Inhaltsverzeichnis

Connect via VPN on Linux

This wiki page is incomplete and not adjusted for the configuration of OTH Regensburg. An up-to-date guide with configuration parameters for OTH Regensburg will soon be published.
Linux systems are not officially supported by OTH. Therefore this wiki page is just support for self-help. If you have issues you will only receive conditional support from the data center service team at OTH.
This wiki page was created using insert Linux distribution and Forticlient 4.4 for Linux. Until the start of the semester Linux user only receive boarding aid with external links.

Step 1: FortiClient Download

For the download a login with the OTH credentials is necessary - The username has to be entered with the following form: abc12345@hs-regensburg.de

* Forticlient rpm download for 64-bit Systeme
* Forticlient deb download for 64-bit Systeme

Step 2: FortiClient installation & configuration

Offical Documentation for FortiClient Linux

Configuration parameters:

Alternative: open-source-client openfortivpn

Alternatively, it is possible to use the open-source client openfortivpn. Here the content of the required config file (/etc/openfortivpn/config):

host = sslvpn.oth-regensburg.de
realm = vpn-default
port = 443
trusted-cert = 364fb4fa107e591626b3919f0e7f8169e9d2097974f3e3d55e56c7c756a1f94a
username = abc12345
password = meinpasswort

The certificate should be used to prevent man-in-the-middle attacks. The value of “trusted-cert” within the config file is identical to the SHA-256 hash of the server certificate. A simple verification of the certificate and its signatures is for example possible using your browser by opening https://sslvpn.oth-regensburg.de and inspecting the details of the certificate (z.B. lock icon left to the address bar in Firefox → More information → Show certificate). This should happen automatically if you import the DFN-certificate globally.

You can use the “--persistent=<interval seconds>” command line option to make openfortivpn reconnect automatically on connection loss.

Important note: In order for the client to work “pppd” must be installed.
For pppd Versions > 2.5.0, you may need to additionally add the “--pppd-accept-remote” command line option to openfortivpn. See this issue on openfortivpn's github for more information.

If you fail to mount network drives from fs.hs-regensburg.de while connected with openfortivpn:

This is likely because you have IPv6 enabled in your remote LAN and your system is set to prefer IPv6.
A workaround is to add a host entry to /etc/hosts, forcing IPv4 for fs.hs-regensburg.de:

127.0.0.1       localhost
::1             localhost
127.0.1.1       schwalbe.localdomain schwalbe

194.95.106.39   fs.hs-regensburg.de

Also, you could use the IPv4 address instead of the hostname in your mount call.

This happens because fs.hs-regensburg.de provides an IPv6 address, but as of now IPv6 isn't supported by the OTH network and also not by openfortivpn. So the IPv6 traffic is not routed through the VPN and the mount fails.

You can check if your system tries to use IPv6 by pinging or mounting with debug output enabled:

$ ping fs.hs-regensburg.de
PING fs.hs-regensburg.de(fs.hs-regensburg.de (2001:638:a01:8013::39)) 56
Datenbytes

$ mount -t cifs -v //fs.hs-regensburg.de/storage HS -o domain=hs-regensburg.de,username=abc12345
mount.cifs kernel mount options: ip=2001:638:a01:8013::39,unc=\\2001:638:a01:8013::39\storage,user=abc12345,domain=hs-regensburg.de,pass=********
mount error(101): Network is unreachable

You can check the IPv6 status of your environment with a service like https://ipv6-test.com/.

Also see the german or english articles for using the network drives with linux.

Alternative: configuration using NetworkManager and NetworkManager-fortisslvpn

Another possibility to establish a VPN connnection offers NetworkManager by the Gnome project.

In order to use Fortinet SSL-VPN the extension NetworkManager-fortisslvpn must be installed with the package manager of your choice. By doing so, the package openfortivpn will be installed as well.

The following example uses Fedora with Dandified YUM package manager.

sudo dnf install NetworkManager-ppp NetworkManager-fortisslvpn

In Ubuntu 20.04 NetworkManager is used as default applciation. Additionally, the following extensions must be be installed:

sudo apt install network-manager-fortisslvpn network-manager-fortisslvpn-gnome

Now, one has to create the VPN connection and subsequently add the appropriate connection parameters. Please note: the username must be adjusted.

nmcli con add type vpn vpn-type org.freedesktop.NetworkManager.fortisslvpn con-name OTH
nmcli con mod OTH vpn.data "gateway = sslvpn.oth-regensburg.de:443, otp-flags = 0, password-flags = 1, realm = vpn-default, trusted-cert = 79ccacdce687d5e24370ab15aa4d02bd11556ff143b1366b772afaed7044e223, user = abc12345"

The VPN connection can now be established using the following command. You will be prompted for your password.

nmcli --ask con up OTH

In order to disconnect, use the following command.

nmcli con down OTH

If you want to permanently save your password you can create a “secret” which will be associated to the VPN connection.

nmcli con mod OTH vpn.secrets "password=PasswordStrong"

Instructions for other operating systems