====== Connect via VPN on Linux ======

This wiki page is incomplete and not adjusted for the configuration of OTH Regensburg. An up-to-date guide with configuration parameters for OTH Regensburg will soon be published.

**Linux** systems are **not officially supported** by OTH. Therefore this wiki page is only **support for self-help**. If you have issues, you will receive only **conditional support** from the data center service team at OTH.\\
This wiki page was created using **insert Linux distribution** and **Forticlient 4.4 for Linux**.

Until the start of the semester, Linux users only receive guidance via external links.\\

{{INLINETOC}}

====== Step 1: FortiClient Download ======

The download requires a login with your OTH credentials. The username has to be entered in the following form: abc12345@hs-regensburg.de

  * [[https://filegw.hs-regensburg.de/webdav/Software/AustauschSoftware/supportwiki/Forticlient/forticlient_vpn_7.2.5.0854_x86_64.rpm|Forticlient rpm download for 64-bit systems]] \\
  * [[https://filegw.hs-regensburg.de/webdav/Software/AustauschSoftware/supportwiki/FortiClient/forticlient_vpn_7.2.5.0854_amd64.deb|Forticlient deb download for 64-bit systems]] \\

====== Step 2: FortiClient installation & configuration ======

[[http://kb.fortinet.com/kb/documentLink.do?externalID=FD39996|Official Documentation for FortiClient Linux]]\\

Configuration parameters:

  * Server: https://sslvpn.oth-regensburg.de/vpn-default
  * Port: 443
  * Username: your personal NDS identifier according to the schema abc12345
  * Password: your personal password
  * Certificate: not required; please deactivate it if possible

====== Alternative: open-source-client openfortivpn ======

Alternatively, it is possible to use the open-source client [[https://github.com/adrienverge/openfortivpn|openfortivpn]].
Here is the content of the required config file (/etc/openfortivpn/config):

<code>
host = sslvpn.oth-regensburg.de
realm = vpn-default
port = 443
trusted-cert = 364fb4fa107e591626b3919f0e7f8169e9d2097974f3e3d55e56c7c756a1f94a
username = abc12345
password = meinpasswort
</code>

The certificate should be used to prevent man-in-the-middle attacks. The value of "trusted-cert" within the config file is identical to the SHA-256 hash of the server certificate. A simple verification of the certificate and its signatures is possible, for example, using your browser by opening [[https://sslvpn.oth-regensburg.de]] and inspecting the details of the certificate (e.g. lock icon to the left of the address bar in Firefox -> More information -> Show certificate). This should happen automatically if you import the DFN certificate globally.

You can use the "%%--%%persistent=" command line option to make openfortivpn reconnect automatically on connection loss.

Important note: In order for the client to work, "pppd" must be installed.\\
For pppd versions > 2.5.0, you may additionally need to add the "%%--%%pppd-accept-remote" command line option to openfortivpn. See [[https://github.com/adrienverge/openfortivpn/issues/1138|this issue on openfortivpn's GitHub]] for more information.

**If you fail to mount network drives from fs.hs-regensburg.de while connected with openfortivpn:**

This is likely because you have IPv6 enabled in your remote LAN and your system is set to prefer IPv6.\\
A workaround is to add a host entry to /etc/hosts, forcing IPv4 for fs.hs-regensburg.de:

<code>
127.0.0.1       localhost
::1             localhost
127.0.1.1       schwalbe.localdomain schwalbe
194.95.106.39   fs.hs-regensburg.de
</code>

Alternatively, you can use the IPv4 address instead of the hostname in your mount call.

This happens because fs.hs-regensburg.de provides an IPv6 address, but as of now IPv6 is supported neither by the OTH network nor by openfortivpn. So the IPv6 traffic is not routed through the VPN and the mount fails.
You can check if your system tries to use IPv6 by pinging or mounting with debug output enabled:

<code>
$ ping fs.hs-regensburg.de
PING fs.hs-regensburg.de(fs.hs-regensburg.de (2001:638:a01:8013::39)) 56 Datenbytes

$ mount -t cifs -v //fs.hs-regensburg.de/storage HS -o domain=hs-regensburg.de,username=abc12345
mount.cifs kernel mount options: ip=2001:638:a01:8013::39,unc=\\2001:638:a01:8013::39\storage,user=abc12345,domain=hs-regensburg.de,pass=********
mount error(101): Network is unreachable
</code>

You can check the IPv6 status of your environment with a service like [[https://ipv6-test.com/]].

Also see the [[public:lwdoc:netzlaufwerke_linux|German]] or [[en:public:lwdoc:netzlaufwerke_linux|English]] articles for using the network drives with Linux.

====== Alternative: configuration using NetworkManager and NetworkManager-fortisslvpn ======

NetworkManager by the GNOME project offers another way to establish a VPN connection. In order to use Fortinet SSL-VPN, the extension NetworkManager-fortisslvpn must be installed with the package manager of your choice. Doing so also installs the package openfortivpn. The following example uses Fedora with the Dandified YUM package manager.

<code>
sudo dnf install NetworkManager-ppp NetworkManager-fortisslvpn
</code>

In Ubuntu 20.04, NetworkManager is used as the default application. Additionally, the following extensions must be installed:

<code>
sudo apt install network-manager-fortisslvpn network-manager-fortisslvpn-gnome
</code>

Now, one has to create the VPN connection and subsequently add the appropriate connection parameters. //Please note:// the username **must** be adjusted.
<code>
nmcli con add type vpn vpn-type org.freedesktop.NetworkManager.fortisslvpn con-name OTH
nmcli con mod OTH vpn.data "gateway = sslvpn.oth-regensburg.de:443, otp-flags = 0, password-flags = 1, realm = vpn-default, trusted-cert = 79ccacdce687d5e24370ab15aa4d02bd11556ff143b1366b772afaed7044e223, user = abc12345"
</code>

The VPN connection can now be established using the following command. You will be prompted for your password.

<code>
nmcli --ask con up OTH
</code>

In order to disconnect, use the following command.

<code>
nmcli con down OTH
</code>

If you want to permanently save your password, you can create a "secret" which will be associated with the VPN connection.

<code>
nmcli con mod OTH vpn.secrets "password=PasswordStrong"
</code>

====== Instructions for other operating systems ======

  * [[public:netz:vpn_forticlient_windows|Install FortiClient for Microsoft Windows]]
  * [[public:netz:vpn_forticlient_macos|Install FortiClient for Apple Mac OS]]
  * [[public:netz:vpn_forticlient_android|Install FortiClient for Android]]
  * [[public:netz:vpn_forticlient_ios|Install FortiClient for Apple iPhone (iOS)]]
  * [[public:netz:vpn_forticlient_linux|Install FortiClient for Linux]]
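
Added example, not part of the original wiki page or of openfortivpn: a Python check for the "trusted-cert" values used in the openfortivpn config and in the nmcli vpn.data string above. It computes the SHA-256 digest of a PEM certificate and audits a config in the key = value form shown on this page. The function names, finding texts and the placeholder certificate bytes are assumptions made for this example.

```python
import hashlib
import re
import ssl

def cert_digest(pem: str) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate unvalidated; confirm its digest out of band."""
    return ssl.get_server_certificate((host, port))

def parse_config(text: str) -> dict:
    """Parse 'key = value' lines; trusted-cert may be given several times."""
    cfg = {"trusted-cert": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "trusted-cert":
            cfg[key].append(value.lower())
        else:
            cfg[key] = value
    return cfg

def audit(config_text: str, server_pem: str) -> list:
    """Return findings; an empty list means a well-formed, matching pin."""
    cfg, findings = parse_config(config_text), []
    pins = cfg["trusted-cert"]
    if not pins:
        findings.append("no trusted-cert pin configured")
    findings += [f"malformed pin: {p}" for p in pins
                 if not re.fullmatch(r"[0-9a-f]{64}", p)]
    if pins and cert_digest(server_pem) not in pins:
        findings.append("certificate matches no trusted-cert pin")
    if "password" in cfg:
        findings.append("password stored in cleartext in the config")
    return findings

# Constructed sample: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder, not a real cert")
PAGE_PIN = "364fb4fa107e591626b3919f0e7f8169e9d2097974f3e3d55e56c7c756a1f94a"
GOOD = f"host = sslvpn.oth-regensburg.de\ntrusted-cert = {cert_digest(SAMPLE_PEM)}\n"
BAD = f"trusted-cert = {PAGE_PIN}\npassword = meinpasswort\n"

if __name__ == "__main__":
    print(audit(GOOD, SAMPLE_PEM))  # pin derived from the sample itself
    print(audit(BAD, SAMPLE_PEM))   # page's pin against the constructed sample
```

For a live check, pass the output of fetch_pem("sslvpn.oth-regensburg.de") to cert_digest and compare the result with the fingerprint shown in the browser's certificate view before copying it into a config.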