Connect to FortigateVPN with OpenfortiVPN
I've got a lot of feedback for my old article How to connect to a FortiGate IPSec-VPN using Linux. However, the connection with vpnc was never stable for me, it always segfaults after a while and I had to restart it.
So I did some more research and found a relative new project called openfortivpn by Adrien Vergé, which uses the SSL VPN tunnel feature of Fortigate instead of IPSec. Additionally, NetworkManager support already exists thanks to the Gnome people.
The installation of openfortivpn is easy, just follow the instructions in the project's README file. Now you can test it already with the commands descriped in the README file. I had to pass port 443 instead of 8443, but that depends on the configuration of your Fortigate SSL VPN. Also, I had to whitelist the certificate as suggested in the excellent error message on the first connect.
The installation of NetworkManager-fortisslvpn is a little harder as the compilation is not exactly described by the INSTALL file, nor are the dependencies. I used the following commands to compile and install the source code:
- Install additional dependencies - more might be required if your system is missing additional development packages I have already installed:
$ sudo apt install shtool ppp-dev intltool libglib2.0-dev libgtk-3-dev libnma-dev libsecret-1-dev libnm-gtk-dev libnm-glib-vpn-dev libnm-glib-vpn1
- Use autotools to prepare the configuration and Makefile:
- Change the default configuration - on my system (Debian Stretch) NetworkManager failed to locale the required files when not installed into system paths:
$ ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var/local
- Build and install
$ make && sudo make install
Non-Gnome-Users have also to install "network-manager-gnome" via apt as the configuration UI does only exist for Gnome's connection editor at the moment. You will still be able to start the connection from KDE's Plasma App or via "nmcli con up NAME" after configuration.
Next, restart NetworkManager:
$ sudo systemctl restart network-manager
And start "nm-connection-editor". Select "Add" and "Fortinet-SSLVPN", and configure your connection. Note that you may have to whitelist your certificate under the "Advanced" dialog again, even if you have already trusted it in /etc/openfortivpn/config.
Now you should be able to start the connection. I'm usally doing this from command line at the first run because that is easier to debug. Use "nmcli con" to look up the exact name or UUID of the configured VPN connection and type "nmcli --ask con up NAME_OR_UUID" to start the connection.