Run as system daemon #93

Closed
nidico opened this issue Jan 23, 2017 · 17 comments

Comments

@nidico

nidico commented Jan 23, 2017

What's the best practice in order to run openfortivpn as a system daemon, e.g. as a systemd unit? I'm particularly concerned about automatic reconnection in case of connection loss.

@adrienverge
Owner

Hi @nidico,

You need to create a systemd config file (either in /etc/systemd/system or /usr/lib/systemd/system), for example openfortivpn.service. I'm not a systemd expert but I guess you would need:

[Unit]
After=NetworkManager.service

Once done:

sudo systemctl daemon-reload
sudo systemctl start openfortivpn
sudo systemctl enable openfortivpn

@nidico
Author

nidico commented Feb 22, 2017

For others looking at this: This isn't working (i.e. automatically restarting) for me as it is (though a similar systemd unit in general is). I haven't spent more time on it since and set up a cron job which restarts the systemd service if the connection is down.

@r3tr0g4m3r

r3tr0g4m3r commented Mar 12, 2018

This is my service running at boot in CentOS 7.4:
/usr/lib/systemd/system/openfortivpn.service

[Unit]
Description=OpenFortiVPN
After=network-online.target multi-user.target
Documentation=man:openfortivpn(1)

[Service]
User=root
Type=idle
ExecStart = /usr/local/bin/openfortivpn -c /etc/openfortivpn/config
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target

@deevictor

/etc/openfortivpn/config

Type=forking, otherwise systemd will show active status even if the VPN connection is not established.

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Jul 24, 2021

Type=forking doesn't look right here, because openfortivpn does not fork. Doesn't Type=simple work for you?

@deevictor

My bad, the service does not start with the forking or simple type, only with Type=idle as r3tr0g4m3r mentioned.

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Jul 26, 2021

Type=notify might be useful too, as openfortivpn calls sd_notify() to notify systemd when the tunnel is up.

@iKlsR

iKlsR commented Oct 5, 2021

@DimitriPapadopoulos I was setting this up and when I switch to notify it gets stuck in this state until it fails; going back to simple works.

ploi@data-server:~$ /usr/bin/openfortivpn --version
1.6.0
ploi@data-server:~/data.redacted.com/itch$ systemctl status openfortivpn.service
● openfortivpn.service - Forti VPN Api Service
   Loaded: loaded (/etc/systemd/system/openfortivpn.service; enabled; vendor preset: enabled)
   Active: activating (start) since Tue 2021-10-05 13:07:02 UTC; 19s ago
     Docs: man:openfortivpn(1)
 Main PID: 19945 (openfortivpn)
    Tasks: 6 (limit: 1150)
   CGroup: /system.slice/openfortivpn.service
           ├─19945 /usr/bin/openfortivpn -c /etc/openfortivpn/config
           └─19960 /usr/sbin/pppd 38400 :1.1.1.1 noipdefault noaccomp noauth default-asyncmap nopcomp receive-all nodefaultroute nodetach lcp-max-config

[Unit]
Description=OpenFortiVPN Service
After=network-online.target multi-user.target
Documentation=man:openfortivpn(1)

[Service]
User=root
Type=simple
# WorkingDirectory=/root
ExecStart=/usr/bin/openfortivpn -c /etc/openfortivpn/config
Restart=always
RestartSec=5
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=openfortivpn
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target

@DimitriPapadopoulos
Collaborator

it gets stuck in this state until it fails

In which state? How does it fail?

@iKlsR

iKlsR commented Oct 5, 2021

With notify when I reload and restart I get

● openfortivpn.service - OpenFortiVPN Service
   Loaded: loaded (/etc/systemd/system/openfortivpn.service; enabled; vendor preset: enabled)
   Active: activating (start) since Tue 2021-10-05 13:05:26 UTC; 1s ago
     Docs: man:openfortivpn(1)
 Main PID: 19719 (openfortivpn)
    Tasks: 7 (limit: 1150)
   CGroup: /system.slice/openfortivpn.service
           ├─19719 /usr/bin/openfortivpn -c /etc/openfortivpn/config
           └─19734 /usr/sbin/pppd 38400 :1.1.1.1 noipdefault noaccomp noauth default-asyncmap nopcomp receive-all nodefaultroute nodetach lcp-max-config

as opposed to using simple

● openfortivpn.service - OpenFortiVPN Service
   Loaded: loaded (/etc/systemd/system/openfortivpn.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-10-05 13:14:15 UTC; 25min ago
     Docs: man:openfortivpn(1)
 Main PID: 20310 (openfortivpn)
    Tasks: 6 (limit: 1150)
   CGroup: /system.slice/openfortivpn.service
           ├─20310 /usr/bin/openfortivpn -c /etc/openfortivpn/config
           └─20325 /usr/sbin/pppd 38400 :1.1.1.1 noipdefault noaccomp noauth default-asyncmap nopcomp receive-all nodefaultroute nodetach lcp-max-config

I see nothing useful in syslog or with journalctl. If I do hostname -I I can see the expected IP while it's in that state, but I can't connect. I can't try to reproduce this now as I need the VPN running to capture some itch data, but I will try again with notify tomorrow as I believe there was something in the logs yesterday when I was playing with this.

ploi@data-server:~$ sudo systemctl start openfortivpn.service
Job for openfortivpn.service failed because a timeout was exceeded.

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Oct 20, 2021

ploi@data-server:~$ /usr/bin/openfortivpn --version
1.6.0

Version 1.6.0 is pretty old and does not call sd_notify(). My recommendation would be to:

  • use exec with openfortivpn binaries that do not call sd_notify() (versions prior to 1.8.0),
  • use notify with openfortivpn binaries that do call sd_notify() (versions 1.8.0 and newer built with systemd support).
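The two-way rule above (Type=exec for binaries that do not call sd_notify(), Type=notify for 1.8.0 and newer built with systemd support) is easy to get wrong by hand, and getting it wrong produces exactly the symptom reported earlier in the thread: a unit that sits in "activating (start)" until systemd times it out. The following shell script is an added example, not part of openfortivpn or of the thread: it encodes the version rule as a function and renders a unit file with the matching Type= plus Restart=on-failure. The version strings and paths it uses are constructed; `detect_version` relies on `openfortivpn --version` printing a bare version like `1.6.0`, as shown in the thread, which is an assumption for other releases.

```shell
#!/bin/sh
# Added example (not openfortivpn's own code): choose the systemd Type= for
# a given openfortivpn version and render a unit file around that choice.

# pick_service_type VERSION
#   Prints "exec" for versions before 1.8.0 (no sd_notify() call) and
#   "notify" for 1.8.0 and newer. Returns 1 on an unparseable version.
#   Caveat: the version rule is necessary, not sufficient; a >=1.8.0 build
#   compiled without systemd support still never calls sd_notify().
pick_service_type() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        ''|*[!0-9]*) echo unknown; return 1 ;;
    esac
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 8 ]; }; then
        echo notify
    else
        echo exec
    fi
}

# detect_version BINARY
#   Asks the installed binary for its version (assumes a bare "X.Y.Z" line).
detect_version() {
    command -v "$1" >/dev/null 2>&1 || return 1
    "$1" --version 2>/dev/null | head -n 1
}

# render_unit VERSION BINARY CONFIG
#   Writes a unit file to stdout. Restart=on-failure keeps the "failed after
#   timeout" case visible in systemctl status instead of looping silently.
render_unit() {
    type=$(pick_service_type "$1") || return 1
    cat <<EOF
[Unit]
Description=openfortivpn tunnel (constructed example)
After=network-online.target
Wants=network-online.target

[Service]
Type=$type
ExecStart=$2 -c $3
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
EOF
}

# Stand-alone usage: render for a constructed version and paths.
if [ "${0##*/}" = "render_unit.sh" ]; then
    render_unit "${1:-1.6.0}" /usr/bin/openfortivpn /etc/openfortivpn/config
fi
```

After rendering, `systemctl daemon-reload` and a `systemctl status` check as done earlier in the thread tell you whether the chosen Type= matches the binary: with the wrong one you will see "activating (start)" followed by the timeout failure rather than "active (running)".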

@DimitriPapadopoulos
Collaborator

Also see #948.

@requa3r0

The standard lease time on the Forti VPN server side is 8 hours.

Has anyone figured out how to automatically reconnect if the connection is lost or the lease time expires?

@mrbaseman
Collaborator

@requa3r0 see the above discussion about how to start openfortivpn as a daemon. If your login needs a one-time password or any other 2nd factor, it is simply not possible to automate the reconnect.

@kardoka

kardoka commented Feb 2, 2024

@mrbaseman If the connection is based on a username + password combination, is it possible to implement auto-reconnect?

@requa3r0

requa3r0 commented Feb 4, 2024

@kardoka Really

this daemon reconnects for days...1 sec after the lease time is over.

@requa3r0

requa3r0 commented Feb 4, 2024

@kardoka @mrbaseman
Here:

[Unit]
Description=openfortivpn-daemon
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

StartLimitIntervalSec=500
StartLimitBurst=5

[Service]
Restart=on-failure
RestartSec=5s

ExecStart=/usr/bin/openfortivpn

[Install]
WantedBy=multi-user.target

DimitriPapadopoulos added a commit to DimitriPapadopoulos/openfortivpn that referenced this issue Feb 4, 2024
DimitriPapadopoulos added a commit that referenced this issue Feb 4, 2024