] && conf="${conf}nameserver $DNS2\n"
printf "$conf" | /sbin/resolvconf -a "$PPP_IFACE"
fi
See also pppd ip-up scripts and option --pppd-ipparam
in the openfortivpn man page.
- run
openfortivpn
with--no-routes
flag, or addset-routes = 0
in your configuration file - create a ppp script when link is up:
sudo touch /etc/ppp/ip-up.d/fortivpn
- make it executable:
sudo chmod a+x /etc/ppp/ip-up.d/fortivpn
- add your own routes, either by look up of their name or by adding specific ip addresses:
#!/bin/bash
#
# Example script for /etc/ppp/ip-up.d/openfortivpn
#
# Can be used to make internet work as usual having VPN running and only route Traffic
# for specified Networks to the VPN
#
# To use this, you may disable routing in /etc/openfortivpn/config like that:
#set-routes = 0
#half-internet-routes = 0
#
# Whitelist here all domains and ips (may be masked) that need to go through FortiVPN
# Domains are separated by a space
#
DOMAINS='example.com example.org'
IPS='10.0.0.0/8'
BASENAME=${0##*/}
INTERFACE=$1
DEVICE=$2
SPEED=$3
LOCALIP=$4
REMOTEIP=$5
IPPARAM=$6
ACTION=${0#/etc/ppp/}
let RESOLVED
for DOMAIN in $DOMAINS; do
RESOLVED=`dig +short $DOMAIN | tail -n1`
IPS="$IPS $RESOLVED"
done
for IP in $IPS; do
ip route add $IP dev $INTERFACE
done
- check the created routes:
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.10.254 0.0.0.0 UG 600 0 0 wlp3s0
one.one.one.one * 255.255.255.255 UH 0 0 0 ppp0
IP-OF-FIRST-DOMAIN * 255.255.255.255 UH 0 0 0 ppp0
IP-OF-SECOND-DOMAIN * 255.255.255.255 UH 0 0 0 ppp0
link-local * 255.255.0.0 U 1000 0 0 br-cc6b09fa8986
172.16.238.0 * 255.255.255.0 U 0 0 0 br-30ec352ff3e1
172.17.0.0 * 255.255.0.0 U 0 0 0 docker0
172.18.0.0 * 255.255.0.0 U 0 0 0 br-44b22a74e13d
172.19.0.0 * 255.255.0.0 U 0 0 0 br-cc6b09fa8986
172.20.0.0 * 255.255.0.0 U 0 0 0 br-2718c069c2ed
192.168.10.0 * 255.255.255.0 U 600 0 0 wlp3s0
- check your IP: https://duckduckgo.com/?q=what%27s+my+ip&t=lm&atb=v110-5_h&ia=answer It should be your regular IP, while you should have access to white-listed domains through the VPN.