Client for PPP+SSL VPN tunnel services
C Shell M4 C++ Other
Clone or download
martinetd and DimitriPapadopoulos gcc 8: fix -Wstring-truncation warnings
New warnings introduced with recent of version of GCC need ignoring
or fixing.
This is an attempt to fix them.
Latest commit e6d1917 Jun 1, 2018

README.md

openfortivpn

openfortivpn is a client for PPP+SSL VPN tunnel services.
It spawns a pppd process and operates the communication between the gateway and this process.

It is compatible with Fortinet VPNs.


Examples

  • Simply connect to a VPN:

    openfortivpn vpn-gateway:8443 --username=foo
    
  • Connect to a VPN using an authentication realm:

    openfortivpn vpn-gateway:8443 --username=foo --realm=bar
    
  • Don't set IP routes and don't add VPN nameservers to /etc/resolv.conf:

    openfortivpn vpn-gateway:8443 -u foo -p bar --no-routes --no-dns
    
  • Using a config file:

    openfortivpn -c /etc/openfortivpn/my-config
    

    With /etc/openfortivpn/my-config containing:

    host = vpn-gateway
    port = 8443
    username = foo
    password = bar
    set-routes = 0
    set-dns = 0
    # X509 certificate sha256 sum, trust only this one!
    trusted-cert = e46d4aff08ba6914e64daa85bc6112a422fa7ce16631bff0b592a28556f993db
    

Installing

Installing existing packages

Some Linux distibutions provide openfortivpn packages:

On macOS both Homebrew and MacPorts provide an openfortivpn package. Either install Homebrew then install openfortivpn:

# Install 'Homebrew'
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

# Install 'openfortivpn'
brew install openfortivpn

or install MacPorts then install openfortivpn:

# Install 'openfortivpn'
sudo port install openfortivpn

Building and installing from source

For other distros, you'll need to build and install from source:

  1. Install build dependencies.

    • RHEL/CentOS/Fedora: gcc automake autoconf openssl-devel pkg-config
    • Debian/Ubuntu: gcc automake autoconf libssl-dev pkg-config
    • Arch Linux: gcc automake autoconf openssl pkg-config
    • Gentoo Linux: net-dialup/ppp pkg-config
    • openSUSE: gcc automake autoconf libopenssl-devel pkg-config
    • macOS(Homebrew): automake autoconf openssl@1.0 pkg-config

    On Linux, if you manage your kernel yourself, ensure to compile those modules:

    CONFIG_PPP=m
    CONFIG_PPP_ASYNC=m
    

    On macOS, install 'Homebrew' to install the build dependencies:

    # Install 'Homebrew'
    /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
    
    # Install Dependencies
    brew install automake autoconf openssl@1.0 pkg-config
    
    # You may need to make this openssl available to compilers
    export LDFLAGS="-L/usr/local/opt/openssl/lib $LDFLAGS"
    export CPPFLAGS="-I/usr/local/opt/openssl/include $CPPFLAGS"
  2. Build and install.

    ./autogen.sh
    ./configure --prefix=/usr/local --sysconfdir=/etc
    make
    sudo make install

    If you need to specify the openssl location you can set the $PKG_CONFIG_PATH environment variable.


Running as root?

openfortivpn needs elevated privileges at three steps during tunnel set up:

  • when spawning a /usr/sbin/pppd process;
  • when setting IP routes through VPN (when the tunnel is up);
  • when adding nameservers to /etc/resolv.conf (when the tunnel is up).

For these reasons, you may need to use sudo openfortivpn.
If you need it to be usable by non-sudoer users, you might consider adding an entry in /etc/sudoers.

For example: visudo -f /etc/sudoers.d/openfortivpn

Cmnd_Alias  OPENFORTIVPN = /usr/bin/openfortivpn

%adm       ALL = (ALL) OPENFORTIVPN

Warning: Make sure only trusted users can run openfortivpn as root!
As described in #54, a malicious user could use --pppd-plugin and --pppd-log options to divert the program's behaviour.


Contributing

Feel free to make pull requests!

C coding style should follow the Linux kernel Documentation/CodingStyle.