openfortivpn is used to establish VPN tunnels on linux and compatible with Fortinet VPNs.
Installation
openfortivpn is included in notable linux distributions and can be installed via packet manager:
Fedora:
Info | ||
---|---|---|
| ||
root@fedora:~# dnf install openfortivpn |
Ubuntu:
Info | ||
---|---|---|
| ||
root@ubuntu:~# apt install openfortivpn |
Debian:
Info | ||
---|---|---|
| ||
root@debian:~# apt install openfortivpn |
Configuration
When starting openfortivpn the following config file is used and should look something like this for the standard vpn tunnel:
Codeblock | ||
---|---|---|
| ||
#### config file for openfortivpn, see man openfortivpn(1) ### # # host = destination adress VPN-Gateway # port = destination port # realm = realm / name of the vpn tunnel # username = username (CIT-Account) # password = password # ca-file = certificate chain host = vpngate.frankfurt-university.de port = 443 realm = pub-all username = <CIT-Account> password = <PASSWORD> ca-file = /etc/openfortivpn/chain.txt |
Note: realm = pub-all is used for the standard vpn tunnel and is used in most cases but it may differ when using a different tunnel.The ca-file includes the certificate chain of DFN-Verein Global Issuing CA (pem file) and can be downloaded via: Anker
Config files for additional tunnels may be created with freely selected names in the same place. NOTE: Depending on the Linux distribution the config files may differ from
/etc/openfortivpn
or may be created manually.
The next step is to add the certificate (chain) to the trusted certificates (systemwide).
Fedora
The ca-file includes the certificate chain o GEANT OV RSA CA 4 CA (pem file) and can be downloaded here.
Now execute:
|
Debian/Ubuntu
The ca-file includes the certificate GEANT OV RSA CA 4 CA (pem file) and can be downloaded here. Please note: Debian expects the file to end with .crt. Otherwise it wont process the file and just skipps it.
Now execute:
|
Establish the connection
start the tunnel via
Codeblock |
---|
[root@pc ]# openfortivpn |
Root privileges (respectively sudo) are needed because a (ppp)-interface is created (see here section Running as root?). When using different tunnels via configuration files the following parameter is used:
Codeblock |
---|
[root@pc ]# openfortivpn -c /etc/openfortivpn/<my_tunnel_configfile> |
Additional parameters and explanatary notes may be found via the MAN-pages.
NetworkManager-Addon
Openfortivpn can also be used via NetworkManager. The following packets are required and need to be installed:
Fedora:
Info | ||
---|---|---|
| ||
|
Ubuntu:
Info | ||
---|---|---|
| ||
|
Debian:
Info | ||
---|---|---|
| ||
|
Afterwards a new NetworkManager-profile (type fortisslvpn) can be created.
The configuration should look something like this:
Option | Value | Description |
---|---|---|
Gateway | vpngate.frankfurt-university.de:443 | Gateway address. |
User name | Your CIT-Account | |
Password | Your Cit-Account Password |
path to the CA Certificate you already downloaded earlier in this guide.
see CA Certificateclick on "Advanced" to enter the "Realm":
In most cases the realm is pub-all but it may differ when using a different tunnel. Note: Option "Use only for resources on this connection" from IPv4 → Routes must be disabled.
The next step is to add the certificate (chain) to the trusted certificates (systemwide).
Fedora
The ca-file includes the certificate chain o GEANT OV RSA CA 4 CA (pem file) and can be downloaded here.
Now execute:
|
Debian/Ubuntu
The ca-file includes the certificate GEANT OV RSA CA 4 CA (pem file) and can be downloaded here. Please note: Debian expects the file to end with .crt. Otherwise it wont process the file and just skipps it.
Now execute:
|
Afterwards the connection can be established when you click on the corresponding entry in the NetworkManager menu.
Seiteneigenschaften | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
|