After connection stablished can't access any of the VPNs websites

Question

After connection stablished can't access any of the VPNs websites

rafaelcn opened this issue 10 months ago · comments

Rafael Campos Nunes commented 10 months ago

Hi, I'm on Fedora and when connecting to a given VPN it does create a network device (ppp0), updates the routes and also prepends information on the DNS file resolve.conf with new entries. The problem is that I can't seem to access any of the services over that VPN, whenever I try to access a website that should be accessible there's no route to it.

I even tried the tun branch version but to no avail, it still doesn't work. If you want I can provide some logs. I tried to use two versions of the openfortivpn, the first is the package provided by my operating system (Fedora 38) with version 1.19.0 and the other I compiled myself from the branch tun (revision v1.20.4+git5.gbeefa44).

I don't know the version of FortiOS on the other end of the VPN.

Dimitri Papadopoulos Orfanos · Answer 1 · Thu Jul 20 2023 22:38:39 GMT+0800 (China Standard Time)

Can you ping the IP address of the website but not the DNS name? Can you ping the DNS name?

Also please read Reporting issues. We'll see whether logs are needed after you answer the above questions.

Rafael Campos Nunes · Answer 2 · Thu Jul 20 2023 22:41:18 GMT+0800 (China Standard Time)

I can't do either, the only thing that resolves is the actual address of the VPN. I'll add more information as in the reporting issues section

Dimitri Papadopoulos Orfanos · Answer 3 · Thu Jul 20 2023 22:46:54 GMT+0800 (China Standard Time)

Have you built the latest openfortivpn version? Used the RPM package?

Rafael Campos Nunes · Answer 4 · Thu Jul 20 2023 23:07:23 GMT+0800 (China Standard Time)

Updated this information on the issue description

Dimitri Papadopoulos Orfanos · Answer 5 · Fri Jul 21 2023 03:07:00 GMT+0800 (China Standard Time)

Then I guess routing hasn't been properly set. It would be useful to see routes before/after running the VPN:

ip route

Rafael Campos Nunes · Answer 6 · Fri Jul 21 2023 07:28:50 GMT+0800 (China Standard Time)

They were, I verified the routes before and after the VPN starts and also initialized the openfortivpn on debug mode just to see what it did. The routes look a lot like the ones that are set up on my Windows machine when I connect using the official VPN client. Same thing with the resolv.conf file, it gets updated with two addresses for a nameserver and a search statement with lots of domains from the VPN.

Mihai Sorin Dobrescu · Answer 7 · Sat Jul 22 2023 13:52:26 GMT+0800 (China Standard Time)

Hi, I have a similar problem and more. It seems it connects, creates the routes, adds the DNS servers, but I can't access the services behind, no ping response, although the commercial version under Windows works for the same connection. Compared to the Windows version, it seems to generate the same setup. Also, It stays for some time connected, maybe 10-20 mins, then disconnects.

Mihai Sorin Dobrescu · Answer 8 · Sat Jul 22 2023 14:21:07 GMT+0800 (China Standard Time)

My system is a Gentoo-based distro, MocaccinoOS, we use openfortivpn 1.20.3.
I've tested under KDE Plasma, where the Network Manager integration seems to be the cause, as the CLI version works fine. Although seems similar to #1120, version 1.20.3 does not work for me either.

Dimitri Papadopoulos Orfanos · Answer 9 · Sun Jul 23 2023 04:04:48 GMT+0800 (China Standard Time)

@msdobrescu You do not have a similar problem if openfortivpn works from the command line. Please create a ticket against the KDE Network Manager integration.

Mihai Sorin Dobrescu · Answer 10 · Sun Jul 23 2023 11:24:45 GMT+0800 (China Standard Time)

Sorry, can't tell the cause - so it looked similar to me. My bad!
Here: https://bugs.kde.org/show_bug.cgi?id=472491

Mihai Sorin Dobrescu · Answer 11 · Sun Jul 23 2023 11:27:47 GMT+0800 (China Standard Time)

Can you confirm that it's exclusive issue of the KDE Network Manager integration? I use the OpenVPN client and it works fine.

