Virtual Private Networks (VPNs) are essential tools that help you securely connect to remote networks and protect your data from prying eyes. One such VPN is FortiClient’s SSL VPN, which can be accessed through a free and open-source client called OpenFortiVPN.

This tutorial will walk you through the installation, configuration, and usage of OpenFortiVPN, based on the resources available on CodePotions, Ubuntu Manpages, and the official GitHub repository.

Before you begin, ensure that you have the following:

  • A computer running a Linux distribution (Ubuntu, Debian, Fedora, etc.)
  • Access to a FortiClient SSL VPN server
  • Administrative privileges on your system

Installing OpenFortiVPN

To install OpenFortiVPN, follow these steps based on your Linux distribution:

On Ubuntu, Linux Mint, or Debian, run the following commands:

sudo apt-get update
sudo apt-get install openfortivpn

On Fedora, execute these commands:

sudo dnf update
sudo dnf install openfortivpn

On other distributions, check the official documentation for installation instructions.

Configuring OpenFortiVPN

To configure OpenFortiVPN, you will need to create a configuration file. Follow these steps:

  1. Create a new file in your home directory called .openfortivpn/config:
mkdir -p ~/.openfortivpn
touch ~/.openfortivpn/config
  2. Open the configuration file with your favorite text editor, such as nano or vim:
nano ~/.openfortivpn/config
  3. Add the following lines to the configuration file, replacing the placeholders with the appropriate values:
host = <VPN_SERVER_ADDRESS>
port = <VPN_SERVER_PORT>
username = <YOUR_USERNAME>
password = <YOUR_PASSWORD>
  4. Save and close the file.

Connecting to VPN

To connect to the VPN, run the following command:

sudo openfortivpn -c ~/.openfortivpn/config

If the connection is successful, you will see output similar to this:

INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
INFO:   Interface "ppp0" is UP.
INFO:   Tunnel is up and running.

To disconnect from the VPN, press Ctrl+C.

Troubleshooting

If you encounter issues, check the following:

  • Ensure that your VPN server address and port are correct in the configuration file.
  • Confirm that your username and password are valid.
  • Check your internet connection.
  • Review the logs for any error messages:
sudo openfortivpn -c ~/.openfortivpn/config --verbose

OpenFortiVPN Untrusted SSL Certificate

If you receive an error related to an untrusted SSL certificate, you can add the trusted certificate fingerprint to the configuration file. To do so, follow these steps:

Identify the certificate SHA-256 fingerprint in the error message. It should look like this:

ERROR:  Gateway certificate validation failed, and the certificate digest in not in the local whitelist. If you trust it, rerun with:
ERROR:      --trusted-cert <fingerprint>

Open your OpenFortiVPN configuration file:

nano ~/.openfortivpn/config

Add the following line at the end of the file, replacing <fingerprint> with the actual fingerprint:

trusted-cert = <fingerprint>

Save and close the file, then reconnect to the VPN:

sudo openfortivpn -c ~/.openfortivpn/config

The client should now connect without any SSL certificate errors. Note that you should only add the trusted certificate fingerprint if you are sure that the certificate is genuine and trustworthy.
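
One way to make that check before pinning, as an added example that is not part of the original tutorial or the openfortivpn project: compare the digest from the error message with a fingerprint obtained out of band, for instance from your network administrator. The function names and sample digest are constructed, and the script assumes the digest openfortivpn reports is the SHA-256 fingerprint that `openssl x509 -fingerprint -sha256` prints.

```shell
#!/bin/sh
# Added example (not openfortivpn code). Function names are hypothetical.

# Reduce any common fingerprint notation to bare lowercase hex:
# drops an "sha256 Fingerprint=" prefix, colons and whitespace.
normalize_fp() {
    printf '%s' "$1" | sed -E 's/^.*=//' | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of a certificate the administrator sent as a PEM file.
# Assumption: this is the same digest openfortivpn prints in its error message.
pem_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# $1 = digest copied from the error message, $2 = reference obtained out of band.
# Prints the config line only when both are the same 64-hex-character digest.
pin_if_verified() {
    seen=$(normalize_fp "$1")
    ref=$(normalize_fp "$2")
    case $seen in
        ''|*[!0-9a-f]*) echo "REJECT: not a hex digest"; return 1 ;;
    esac
    if [ "${#seen}" -ne 64 ]; then
        echo "REJECT: expected 64 hex characters, got ${#seen}"
        return 1
    fi
    if [ "$seen" != "$ref" ]; then
        echo "REJECT: digest differs from the reference, do not pin it"
        return 1
    fi
    echo "trusted-cert = $seen"
}

# Constructed values: the same digest in the two notations you are likely to meet.
from_error=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
from_admin="sha256 Fingerprint=$(printf '%s' "$from_error" | tr 'a-f' 'A-F' |
    sed -E 's/(..)/\1:/g; s/:$//')"
pin_if_verified "$from_error" "$from_admin"
# A digest that differs in one character must be refused.
pin_if_verified "1${from_error#0}" "$from_admin" || true
```

If the administrator supplies the certificate file instead of a fingerprint, pass `"$(pem_fp gateway.pem)"` as the second argument (the file name is a placeholder).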

If you are still facing issues after checking the above points, consider reaching out to your network administrator or the OpenFortiVPN community for further assistance.

Connecting OpenFortiVPN Using Command Line Parameters

While using a configuration file is a convenient way to store your settings, you can also connect to the VPN using command line parameters. This method can be helpful for quick connections, testing, or when you don’t want to store sensitive information in a file.

To connect OpenFortiVPN using command line parameters, follow these steps:

Run the following command, replacing the placeholders with your VPN server information and credentials:

sudo openfortivpn <VPN_SERVER_ADDRESS>:<VPN_SERVER_PORT> -u <YOUR_USERNAME> -p <YOUR_PASSWORD>

For example:

sudo openfortivpn vpn.example.com:443 -u myusername -p mypassword

If you need to include the trusted-cert parameter because of an SSL certificate error, run the command with the --trusted-cert flag followed by the certificate fingerprint:

sudo openfortivpn <VPN_SERVER_ADDRESS>:<VPN_SERVER_PORT> -u <YOUR_USERNAME> -p <YOUR_PASSWORD> --trusted-cert <fingerprint>

For example:

sudo openfortivpn vpn.example.com:443 -u myusername -p mypassword --trusted-cert 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

If you prefer not to provide your password in the command, omit the -p flag, and OpenFortiVPN will prompt you for your password:

sudo openfortivpn vpn.example.com:443 -u myusername --trusted-cert 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

Remember that command line parameters, including your password, might be stored in your shell history. To avoid this, you can either clear your shell history or disable history logging temporarily before running the command.

Final Considerations

In this tutorial, we have covered the installation, configuration, and usage of OpenFortiVPN to connect to a FortiClient SSL VPN server. By using a configuration file or command line parameters, you can choose the method that best suits your needs and security preferences.

As a final note, consider the following points when using OpenFortiVPN:

  • Security: Be cautious when storing sensitive information, such as your password, in a configuration file. Ensure that the file has proper permissions and is not accessible by other users on your system. Alternatively, use the command line option to input your password when prompted.

  • Trusted Certificates: Only add a trusted certificate fingerprint to your configuration file or command line parameters if you are sure that the certificate is genuine and trustworthy. Verify the certificate with your network administrator if you have any doubts.

  • Connection Logs: Use the --verbose flag when troubleshooting connection issues or if you need more information about the VPN connection process.

  • Routing: Customize your routing preferences by using the --no-routes flag and manually adding required routes if you need more control over your network traffic.
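
The Security and Trusted Certificates points above can be checked mechanically. The script below is an added example, not part of the original tutorial or the openfortivpn project: it audits a configuration file for access by other users, a stored plaintext password, and a trusted-cert value that is not a SHA-256 digest. The function name and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not openfortivpn code): audit a config file.
# Prints one finding per line; returns 0 when nothing is flagged, 1 otherwise.
audit_vpn_config() {
    cfg=$1
    flagged=0
    if [ ! -f "$cfg" ]; then
        echo "MISSING: $cfg is not a regular file"
        return 1
    fi
    # Characters 5-10 of the `ls -l` mode string are the group and other bits.
    if [ "$(ls -ld -- "$cfg" | cut -c5-10)" != "------" ]; then
        echo "PERMS: group or other users can access $cfg (chmod 600 fixes this)"
        flagged=1
    fi
    # A stored password is exposed to anything that can read the file or a backup.
    if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$cfg"; then
        echo "PASSWORD: plaintext password is stored in $cfg"
        flagged=1
    fi
    # A SHA-256 digest is exactly 64 hex characters.
    bad=$(sed -nE 's/^[[:space:]]*trusted-cert[[:space:]]*=[[:space:]]*//p' "$cfg" |
          grep -Evx '[0-9A-Fa-f]{64}[[:space:]]*' || true)
    if [ -n "$bad" ]; then
        echo "PIN: trusted-cert is not a 64-character SHA-256 digest: $bad"
        flagged=1
    fi
    return "$flagged"
}

# Constructed sample: the file as `touch` leaves it under a 022 umask, then filled in.
sample=$(mktemp)
chmod 644 "$sample"
cat > "$sample" <<'EOF'
host = vpn.example.com
port = 443
username = myusername
password = mypassword
trusted-cert = 0123456789abcdef0123456789abcdef01234567
EOF
audit_vpn_config "$sample" || true
rm -f "$sample"
```

Run it against your own file with `audit_vpn_config ~/.openfortivpn/config`.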

By following the guidelines provided in this tutorial, you can securely and effectively use OpenFortiVPN to access remote networks and protect your data. Remember to keep your OpenFortiVPN client up-to-date and review the official documentation and community resources for any new features, improvements, or security updates.