adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0

half-internet-routes not working anymore? #969

Open initnull opened 2 years ago

initnull commented 2 years ago

Hi, recently (not sure which version it started) openfortivpn insists on setting a default route through the VPN. half-internet-routes = 1 used to prevent this, only it doesn't anymore. I need routes for the VPN subnets but NOT a default route. Setting a default route breaks all normal inet traffic. As a workaround I'm setting the routes manually via a pppd ip-up script now, which is clumsy because they might change. I'd much appreciate a fix for this issue. TIA Michael

DimitriPapadopoulos commented 2 years ago

I cannot recall the details of routing any more. Usually, openfortivpn follows the instructions sent by the VPN gateway. Most gateways instruct the client to route all traffic through the tunnel. Are you certain the issue you're experiencing is caused by a change in openfortivpn and not a change in the VPN gateway?

Meanwhile, as a workaround, you may handle routing yourself: https://github.com/adrienverge/openfortivpn/wiki#how-to-add-specific-routes-using-pppd

The most recent possibly related change appears to be https://github.com/adrienverge/openfortivpn/pull/617. It would help if you could identify the change that breaks openfortivpn for you.

initnull commented 2 years ago

Most gateways instruct the client to route all traffic through the tunnel.

So, running in -v mode:

input type="hidden" NAME="text6" VALUE="10.1.0.0/255.255.0.0,10.3.0.0/255.255.0.0,10.0.0.0/255.255.255.0,192.168.4.4/255.255.255.255,0.0.0.0/0.0.0.0"

[...]sslvpn-tunnel ver='2' dtls='1' patch='1'[...] addr ip='0.0.0.0' mask='0.0.0.0' /

So that damn ftgt seems to push its own default route. Not helpful, unwanted, most of all not working...

DimitriPapadopoulos commented 2 years ago

As an alternative, you may try OpenConnect. You need to compile the latest sources yourself for Fortinet support. The benefit is that OpenConnect calls an external script to set routing and DNS parameters. The standard script follows the instructions sent by the VPN gateway, usually rerouting all network traffic through the VPN: https://gitlab.com/openconnect/vpnc-scripts Alternative scripts, on the other hand, try to minimize the traffic routed through the VPN: https://github.com/dlenski/vpn-slice

That, or follow the instructions on the openfortivpn wiki: https://github.com/adrienverge/openfortivpn/wiki#how-to-add-specific-routes-using-pppd

mrbaseman commented 2 years ago

Whether the Fortigate pushes its own default route or not is configurable for each VPN on the Fortigate. The half-internet-routes option should not change much in the routing; it just avoids removing the existing default route and adding a new one through the tunnel. Instead it adds two routes with a /1 netmask.

I had a look at the commits of #617 but I believe they don't change if half-internet-routes or a default route are configured, just details of how exactly these routes are set up. But maybe it's not the routing code, but config parsing which is handled differently in newer versions.

I must admit that I don't get what exactly is broken. Is the half-internet-routes option not honored anymore? If so, on the command line or from the config file, or both? Does the option change something in how the routes are configured in your setup? What's the difference, and what is your expectation of how it should be, or what was different in former versions? If you can't figure out the commit or the version when it got broken, at least a working version and one which is "broken" could help narrow down the problem.

initnull commented 2 years ago

FWIW - I got the fortigate to do proper split tunneling, as they call it. No more meddling with my default route anymore, thank you very much ;) This article helped a lot: Enabling-split-tunnel-feature-for-SSL-VPN

I didn't set it up in the first place. Just to be clear xD

Thanks for all posts and hints here. Sadly not everyone is in the lucky situation to have admin access to the vpn partner. :)

Back to the issue at hand. Sorry I was very busy, so it took a while to reply.

Is the half-internet-routes option not honored anymore if so, on the command line or from the config file, or both?

It doesn't make a difference if I set it in the config file or on the command line. Routes are exactly the same. Version: 1.17.1-1 as in debian sid. Now that my VPN connection does not set a default route anymore I don't have a real test partner to check with though. I don't recall what it did when it was working. I just had no reason to look. :) And I don't want to "break" the fortigate again...

what is your expectation how it should be

Well, actually I expect the option to just ignore a default route if set by the VPN, as this is what I needed and the option name suggested. As I understood it, anyway.

According to the man page: "Set if openfortivpn should add two 0.0.0.0/1 and 128.0.0.0/1 routes with higher priority instead of replacing the default route." Which doesn't seem to be very helpful at all. But as I said I can't see any difference setting it or not.
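To illustrate what the man page sentence quoted above means, and why the option made no visible difference for this reporter, here is an added example (not code from openfortivpn) that parses the route list the Fortigate pushed in the -v output earlier in the thread and compares which destinations end up in the tunnel with and without half-internet-routes. The model of the option is an assumption drawn only from that man page sentence, not from the project's source.

```python
import ipaddress

# Constructed copy of the route list the gateway pushed in the -v output quoted above.
PUSHED_ROUTES = ("10.1.0.0/255.255.0.0,10.3.0.0/255.255.0.0,10.0.0.0/255.255.255.0,"
                 "192.168.4.4/255.255.255.255,0.0.0.0/0.0.0.0")

# The two routes the man page says replace a pushed default with half-internet-routes.
HALF_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]


def parse_pushed_routes(value):
    """Turn the comma-separated 'addr/netmask' list into IPv4Network objects."""
    nets = []
    for item in value.split(","):
        addr, mask = item.split("/")
        nets.append(ipaddress.IPv4Network((addr, mask), strict=False))
    return nets


def tunnel_routes(nets, half_internet_routes):
    """Assumed model of the routes pointing at the tunnel: a pushed 0.0.0.0/0
    either replaces the host's default route or, with half-internet-routes,
    becomes 0.0.0.0/1 + 128.0.0.0/1, which win against the kept /0 default
    on longest-prefix match. Either way every destination is tunnelled."""
    routes = []
    for net in nets:
        if net.prefixlen == 0 and half_internet_routes:
            routes.extend(HALF_ROUTES)
        else:
            routes.append(net)
    return routes


def specific_routes(nets):
    """What the reporter actually wanted: keep the pushed subnets, drop the catch-all."""
    return [net for net in nets if net.prefixlen > 0]


def via_tunnel(routes, dest):
    """Does any tunnel route cover dest? The pushed routes are all at least as
    specific as the host's default route, so a match means dest takes the tunnel."""
    return any(ipaddress.IPv4Address(dest) in net for net in routes)


if __name__ == "__main__":
    nets = parse_pushed_routes(PUSHED_ROUTES)
    for label, routes in (("default", tunnel_routes(nets, False)),
                          ("half-internet-routes", tunnel_routes(nets, True)),
                          ("specific only", specific_routes(nets))):
        print(f"{label:22} 8.8.8.8 via tunnel: {via_tunnel(routes, '8.8.8.8')}")
```

Running it shows 8.8.8.8 tunnelled in both the default and half-internet-routes cases and only the "specific only" set leaving normal internet traffic alone, which is the behaviour the reporter expected from the option.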