openfortivpn is used to establish VPN tunnels on linux and compatible with Fortinet VPNs.
openfortivpn is included in notable linux distributions and can be installed via packet manager:
When starting openfortivpn the following config file is used and should look something like this for the standard vpn tunnel:
#### config file for openfortivpn, see man openfortivpn(1) ### # # host = destination adress VPN-Gateway # port = destination port # realm = realm / name of the vpn tunnel # username = username (CIT-Account) # password = password # ca-file = certificate chain host = vpngate.frankfurt-university.de port = 443 realm = pub-all username = <CIT-Account> password = <PASSWORD> ca-file = /etc/openfortivpn/chain.txt
Note: realm = pub-all is used for the standard vpn tunnel and is used in most cases but it may differ when using a different tunnel.
The ca-file includes the certificate chain of DFN-Verein Global Issuing CA (pem file) and can be downloaded via:
Config files for additional tunnels may be created with freely selected names in the same place. NOTE: Depending on the Linux distribution the config files may differ from
/etc/openfortivpn or may be created manually.
Establish the connection
start the tunnel via
[root@pc ]# openfortivpn
Root privileges (respectively sudo) are needed because a (ppp)-interface is created (see here section Running as root?). When using different tunnels via configuration files the following parameter is used:
[root@pc ]# openfortivpn -c /etc/openfortivpn/<my_tunnel_configfile>
Additional parameters and explanatary notes may be found via the MAN-pages.
Openfortivpn can also be used via NetworkManager. The following packets are required and need to be installed:
Afterwards a new NetworkManager-profile (type fortisslvpn) can be created.
The configuration should look something like this:
|User name||Your CIT-Account|
|Password||Your Cit-Account Password|
path to the CA Certificate you already downloaded earlier in this guide.
see CA Certificate
click on "Advanced" to enter the "Realm":
In most cases the realm is pub-all but it may differ when using a different tunnel. Note: Option "Use only for resources on this connection" from IPv4 → Routes must be disabled.
Afterwards the connection can be established when you click on the corresponding entry in the NetworkManager menu.