* Forticlient rpm download for 64-bit Systeme
* Forticlient deb download for 64-bit Systeme
Offical Documentation for FortiClient Linux
Configuration parameters:
Alternatively, it is possible to use the open-source client openfortivpn. Here the content of the required config file (/etc/openfortivpn/config):
host = sslvpn.oth-regensburg.de realm = vpn-default port = 443 trusted-cert = 364fb4fa107e591626b3919f0e7f8169e9d2097974f3e3d55e56c7c756a1f94a username = abc12345 password = meinpasswort
The certificate should be used to prevent man-in-the-middle attacks. The value of „trusted-cert“ within the config file is identical to the SHA-256 hash of the server certificate. A simple verification of the certificate and its signatures is for example possible using your browser by opening https://sslvpn.oth-regensburg.de and inspecting the details of the certificate (z.B. lock icon left to the address bar in Firefox → More information → Show certificate). This should happen automatically if you import the DFN-certificate globally.
You can use the „--persistent=<interval seconds>“ command line option to make openfortivpn reconnect automatically on connection loss.
Important note: In order for the client to work „pppd“ must be installed.
For pppd Versions > 2.5.0, you may need to additionally add the „--pppd-accept-remote“ command line option to openfortivpn. See this issue on openfortivpn's github for more information.
If you fail to mount network drives from fs.hs-regensburg.de while connected with openfortivpn:
This is likely because you have IPv6 enabled in your remote LAN and your system is set to prefer IPv6.
A workaround is to add a host entry to /etc/hosts, forcing IPv4 for fs.hs-regensburg.de:
127.0.0.1 localhost ::1 localhost 127.0.1.1 schwalbe.localdomain schwalbe 194.95.106.39 fs.hs-regensburg.de
Also, you could use the IPv4 address instead of the hostname in your mount call.
This happens because fs.hs-regensburg.de provides an IPv6 address, but as of now IPv6 isn't supported by the OTH network and also not by openfortivpn. So the IPv6 traffic is not routed through the VPN and the mount fails.
You can check if your system tries to use IPv6 by pinging or mounting with debug output enabled:
$ ping fs.hs-regensburg.de PING fs.hs-regensburg.de(fs.hs-regensburg.de (2001:638:a01:8013::39)) 56 Datenbytes $ mount -t cifs -v //fs.hs-regensburg.de/storage HS -o domain=hs-regensburg.de,username=abc12345 mount.cifs kernel mount options: ip=2001:638:a01:8013::39,unc=\\2001:638:a01:8013::39\storage,user=abc12345,domain=hs-regensburg.de,pass=******** mount error(101): Network is unreachable
You can check the IPv6 status of your environment with a service like https://ipv6-test.com/.
Also see the german or english articles for using the network drives with linux.
Another possibility to establish a VPN connnection offers NetworkManager by the Gnome project.
In order to use Fortinet SSL-VPN the extension NetworkManager-fortisslvpn must be installed with the package manager of your choice. By doing so, the package openfortivpn will be installed as well.
The following example uses Fedora with Dandified YUM package manager.
sudo dnf install NetworkManager-ppp NetworkManager-fortisslvpn
In Ubuntu 20.04 NetworkManager is used as default applciation. Additionally, the following extensions must be be installed:
sudo apt install network-manager-fortisslvpn network-manager-fortisslvpn-gnome
Now, one has to create the VPN connection and subsequently add the appropriate connection parameters. Please note: the username must be adjusted.
nmcli con add type vpn vpn-type org.freedesktop.NetworkManager.fortisslvpn con-name OTH nmcli con mod OTH vpn.data "gateway = sslvpn.oth-regensburg.de:443, otp-flags = 0, password-flags = 1, realm = vpn-default, trusted-cert = 79ccacdce687d5e24370ab15aa4d02bd11556ff143b1366b772afaed7044e223, user = abc12345"
The VPN connection can now be established using the following command. You will be prompted for your password.
nmcli --ask con up OTH
In order to disconnect, use the following command.
nmcli con down OTH
If you want to permanently save your password you can create a „secret“ which will be associated to the VPN connection.
nmcli con mod OTH vpn.secrets "password=PasswordStrong"