adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services

openfortivpn on MAC gets stuck

carbonem opened this issue · comments

Dear all,

I'm not an expert, so I hope you have some patience ;-)

I'm having an issue with connecting to my work VPN. Using openfortivpn works for other colleagues, so I guess the issue is with my machine.

Below find details on what the issue is. Can you please help me fix this issue?

Machine: Apple M1 (2020)
OS: Sonoma (14.4.1)
openfortivpn version: 1.21.0

openfortivpn config file:
```
set-dns = 0
pppd-use-peerdns = 1
host = sslvpn.mywork.mycountry
port = 443
username = myusername
```

command executed from shell
```shell
sudo openfortivpn -c config
```

output (where it gets stuck, sanitised from real ip addresses)
```
Password:
VPN account password:
INFO: Connected to gateway.
Please enter one-time password:
INFO: Authenticated.
INFO: Remote gateway has allocated a VPN.
Fri Apr 5 11:31:24 2024 : publish_entry SCDSet() failed: Success!
Fri Apr 5 11:31:24 2024 : publish_entry SCDSet() failed: Success!
Fri Apr 5 11:31:24 2024 : Using interface ppp0
Fri Apr 5 11:31:24 2024 : Connect: ppp0 <--> /dev/ttys001
INFO: Got addresses: [X], ns [Y.142.2, Y.142.3], ns_suffix [mywork.mycountry]
Fri Apr 5 11:31:24 2024 : local IP address X
Fri Apr 5 11:31:24 2024 : remote IP address Y.132.211
Fri Apr 5 11:31:24 2024 : primary DNS address Y.142.2
Fri Apr 5 11:31:24 2024 : secondary DNS address Y.142.3
Fri Apr 5 11:31:24 2024 : Committed PPP store
Fri Apr 5 11:31:24 2024 : Committed PPP store
```

at this point it gets stuck and nothing happens...if I hit ^C, then I get the following weird messages
```
^CINFO: Cancelling threads...
INFO: Cleanup, joining threads...
INFO: Interface ppp0 is UP.
INFO: Setting new routes...
WARN: Could not get current default route (Parsing /proc/net/route failed).
WARN: Protecting tunnel route has failed. But this can be working except for some cases.
WARN: Adding route table is incomplete. Please check route table.
INFO: Tunnel is up and running.
INFO: Setting ppp0 interface down.
INFO: Restoring routes...
Fri Apr 5 11:36:25 2024 : Hangup (SIGHUP)
Fri Apr 5 11:36:25 2024 : Modem hangup
Fri Apr 5 11:36:25 2024 : Connection terminated.
Fri Apr 5 11:36:25 2024 : LCP close (User request).
Fri Apr 5 11:36:25 2024 : Connect time 5.1 minutes.
Fri Apr 5 11:36:25 2024 : Sent 3800 bytes, received 14612 bytes.
INFO: pppd: The link was terminated by the modem hanging up.
INFO: Terminated pppd.
INFO: Closed connection to gateway.
INFO: Logged out.
```

I can confirm on my computer. openfortivpn 1.20.5 can connect, ask for the 2FA input, and then proceed to set up the PPP tunnel (I hope this is the right terminology). openfortivpn 1.21.0, started with the same arguments, asks for the 2FA input, but then proceeds to hang as in the comment above. I'll be more than happy to provide a log or any information needed to debug and find a solution.

First things first. Does option --pppd-accept-remote=0 help?

If not, are you able to build from sources? If so, there aren't many significant changes between 1.20.5 and 1.21.0:
v1.20.5...v1.21.0

I would try to revert some of these commits, build, and run - until I can identify which commit breaks openfortivpn:

The option --pppd-accept-remote=0 does indeed solve the issue -- thanks! Did the default behavior change between 1.20.5 and 1.21.0?

Where did you get openfortivpn from?

The README is clear about it:

openfortivpn/README.md

Lines 172 to 180 in 70ddecd

If targeting platforms with pppd < 2.5.0 such as current version of macOS,
we suggest you configure with option --enable-legacy-pppd:
```shell
./autogen.sh
./configure --prefix=/usr/local --sysconfdir=/etc --enable-legacy-pppd
make
sudo make install
```

I modified the Homebrew formulae myself:
Homebrew/homebrew-core@d88b7a1

In theory, openfortivpn for macOS should be built with --enable-legacy-pppd on macOS, which should make --pppd-accept-remote=0 the default, instead of --pppd-accept-remote=1. I am not familiar with Homebrew, but I suspect the above commit has not been taken into account to produce new Homebrew packages. You might have to wait for 1.22.0 (#1211) for the change to be integrated to Homebrew builds.

I use Macports, not homebrew. I'll check how to change the portfile to build with the --enable-legacy-pppd option and report back. If it all works, I'll submit a ticket to Macports about it.

Just checked and yes, compiling with --enable-legacy-pppd solves the issue. I'll notify Macports maintainers. I don't use Homebrew so I hope the changes you (@DimitriPapadopoulos) made are enough. Thank you for this wonderful piece of software and for helping identify the issue so quickly!
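
The README rule quoted in this thread (pppd < 2.5.0 needs `--enable-legacy-pppd`), turned into a build-time check. This is an added example, not part of the thread or of the openfortivpn project; the function names are hypothetical, the sample banner is constructed, and it assumes `pppd --version` prints a banner of the form `pppd version X.Y.Z`.

```shell
#!/bin/sh
# Added example, not project code. Assumes `pppd --version` prints a banner
# of the form "pppd version X.Y.Z".

# Pull the dotted version out of a pppd banner.
extract_pppd_version() {
    printf '%s\n' "$1" | sed -n 's/.*pppd version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed when dotted version $1 is strictly lower than $2 (numeric per field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print the ./configure arguments the README recommends for this pppd.
configure_flags() {
    ver=$(extract_pppd_version "$1")
    if [ -z "$ver" ]; then
        echo "cannot parse pppd version from: $1" >&2
        return 2
    fi
    flags="--prefix=/usr/local --sysconfdir=/etc"
    if version_lt "$ver" "2.5.0"; then
        flags="$flags --enable-legacy-pppd"
    fi
    printf '%s\n' "$flags"
}

# Constructed banner standing in for a pppd older than 2.5.0.
SAMPLE_BANNER="pppd version 2.4.2"
echo "sample: ./configure $(configure_flags "$SAMPLE_BANNER")"

# Inspect the local pppd when one is installed.
if command -v pppd >/dev/null 2>&1; then
    banner=$(pppd --version 2>&1 || true)
    if flags=$(configure_flags "$banner"); then
        echo "local:  ./configure $flags"
    fi
fi
```

For a 1.21.0 binary that was already built without the legacy option, the runtime workaround confirmed in this thread is `--pppd-accept-remote=0`.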