adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0

Connection to server running openfortivpn closes after startup of tunnel #291

Closed synbitz closed 6 years ago

synbitz commented 6 years ago

Hello, hoping you can guide me in the right direction with my issue. I'm using openfortivpn and before just forticlient sslvpn for Linux. I need to open some tunnels to FortiGate VPNs, but once it opens a tunnel my SSH connection to the server is lost. I can't reach the server anymore, which is an issue. I've run with the --no-route and --nopeerdns tags, and when I did that I did not get disconnected, but the tunnel didn't work (I assume because the correct routes and nameservers didn't get added).

When I run this package on a local desktop with Ubuntu 16.04 everything is fine.

Any idea how I can make the previous routes not be forgotten when starting openfortivpn? I think this is my issue.

synbitz commented 6 years ago

I've tried --half-internet-routes=1 but it didn't work to keep my ssh connection open. If it helps to know, the server is sitting on an AWS VPS. I want to open multiple VPN tunnels at the same time (a few) and use Ansible to perform some tasks on the servers behind the tunnel.

DimitriPapadopoulos commented 6 years ago

I'm not sure I understand the details. Perhaps you can provide the following information:

mrbaseman commented 6 years ago

Do I understand correctly that you are connected via ssh to a server on AWS and you run openfortivpn there, on the remote side? And the problem is that your ssh connection stops working when openfortivpn configures the routes? You can try to configure a host route to your ssh client first. ssh defines some environment variables, e.g. SSH_CLIENT, which contains the client IP and the ports used. With this information you can configure a host route that helps keep your ssh connection running. If you need further assistance, the output of route -n before and (if possible to obtain somehow via scripting) after starting openfortivpn

synbitz commented 6 years ago

@DimitriPapadopoulos The tunnel works when I run it locally from my desktop. It probably works too when I run it on the VPS but I get disconnected so I can't check any logs. Running openfortivpn 1.6.0.

@mrbaseman that's my issue indeed. I connect with ssh to my VPS. On the VPS I run openfortivpn. At startup, once it comes to "adding routes", a few seconds later my SSH connection to the VPS is lost and the only way I can get back in is rebooting the machine.

So I should be able to ... add a route for my SSH client on the VPS? I'll look into SSH_CLIENT.

Before I found openfortivpn I was using forticlient-sslvpn_4.4.2333-1_amd64. I had built some EXPECT scripts and a wrapper to open multiple instances. But once I set it up on a server I had this issue that my own ssh connection gets dropped, so I was hoping that openfortivpn would be a better tool, and the parameter --half-internet-routes=1 seemed like the thing I needed. But it had the same behaviour sadly. --no-routes helped, but then I couldn't reach any of the servers behind the tunnel (because obviously the routes for it were not added).

So yeah, I'll look into SSH_CLIENT...

DimitriPapadopoulos commented 6 years ago

I understand now, thanks for the explanations.

The VPN is disconnecting SSH by design. You'll have to define a specific route for SSH manually.

DimitriPapadopoulos commented 6 years ago

For example you could use --no-routes and set all routes manually.

mrbaseman commented 6 years ago

A host route for the ssh connection should be sufficient.

Anyhow, since your goal is to open several tunnels at the same time you probably have to configure routes manually. Otherwise you would probably end up with a setup in which you connect the second tunnel through the first one, and the third through the second and the first one etc.

If the host route approach doesn't work and you want to figure out which routes would be configured, and if you have persistent logs across reboots on your server, you could use --use-syslog -v and find the routes that openfortivpn configures after the next reboot in your syslog files. If logs are not persistent, maybe just redirect the output using shell redirection openfortivpn -v > output.log and inspect that file after the next reboot. Then you should have the information that you need to set up the routes manually.
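Putting mrbaseman's two suggestions together (a host route to the ssh client derived from SSH_CLIENT, then openfortivpn started with --no-routes and -v logging to a file, with the tunnel routes added by hand once the ppp interface is up), the following wrapper is an added example; it is not part of this thread and not openfortivpn project code. It assumes iproute2's `ip` is available, that sshd sets SSH_CLIENT as "client_ip client_port server_port", that the VPN shows up as the first pppN interface on the box, and that the credentials live in the openfortivpn config file passed to it. The config path, log path and subnet list in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not openfortivpn project code): keep an ssh session alive while
# openfortivpn comes up on the same host, then add the tunnel routes manually.
#   1. host route to the ssh client via the current default gateway
#   2. openfortivpn -c CONFIG --no-routes -v, logged to a file
#   3. one route per listed subnet through the pppN device
# Assumes iproute2 `ip` and sshd's SSH_CLIENT ("client_ip client_port server_port").
set -eu

# First field of SSH_CLIENT is the address of the ssh client.
ssh_client_ip() { printf '%s\n' "$1" | awk '{ print $1 }'; }

# Gateway and device of the default route, read before the VPN touches routing.
default_gw()  { ip -4 route show default | awk '{ print $3; exit }'; }
default_dev() { ip -4 route show default | awk '{ print $5; exit }'; }

# Build (not run) the host-route command: $1 client IP, $2 gateway, $3 device.
host_route_cmd() { printf 'ip route add %s/32 via %s dev %s\n' "$1" "$2" "$3"; }

# Build (not run) a tunnel-route command: $1 subnet in CIDR notation, $2 ppp device.
tunnel_route_cmd() { printf 'ip route add %s dev %s\n' "$1" "$2"; }

# Turn a comma-separated subnet list into one CIDR per line, dropping empty items.
split_subnets() { printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d'; }

# Execute a command line in "apply" mode, print it in "dry-run" mode.
run() {
    mode=$1; shift
    if [ "$mode" = apply ]; then eval "$*"; else printf '%s\n' "$*"; fi
}

# Step 1: pin the route back to the ssh client before openfortivpn changes anything.
pin_ssh_route() {
    client=$(ssh_client_ip "${SSH_CLIENT:?SSH_CLIENT is not set; not running under sshd}")
    gw=$(default_gw); gwdev=$(default_dev)
    [ -n "$gw" ] && [ -n "$gwdev" ] || { echo "no default route found" >&2; return 1; }
    run "$1" "$(host_route_cmd "$client" "$gw" "$gwdev")"
}

# Step 2: start the VPN without letting it install routes; verbose log goes to $3.
start_vpn() { run "$1" "openfortivpn -c '$2' --no-routes -v > '$3' 2>&1 &"; }

# Wait up to $1 seconds for a pppN interface and print its name (assumes none existed before).
wait_for_ppp() {
    i=0
    while [ "$i" -lt "$1" ]; do
        pppdev=$(ip -o link show | sed -n 's/^[0-9]*: \(ppp[0-9]*\).*/\1/p' | head -n 1)
        [ -n "$pppdev" ] && { printf '%s\n' "$pppdev"; return 0; }
        sleep 1; i=$((i + 1))
    done
    echo "no ppp interface appeared within $1 s" >&2
    return 1
}

# Step 3: routes for the networks behind the tunnel: $1 mode, $2 ppp device, $3 subnet list.
add_tunnel_routes() {
    for net in $(split_subnets "$3"); do run "$1" "$(tunnel_route_cmd "$net" "$2")"; done
}

# Usage (placeholder paths/subnets):
#   sh pin-and-connect.sh dry-run /etc/openfortivpn/site.conf /var/log/ofv.log "10.10.0.0/24,10.20.0.0/16"
#   sh pin-and-connect.sh apply   /etc/openfortivpn/site.conf /var/log/ofv.log "10.10.0.0/24,10.20.0.0/16"
case "${1:-}" in
    apply|dry-run)
        pin_ssh_route "$1"
        start_vpn "$1" "$2" "$3"
        if [ "$1" = apply ]; then ppp=$(wait_for_ppp 60); else ppp=ppp0; fi
        add_tunnel_routes "$1" "$ppp" "$4"
        ;;
    *) : ;;   # no mode given: only define the functions (e.g. when sourced)
esac
```

Run it in dry-run mode first over ssh to see exactly which `ip route` lines it would issue; the host route is the one that matters for not losing the session, and the log file gives the route list openfortivpn would otherwise have installed, which is what you need to fill in the subnet argument for each tunnel.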

synbitz commented 6 years ago

@mrbaseman Thanks I will have a look at setting the routes manually after the vpn connection is established. This seems to be the best solution.