VPN Client
Forticlient - Linux
Forticlient is available for multiple platforms, but the official downloads did not contain anything for Linux (as of Apr 2017). The Linux client below is therefore the one provided by Arubacloud.
Download, install and accept the license agreement:

```
wget -q http://kb.arubacloud.com/files/tar-gz/forticlientsslvpn_linux_4-0-2281-tar.aspx -O fortisslvpn.tgz
tar -xzf fortisslvpn.tgz && cd forticlientsslvpn && ./helper/setup.linux.sh

wget https://apt.iteas.at/iteas/pool/main/f/forticlient-sslvpn/forticlient-sslvpn_4.4.2332-1_amd64.deb
# Install 'dpkg -i' to default location
dpkg -i forticlient-sslvpn_4.4.2332-1_amd64.deb
cd /opt/forticlient-sslvpn
# Extract 'dpkg -x' to a location of your choice
dpkg -x forticlient-sslvpn_4.4.2332-1_amd64.deb ./fortigate
cd ./fortigate/opt/forticlient-sslvpn/64bit
```
Ubuntu 18.04 LTS
```
wget -O - https://repo.fortinet.com/repo/ubuntu/DEB-GPG-KEY | sudo apt-key add -
# Add the following line in /etc/apt/sources.list
deb [arch=amd64] https://repo.fortinet.com/repo/ubuntu/ /bionic multiverse
sudo apt-get update
sudo apt install forticlient
```

Other sources (not recommended but working). WARNING: one of these is version 4.0.2333, not v4.4.x as the download states.
Optional: Install 32bit libraries on 64bit system to run 32bit version
Enable the i386 architecture (as root user):
sudo dpkg --add-architecture i386 && sudo apt-get update
Install 32-bit libraries (as root user):
sudo apt-get install libc6:i386 libstdc++6:i386
Connect
Press Ctrl+C, agree to their license (first time only) and then connect to the VPN with:

```
$ yes | ./forticlientsslvpn_cli --server sslvpn.server.com:10443 --vpnuser a_user > /dev/null
host sslvpn.server.com   #= 195.11.11.11   # remote VPN server public IP
host laptop-1            #= 10.200.100.11  # from the VPN client pool, private IP
```
When connected you should see similar new entries in the routing table, the ppp0 interface and resolv.conf:

```
$ watch -d "cat /etc/resolv.conf | grep -v \#"
nameserver 10.10.100.2   #<- new entry
nameserver 10.20.100.2   #<- new entry
nameserver 127.0.0.53
options edns0

$ watch -d route -n   # do not resolve DNS
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    600    0        0 wlp4s0
10.0.0.0        10.200.100.11   255.0.0.0       UG    0      0        0 ppp0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlp4s0
172.16.0.0      10.200.100.11   255.240.0.0     UG    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp4s0
195.11.11.11    192.168.1.254   255.255.255.255 UGH   0      0        0 wlp4s0

$ watch -d route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    600    0        0 wlp4s0
10.0.0.0        laptop-1        255.0.0.0       UG    0      0        0 ppp0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wlp4s0
172.16.0.0      laptop-1        255.240.0.0     UG    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp4s0
edge_vpn_fw     _gateway        255.255.255.255 UGH   0      0        0 wlp4s0

$ watch -d ip address   # below is what will be added
9: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1354 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 10.200.100.11 peer 1.1.1.1/32 scope global ppp0
       valid_lft forever preferred_lft forever
```
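A post-connection check, added here as an example (it is not part of the original page): it parses a `route -n` table and a resolv.conf like the ones above and confirms the split-tunnel state, i.e. that the VPN subnets 10.0.0.0/8 and 172.16.0.0/12 ride ppp0, that the default route did not move into the tunnel, that the host route to the VPN server (195.11.11.11 above) stays on the LAN interface, and that the VPN nameservers were added. The subnets, server address and nameservers are taken from the output above and are assumptions for any other site.

```bash
# Added example, not from the original page. Sample inputs are constructed
# from the route/resolv.conf output above; adjust subnets, server and nameservers.
set -e

# Constructed sample: the `route -n` table from above, pasted verbatim.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    600    0        0 wlp4s0
10.0.0.0        10.200.100.11   255.0.0.0       UG    0      0        0 ppp0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlp4s0
172.16.0.0      10.200.100.11   255.240.0.0     UG    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp4s0
195.11.11.11    192.168.1.254   255.255.255.255 UGH   0      0        0 wlp4s0'

# Constructed sample: resolv.conf after the tunnel came up.
SAMPLE_RESOLV='nameserver 10.10.100.2
nameserver 10.20.100.2
nameserver 127.0.0.53'

# route_iface TABLE DEST GENMASK: prints the interface that carries the route.
route_iface() {
    printf '%s\n' "$1" | awk -v d="$2" -v m="$3" '$1 == d && $3 == m { print $8; exit }'
}

# check_split_tunnel TABLE SERVER_IP: succeeds only when the VPN subnets ride ppp0,
# the default route still leaves via the LAN, and the host route to the VPN server
# does not point into the tunnel (which would loop the tunnel traffic).
check_split_tunnel() {
    table=$1; server=$2; rc=0
    for net in 10.0.0.0:255.0.0.0 172.16.0.0:255.240.0.0; do
        dest=${net%%:*}; mask=${net#*:}
        [ "$(route_iface "$table" "$dest" "$mask")" = ppp0 ] ||
            { echo "VPN route $dest/$mask is not on ppp0" >&2; rc=1; }
    done
    [ "$(route_iface "$table" 0.0.0.0 0.0.0.0)" != ppp0 ] ||
        { echo "default route moved into the tunnel (full tunnel, not split)" >&2; rc=1; }
    [ "$(route_iface "$table" "$server" 255.255.255.255)" != ppp0 ] ||
        { echo "host route to $server loops through ppp0" >&2; rc=1; }
    return $rc
}

# check_dns RESOLV_TEXT NS...: succeeds when every expected nameserver is listed.
check_dns() {
    text=$1; shift
    for ns in "$@"; do
        printf '%s\n' "$text" | grep -qFx "nameserver $ns" ||
            { echo "nameserver $ns missing from resolv.conf" >&2; return 1; }
    done
}
check_split_tunnel "$SAMPLE_ROUTES" 195.11.11.11 && check_dns "$SAMPLE_RESOLV" 10.10.100.2 10.20.100.2 && echo "tunnel checks passed"
```

On a live box, feed the real output instead of the samples: `check_split_tunnel "$(route -n)" 195.11.11.11 && check_dns "$(cat /etc/resolv.conf)" 10.10.100.2 10.20.100.2`.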
GUI
If you wish to run the GUI you may need to install:

```
sudo apt-get install libgtk2.0-0:i386
```
Troubleshooting
Error: Peer's certificate is not valid. action is 1
Disable the check
Edit the forticlientsslvpn/helper/config file and set invalid_peer_cert_action=0. Note that this turns off validation of the gateway certificate entirely, so the client will accept whatever certificate is presented to it; adding the gateway's CA to the trust store (next option) keeps the check in place.

```
sed -n -E 's/^(invalid_peer_cert_action=).*$/\10/p' config   # test
sed -i -E 's/^(invalid_peer_cert_action=).*$/\10/g' config   # substitute
```
Add the required certificate
The endpoint's SSL certificate is not trusted by your local machine. First, create the hidden trust-store directory:

```
$ mkdir ~/.fctsslvpn_trustca
```

Second, locate the trust stores on your machine and copy the certificates into the Forticlient trust-store location:

```
$ locate cacert
$ cp /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts ~/.fctsslvpn_trustca
$ cp /opt/Citrix/ICAClient/keystore/cacerts/QuoVadis_Root_CA* ~/.fctsslvpn_trustca
```

Run the connection command. In the output below the client rehashes each PEM file into a <hash>.0 entry, while the Java cacerts file is skipped because it is a JKS keystore rather than a PEM certificate:

```
$ yes | ./forticlientsslvpn_cli --server sslvpn.server.com:10443 --vpnuser a_user > /dev/null
STATUS::Setting up the tunnel
STATUS::Connecting...
NOTICE::ing /home/a_user/.fctsslvpn_trustca
NOTICE::oVadis_Root_CA_2.crt => d7e8dc79.0
WARNING: cacerts does not contain a certificate or CRL: skipping
NOTICE::oVadis_Root_CA_3.crt => 76faf6c0.0
STATUS::Login succeed
STATUS::Starting PPPd
STATUS::Initializing tunnel
STATUS::Connecting to server
STATUS::Connected
STATUS::Tunnel running
```
- Logs
```
tail -f /opt/forticlient-sslvpn/64bit/helper/forticlientsslvpn.log
```
Error: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
Fedora or newer Red Hat, CentOS:

```
sudo dnf install glibc.i686
sudo dnf install libstdc++.i686
```
Forticlient (VPN client only) - Windows
Fortinet does not provide or develop a Linux client, so the best option is the openfortigui project. If you have to use Windows, the best you can do is download the official client and install only the basic feature set, so that only the VPN client gets installed. Follow the steps below:
This has worked with version 5.6.6.1167, downloaded in May 2018
- Download the FortiClientOnlineInstaller.exe file, FortiClient 5.6 for Windows (Win7 or higher supported), from the official website
- Run the installer until you see "Welcome to the FortiClient Setup Wizard"
- By then the installer has downloaded the .msi package into C:\programdata\Applications\Cache
- Open a command prompt with Administrator privileges and run `FortiClient.msi /quiet /norestart INSTALLLEVEL=1`. `/quiet` is optional; omit it if you wish to see the progress and the features being installed.
- The FortiClient application should appear in the list of installed programs
- Run FortiClient from Start
This is the feature set controlled by the MSI INSTALLLEVEL switch:

Feature Name | Install level |
---|---|
Feature_Core | 1 |
Feature_Basic | 1 |
Feature_AntiVirus | 5 |
Feature_WebFilter | 5 |
Feature_VPN | 3 |
Feature_SSLVPN | 1 |
Feature_WanAcceleration | 5 |
Feature_EndPointNAC | 3 |
Feature_Firewall | 5 |
Feature_Vulnerability | 5 |
Feature_SingleSignOnMobility | 3 |
The default install level when running msiexec is 100, which means all features are installed; a feature is installed only when its level is at or below INSTALLLEVEL, so INSTALLLEVEL=1 installs just Feature_Core, Feature_Basic and Feature_SSLVPN. If you have tooling to modify the feature install levels inside the .MSI file, you could create custom installers by raising the level of unwanted features above the threshold.
openfortivpn
openfortivpn is a client for PPP+SSL VPN tunnel services. It spawns a pppd process and handles the communication between the gateway and this process. It is compatible with Fortinet VPNs.

```
# All commands below run on Ubuntu 18.04
$ apt-cache madison openfortivpn
openfortivpn | 1.6.0-1build1 | http://gb.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

# https://packages.ubuntu.com/eoan/amd64/openfortivpn/download   # latest Ubuntu version
wget http://es.archive.ubuntu.com/ubuntu/pool/universe/o/openfortivpn/openfortivpn_1.10.0-1_amd64.deb

# install
sudo dpkg -i openfortivpn_1.10.0-1_amd64.deb
$ which openfortivpn
/usr/bin/openfortivpn

# shows where files are installed
dpkg -x openfortivpn_1.10.0-1_amd64.deb root ; tree $_ ; rm -rf $_
root
├── etc
│   └── openfortivpn
│       └── config
└── usr
    ├── bin
    │   └── openfortivpn
    └── share
        ├── doc
        │   └── openfortivpn
        │       ├── changelog.Debian.gz
        │       ├── copyright
        │       └── README.md.gz
        ├── man
        │   └── man1
        │       └── openfortivpn.1.gz
        └── openfortivpn
            └── config.template
```
Connect
```
sudo vi /etc/openfortivpn/config
# config file for openfortivpn, see man openfortivpn(1)
host = 2.2.2.2
port = 39953
username = user1
#password =
trusted-cert = 6c6*****fa8a58

$ sudo openfortivpn
VPN account password: ***
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
Using interface ppp0
Connect: ppp0 <--> /dev/pts/10
INFO:   Got addresses: [10.200.100.11], ns [10.10.100.2, 10.20.100.2]
INFO:   negotiation complete
INFO:   Got addresses: [10.200.100.11], ns [10.10.100.2, 10.20.100.2]
INFO:   negotiation complete
INFO:   negotiation complete
local  IP address 10.200.100.11   #<-- pppd interface assigned the VPN client IP from the pool
remote IP address 192.0.2.1
primary   DNS address 10.10.100.2
secondary DNS address 10.20.100.2
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
WARN:   Route to vpn server exists already.
INFO:   Adding VPN nameservers...
INFO:   Tunnel is up and running.
^CINFO:   Cancelling threads...   #<-- stop the tunnel with Ctrl+C
INFO:   Setting ppp interface down.
INFO:   Restoring routes...
INFO:   Removing VPN nameservers...
Hangup (SIGHUP)
Modem hangup
Connect time 0.2 minutes.
Sent 2573 bytes, received 4943 bytes.
Connection terminated.
INFO:   pppd: The link was terminated by the modem hanging up.
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
INFO:   Logged out.
```
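As an added example (not code from the page, FortiClient or openfortivpn), the two alternatives to invalid_peer_cert_action=0 that keep certificate validation on, covering both the Forticlient troubleshooting section above and the trusted-cert line in this config: installing a PEM CA into ~/.fctsslvpn_trustca under the <subject_hash>.N name the NOTICE lines above show, and computing the SHA-256 pin that openfortivpn's trusted-cert expects. It assumes the openssl CLI is installed; the CA is a throw-away self-signed one generated on the fly, and the non-PEM "cacerts" file stands in for the Java keystore the log above skipped.

```bash
# Added example, not from the page or either project. Assumes the openssl CLI.
# The CA below is a constructed, throw-away self-signed certificate.
set -e

# trustca_add PEMFILE [DIR]: copy a PEM CA into the FortiClient trust directory as
# <subject_hash>.N, the naming seen in the NOTICE lines above (what c_rehash does).
# Anything that is not a PEM certificate (e.g. a Java JKS "cacerts" keystore) is
# refused, mirroring the "does not contain a certificate or CRL" warning above.
trustca_add() {
    file=$1; dir=${2:-$HOME/.fctsslvpn_trustca}
    mkdir -p "$dir"
    if ! openssl x509 -in "$file" -noout 2>/dev/null; then
        echo "WARNING: $(basename "$file") is not a PEM certificate: skipping" >&2
        return 1
    fi
    hash=$(openssl x509 -in "$file" -noout -subject_hash); n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    cp "$file" "$dir/$hash.$n" && echo "$dir/$hash.$n"
}

# trustca_verify CERT DIR: does CERT (or its issuer chain) resolve in the trust directory?
trustca_verify() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# cert_pin PEMFILE: lowercase hex SHA-256 of the DER-encoded certificate, the
# value openfortivpn matches against `trusted-cert =` when the usual chain
# validation fails (pinning the gateway instead of disabling the check).
cert_pin() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

# Demo: build a test CA, install it, verify against it, print its pin.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$tmp/ca.key" -out "$tmp/ca.crt" 2>/dev/null
    printf 'not a PEM file' > "$tmp/cacerts"             # stand-in for a JKS keystore
    trustca_add "$tmp/ca.crt" "$tmp/trustca"
    trustca_add "$tmp/cacerts" "$tmp/trustca" || true   # refused, as in the log above
    trustca_verify "$tmp/ca.crt" "$tmp/trustca" && echo "chain verifies via $tmp/trustca"
    echo "trusted-cert = $(cert_pin "$tmp/ca.crt")"
    rm -rf "$tmp"
}
demo
```

For a real gateway, save its certificate with `openssl s_client -connect host:port -showcerts` and run `cert_pin` on it; compare the result with what the gateway administrator publishes before pasting it into trusted-cert.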
OpenFortiGUI
OpenFortiGUI v0.8.1 contains openfortivpn core v1.10.0, so all is good.
Install
```
lsb_release -c   # get the Ubuntu code name; the link below is for Ubuntu 18.04
wget https://apt.iteas.at/iteas/pool/main/o/openfortigui/openfortigui_0.8.1-1_amd64_bionic.deb

# Package content
dpkg -x openfortigui_0.8.1-1_amd64_bionic.deb root ; tree $_ ; rm -rf $_
root
├── etc
│   └── sudoers.d
│       └── openfortigui
└── usr
    ├── bin
    │   └── openfortigui
    └── share
        ├── applications
        │   └── openfortigui.desktop
        ├── doc
        │   └── openfortigui
        │       ├── changelog.Debian.gz
        │       └── copyright
        ├── pixmaps
        │   └── openfortigui.png
        └── polkit-1
            └── actions

11 directories, 6 files

# Install and possible dependencies issues
sudo dpkg -i openfortigui_0.8.1-1_amd64_bionic.deb

# Open from Dash/Start applet
openfortigui.desktop
```

Note that the package ships a sudoers drop-in, /etc/sudoers.d/openfortigui (visible in the tree above); review what it allows after installing.
Known issues
Issue with openfortigui_0.8.0-1_amd64_bionic.deb version
```
dpkg: dependency problems prevent configuration of openfortigui:
 openfortigui depends on libqt5keychain1 (>= 0.7.0); however:
  Package libqt5keychain1 is not installed.

# Fix dependencies
apt --fix-broken install
```
Logs and troubleshooting
Log files: ~/.openfortigui/logs/openfortigui.log, ~/.openfortigui/logs/vpn/<profile>.log and /var/log/openfortigui.log (custom logs).

```
tail -f ~/.openfortigui/logs/openfortigui.log
Aug  7 00:02:25 openfortiGUI::Debug: 1565132545338 bytes avail:: 38
Aug  7 00:02:27 openfortiGUI::Debug: 1565132547941 bytes avail:: 75
Aug  7 00:02:31 openfortiGUI::Debug: 1565132551545 bytes avail:: 76
Aug  7 00:02:31 openfortiGUI::Debug: 1565132551746 bytes avail:: 76
Aug  7 00:02:32 openfortiGUI::Debug: 1565132552785 bytes avail:: 37
```

```
tail -f ~/.openfortigui/logs/vpn/ppawl.log
DEBUG:  pppd ---> gateway (88 bytes)
DEBUG:  pppd ---> gateway (88 bytes)
DEBUG:  gateway ---> pppd (255 bytes)
DEBUG:  gateway ---> pppd (443 bytes)
DEBUG:  pppd ---> gateway (88 bytes)
DEBUG:  gateway ---> pppd (443 bytes)
DEBUG:  pppd ---> gateway (78 bytes)
DEBUG:  gateway ---> pppd (142 bytes)
DEBUG:  pppd ---> gateway (98 bytes)
```

```
tail -f /var/log/openfortigui.log
rcvd [IPCP ConfReq id=0x66 <addrs 2.2.2.2 10.200.100.11>]   # server, client IP
sent [IPCP ConfRej id=0x66 <addrs 2.2.2.2 10.200.100.11>]
rcvd [IPCP ConfReq id=0x67]
sent [IPCP ConfAck id=0x67]
local  IP address 10.251.253.17
remote IP address 192.0.2.1
primary   DNS address 10.10.100.2
secondary DNS address 10.20.100.2
Script /etc/ppp/ip-up started (pid 27495)
Script /etc/ppp/ip-up finished (pid 27495), status = 0x0
```
References
- openfortivpn CLI Open Source Fortinet compatible client (Github)
- OpenFortiGUI GUI Open Source Fortinet compatible client
- OpenFortiGUI Github
- [1] Expect bash script