Rafael Campos Nunes · Answer 12 · Mon Jul 24 2023 02:25:17 GMT+0800 (China Standard Time)

@DimitriPapadopoulos any thoughts on how can I make any discovery about this problem? I can provide the log output from pppd and also the route/interface output.

Dimitri Papadopoulos Orfanos · Answer 13 · Mon Jul 24 2023 03:09:34 GMT+0800 (China Standard Time)

You could try FortiClient in addition to openfortivpn and compare routing after starting either VPN. Possible issues:

openfortivpn does not have support for IPv6 (#112)
other routing issue you may not have not noticed.

Perhaps a detailed log (-v -v -v) might help here, but I suspect looking at routing after starting FortiClient and openfortivpn could provide better clues.

Rafael Campos Nunes · Answer 14 · Mon Jul 24 2023 04:10:45 GMT+0800 (China Standard Time)

I know for sure that I won't be using IPv6 and the official client doesn't work for some reason, it fails with the error Config routing table failed which I assumed was because it didn't require any root permissions but the vpn program from the official client requires and fails for the same reason. Either way, it is another product and I was happy when the openfortivpn client connected to the VPN successfully.

I have the routing table from both programs (one in Linux and the other in Windows) and I'll compare them). What would be the other routing issue from what I told you about?

Rafael Campos Nunes · Answer 15 · Mon Jul 24 2023 04:15:50 GMT+0800 (China Standard Time)

I was worried that my requests were not being forwarded through the ppp0 interface created by openfortivpn so is there any way of debugging that? can I use iptables in some way to get more information about this problem?

Martin Hecht · Answer 16 · Mon Jul 24 2023 18:04:43 GMT+0800 (China Standard Time)

It could be the firewall, which doesn't allow the traffic that you would expect - either that your local iptables doesn't allow traffic to the ppp0 device, or the Fortigate at the other end of the tunnel. But if nothing is allowed per policy on the Fortigate, it wouldn't even push the routes.

Maybe endpoit detection is active and the Fortigate only allows specific clients (e.g. official windows Forticlient instances) - I have no experience, but I know this feature has been added to FortiOS

Dimitri Papadopoulos Orfanos · Answer 17 · Mon Jul 24 2023 19:51:13 GMT+0800 (China Standard Time)

Indeed, endpoint detection might be the issue here. Have you tried FortiClient?

Rafael Campos Nunes · Answer 18 · Mon Jul 24 2023 20:44:29 GMT+0800 (China Standard Time)

@DimitriPapadopoulos, yes I tried as I wrote in the previous comment. So I happen to connect to the endpoint successfully and I do have routes configured just right. @mrbaseman I tried to disable the firewall before and even change the selinux policy to permissive but it didn't work as I was expecting. I'll try to disable the firewall and then have a look at the IP tables and maybe add a rule to the VPN interface created by openfortivpn (?).

I even tried to reverse engineer the official client to see where the failure point was being thrown and I'm leaning towards the conclusion of the client not having the right set of permissions to configure routes or whatever it actually tries to do (it's very hard to read disassembled code)

Dimitri Papadopoulos Orfanos · Answer 19 · Mon Jul 24 2023 20:50:49 GMT+0800 (China Standard Time)

The Windows client relies on IPSec by default, while the Linux client is an SSL VPN. Perhaps VPN SSL is not enabled on that VPN server.

I was happy when the openfortivpn client connected to the VPN successfully.

What happened since then? Upgrade of the VPN server? Upgrade of your own Linux machine?

Rafael Campos Nunes · Answer 20 · Mon Jul 24 2023 21:16:00 GMT+0800 (China Standard Time)

I meant that I was happy that openfortivpn was able to connect to the VPN server as the official client couldn't. Even though I connect to the VPN server successfully I'm unable to access any of the websites over that VPN for some reason.

