theinvisible / openfortigui

VPN-GUI to connect to Fortigate-Hardware, based on openfortivpn
https://hadler.me/linux/openfortigui/
GNU General Public License v3.0

OTP prompt not appearing #179

Open digitalkram opened 2 years ago

digitalkram commented 2 years ago

Hello,

This might be a duplicate of #107. But as I am not 100% sure, I do not want to hijack issue #107. If feasible, this one can be closed and be further discussed in #107...

This report refers to version openFortiGUI 0.9.8-dev from the iteas repo.

We were using the above version without issues while the OTP came from the FortiToken Mobile app. Now our organization switched FortiVPN from FortiToken Mobile to Microsoft SSO (to harmonize the methods used within the organization).

With this new OTP mechanism, connecting the VPN with openfortigui fails, while it still works with openfortivpn from the CLI.

GUI log:

─▶ $  cat logs/openfortigui.log
[...]
Sept. 19 11:39:00 openfortiGUI::Debug: VPN process  "<vpn name>"  error occurred!
Sept. 19 11:39:00 openfortiGUI::Debug: VPN process  "<vpn name>"  finished!
─▶ $  

VPN log:

└─▶ $  cat logs/vpn/<vpn name>.log 
Sept. 19 11:38:59 INFO:   Start tunnel.
DEBUG:  SO_KEEPALIVE: 0
DEBUG:  SO_SNDBUF: 6
DEBUG:  SO_RCVBUF: 60
DEBUG:  server_addr: 178.15.58.20
DEBUG:  server_port: 443
DEBUG:  gateway_addr: 178.15.58.20
DEBUG:  gateway_port: 443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Gateway certificate validation succeeded.
INFO:   Connected to gateway.

openfortivpn cli log:

└─▶ $  sudo openfortivpn
VPN account password: 
INFO:   Connected to gateway.
Please enter one-time password:
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
Using interface ppp0
Connect: ppp0 <--> /dev/pts/3
INFO:   Got addresses: [xx.x.xxx.x], ns [xx.x.x.xx, xx.x.x.xx]
INFO:   negotiation complete
INFO:   negotiation complete
local  IP address 10.6.230.7
remote IP address 192.0.2.1
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
WARN:   Route to gateway exists already.
INFO:   Adding VPN nameservers...
INFO:   Tunnel is up and running.

Similar to #107, it hangs at INFO: Connected to gateway.

As seen in the openfortivpn log, the OTP request string in our case is "Please enter one-time password:", which afaict is the default one. I tried messing around with "Always ask for OTP" and "OTP prompt string" to no avail. And due to the correct OTP request string that's probably expected. So obviously the question here is more why it hangs there when called by the GUI and not when called via the CLI.

Debug is ticked in the VPN settings already. Is there a way to pass -v to the call of openfortivpn to get more logs?

Thanks and cheers
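As an added illustration (not openfortigui's code, and not a statement about the cause of this issue), here is one failure mode a prompt-detecting wrapper can have: an OTP prompt usually ends without a newline, so a reader that waits for complete lines never sees it and stalls right after "Connected to gateway.", while a byte-level match on the buffered output does. The child process is a constructed stand-in that reads the OTP from stdin; the real client is not modelled.

```python
import os
import select
import subprocess
import sys
import time

OTP_PROMPT = "Please enter one-time password:"  # default prompt seen in the CLI log above

# Constructed stand-in for the VPN client: emits the log line from the issue,
# then the OTP prompt WITHOUT a trailing newline, then waits for one stdin line.
FAKE_VPN = r'''
import sys
sys.stdout.write("INFO:   Connected to gateway.\n")
sys.stdout.write("Please enter one-time password: ")
sys.stdout.flush()
otp = sys.stdin.readline().strip()
sys.stdout.write("INFO:   Authenticated.\n" if otp == "123456" else "ERROR:  Bad OTP.\n")
sys.stdout.flush()
'''


def run_with_prompt_detection(otp, line_based, timeout=3.0):
    """Spawn the stand-in client and feed `otp` once the prompt is detected.

    line_based=True only inspects completed lines (what a readline()-style log
    reader sees); line_based=False matches on the raw buffered bytes.
    Returns whether the prompt was seen and whether authentication succeeded."""
    proc = subprocess.Popen([sys.executable, "-c", FAKE_VPN], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    buf, sent = b"", False
    deadline = time.time() + timeout
    while time.time() < deadline:
        ready, _, _ = select.select([proc.stdout], [], [], 0.1)
        if not ready:
            continue
        chunk = os.read(proc.stdout.fileno(), 4096)
        if not chunk:  # child exited and closed its stdout
            break
        buf += chunk
        if not sent:
            # A line reader would only ever hand us text up to the last newline.
            haystack = buf[:buf.rfind(b"\n") + 1] if line_based else buf
            if OTP_PROMPT.encode() in haystack:
                proc.stdin.write((otp + "\n").encode())
                proc.stdin.flush()
                sent = True
    if proc.poll() is None:  # timed out: the wrapper would hang here forever
        proc.kill()
    proc.wait()
    return {"prompt_seen": sent, "authenticated": b"Authenticated" in buf}
```

Run it twice, once with each reader style, to see the same child succeed or stall depending only on how the wrapper reads its output.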