adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0

[question] Is openfortivpn a good alternative to the forticlientsslvpn_cli? #450

Closed jdshaeffer closed 5 years ago

jdshaeffer commented 5 years ago

My apologies if this is a very novice question. We're currently using forticlientsslvpn_cli on our project and it doesn't work most of the time. Looking for solutions. Would openfortivpn be an answer?

DimitriPapadopoulos commented 5 years ago

Yes, it could be an answer.

That said, how doesn't forticlientsslvpn_cli work? In my use case the graphical forticlientsslvpn does work but used to be disconnected more often than openfortivpn.

Both forticlientsslvpn and openfortivpn might fail over fragile networks - when Wi-Fi connections fail or DHCP leases are re-negotiated every few minutes. That's what I experienced again during my last trip...

jdshaeffer commented 5 years ago

Thanks. I'm still pretty new to the project, but from what I understand, the forticlientsslvpn script restarts the client after every time it fails to connect and waits an incrementally longer period of time before sending another request. However the biggest issue, I believe, is that after launching the VPN, scripts are unable to make HTTP requests to our machines behind the VPN, which is an absolute requirement in the project.

What you said about failing over fragile networks - that also might be an issue we have. The server that runs the scripts isn't itself connected to the VPN, heck it's not even connected to the internet.

DimitriPapadopoulos commented 5 years ago

In my case we use a token with one-time codes, so restarting the VPN automatically is not an option. Very frustrating...

As for not being able to reach HTTP servers behind the VPN: this doesn't mean the VPN isn't working properly. Most probably the parameters of the VPN appliance are not compatible with what you want to do. That's a routing issue. I can perfectly reach HTTP servers behind our VPN appliance using both openfortivpn and forticlientsslvpn. What I don't understand in your case: The scripts that make HTTP requests run on a server, but how is this server related to the VPN client software? Does the VPN client software run on the server? On some other computer? And how exactly are HTTP servers "behind" the VPN appliance?

jdshaeffer commented 5 years ago

Man I wish my manager could talk to you haha

Can I research these questions thoroughly and come back to you later with some good answers? Thanks so much for the assistance so far.

mrbaseman commented 5 years ago

The routing table (output of route -n) before and after opening the VPN connection and the IP of the HTTP servers might help in understanding what happens. You don't have to post it here, I'm just mentioning what you could look at to resolve your problem.

It could well be that the HTTP servers are in a DMZ zone, which is accessible from the internet and from the wired network behind the Fortigate, but perhaps not from the network which is assigned to the VPN clients. This may be by intention, or there is just a firewall rule missing (maybe simply because nobody has asked for it so far).
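The check suggested above, as an added example (not part of the thread or the openfortivpn project): given two `route -n` snapshots, it reports which interface and gateway would carry traffic to a server IP before and after the tunnel is up, using longest-prefix matching. The two routing tables and the IP addresses are constructed sample data; the assumed scenario is that the VPN pushes a route for a corporate range but not for a separate DMZ range.

```sh
#!/bin/sh
# Added example: decide which route in a `route -n` snapshot carries traffic
# to a given IP (longest-prefix match), and compare before/after the VPN is up.

# Constructed `route -n` output before the VPN is up.
ROUTES_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0'

# Constructed `route -n` output after the tunnel (ppp0) is up: a route for the
# assumed corporate range 10.0.0.0/8 was added, but none for the assumed DMZ 172.16.5.0/24.
ROUTES_AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0'

# route_for TABLE IP -> prints "Iface Gateway" of the longest-prefix match,
# or "unreachable" when no row (not even a default route) covers the IP.
route_for() {
    printf '%s\n' "$1" | awk -v ip="$2" '
    function to_int(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    function and32(x, y,  r, b, i) {
        # bitwise AND done arithmetically, since POSIX awk has no and()
        r = 0; b = 1
        for (i = 0; i < 32; i++) { if ((x % 2) && (y % 2)) r += b; x = int(x/2); y = int(y/2); b *= 2 }
        return r
    }
    NR <= 2 { next }   # skip the two header lines
    {
        m = to_int($3)  # Genmask; a longer prefix is a numerically larger mask
        if (and32(to_int(ip), m) == and32(to_int($1), m) && m >= best) {
            best = m; iface = $8; gw = $2
        }
    }
    END { if (iface != "") print iface, gw; else print "unreachable" }'
}

# Compare where traffic to a target goes before and after the tunnel came up.
compare() {
    echo "$1 before: $(route_for "$ROUTES_BEFORE" "$1")"
    echo "$1 after:  $(route_for "$ROUTES_AFTER" "$1")"
}
compare 10.20.30.40   # constructed corporate host: moves onto ppp0
compare 172.16.5.7    # constructed DMZ host: still leaves via the default route, not the VPN
```

On a live host, `ip route get <ip>` answers the same question directly; the point of the snapshot comparison is to see which destinations the appliance actually routed through the tunnel.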

jdshaeffer commented 5 years ago

Sorry I've been MIA from this thread. The problem isn't as urgent as it was, but I'll still attempt to clarify our situation and answer some of your questions.

We use a VPN to connect to a server that contains certain software which is important for internal testing in our company. Said software is on a server that can only be accessed if connected to a VPN. On my local machine I can access that server via SSH only if I'm connected to our VPN, which I can do successfully through the Forticlient GUI. I can run successful tests locally and it all works fine.

We are enhancing an AngularJS app as an internal tool that will automate all of this. All the code for this app is on a different remote server. We SSH into it to get our work done. There is no need to be connected to a VPN to connect to this server. This server isn't connected to the internet for security reasons. In the app, a user can configure tests and send them to the 1st server, the one that can only be accessed via VPN, so the tests can run. We attempt to connect to the VPN from the app via the forticlientsslvpn and pexpect, a Python tool that spawns the command.

We have noticed that the forticlientsslvpn is flaky and works on and off. I couldn't tell you exactly why. About the HTTP requests thing, I only mentioned that because a previous intern left this comment for me, "Open issue: Forticlient CLI not working, ... after launching the VPN, scripts are unable to make HTTP requests to machines behind the VPN." I've asked others about this but they're not sure about what he meant.

Again, it's not a major problem at the moment. We've ultimately decided to copy the code from the VPN-required server and put it on a different server that doesn't require VPN in hopes of avoiding this altogether.

Sorry for the long response and lack of detail, I'm afraid it won't be much help if you want to continue trying to help. Let me know if you want to know more. Either way, I appreciate it.

mrbaseman commented 5 years ago

Well, based on this information I would recommend that you should describe your workflow to all the responsible people who are running the infrastructure that you use and ask them for possible solutions. You probably have to talk to

All this should fit to your workflow. Without detailed information about the network configurations etc. it's difficult to help, but if you involve all these people who know the details about their devices, the preferred solution probably becomes obvious quite quickly.

jdshaeffer commented 5 years ago

Thanks, I'll look into that. Closing for now.