adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0

Run as system daemon #93

Closed nidico closed 7 years ago

nidico commented 7 years ago

What's the best practice in order to run openfortivpn as a system daemon, e.g. as a systemd unit? I'm particularly concerned about automatic reconnection in case of connection loss.

adrienverge commented 7 years ago

Hi @nidico,

You need to create a systemd config file (either in /etc/systemd/system or /usr/lib/systemd/system), for example openfortivpn.service. I'm not a systemd expert but I guess you would need:

[Install]
After=NetworkManager.service

Once done:

sudo systemctl daemon-reload
sudo systemctl start openfortivpn
sudo systemctl enable openfortivpn

nidico commented 7 years ago

For others looking at this: this isn't working (i.e. automatically restarting) for me as it is (though a similar systemd unit in general is). I haven't spent more time on it since and set up a cron job which restarts the systemd service if the connection is down.
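The cron-driven restart mentioned above, written out as an added example; this is not code from the openfortivpn project or from anyone in this thread. It probes a host that is only reachable through the tunnel, checks that the route to it actually goes over the ppp interface (so a probe answered over the default gateway does not count as healthy), and restarts the unit after a few consecutive failures rather than on the first lost ping. The interface name ppp0, the probe host 10.0.0.1, the unit name and the state-file path are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the openfortivpn project or from this thread:
# a watchdog to run every minute from cron or a systemd timer. It restarts the
# unit when the tunnel is dead even though systemd still shows it "active"
# (with Type=simple, systemd only knows that the openfortivpn process exists).
# Assumptions, all placeholders: the tunnel interface is ppp0, 10.0.0.1 is a
# host reachable only through the VPN, and the unit is openfortivpn.service.
set -u

PROBE_HOST=${PROBE_HOST:-10.0.0.1}
TUN_DEV=${TUN_DEV:-ppp0}
UNIT=${UNIT:-openfortivpn.service}
STATE=${STATE:-/run/openfortivpn-watchdog.fails}
THRESHOLD=${THRESHOLD:-3}   # consecutive failed probes before a restart

# route_via_dev ROUTE_TEXT DEV: 0 if the `ip route get` output says "dev DEV".
# Checking the route first catches the case where the VPN route is gone and
# the probe would otherwise be sent, and answered, over the default gateway.
route_via_dev() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        { for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) found = 1 }
        END { exit found ? 0 : 1 }'
}

# tunnel_healthy: 0 if the probe host routes through the tunnel and answers
tunnel_healthy() {
    route=$(ip route get "$PROBE_HOST" 2>/dev/null) || return 1
    route_via_dev "$route" "$TUN_DEV" || return 1
    ping -c 1 -W 2 "$PROBE_HOST" >/dev/null 2>&1
}

# bump_failures FILE: increment the counter stored in FILE and print it
bump_failures() {
    n=$(cat "$1" 2>/dev/null || echo 0)
    n=$((n + 1))
    echo "$n" > "$1"
    echo "$n"
}

# should_restart COUNT: 0 once COUNT has reached THRESHOLD
should_restart() { [ "$1" -ge "$THRESHOLD" ]; }

watchdog() {
    if tunnel_healthy; then
        rm -f "$STATE"
        return 0
    fi
    fails=$(bump_failures "$STATE")
    if should_restart "$fails"; then
        logger -t openfortivpn-watchdog "tunnel down for $fails probes, restarting $UNIT"
        rm -f "$STATE"
        systemctl restart "$UNIT"
    fi
}

# cron entry (root crontab): * * * * * /usr/local/sbin/openfortivpn-watchdog.sh run
case ${1:-} in
    run) watchdog ;;
esac
```

The script has to run as root because it calls systemctl restart; keep it in a root-only directory. The threshold exists because a single dropped ICMP reply across a busy tunnel is common, and bouncing the VPN on every one of them would cause more outage than it cures.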

r3tr0g4m3r commented 6 years ago

This is my service running at boot in CentOS 7.4: /usr/lib/systemd/system/openfortivpn.service

[Unit]
Description = OpenFortiVPN
After=network-online.target multi-user.target
Documentation=man:openfortivpn(1)

[Service]
User=root
Type=idle
ExecStart = /usr/local/bin/openfortivpn -c /etc/openfortivpn/config
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target

deevictor commented 3 years ago

/etc/openfortivpn/config

Type=forking, otherwise systemd will show active status even if the VPN connection is not established.

DimitriPapadopoulos commented 3 years ago

Type=forking doesn't look right here, because openfortivpn does not fork. Doesn't Type=simple work for you?

deevictor commented 3 years ago

My bad, the service does not start with the forking or simple type, only with Type=idle as mentioned by r3tr0g4m3r.

DimitriPapadopoulos commented 3 years ago

Type=notify might be useful too, as openfortivpn calls sd_notify() to notify systemd when the tunnel is up.

iKlsR commented 3 years ago

@DimitriPapadopoulos I was setting this up and when I switch to notify it gets stuck in this state until it fails; going back to simple works.

ploi@data-server:~$ /usr/bin/openfortivpn --version
1.6.0
ploi@data-server:~/data.redacted.com/itch$ systemctl status openfortivpn.service
● openfortivpn.service - Forti VPN Api Service
   Loaded: loaded (/etc/systemd/system/openfortivpn.service; enabled; vendor preset: enabled)
   Active: activating (start) since Tue 2021-10-05 13:07:02 UTC; 19s ago
     Docs: man:openfortivpn(1)
 Main PID: 19945 (openfortivpn)
    Tasks: 6 (limit: 1150)
   CGroup: /system.slice/openfortivpn.service
           ├─19945 /usr/bin/openfortivpn -c /etc/openfortivpn/config
           └─19960 /usr/sbin/pppd 38400 :1.1.1.1 noipdefault noaccomp noauth default-asyncmap nopcomp receive-all nodefaultroute nodetach lcp-max-config

[Unit]
Description=OpenFortiVPN Service
After=network-online.target multi-user.target
Documentation=man:openfortivpn(1)

[Service]
User=root
Type=simple
# WorkingDirectory=/root
ExecStart=/usr/bin/openfortivpn -c /etc/openfortivpn/config
Restart=always
RestartSec=5
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=openfortivpn
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target

DimitriPapadopoulos commented 3 years ago

it gets stuck in this state until it fails

In which state? How does it fail?

iKlsR commented 3 years ago

With notify when I reload and restart I get

● openfortivpn.service - OpenFortiVPN Service
   Loaded: loaded (/etc/systemd/system/openfortivpn.service; enabled; vendor preset: enabled)
   Active: activating (start) since Tue 2021-10-05 13:05:26 UTC; 1s ago
     Docs: man:openfortivpn(1)
 Main PID: 19719 (openfortivpn)
    Tasks: 7 (limit: 1150)
   CGroup: /system.slice/openfortivpn.service
           ├─19719 /usr/bin/openfortivpn -c /etc/openfortivpn/config
           └─19734 /usr/sbin/pppd 38400 :1.1.1.1 noipdefault noaccomp noauth default-asyncmap nopcomp receive-all nodefaultroute nodetach lcp-max-config

as opposed to using simple

● openfortivpn.service - OpenFortiVPN Service
   Loaded: loaded (/etc/systemd/system/openfortivpn.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-10-05 13:14:15 UTC; 25min ago
     Docs: man:openfortivpn(1)
 Main PID: 20310 (openfortivpn)
    Tasks: 6 (limit: 1150)
   CGroup: /system.slice/openfortivpn.service
           ├─20310 /usr/bin/openfortivpn -c /etc/openfortivpn/config
           └─20325 /usr/sbin/pppd 38400 :1.1.1.1 noipdefault noaccomp noauth default-asyncmap nopcomp receive-all nodefaultroute nodetach lcp-max-config

I see nothing useful in syslog or with journalctl, if I do hostname -I I can see the expected ip while it's in that state but I can't connect. I can't try to reproduce this now as I need the vpn running to capture some itch data but I will try again with notify tomorrow as I believe there was something in the logs yesterday when I was playing with this.

ploi@data-server:~$ sudo systemctl start openfortivpn.service
Job for openfortivpn.service failed because a timeout was exceeded.

DimitriPapadopoulos commented 3 years ago

ploi@data-server:~$ /usr/bin/openfortivpn --version
1.6.0

Version 1.6.0 is pretty old and does not call sd_notify(). My recommendation would be to:

DimitriPapadopoulos commented 3 years ago

Also see #948.
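To tie the Type= discussion together, here is an added example (not code from the openfortivpn project or from any poster in this thread) that renders a unit with either Type=notify or Type=simple, refuses to install it while the config file that carries the VPN password is readable by other users, and then enables it. Type=notify is the right choice only for a build that calls sd_notify() once the tunnel is up; a build that never notifies (the thread shows 1.6.0 behaving that way) will sit in "activating" until TimeoutStartSec expires and the start job fails, which is exactly the symptom reported above. The paths /usr/bin/openfortivpn, /etc/openfortivpn/config and /etc/systemd/system/openfortivpn.service are assumptions.

```shell
#!/bin/sh
# Added example (not code from the openfortivpn project or from this thread):
# render a systemd unit for openfortivpn, refuse to install it while the
# credential file is readable by other users, then enable it.
# Assumptions, all placeholders: binary at /usr/bin/openfortivpn, config at
# /etc/openfortivpn/config, unit installed to /etc/systemd/system.
set -eu

BIN=${BIN:-/usr/bin/openfortivpn}
CONFIG=${CONFIG:-/etc/openfortivpn/config}
UNIT_PATH=${UNIT_PATH:-/etc/systemd/system/openfortivpn.service}

# render_unit TYPE: print the unit on stdout. TYPE is "notify" for a build
# that calls sd_notify() once the tunnel is up (systemd then reports "active"
# only when the VPN really works) or "simple" for builds that never notify:
# with Type=notify those sit in "activating" until TimeoutStartSec expires.
render_unit() {
    type=$1
    case $type in
        notify|simple) ;;
        *) echo "render_unit: type must be notify or simple, got '$type'" >&2; return 1 ;;
    esac
    cat <<EOF
[Unit]
Description=openfortivpn tunnel
Documentation=man:openfortivpn(1)
After=network-online.target
Wants=network-online.target
# No start rate limit: a burst limit (e.g. 5 starts in 500 s) marks the unit
# failed after a few quick failures, which is exactly what happens while the
# gateway is unreachable for a longer period, and then nothing reconnects.
StartLimitIntervalSec=0

[Service]
Type=$type
ExecStart=$BIN -c $CONFIG
# Restart on every exit: connection loss, session lease expiry, gateway reboot
Restart=always
RestartSec=10
KillSignal=SIGTERM
# Root is required to drive pppd, so at least keep /home and /tmp out of reach
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
}

# config_mode_ok FILE: 0 if FILE is mode 600 or 400. The config carries the
# plaintext VPN password, so it must not be group- or world-readable.
config_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case $mode in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# install_unit TYPE: write, reload and enable the unit (needs root)
install_unit() {
    if ! config_mode_ok "$CONFIG"; then
        echo "refusing to install: $CONFIG must be mode 600 (chmod 600 $CONFIG)" >&2
        return 1
    fi
    render_unit "$1" > "$UNIT_PATH"
    systemctl daemon-reload
    systemctl enable --now openfortivpn.service
}

# usage: sudo sh thisfile.sh install notify    (or: install simple)
case ${1:-} in
    install) install_unit "${2:-notify}" ;;
esac
```

StartLimitIntervalSec= in the [Unit] section needs systemd 230 or newer; on systemd 219 (CentOS 7) the equivalent keys are StartLimitInterval= and StartLimitBurst= in the [Service] section. Whichever type you pick, check the result with systemctl status: "active (running)" with Type=notify means the tunnel is up, whereas with Type=simple it only means the process has not exited.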

requa3r0 commented 9 months ago

The standard lease time for the Forti VPN server side is 8 hours.

Has anyone figured out how to automatically reconnect if the connection is lost or the lease time expires?

mrbaseman commented 9 months ago

@requa3r0 see the above discussion about how to start openfortivpn as a daemon. If your login needs a one-time password or any other second factor, it is simply not possible to automate the reconnect.

kardoka commented 9 months ago

@mrbaseman If the connection is based on a username + password combination, is it possible to implement auto-reconnect?

requa3r0 commented 9 months ago

@kardoka Really

this daemon reconnects for days...1 sec after the lease time is over.

requa3r0 commented 9 months ago

@kardoka @mrbaseman Here:

[Unit]
Description=openfortivpn-daemon
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

StartLimitIntervalSec=500
StartLimitBurst=5

[Service]
Restart=on-failure
RestartSec=5s

ExecStart=/usr/bin/openfortivpn

[Install]
WantedBy=multi-user.target