adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0

After connection established can't access any of the VPN's websites #1128

Open rafaelcn opened 1 year ago

rafaelcn commented 1 year ago

Hi, I'm on Fedora and when connecting to a given VPN it does create a network device (ppp0), updates the routes and also prepends new entries to the DNS file resolv.conf. The problem is that I can't seem to access any of the services over that VPN: whenever I try to access a website that should be accessible, there's no route to it.

I even tried the tun branch version but to no avail, it still doesn't work. If you want I can provide some logs. I tried to use two versions of the openfortivpn, the first is the package provided by my operating system (Fedora 38) with version 1.19.0 and the other I compiled myself from the branch tun (revision v1.20.4+git5.gbeefa44).

I don't know the version of FortiOS on the other end of the VPN.

DimitriPapadopoulos commented 1 year ago

Can you ping the IP address of the website but not the DNS name? Can you ping the DNS name?

Also please read Reporting issues. We'll see whether logs are needed after you answer the above questions.

rafaelcn commented 1 year ago

I can't do either, the only thing that resolves is the actual address of the VPN. I'll add more information as in the reporting issues section.

DimitriPapadopoulos commented 1 year ago

Have you built the latest openfortivpn version? Used the RPM package?

rafaelcn commented 1 year ago

Updated this information on the issue description.

DimitriPapadopoulos commented 1 year ago

Then I guess routing hasn't been properly set. It would be useful to see routes before/after running the VPN:

```
ip route
```

rafaelcn commented 1 year ago

They were, I verified the routes before and after the VPN starts and also initialized the openfortivpn on debug mode just to see what it did. The routes look a lot like the ones that are set up on my Windows machine when I connect using the official VPN client. Same thing with the resolv.conf file, it gets updated with two addresses for a nameserver and a search statement with lots of domains from the VPN.

msdobrescu commented 1 year ago

Hi, I have a similar problem and more. It seems it connects, creates the routes, adds the DNS servers, but I can't access the services behind, no ping response, although the commercial version under Windows works for the same connection. Compared to the Windows version, it seems to generate the same setup. Also, it stays connected for some time, maybe 10-20 mins, then disconnects.

msdobrescu commented 1 year ago

My system is a Gentoo-based distro, MocaccinoOS, we use openfortivpn 1.20.3. I've tested under KDE Plasma, where the Network Manager integration seems to be the cause, as the CLI version works fine. Although it seems similar to https://github.com/adrienverge/openfortivpn/issues/1120, version 1.20.3 does not work for me either.

DimitriPapadopoulos commented 1 year ago

@msdobrescu You do not have a similar problem if openfortivpn works from the command line. Please create a ticket against the KDE Network Manager integration.

msdobrescu commented 1 year ago

Sorry, can't tell the cause - so it looked similar to me. My bad! Here: https://bugs.kde.org/show_bug.cgi?id=472491

msdobrescu commented 1 year ago

Can you confirm that it's an issue exclusive to the KDE Network Manager integration? I use the OpenVPN client and it works fine.

rafaelcn commented 1 year ago

@DimitriPapadopoulos any thoughts on how I can make any discovery about this problem? I can provide the log output from pppd and also the route/interface output.

DimitriPapadopoulos commented 1 year ago

You could try FortiClient in addition to openfortivpn and compare routing after starting either VPN. Possible issues:

Perhaps a detailed log (-v -v -v) might help here, but I suspect looking at routing after starting FortiClient and openfortivpn could provide better clues.

rafaelcn commented 1 year ago

I know for sure that I won't be using IPv6, and the official client doesn't work for some reason: it fails with the error `Config routing table failed`, which I assumed was because it didn't require any root permissions, but the VPN program from the official client does require them and fails for the same reason. Either way, it is another product and I was happy when the openfortivpn client connected to the VPN successfully.

I have the routing table from both programs (one in Linux and the other in Windows) and I'll compare them. What would be the other routing issue from what I told you about?

rafaelcn commented 1 year ago

I was worried that my requests were not being forwarded through the ppp0 interface created by openfortivpn, so is there any way of debugging that? Can I use iptables in some way to get more information about this problem?

mrbaseman commented 1 year ago

It could be the firewall, which doesn't allow the traffic that you would expect - either that your local iptables doesn't allow traffic to the ppp0 device, or the Fortigate at the other end of the tunnel. But if nothing is allowed per policy on the Fortigate, it wouldn't even push the routes.

Maybe endpoint detection is active and the Fortigate only allows specific clients (e.g. official Windows FortiClient instances) - I have no experience, but I know this feature has been added to FortiOS.

DimitriPapadopoulos commented 1 year ago

Indeed, endpoint detection might be the issue here. Have you tried FortiClient?

rafaelcn commented 1 year ago

@DimitriPapadopoulos, yes, I tried, as I wrote in the previous comment. So I happen to connect to the endpoint successfully and I do have routes configured just right. @mrbaseman I tried to disable the firewall before and even change the SELinux policy to permissive but it didn't work as I was expecting. I'll try to disable the firewall and then have a look at iptables and maybe add a rule for the VPN interface created by openfortivpn (?).

I even tried to reverse engineer the official client to see where the failure point was being thrown and I'm leaning towards the conclusion of the client not having the right set of permissions to configure routes or whatever it actually tries to do (it's very hard to read disassembled code).

DimitriPapadopoulos commented 1 year ago

The Windows client relies on IPSec by default, while the Linux client is an SSL VPN. Perhaps VPN SSL is not enabled on that VPN server.

> I was happy when the openfortivpn client connected to the VPN successfully.

What happened since then? Upgrade of the VPN server? Upgrade of your own Linux machine?

rafaelcn commented 1 year ago

I meant that I was happy that openfortivpn was able to connect to the VPN server as the official client couldn't. Even though I connect to the VPN server successfully I'm unable to access any of the websites over that VPN for some reason.

Let me show you the debug information for the openfortivpn client. Don't worry because all of the personal information is redacted in some way.

```
openfortivpn -v
```

```
DEBUG: openfortivpn 1.19.0
DEBUG: revision unavailable
DEBUG: Loaded configuration file "/etc/openfortivpn/config".
DEBUG: Loaded password from configuration file "/etc/openfortivpn/config"
DEBUG: Configuration host = "teletrabalho.someplace.com.br"
DEBUG: Configuration realm = ""
DEBUG: Configuration port = "443"
DEBUG: Configuration username = "user.name"
DEBUG: Resolving gateway host ip
DEBUG: Establishing ssl connection
DEBUG: SO_KEEPALIVE: OFF
DEBUG: TCP_KEEPIDLE: 7200
DEBUG: TCP_KEEPINTVL: 75
DEBUG: TCP_KEEPCNT: 9
DEBUG: SO_SNDBUF: 16384
DEBUG: SO_RCVBUF: 131072
DEBUG: server_addr: 187.72.XXX.XXX
DEBUG: server_port: 443
DEBUG: gateway_addr: 187.72.XXX.XXX
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Setting minimum protocol version to: 0x303.
DEBUG: Gateway certificate validation succeeded.
INFO: Connected to gateway.
DEBUG: Empty cookie.
Two-factor authentication token:
DEBUG: Cookie: SVPNCOOKIE=
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=
INFO: Remote gateway has allocated a VPN.
DEBUG: SO_KEEPALIVE: OFF
DEBUG: TCP_KEEPIDLE: 7200
DEBUG: TCP_KEEPINTVL: 75
DEBUG: TCP_KEEPCNT: 9
DEBUG: SO_SNDBUF: 16384
DEBUG: SO_RCVBUF: 131072
DEBUG: server_addr: 187.72.XXX.XXX
DEBUG: server_port: 443
DEBUG: gateway_addr: 187.72.XXX.XXX
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Setting minimum protocol version to: 0x303.
DEBUG: Gateway certificate validation succeeded.
DEBUG: Retrieving configuration
DEBUG: found dns suffix b.br;s.com.br;h.com.br;s.c.br;c.com.br in xml config
DEBUG: found dns server 10.210.XXX.XXX in xml config
DEBUG: found dns server 10.100.XXX.XXX in xml config
DEBUG: Establishing the tunnel
DEBUG: ppp_path: /usr/sbin/pppd
DEBUG: Switch to tunneling mode
DEBUG: Starting IO through the tunnel
DEBUG: pppd_read thread
DEBUG: ssl_read thread
DEBUG: ssl_write thread
DEBUG: if_config thread
Using interface ppp0
Connect: ppp0 <--> /dev/pts/5
DEBUG: pppd ---> gateway (16 bytes)
DEBUG: pppd_write thread
DEBUG: gateway ---> pppd (12 bytes)
DEBUG: gateway ---> pppd (16 bytes)
DEBUG: pppd ---> gateway (12 bytes)
DEBUG: pppd ---> gateway (17 bytes)
DEBUG: pppd ---> gateway (18 bytes)
DEBUG: pppd ---> gateway (16 bytes)
DEBUG: gateway ---> pppd (12 bytes)
DEBUG: gateway ---> pppd (6 bytes)
DEBUG: gateway ---> pppd (17 bytes)
DEBUG: pppd ---> gateway (12 bytes)
DEBUG: pppd ---> gateway (6 bytes)
DEBUG: pppd ---> gateway (6 bytes)
DEBUG: gateway ---> pppd (12 bytes)
DEBUG: gateway ---> pppd (24 bytes)
DEBUG: pppd ---> gateway (12 bytes)
DEBUG: gateway ---> pppd (12 bytes)
DEBUG: gateway ---> pppd (6 bytes)
DEBUG: gateway ---> pppd (12 bytes)
DEBUG: pppd ---> gateway (12 bytes)
DEBUG: pppd ---> gateway (12 bytes)
DEBUG: gateway ---> pppd (12 bytes)
DEBUG: pppd ---> gateway (12 bytes)
DEBUG: gateway ---> pppd (12 bytes)
INFO: Got addresses: [172.20.XXX.XXX], ns [10.210.XXX.XXX, 10.100.XXX.XXX], ns_suffix [b.br;s.com.br;h.com.br;s.c.br;c.com.br]
INFO: Negotiation complete.
DEBUG: Got Address: 172.20.XXX.XXX
DEBUG: if_config: not ready yet...
DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: Got Address: 172.20.XXX.XXX DEBUG: if_config: not ready yet... 
DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: Got Address: 172.20.XXX.XXX DEBUG: if_config: not ready yet... 
DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: Got Address: 172.20.XXX.XXX DEBUG: pppd ---> gateway (12 bytes) DEBUG: if_config: not ready yet... 
DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: Got Address: 172.20.XXX.XXX DEBUG: if_config: not ready yet... 
DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: Got Address: 172.20.XXX.XXX DEBUG: if_config: not ready yet... 
DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: Got Address: 172.20.XXX.XXX DEBUG: if_config: not ready yet... 
DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: Got Address: 172.20.XXX.XXX DEBUG: if_config: not ready yet... DEBUG: gateway ---> pppd (12 bytes) DEBUG: pppd ---> gateway (12 bytes) DEBUG: gateway ---> pppd (16 bytes) DEBUG: pppd ---> gateway (16 bytes) DEBUG: gateway ---> pppd (6 bytes) INFO: Negotiation complete. DEBUG: pppd ---> gateway (6 bytes) local IP address 172.20.XXX.XXX remote IP address 169.254.XXX.XXX DEBUG: pppd ---> gateway (42 bytes) DEBUG: Got Address: 172.20.XXX.XXX DEBUG: Interface Name: ppp0 DEBUG: Interface Addr: 172.20.XXX.XXX INFO: Interface ppp0 is UP. INFO: Setting new routes... DEBUG: ip route show to 0.0.XXX.XXX/0.0.XXX.XXX dev !ppp0 DEBUG: ip route show to 187.72.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: Route not found. DEBUG: ip route show to 187.72.XXX.XXX/255.255.XXX.XXX dev !ppp0 DEBUG: Setting route to vpn server... 
DEBUG: ip route show to 187.72.XXX.XXX/255.255.XXX.XXX via 192.168.XXX.XXX dev wlp3s0 DEBUG: ip route add to 187.72.XXX.XXX/255.255.XXX.XXX via 192.168.XXX.XXX dev wlp3s0 DEBUG: ip route add to 10.220.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.100.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.210.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.221.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.222.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.223.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.224.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.223.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.222.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.240.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.228.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.230.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.238.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.223.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.210.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.26.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.228.XXX.XXX/255.255.XXX.XXX 
dev ppp0 DEBUG: ip route add to 10.228.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.228.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 177.66.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 177.66.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 177.66.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 200.218.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.209.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 200.198.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 189.9.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 189.9.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 200.19.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 200.19.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 200.19.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 200.19.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 
192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 191.239.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 200.175.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 198.18.XXX.XXX/255.255.XXX.XXX 
dev ppp0 DEBUG: ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.228.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.232.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 187.72.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 189.125.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 187.72.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 187.72.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 189.125.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 187.72.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 189.125.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 104.41.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 18.231.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 200.242.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 
192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.222.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 177.11.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 189.87.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 189.9.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 177.11.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 189.87.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 104.18.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 104.18.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 104.19.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0 DEBUG: ip route add to 200.19.XXX.XXX/255.255.XXX.XXX dev ppp0 INFO: Adding VPN nameservers... DEBUG: Attempting to modify /etc/resolv.conf directly. 
DEBUG: Adding "nameserver 10.210.XXX.XXX", to /etc/resolv.conf.
DEBUG: Adding "nameserver 10.100.XXX.XXX", to /etc/resolv.conf.
DEBUG: dns_suffix already present in /etc/resolv.conf.
INFO: Tunnel is up and running.
DEBUG: pppd ---> gateway (42 bytes)
DEBUG: pppd ---> gateway (203 bytes)
DEBUG: pppd ---> gateway (203 bytes)
DEBUG: pppd ---> gateway (203 bytes)
DEBUG: pppd ---> gateway (42 bytes)
DEBUG: pppd ---> gateway (70 bytes)
DEBUG: pppd ---> gateway (70 bytes)
DEBUG: pppd ---> gateway (203 bytes)
DEBUG: pppd ---> gateway (42 bytes)
DEBUG: pppd ---> gateway (70 bytes)
DEBUG: pppd ---> gateway (70 bytes)
DEBUG: pppd ---> gateway (70 bytes)
DEBUG: pppd ---> gateway (70 bytes)
DEBUG: pppd ---> gateway (203 bytes)
DEBUG: pppd ---> gateway (203 bytes)
DEBUG: pppd ---> gateway (203 bytes)
DEBUG: pppd ---> gateway (203 bytes)
```

Firewall configuration:

```
$ firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp3s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```

DimitriPapadopoulos commented 1 year ago

That's the code that emits the `DEBUG: Route not found` message, which looks suspect:

    if (rtfound == 0) {
        // should not occur anymore unless there is no default route
        log_debug("Route not found.\n");

By the way, are you able to ping the DNS servers 10.210.XXX.XXX and 10.100.XXX.XXX?

rafaelcn commented 1 year ago

Yes, both of them are accessible by ping just fine. Interestingly, the address from that `Route not found` debug message is shown when I try to find it with `ip route show | grep "187.72.XXX.XXX"`, and it shows that the address is accessible from the default gateway of my network.

```
$ ip route show | grep "187.72.XXX.XXX"
187.72.XXX.XXX via 192.168.0.1 dev wlp3s0
```

pkubaj commented 1 year ago

I use version 1.20.5 on FreeBSD 14.0-CURRENT. FreeBSD obviously does not use NetworkManager and the same issue happens as well, with openfortivpn starting from the command line.

DimitriPapadopoulos commented 1 year ago

@pkubaj Routing is handled differently on FreeBSD, so I doubt you experience the "same issue". Open a different ticket if needed.

klaverjan commented 10 months ago

I am also on Fedora 39 using the RPM.

I've noticed that after the VPN is established it adds 2 static routes for the VPN gateway via the established tunnel.

Deleting the 2 offending routes after establishing the connection fixes the problem.

The output below is from `route -n`:

```
197.234.XXX.XXX 0.0.0.0     255.255.255.255 UH  0  0 0 ppp0        <---- Incorrect static route.
197.234.XXX.XXX 172.31.X.X  255.255.255.255 UGH 50 0 0 wlp0s20f3   <---- Correct route via wireless interface.
197.234.XXX.XXX 0.0.0.0     255.255.255.255 UH  50 0 0 ppp0        <---- Incorrect static route.
```

Doing `route del -host 197.234.XXX.XXX dev ppp0` twice removes the offending routes and the VPN starts working.
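
The two diagnostics suggested in this thread, comparing `ip route` before and after the tunnel comes up, and looking for host routes that send the VPN gateway's own address into ppp0, can be automated. The script below is an added example, not openfortivpn code or anything from the project; it parses the text of `ip route show` (constructed sample tables, with illustrative addresses) and reports (a) the routes the VPN added and (b) any route that would win the kernel lookup for the gateway address and point at the tunnel device. The route-selection rule it applies (longest prefix first, then lowest metric) is the standard Linux one; the sample reproduces the pattern above, where two `ppp0` host routes shadow the correct uplink route.

```python
"""Route-table sanity check for an SSL VPN tunnel (added example, not openfortivpn code).

Given the text of `ip route show` before and after the tunnel came up, report
which routes the VPN added and whether the VPN gateway itself would now be
reached through the tunnel interface, which loops the TLS transport into the
tunnel and breaks all traffic.  Sample tables and addresses are constructed.
"""
import ipaddress

# Constructed sample: routing table before openfortivpn started.
BEFORE = """\
default via 192.168.0.1 dev wlp3s0 proto dhcp metric 600
192.168.0.0/24 dev wlp3s0 proto kernel scope link src 192.168.0.23 metric 600
"""

# Constructed sample: after the tunnel is up.  It contains the correct host
# route to the gateway via the wireless uplink (metric 50) and two bogus host
# routes to the gateway via ppp0, mirroring the `route -n` output in the thread.
AFTER = """\
default via 192.168.0.1 dev wlp3s0 proto dhcp metric 600
10.100.0.0/16 dev ppp0 scope link
10.210.0.0/16 dev ppp0 scope link
172.20.5.0/24 dev ppp0 proto kernel scope link src 172.20.5.17
187.72.10.20 via 192.168.0.1 dev wlp3s0 metric 50
187.72.10.20 dev ppp0 scope link
187.72.10.20 dev ppp0 scope link metric 50
192.168.0.0/24 dev wlp3s0 proto kernel scope link src 192.168.0.23 metric 600
"""


def parse_ip_route(text):
    """Parse `ip route show` lines into dicts with dst, via, dev, metric, raw."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "default":
            dst = ipaddress.ip_network("0.0.0.0/0")
        else:
            dst = ipaddress.ip_network(fields[0], strict=False)  # host routes carry no /32
        route = {"dst": dst, "via": None, "dev": None, "metric": 0, "raw": line}
        # `ip route` prints keyword/value pairs; scan consecutive token pairs.
        for key, value in zip(fields[1:], fields[2:]):
            if key in ("via", "dev"):
                route[key] = value
            elif key == "metric":
                route["metric"] = int(value)
        routes.append(route)
    return routes


def best_route(routes, ip):
    """Kernel lookup order: longest prefix wins, then the lowest metric."""
    matches = [r for r in routes if ip in r["dst"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["dst"].prefixlen, -r["metric"]))


def route_diff(before_text, after_text):
    """Raw route lines present after the VPN came up but not before."""
    before = {r["raw"] for r in parse_ip_route(before_text)}
    return [r["raw"] for r in parse_ip_route(after_text) if r["raw"] not in before]


def gateway_routes_via_tunnel(route_text, gateway_ip, tunnel_dev="ppp0"):
    """Tunnel routes that currently win the lookup for the VPN gateway address.

    Returns [] when the gateway is reached over a physical uplink (healthy).
    Otherwise returns every tunnel route at the winning prefix length: all of
    them must go before the uplink route takes over (hence "delete twice").
    """
    routes = parse_ip_route(route_text)
    gw = ipaddress.ip_address(gateway_ip)
    chosen = best_route(routes, gw)
    if chosen is None or chosen["dev"] != tunnel_dev:
        return []
    return [r["raw"] for r in routes
            if r["dev"] == tunnel_dev and gw in r["dst"]
            and r["dst"].prefixlen == chosen["dst"].prefixlen]


def check_tunnel(before_text, after_text, gateway_ip, tunnel_dev="ppp0"):
    """Summarise routes added by the VPN and any gateway-into-tunnel routes."""
    return {
        "added": route_diff(before_text, after_text),
        "gateway_via_tunnel": gateway_routes_via_tunnel(after_text, gateway_ip, tunnel_dev),
    }


if __name__ == "__main__":
    report = check_tunnel(BEFORE, AFTER, "187.72.10.20")
    print("routes added by the VPN:")
    for line in report["added"]:
        print("  +", line)
    for line in report["gateway_via_tunnel"]:
        print("  ! VPN gateway routed into the tunnel:", line)
```

On a real machine, capture `ip route show` into two files before and after connecting and feed their contents to `check_tunnel` together with the gateway address from the openfortivpn log (`gateway_addr`); an empty `gateway_via_tunnel` list means the gateway is still reached over the uplink, and a non-empty one lists exactly the routes whose removal the comment above describes.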

DimitriPapadopoulos commented 10 months ago

@klaverjan Are you connecting from NetworkManager or directly from the command line by running openfortivpn?

klaverjan commented 10 months ago

Hi @DimitriPapadopoulos

> @klaverjan Are you connecting from NetworkManager or directly from the command line by running openfortivpn?

I am using NetworkManager.

Running the below from the command line works correctly, so the issue seems to be NM-Related.

Hopefully the work-around is helpful in the meantime.

```
[root /tmp]# /usr/bin/openfortivpn -c /tmp/forti.config --no-dns --pppd-use-peerdns=1 197.234.XXX.XXX:10443 --trusted-cert d3335ec2d2a3d88583f456178553757da4759096d***
INFO: Connected to gateway.
INFO: Authenticated.
INFO: Remote gateway has allocated a VPN.
Using interface ppp0
Connect: ppp0 <--> /dev/pts/0
INFO: Got addresses: *
INFO: Negotiation complete.
local IP address *
remote IP address **
primary DNS address ***
secondary DNS address ***
INFO: Interface ppp0 is UP.
INFO: Setting new routes...
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Tunnel is up and running.
```

rafaelcn commented 10 months ago

I'm enjoying quite a lot of these other comments about the same problem. Gonna try to connect again in a few hours and try to do what you did @klaverjan.

ElhanM commented 6 months ago

Similar problem here. I am on Linux Mint. Worked fine for a few days then just stopped working suddenly.