Let me show you the debug information for the openfortivpn client. Don't worry because all of the personal information is redacted in some way.

openfortivpn -v

DEBUG:  openfortivpn 1.19.0
DEBUG:  revision unavailable
DEBUG:  Loaded configuration file "/etc/openfortivpn/config".
DEBUG:  Loaded password from configuration file "/etc/openfortivpn/config"
DEBUG:  Configuration host = "teletrabalho.someplace.com.br"
DEBUG:  Configuration realm = ""
DEBUG:  Configuration port = "443"
DEBUG:  Configuration username = "user.name"
DEBUG:  Resolving gateway host ip
DEBUG:  Establishing ssl connection
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 131072
DEBUG:  server_addr: 187.72.XXX.XXX
DEBUG:  server_port: 443
DEBUG:  gateway_addr: 187.72.XXX.XXX
DEBUG:  gateway_port: 443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Gateway certificate validation succeeded.
INFO:   Connected to gateway.
DEBUG:  Empty cookie.
Two-factor authentication token: 
DEBUG:  Cookie: SVPNCOOKIE=<redacted>
INFO:   Authenticated.
DEBUG:  Cookie: SVPNCOOKIE=<redacted>
INFO:   Remote gateway has allocated a VPN.
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 131072
DEBUG:  server_addr: 187.72.XXX.XXX
DEBUG:  server_port: 443
DEBUG:  gateway_addr: 187.72.XXX.XXX
DEBUG:  gateway_port: 443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Gateway certificate validation succeeded.
DEBUG:  Retrieving configuration
DEBUG:  found dns suffix b.br;s.com.br;h.com.br;s.c.br;c.com.br in xml config
DEBUG:  found dns server 10.210.XXX.XXX in xml config
DEBUG:  found dns server 10.100.XXX.XXX in xml config
DEBUG:  Establishing the tunnel
DEBUG:  ppp_path: /usr/sbin/pppd
DEBUG:  Switch to tunneling mode
DEBUG:  Starting IO through the tunnel
DEBUG:  pppd_read thread
DEBUG:  ssl_read thread
DEBUG:  ssl_write thread
DEBUG:  if_config thread
Using interface ppp0
Connect: ppp0 <--> /dev/pts/5
DEBUG:  pppd ---> gateway (16 bytes)
DEBUG:  pppd_write thread
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  gateway ---> pppd (16 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  pppd ---> gateway (17 bytes)
DEBUG:  pppd ---> gateway (18 bytes)
DEBUG:  pppd ---> gateway (16 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  gateway ---> pppd (6 bytes)
DEBUG:  gateway ---> pppd (17 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  pppd ---> gateway (6 bytes)
DEBUG:  pppd ---> gateway (6 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  gateway ---> pppd (24 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  gateway ---> pppd (6 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
INFO:   Got addresses: [172.20.XXX.XXX], ns [10.210.XXX.XXX, 10.100.XXX.XXX], ns_suffix [b.br;s.com.br;h.com.br;s.c.br;c.com.br]
INFO:   Negotiation complete.
DEBUG:  Got Address: 172.20.XXX.XXX
DEBUG:  if_config: not ready yet...
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  Got Address: 172.20.XXX.XXX
DEBUG:  if_config: not ready yet...
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  Got Address: 172.20.XXX.XXX
DEBUG:  if_config: not ready yet...
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  Got Address: 172.20.XXX.XXX
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  if_config: not ready yet...
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  Got Address: 172.20.XXX.XXX
DEBUG:  if_config: not ready yet...
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  Got Address: 172.20.XXX.XXX
DEBUG:  if_config: not ready yet...
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  Got Address: 172.20.XXX.XXX
DEBUG:  if_config: not ready yet...
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  Got Address: 172.20.XXX.XXX
DEBUG:  if_config: not ready yet...
DEBUG:  gateway ---> pppd (12 bytes)
DEBUG:  pppd ---> gateway (12 bytes)
DEBUG:  gateway ---> pppd (16 bytes)
DEBUG:  pppd ---> gateway (16 bytes)
DEBUG:  gateway ---> pppd (6 bytes)
INFO:   Negotiation complete.
DEBUG:  pppd ---> gateway (6 bytes)
local  IP address 172.20.XXX.XXX
remote IP address 169.254.XXX.XXX
DEBUG:  pppd ---> gateway (42 bytes)
DEBUG:  Got Address: 172.20.XXX.XXX
DEBUG:  Interface Name: ppp0
DEBUG:  Interface Addr: 172.20.XXX.XXX
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
DEBUG:  ip route show to 0.0.XXX.XXX/0.0.XXX.XXX dev !ppp0
DEBUG:  ip route show to 187.72.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  Route not found.
DEBUG:  ip route show to 187.72.XXX.XXX/255.255.XXX.XXX dev !ppp0
DEBUG:  Setting route to vpn server...
DEBUG:  ip route show to 187.72.XXX.XXX/255.255.XXX.XXX via 192.168.XXX.XXX dev wlp3s0
DEBUG:  ip route add to 187.72.XXX.XXX/255.255.XXX.XXX via 192.168.XXX.XXX dev wlp3s0
