
#1 2020-12-01 19:12:13

Utini
Member
Registered: 2015-09-28
Posts: 481

Openfortivpn - bash works but GUI (networkmanager) not

Hello everyone,

I am starting to use my private notebook via RDP to work on my company's corporate/work server.
Basically I am connecting via RDP to my company's Windows server, which then allows me to log in and work in a Windows environment that is running on the Windows server.

I simulated this in a Windows 10 VM and the process looks like this:

Boot Windows 10
Connect to my company's network via the FortiVPN client
Run RDP to connect to my company's Windows server

However, on my host Linux setup there seem to be some troubles.
I am running KDE with "networkmanager-fortisslvpn" and "openfortivpn".

1. I have DNSCrypt running. The easy fix for this is the following script to stop dnscrypt and let other applications access /etc/resolv.conf:

#!/bin/bash
# Toggle dnscrypt-proxy and hand /etc/resolv.conf over to (or back from) other tools.
# Usage: dnscrypt-toggle.sh start|stop   (must be run as root)

set -e

if [ "$EUID" -ne 0 ]; then
  echo "Please run as root"
  exit 1
fi

if [[ "$1" = "stop" ]]; then
  echo "Stopping dnscrypt-proxy"
  chattr -i /etc/resolv.conf      # drop the immutable flag so the file can be rewritten
  systemctl stop dnscrypt-proxy
  resolvconf -u
  # Public resolvers so the system keeps resolving while dnscrypt-proxy is down
  echo -e "nameserver 1.1.1.1\nnameserver 1.0.0.1\nnameserver 8.8.8.8" > /etc/resolv.conf
  # Left writable on purpose so the VPN client can add its own DNS servers
#  chattr +i /etc/resolv.conf
  exit 0
fi

if [[ "$1" = "start" ]]; then
  echo "Starting dnscrypt-proxy"
  chattr -i /etc/resolv.conf
  resolvconf -u
  # Point all lookups at the local dnscrypt-proxy listener
  echo -e "nameserver 127.0.0.1\noptions edns0 single-request-reopen" > /etc/resolv.conf
  systemctl start dnscrypt-proxy
  chattr +i /etc/resolv.conf      # lock the file so nothing overwrites it while dnscrypt-proxy runs
  exit 0
fi

echo 'Please provide command "start" or "stop"'
exit 1

2. The following command will connect to the VPN and automatically add two new DNS servers (the ones from my company's server) to my /etc/resolv.conf. My host is able to connect to the internet and also to the RDP server afterwards:

sudo openfortivpn serverip:port --username=myuser --trusted-cert cert_here

However, connecting to the VPN via the GUI (NetworkManager) will not add any new DNS servers to my /etc/resolv.conf.
It is therefore also not possible to ping an IP or connect to the domain.

Is there anything I am configuring wrong within the VPN plugin of NetworkManager?

Additionally:
Is there a possibility to have my whole Arch run via DNSCrypt, independently of the VPN, and only have FreeRDP use the VPN connection?

Thanks in advance!


Setup 1: Thinkpad T14s G3, 14" FHD - R7 6850U - 32GB RAM - 2TB Solidigm P44 Pro NVME
Setup 2: Thinkpad X1E G1, 15.6" FHD - i7-8850H - 32GB RAM - NVIDIA GTX 1050Ti - 2x 1TB Samsung 970 Pro NVME
Accessories: Filco Majestouch TKL MX-Brown Mini Otaku, Benq XL2420T (144Hz), Lo(w)gitech G400, Puretrak Talent, Sennheiser HD800S + Meier Daccord FF + Meier Classic FF


#2 2020-12-01 21:03:24

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 634

Re: Openfortivpn - bash works but GUI (networkmanager) not

Utini wrote:

It is therefore also not possible to ping an IP

If you can't ping an IP you've got bigger problems than name resolution.

Namely routing and actually being connected to the remote host.


#3 2020-12-01 21:18:03

Utini
Member
Registered: 2015-09-28
Posts: 481

Re: Openfortivpn - bash works but GUI (networkmanager) not

Zod wrote:
Utini wrote:

It is therefore also not possible to ping an IP

If you can't ping an IP you've got bigger problems than name resolution.

Namely routing and actually being connected to the remote host.

Yes true!

But why is that? The NetworkManager FortiVPN client tells me that I was able to connect to the server.
Afaik it only works when connecting via bash. Only the bash connection will add new DNS entries to my /etc/resolv.conf.




#4 2020-12-01 21:24:06

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 634

Re: Openfortivpn - bash works but GUI (networkmanager) not

Do you know an IP address on the remote network?

You should probably connect to the VPN, get your routing table (post it here) and then try to ping the address.

Edit: while you're connected you might as well get your addresses:

ip a
ip r

Last edited by Zod (2020-12-01 21:26:48)


#5 2020-12-02 05:35:41

Utini
Member
Registered: 2015-09-28
Posts: 481

Re: Openfortivpn - bash works but GUI (networkmanager) not

Due to privacy reasons removed. Sorry!

Last edited by Utini (2023-01-03 14:16:28)




#6 2020-12-02 11:17:17

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 634

Re: Openfortivpn - bash works but GUI (networkmanager) not

While connected to the VPN via KDE NetworkManager.

# ip route delete default dev ppp0

See if that helps.


Edit: What is the IP address you are trying to ping?

Going out on a limb: I'm assuming that the IP is local and when the NM client connects it is routing *all* traffic across the VPN.

What you are lacking is called a split tunnel.

Last edited by Zod (2020-12-02 11:58:04)


#7 2020-12-02 17:42:51

Utini
Member
Registered: 2015-09-28
Posts: 481

Re: Openfortivpn - bash works but GUI (networkmanager) not

Zod wrote:

While connected to the VPN via KDE NetworkManager.

# ip route delete default dev ppp0

See if that helps.


Edit: What is the IP address you are trying to ping?

Going out on a limb: I'm assuming that the IP is local and when the NM client connects it is routing *all* traffic across the VPN.

What you are lacking is called a split tunnel.

Yep, using this command after connecting fixes the issue:

# ip route delete default dev ppp0

I am pinging e.g. 8.8.8.8

So do I have to run this command manually all the time, or is there something that I am missing in the KDE configuration GUI?
Also regarding your split tunnel: does the split tunnel mean I can use the VPN only for FreeRDP and use my non-VPN connection for all other apps/traffic?

Thanks thanks!




#8 2020-12-04 18:43:20

Utini
Member
Registered: 2015-09-28
Posts: 481

Re: Openfortivpn - bash works but GUI (networkmanager) not

I think I fixed this, but I am not sure if everything is correct. Maybe someone can double-check for me.

How I fixed it:

In KDE Connections settings -> VPN -> IPv4:
Check "IPv4 is required for this connection"

In KDE Connections settings -> VPN -> IPv4 -> Routes:
Check "Ignore automatically obtained rules"
Check "Use only for resources on this connection"

In KDE Connections settings -> VPN -> IPv4 -> Routes -> Add:
IP: Company VPN IP
Netmask: 255.255.255.0
Gateway: RDP Server IP

Outcome:

- DNSCrypt enabled and running
- I can connect to the VPN
- My internet will work and "whatsmyip.com" will show me my provider's IP
- I can still connect to the RDP server, which is only accessible when connected to the VPN

netstat -rn before connecting to VPN:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         x      0.0.0.0         UG        0 0          0 wlp0s20f3
x      0.0.0.0         255.255.248.0   U         0 0          0 wlp0s20f3
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0

netstat -rn after connecting to VPN:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         x       0.0.0.0         UG        0 0          0 wlp0s20f3
x       0.0.0.0         255.255.248.0   U         0 0          0 wlp0s20f3
x      0.0.0.0         255.255.255.255 UH        0 0          0 wlp0s20f3
rdpserverip   0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.0.2.1       0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
companyip.0   rdpserverip   255.255.255.0   UG        0 0          0 ppp0
companyip.54  x       255.255.255.255 UGH       0 0          0 wlp0s20f3

So did I now successfully route only one connection, my RDP connection, through the VPN?

Last edited by Utini (2023-01-03 14:17:04)



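To answer the question at the end of the last post mechanically rather than by eyeballing the table, here is an added Python example (not from the thread or from openfortivpn/NetworkManager): it parses `netstat -rn` output, applies the same longest-prefix match the kernel uses, and reports whether the default route or only the RDP server and company prefix go over ppp0. The sample table is constructed with RFC 5737 documentation addresses because the real ones were redacted in the post.

```python
import ipaddress

# Constructed sample modelled on the "after connecting to VPN" table above;
# 198.51.100.0/24 stands in for the company subnet, 203.0.113.10 for the RDP server.
SAMPLE_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlp0s20f3
192.168.0.0     0.0.0.0         255.255.248.0   U         0 0          0 wlp0s20f3
203.0.113.10    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.0.2.1       0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
198.51.100.0    203.0.113.10    255.255.255.0   UG        0 0          0 ppp0
"""

# The symptom from posts #6/#7: the VPN client installed the default route on ppp0,
# so every packet (including 8.8.8.8) is sent into the tunnel.
LEAKY_NETSTAT = SAMPLE_NETSTAT.replace(
    "0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlp0s20f3",
    "0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0")


def parse_routes(text):
    """Turn `netstat -rn` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Destination":
            continue  # banner, header or malformed line
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        routes.append((ipaddress.IPv4Network((dest, mask), strict=False), gw, iface))
    return routes


def route_for(routes, ip):
    """Longest-prefix match: the most specific route that contains ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def check_split_tunnel(text, vpn_iface, rdp_ip, probe_ip="8.8.8.8"):
    """Report whether only the VPN-side prefixes use vpn_iface (a split tunnel)."""
    routes = parse_routes(text)
    probe, rdp = route_for(routes, probe_ip), route_for(routes, rdp_ip)
    return {
        "internet_via_vpn": probe is not None and probe[2] == vpn_iface,
        "rdp_via_vpn": rdp is not None and rdp[2] == vpn_iface,
        "vpn_prefixes": sorted(str(r[0]) for r in routes if r[2] == vpn_iface),
    }
```

A healthy split tunnel reports `internet_via_vpn` False and `rdp_via_vpn` True; the leaky table reports both True, which is the state `ip route delete default dev ppp0` was undoing by hand.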
