adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0

Doesn't connect on a certain network #1110

Open sourav-majumdar-math opened 1 year ago

sourav-majumdar-math commented 1 year ago

I have been using openfortivpn for around two years. On my home wifi when I try to connect to the vpn there are no messages on stdout and it doesn't connect. I used to be able to connect on the home wifi earlier. I am able to connect to the vpn when I change my network to my mobile data.

However when I connect to the vpn using the android forticlient through the home wifi I am able to connect.

The issue seems to be openfortivpn+linux+home wifi? I am out of my wits on how to debug this.

I am on Arch Linux.

DimitriPapadopoulos commented 1 year ago

A simple network change cannot explain the lack of messages on stdout. You must be using a different version of openfortivpn on your home wifi and elsewhere.

What about the output of openfortivpn -v -v -v?

sourav-majumdar-math commented 1 year ago

Thank you so much for responding.

I ran sudo openfortivpn -v -v -v -c openfortivpn.conf and I get the following,

DEBUG:  ATTENTION: the output contains sensitive information such as the THE CLEAR TEXT PASSWORD.
DEBUG:  openfortivpn 1.20.3
DEBUG:  Loaded configuration file "openfortivpn.conf".
DEBUG:  Loaded password from configuration file "openfortivpn.conf"
DEBUG:  Configuration host = "REDACTED"
DEBUG:  Configuration realm = ""
DEBUG:  Configuration port = "REDACTED"
DEBUG:  Configuration username = "REDACTED"
DEBUG:  Configuration password = "REDACTED"
DEBUG:  Resolving gateway host ip
DEBUG:  Establishing ssl connection
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 131072
DEBUG:  server_addr: REDACTED
DEBUG:  server_port: REDACTED
DEBUG:  gateway_ip: REDACTED
DEBUG:  gateway_port: REDACTED
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
No response to 4 echo-requests
Serial link appears to be disconnected.
Connection terminated.
Modem hangup

and it just stays stuck here on my home wifi

DimitriPapadopoulos commented 1 year ago

So there is output to stdout after all.

What does openfortivpn -v -v -v have to say from a different network than home wifi?

Also, these messages are from pppd:

Not sure why pppd doesn't work as expected. Perhaps a routing problem?

sourav-majumdar-math commented 1 year ago

So there is output to stdout after all.

I wasn't patient enough to wait for it to appear previously. Apologies for the confusion.

When I change network I am able to connect and the output of the command is,

DEBUG:  ATTENTION: the output contains sensitive information such as the THE CLEAR TEXT PASSWORD.
DEBUG:  openfortivpn 1.20.3
DEBUG:  Loaded configuration file "openfortivpn.conf".
DEBUG:  Loaded password from configuration file "openfortivpn.conf"
DEBUG:  Configuration host = "REDACTED"
DEBUG:  Configuration realm = ""
DEBUG:  Configuration port = "REDACTED"
DEBUG:  Configuration username = "REDACTED"
DEBUG:  Configuration password = "REDACTED"
DEBUG:  Resolving gateway host ip
DEBUG:  Establishing ssl connection
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 131072
DEBUG:  server_addr: REDACTED
DEBUG:  server_port: REDACTED
DEBUG:  gateway_ip: REDACTED
DEBUG:  gateway_port: REDACTED
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Connected to gateway.
DEBUG:  http_send:
POST /remote/logincheck HTTP/1.1
Host: REDACTED
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: gzip, deflate, br
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie: 
Content-Length: 51

username=REDACTED&credential=REDACTED&realm=&ajax=1
DEBUG:  http_receive:
HTTP/1.1 200 OK
Date: Thu, 25 May 2023 15:16:26 GMT
Server: xxxxxxxx-xxxxx
Set-Cookie: SVPNCOOKIE=REDACTED; path=/; secure; httponly; SameSite=Strict
Transfer-Encoding: chunked
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https   'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000

6e    
<html><head>
<script language='javascript'>
document.location='/sslvpn/portal.html';
</script>
</head></html>

0

7.0
DEBUG:  Cookie: SVPNCOOKIE=REDACTED
INFO:   Authenticated.
DEBUG:  Cookie: SVPNCOOKIE=REDACTED
DEBUG:  http_send:
GET /remote/index HTTP/1.1
Host: REDACTED
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: gzip, deflate, br
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie: SVPNCOOKIE=REDACTED
Content-Length: 0

and it goes on and on. Let me know if a specific portion of the output is worth looking at

DimitriPapadopoulos commented 1 year ago

I see the message Establishing ssl connection but not the message Connected to gateway. which means openfortivpn fails to complete step 1, creating the TLS connection, https://github.com/adrienverge/openfortivpn/blob/45cb8e0f9984f1d54b648e499bda637d96568908/src/tunnel.c#L1266-L1271

In that case, it shouldn't attempt step 4, starting pppd: https://github.com/adrienverge/openfortivpn/blob/45cb8e0f9984f1d54b648e499bda637d96568908/src/tunnel.c#L1311-L1313 And indeed, I don't see the message Establishing the tunnel. Yet, we see error messages from pppd. That's disturbing. It's been a long time since I last looked at the details of openfortivpn sources, so I may be missing something, but I find this disturbing. Something's very wrong here, but what?
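The comparison above boils down to checking which of openfortivpn's milestone messages appear in a verbose log, and whether pppd output shows up before the tunnel stage. The helper below is an added example (not part of this thread or of the openfortivpn project) that does that triage mechanically and also masks the secrets the -v -v -v banner warns about, so a log can be pasted into a bug report. The stage markers and pppd lines are the ones quoted in the two runs above; the two sample logs are constructed, trimmed copies of those runs with placeholder secrets; the "trusted-cert" wording refers to openfortivpn's option for pinning an accepted gateway certificate digest.

```python
"""Triage helper for `openfortivpn -v -v -v` logs (added example, not project code).

Stage markers and pppd messages are the ones quoted in this thread; the
sample logs at the bottom are constructed, trimmed copies of those two runs.
"""
import re

# Milestones openfortivpn prints as a connection advances, in order.
STAGES = [
    ("resolve", "Resolving gateway host ip"),
    ("tls", "Establishing ssl connection"),
    ("connected", "Connected to gateway."),
    ("auth", "Authenticated."),
    ("tunnel", "Establishing the tunnel"),
]

# Lines that come from pppd, not from openfortivpn itself.
PPPD_MARKERS = (
    "No response to",
    "Serial link appears to be disconnected",
    "Connection terminated",
    "Modem hangup",
)

# Secrets the -v -v -v output warns about; strip them before sharing a log.
SECRET_PATTERNS = [
    (re.compile(r'(Configuration password = ")[^"]*(")'), r"\1REDACTED\2"),
    (re.compile(r"(credential=)[^&\s]*"), r"\1REDACTED"),
    (re.compile(r"(SVPNCOOKIE=)[^;\s]*"), r"\1REDACTED"),
]


def redact(log: str) -> str:
    """Return the log with password, POSTed credential and session cookie masked."""
    for pattern, repl in SECRET_PATTERNS:
        log = pattern.sub(repl, log)
    return log


def triage(log: str) -> dict:
    """Report the last stage reached and anything a maintainer would flag."""
    reached = [name for name, marker in STAGES if marker in log]
    pppd_seen = any(m in log for m in PPPD_MARKERS)
    findings = []
    if "Gateway certificate validation failed." in log:
        if "Gateway certificate digest found in white list." in log:
            findings.append("gateway certificate failed validation; accepted only "
                            "because its digest is trusted-cert whitelisted")
        else:
            findings.append("gateway certificate failed validation")
    if "tls" in reached and "connected" not in reached:
        findings.append("TLS connection to the gateway never completed")
    if pppd_seen and "tunnel" not in reached:
        findings.append("pppd output present although 'Establishing the tunnel' "
                        "was never logged")
    return {
        "last_stage": reached[-1] if reached else None,
        "stages": reached,
        "pppd_seen": pppd_seen,
        "findings": findings,
    }


# Constructed sample: the home-wifi run, which stalls after the TLS step.
FAILING_LOG = """\
DEBUG:  openfortivpn 1.20.3
DEBUG:  Configuration password = "hunter2"
DEBUG:  Resolving gateway host ip
DEBUG:  Establishing ssl connection
DEBUG:  Setting minimum protocol version to: 0x303.
No response to 4 echo-requests
Serial link appears to be disconnected.
Connection terminated.
Modem hangup
"""

# Constructed sample: the mobile-data run, which authenticates.
WORKING_LOG = """\
DEBUG:  openfortivpn 1.20.3
DEBUG:  Resolving gateway host ip
DEBUG:  Establishing ssl connection
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Connected to gateway.
username=alice&credential=hunter2&realm=&ajax=1
Set-Cookie: SVPNCOOKIE=abc123; path=/; secure; httponly; SameSite=Strict
INFO:   Authenticated.
"""

if __name__ == "__main__":
    for name, log in (("home wifi", FAILING_LOG), ("mobile data", WORKING_LOG)):
        print(name, triage(log))
    print(redact(WORKING_LOG))
```

Run it against a saved log with `python3 triage.py` after replacing the samples, or import `triage` and `redact`. The certificate finding is worth reading even on the working run: "validation failed" followed by "found in white list" means the gateway's certificate does not chain to a trusted CA and is accepted only by pinned digest, so a changed gateway certificate will fail until the pin is updated.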

DimitriPapadopoulos commented 1 year ago

Perhaps you can add a few printf calls here and there in the source code, rebuild, and attempt to find where exactly openfortivpn fails.