DEBUG:  ip route add to 10.220.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.100.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.210.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.221.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.222.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.223.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.224.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.223.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.222.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.240.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.228.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.230.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.238.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.223.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.210.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.26.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.228.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.228.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.228.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 177.66.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 177.66.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 177.66.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 200.218.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.209.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 200.198.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 189.9.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 189.9.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 200.19.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 200.19.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 200.19.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 200.19.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 191.239.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 200.175.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 198.18.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.228.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.232.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 187.72.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 189.125.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 187.72.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 187.72.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 189.125.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 187.72.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 189.125.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 104.41.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 18.231.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 200.242.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.0.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.222.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 177.11.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 189.87.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 189.9.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 192.168.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 177.11.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 189.87.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 104.18.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 104.18.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 104.19.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 177.54.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 10.219.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 172.21.XXX.XXX/255.255.XXX.XXX dev ppp0
DEBUG:  ip route add to 200.19.XXX.XXX/255.255.XXX.XXX dev ppp0
INFO:   Adding VPN nameservers...
DEBUG:  Attempting to modify /etc/resolv.conf directly.
DEBUG:  Adding "nameserver 10.210.XXX.XXX", to /etc/resolv.conf.
DEBUG:  Adding "nameserver 10.100.XXX.XXX", to /etc/resolv.conf.
DEBUG:  dns_suffix already present in /etc/resolv.conf.
INFO:   Tunnel is up and running.
DEBUG:  pppd ---> gateway (42 bytes)
DEBUG:  pppd ---> gateway (203 bytes)
DEBUG:  pppd ---> gateway (203 bytes)
DEBUG:  pppd ---> gateway (203 bytes)
DEBUG:  pppd ---> gateway (42 bytes)
DEBUG:  pppd ---> gateway (70 bytes)
DEBUG:  pppd ---> gateway (70 bytes)
DEBUG:  pppd ---> gateway (203 bytes)
DEBUG:  pppd ---> gateway (42 bytes)
DEBUG:  pppd ---> gateway (70 bytes)
DEBUG:  pppd ---> gateway (70 bytes)
DEBUG:  pppd ---> gateway (70 bytes)
DEBUG:  pppd ---> gateway (70 bytes)
DEBUG:  pppd ---> gateway (203 bytes)
DEBUG:  pppd ---> gateway (203 bytes)
DEBUG:  pppd ---> gateway (203 bytes)
DEBUG:  pppd ---> gateway (203 bytes)

