Bugzilla – Bug 1218402
openfortivpn broken after upgrade ppp
Last modified: 2024-02-22 16:46:22 UTC
Created attachment 871555
forti.log

work:
> [werwolf@wolfbook] ~
> ❯ rpm -qa ppp
> ppp-2.4.9-3.5.x86_64
>
> [werwolf@wolfbook] ~
> ❯ rpm -qa openfortivpn
> openfortivpn-1.20.5-2.1.x86_64

don't work:
> [werwolf@home] ~
> ❯ rpm -qa openfortivpn
> openfortivpn-1.20.5-2.1.x86_64
>
> [werwolf@home] ~
> ❯ rpm -qa ppp
> ppp-2.5.0-113.2.x86_64

both packages are from OSS
I can confirm this issue with TW20231222. I presume that openfortivpn should be compiled against ppp-2.5.0, like, e.g., NetworkManager-fortisslvpn. CC'ing maintainer.
Version 1.21.0 from network:vpn works normally.
(In reply to Dmitry Markov from comment #2)
> Version 1.21.0 from network:vpn works normally.

Are you using the command line? For me it's getting worse with openfortivpn 1.21.0 (no connections at all), using NetworkManager-fortisslvpn-1.4.0-4.1.x86_64 from TW20231226.
(In reply to Frank Krüger from comment #3)
> (In reply to Dmitry Markov from comment #2)
> > Version 1.21.0 from network:vpn works normally.
>
> Are you using the command line? For me it's getting worse with openfortivpn
> 1.21.0 (no connections at all), using
> NetworkManager-fortisslvpn-1.4.0-4.1.x86_64 from TW20231226.

On two out of three devices I DO NOT use network-manager, because even where network-manager is installed, I only use it for Wi-Fi. I will be able to check the operation of NetworkManager-fortisslvpn later, but unfortunately not today.
JFYI: Using openfortivpn 1.21.0 from the command line works fine, however, it does not when using NetworkManager(-fortisslvpn-1.4.0-4.1.x86_64) from TW20231226. Anyway, since openfortivpn 1.21.0 has been accepted for Factory, the issue described here seems to be solved.
@mardnh@gmx.de: Is there any news/progress?
Forti based VPN servers may expect to propose an IP which the client assigns to the local VPN device. pppd >= 2.5 disables ipcp-accept-remote by default, which breaks that contract.

(1) Forticlient 7.2
Uncomment the line containing ipcp-accept-remote in /etc/ppp/options.
Keep in mind: Forticlient also makes a file backup of pre-VPN DNS and routing settings. It uses the network name to generate a temp file name. If the network name contains special characters (e.g. ' " ? *), it drops the connection after login with "DNS Backup failed".

(2) openfortivpn 1.2
- see (1), or
- add a line "pppd-accept-remote = true" in /etc/openfortivpn/config, or
- pass --pppd-accept-remote on the command line

(3) NetworkManager-fortisslvpn-1.4.0
Links to pppd dynamically and bypasses the configuration as per the above. No workaround comes to my mind at present. IMO it needs patching. The git repository shows several attempts to update compatibility to pppd 2.5, but none of those work on my system.

The actual patch is fairly simple. On version 1.4.0, the following line needs to be added to nm-fortisslvpn-service.c:228

    g_ptr_array_add (argv, (gpointer) g_strdup ("--pppd-accept-remote"));

The issue is that version 1.4.0 doesn't build with pppd-2.5 headers. Someone who is building with earlier headers could easily provide a patch that works with pppd 2.5.
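
A check for workarounds (1) and (2) from the last comment, written as an added example; it is not part of the bug report or of openfortivpn. The function names, status words and demo files are assumptions made for illustration, and the script does not cover the NetworkManager plugin from (3).

```shell
#!/bin/sh
# Added example: reports whether a host needs, and has, the accept-remote
# workaround for the command-line client. The demo files are constructed.

# Exit 0 when the given ppp version (e.g. "2.5.0") is 2.5 or newer.
ppp_needs_accept_remote() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 5 ]; }
}

# Exit 0 when the file $1 has an uncommented line matching the ERE in $2.
has_active_line() {
    [ -r "$1" ] && grep -Eq "^[[:space:]]*$2[[:space:]]*\$" "$1"
}

# Print one status word: not-needed | ppp-options | openfortivpn-config | missing
# Arguments: $1 ppp version, $2 ppp options file, $3 openfortivpn config file.
# Assumption: the config value may be written as "true" or "1".
check_workaround() {
    if ! ppp_needs_accept_remote "$1"; then
        echo not-needed
    elif has_active_line "$2" 'ipcp-accept-remote'; then
        echo ppp-options
    elif has_active_line "$3" 'pppd-accept-remote[[:space:]]*=[[:space:]]*(true|1)'; then
        echo openfortivpn-config
    else
        echo missing
    fi
}

# Demo on constructed files. On a real host, for example:
#   check_workaround "$(rpm -q --qf '%{VERSION}' ppp)" \
#       /etc/ppp/options /etc/openfortivpn/config
demo_dir=$(mktemp -d)
printf '#ipcp-accept-remote\nnoauth\n' > "$demo_dir/options"
printf 'host = vpn.example.com\npppd-accept-remote = true\n' > "$demo_dir/config"
echo "ppp 2.4.9: $(check_workaround 2.4.9 "$demo_dir/options" "$demo_dir/config")"
echo "ppp 2.5.0: $(check_workaround 2.5.0 "$demo_dir/options" "$demo_dir/config")"
rm -rf "$demo_dir"
```

A result of `missing` on a host with ppp 2.5 or newer matches the failing setup from the first comment.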