adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0

Why 403 Forbidden using --cookie-on-stdin ? #1251

Open jordan-bravo opened 3 weeks ago

jordan-bravo commented 3 weeks ago

I'm trying to connect with a cookie I got from logging in via SSO and it's failing with ERROR: Could not get VPN configuration (HTTP status code). Looking at the verbose output, it seems to be failing with 403 Forbidden.

My SAML login seems to be successful so I'm fairly certain my SVPNCOOKIE value is correct. Any suggestions on how to further troubleshoot this?

Here is the verbose output:

❯ echo "<redacted>" | sudo openfortivpn -v -v -v <reacted>.edge.prod.fortisase.com:443 --cookie-on-stdin
DEBUG:  ATTENTION: the output contains sensitive information such as the THE CLEAR TEXT PASSWORD.
DEBUG:  openfortivpn 1.22.1
DEBUG:  revision unavailable
WARN:   Could not load configuration file "/etc/openfortivpn/config" (No such file or directory).
DEBUG:  Configuration host = "<reacted>.edge.prod.fortisase.com"
DEBUG:  Configuration realm = ""
DEBUG:  Configuration port = "443"
DEBUG:  Configuration password = ""
DEBUG:  Resolving gateway host ip
DEBUG:  Establishing TLS connection
DEBUG:  server_addr: 154.52.6.113
DEBUG:  server_port: 443
DEBUG:  gateway_ip: 154.52.6.113
DEBUG:  gateway_port: 443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Set SNI for TLS handshake: <reacted>.edge.prod.fortisase.com
DEBUG:  Gateway certificate validation succeeded.
INFO:   Connected to gateway.
DEBUG:  Cookie: SVPNCOOKIE=<redacted>
INFO:   Authenticated.
DEBUG:  Cookie: SVPNCOOKIE=<redacted>
DEBUG:  http_send:
GET /remote/index HTTP/1.1
Host: <reacted>.edge.prod.fortisase.com:443
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: identity
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie: SVPNCOOKIE=<redacted>
Content-Length: 0

DEBUG:  http_receive:
HTTP/1.1 403 Forbidden
Date: Tue, 29 Oct 2024 17:42:39 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https:  'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000

147
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /remote/index
on this server.<P>
<P>Additionally, a 400 Bad Request
error was encountered while trying to use an ErrorDocument to handle the request.
</BODY></HTML>

0

DEBUG:  http_send:
GET /remote/fortisslvpn HTTP/1.1
Host: <reacted>.edge.prod.fortisase.com:443
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: identity
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie: SVPNCOOKIE=<redacted>
Content-Length: 0

DEBUG:  http_receive:
HTTP/1.1 403 Forbidden
Date: Tue, 29 Oct 2024 17:42:39 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https:  'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000

14d
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /remote/fortisslvpn
on this server.<P>
<P>Additionally, a 400 Bad Request
error was encountered while trying to use an ErrorDocument to handle the request.
</BODY></HTML>

0

INFO:   Remote gateway has allocated a VPN.
DEBUG:  server_addr: 154.52.6.113
DEBUG:  server_port: 443
DEBUG:  gateway_ip: 154.52.6.113
DEBUG:  gateway_port: 443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Set SNI for TLS handshake: <reacted>.edge.prod.fortisase.com
DEBUG:  Gateway certificate validation succeeded.
DEBUG:  Retrieving configuration
DEBUG:  http_send:
GET /remote/fortisslvpn_xml HTTP/1.1
Host: <reacted>.edge.prod.fortisase.com:443
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: identity
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie: SVPNCOOKIE=<redacted>
Content-Length: 0

DEBUG:  http_receive:
HTTP/1.1 403 Forbidden
Date: Tue, 29 Oct 2024 17:42:42 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https:  'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000

151
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /remote/fortisslvpn_xml
on this server.<P>
<P>Additionally, a 400 Bad Request
error was encountered while trying to use an ErrorDocument to handle the request.
</BODY></HTML>

ERROR:  Could not get VPN configuration (HTTP status code).
INFO:   Closed connection to gateway.
DEBUG:  server_addr: 154.52.6.113
DEBUG:  server_port: 443
DEBUG:  gateway_ip: 154.52.6.113
DEBUG:  gateway_port: 443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Set SNI for TLS handshake: <reacted>.edge.prod.fortisase.com
DEBUG:  Gateway certificate validation succeeded.
DEBUG:  http_send:
GET /remote/logout HTTP/1.1
Host: <reacted>.edge.prod.fortisase.com:443
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: identity
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie: SVPNCOOKIE=<redacted>
Content-Length: 0

DEBUG:  http_receive:
HTTP/1.1 307 Temporary Redirect
Date: Tue, 29 Oct 2024 17:42:45 GMT
Set-Cookie:  SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict
Location: https://login.microsoftonline.com/253415b6-4c2c-4044-9f44-436b6de06ef6/saml2?SAMLRequest=<redacted>&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=<redacted>
Content-Length: 0
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https:  'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000

INFO:   Logged out.
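The pattern in a log like the one above (authentication reported, every cookie-bearing request to /remote/* refused with 403, and the logout reply expiring SVPNCOOKIE while redirecting to the SAML IdP) can be pulled out mechanically. The script below is an added example, not part of this report or of openfortivpn: it pairs each `http_send` request with the following `http_receive` status and summarises how the gateway treated the cookie. The embedded log excerpt and the `login.example` host are constructed for the example.

```python
import re
# Constructed excerpt shaped like the verbose openfortivpn output above (values redacted).
SAMPLE_LOG = """\
DEBUG:  http_send:
GET /remote/fortisslvpn_xml HTTP/1.1
Cookie: SVPNCOOKIE=<redacted>
DEBUG:  http_receive:
HTTP/1.1 403 Forbidden
DEBUG:  http_send:
GET /remote/logout HTTP/1.1
Cookie: SVPNCOOKIE=<redacted>
DEBUG:  http_receive:
HTTP/1.1 307 Temporary Redirect
Set-Cookie:  SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure
Location: https://login.example/tenant/saml2?SAMLRequest=<redacted>
"""

REQ = re.compile(r"^(?:GET|POST) (\S+) HTTP/1\.[01]$")
RESP = re.compile(r"^HTTP/1\.[01] (\d{3}) ")

def parse_exchanges(log):
    # Pair each request line from http_send with the status line of the following http_receive.
    exchanges, cur = [], {}   # cur starts as a throwaway dict so pre-request lines are ignored
    for line in log.splitlines():
        m = REQ.match(line)
        if m:
            cur = {"path": m.group(1), "cookie_sent": False, "status": None,
                   "cookie_cleared": False, "redirect": None}
            exchanges.append(cur)
        elif line.startswith("Cookie:") and "SVPNCOOKIE=" in line:
            cur["cookie_sent"] = True
        elif RESP.match(line):
            cur["status"] = int(RESP.match(line).group(1))
        elif line.startswith("Set-Cookie:") and "SVPNCOOKIE=;" in line:
            cur["cookie_cleared"] = True   # gateway expired the session cookie
        elif line.startswith("Location:"):
            cur["redirect"] = line.split(":", 1)[1].strip()
    return exchanges

def diagnose(log):
    # Summarise how the gateway treated the supplied SVPNCOOKIE across the session.
    ex = parse_exchanges(log)
    logout = next((e for e in ex if e["path"] == "/remote/logout"), None)
    return {
        "forbidden": [e["path"] for e in ex if e["cookie_sent"] and e["status"] == 403],
        "config_status": next((e["status"] for e in ex if e["path"] == "/remote/fortisslvpn_xml"), None),
        "logout_cleared_cookie": bool(logout and logout["cookie_cleared"]),
        "logout_redirects_to_idp": bool(logout and logout["redirect"] and "/saml2" in logout["redirect"]),
    }
```

Feed it a saved verbose run with `diagnose(open("vpn.log").read())`; a `config_status` of 403 together with `logout_cleared_cookie` being true is the shape of the report above.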