firewall configuration

$ firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp3s0
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Dimitri Papadopoulos Orfanos · Answer 21 · Tue Jul 25 2023 04:24:45 GMT+0800 (China Standard Time)

That's the code that emits the DEBUG: Route not found message, which looks suspect:

	if (rtfound == 0) {
		// should not occur anymore unless there is no default route
		log_debug("Route not found.\n");

By the way, are you able to ping the DNS servers 10.210.XXX.XXX and 10.100.XXX.XXX?

Rafael Campos Nunes · Answer 22 · Tue Jul 25 2023 09:20:39 GMT+0800 (China Standard Time)

Yes, both of them are accessible by ping just fine. Interestingly, the address from that route not found debug message is shown when I try to find it with ip route show | grep "187.72.XXX.XXX". And it shows that the address is accessible from the default gateway of my network.

$ ip route show | grep "187.72.XXX.XXX"
187.72.XXX.XXX via 192.168.0.1 dev wlp3s0

Piotr Kubaj · Answer 23 · Thu Jul 27 2023 16:14:57 GMT+0800 (China Standard Time)

I use version 1.20.5 on FreeBSD 14.0-CURRENT. FreeBSD obviously does not use NetworkManager and the same issue happens as well, with openfortivpn starting from the command line.

Dimitri Papadopoulos Orfanos · Answer 24 · Thu Jul 27 2023 17:39:28 GMT+0800 (China Standard Time)

@pkubaj Routing is handled differently on FreeBSD, so I doubt you experience the "same issue". Open a different ticket if needed.

klaverjan · Answer 25 · Wed Nov 29 2023 15:11:12 GMT+0800 (China Standard Time)

I am also on Fedora39 using the RPM.

I've noticed that after the VPN is established it adds 2 static routes for the VPN gateway via the established tunnel.

Deleting the 2 offending routes after establishing the connection fixes the problem.

Below output is from "route -n"

197.234.XXX.XXX 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0 <---- Incorrect static route.
197.234.XXX.XXX 172.31.X.X 255.255.255.255 UGH 50 0 0 wlp0s20f3 <---- Correct route via wireless interface.
197.234.XXX.XXX 0.0.0.0 255.255.255.255 UH 50 0 0 ppp0 <---- Incorrect static route.

Doing "route del -host 197.234.XXX.XXX dev ppp0" twice removes the offending routes and the VPN starts working.

Dimitri Papadopoulos Orfanos · Answer 26 · Wed Nov 29 2023 17:20:42 GMT+0800 (China Standard Time)

@klaverjan Are you connecting from NetworkManager or directly from the command line by running openfortivpn?

klaverjan · Answer 27 · Wed Nov 29 2023 18:37:08 GMT+0800 (China Standard Time)

Hi @DimitriPapadopoulos

@klaverjan Are you connecting from NetworkManager or directly from the command line by running openfortivpn?

I am using NetworkManager.

klaverjan · Answer 28 · Wed Nov 29 2023 18:53:19 GMT+0800 (China Standard Time)

Hi @DimitriPapadopoulos

@klaverjan Are you connecting from NetworkManager or directly from the command line by running openfortivpn?

I am using NetworkManager.

Running the below from the command line works correctly, so the issue seems to be NM-Related.

Hopefully the work-around is helpful in the mean time.

[root /tmp]# /usr/bin/openfortivpn -c /tmp/forti.config --no-dns --pppd-use-peerdns=1 197.234.XXX.XXX:10443 --trusted-cert d3335ec2d2a3d88583f456178553757da4759096d***************
INFO: Connected to gateway.
INFO: Authenticated.
INFO: Remote gateway has allocated a VPN.
Using interface ppp0
Connect: ppp0 <--> /dev/pts/0
INFO: Got addresses: *********
INFO: Negotiation complete.
local IP address *****
remote IP address ******
primary DNS address ***********
secondary DNS address ***********
INFO: Interface ppp0 is UP.
INFO: Setting new routes...
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Route to gateway exists already.
INFO: Tunnel is up and running.

Rafael Campos Nunes · Answer 29 · Thu Nov 30 2023 01:05:11 GMT+0800 (China Standard Time)

I'm enjoying quite a lot of these other comments about the same problem. Gonna try to connect again in a few hours and try to do what you did @klaverjan.