Setting up OpenFortiVPN for Mac or Linux

Topic

Openfortivpn is a command-line VPN client that replaces the macOS version of FortiClient, which is unreliable on that OS. It can also be used on Linux, where there is no official client.

Prerequisites

OSX

  • Homebrew
  • Openssl

Linux

  • All dependencies will be installed if you use your package manager. 
  • Otherwise, see https://github.com/adrienverge/openfortivpn

Instructions

On Mac, use this Terminal command: brew install openfortivpn
On Linux, depending on the distro, you can install it with your package manager, or pull the source and build it from here: https://github.com/adrienverge/openfortivpn

Config

You will need to know the hash for the trusted cert. To get this, connect without using a trusted cert, and the client will tell you what to add to your config.

openfortivpn.config (you can name this whatever you want)
host = gonzagavpn.gonzaga.edu
port = 443
username = (your username without @gonzaga.edu)

sudo openfortivpn -c openfortivpn.config 

You must use sudo for this, as the client needs root privileges to bring up the tunnel interface and change routing, and it needs to be able to write to resolv.conf.

Once you try to connect, you will get a line like:
trusted-cert = af235d3f42a76e89dc2abb07604fcd344c4cb2f2baf93611b290e574e8c78f7b
Add this to the bottom of the config, and rerun the client. The client simply reports the hash of whatever certificate the gateway presented, so if the value ever changes unexpectedly, confirm it with IT before adding it.
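As an added example (not part of the original article or of the openfortivpn project), the shell script below pulls the trusted-cert value out of the client's output, checks that it is a well-formed SHA-256 hash, and compares it with the gateway certificate's SHA-256 fingerprint fetched independently with openssl, so you can confirm the value before appending it to openfortivpn.config. The sample output is constructed; the hash, host and port are the ones shown in this article.

```shell
#!/bin/sh
# Added example (not from the article or the openfortivpn project): verify the
# trusted-cert value openfortivpn prints against the gateway certificate's
# SHA-256 fingerprint before pasting it into openfortivpn.config.

# Pull the hash out of openfortivpn's output (read from stdin), lowercased.
extract_trusted_cert() {
    sed -n 's/.*trusted-cert *= *\([0-9A-Fa-f]*\).*/\1/p' | head -n 1 | tr 'A-F' 'a-f'
}

# A valid value is exactly 64 lowercase hex chars (SHA-256 of the DER certificate).
is_sha256_hex() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Turn openssl's "SHA256 Fingerprint=AB:CD:..." into openfortivpn's format.
normalize_fingerprint() {
    sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Fetch the gateway's leaf certificate and print its normalized fingerprint.
# Needs network access; host and port default to the ones in the article's config.
gateway_fingerprint() {
    host=${1:-gonzagavpn.gonzaga.edu}; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | normalize_fingerprint
}

# Succeed only if the reported hash is well-formed and equals the expected one.
check_trusted_cert() {
    reported=$1; expected=$2
    is_sha256_hex "$reported" && is_sha256_hex "$expected" && [ "$reported" = "$expected" ]
}

# Constructed sample of the client's output; the hash is the one quoted in the article.
SAMPLE_OUTPUT='INFO:   Gateway certificate validation failed.
trusted-cert = af235d3f42a76e89dc2abb07604fcd344c4cb2f2baf93611b290e574e8c78f7b'

# Usage (needs network): compare what the client printed with what the gateway serves,
# and only then append the line to the config.
# reported=$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_trusted_cert)
# expected=$(gateway_fingerprint gonzagavpn.gonzaga.edu 443)
# check_trusted_cert "$reported" "$expected" && echo "trusted-cert = $reported" >> openfortivpn.config
```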

Connect again and pay attention for your Authenticator push. It happens quickly most of the time, and it times out relatively quickly. 

Note: if you don't want to type in your password each time, you can use a pinentry program. On my Mac, I add my password to it, then add
pinentry=pinentry-mac in my config file. Using pinentry is beyond the scope of this article. 

You can also just put your password in the file
password = This is a bad idea. 
Please do not do this unless the disk the file is on is encrypted, and even then, proceed with caution. This stores your GU password in plain text. 

Additional Notes: openfortivpn edits resolv.conf. If that is not how your system resolves DNS, you will have to set up a way to update your DNS entries yourself. On macOS, only command-line tools use resolv.conf; GUI applications use scutil. As a Mac will ignore DNS entries that don't work, I just added 147.222.0.15 and 147.222.4.15 to my network config in System Preferences and gonzaga.edu as the search domain. With 8.8.8.8 as my first DNS entry there, this works fine on or off VPN.

Need more help?

Please reach out directly to Ryanne Jones at jonesr@gonzaga.edu

Details

Article ID: 119
Created
Thu 8/5/21 8:41 AM
Modified
Tue 3/21/23 3:26 PM