no_one
New Member
April 12, 2022
Question

DNS settings on Ubuntu 22.04 and FortiClient VPN 7.0.0.0018

  • April 12, 2022
  • 14 replies
  • 80983 views

I have a strange problem when I connect to a company VPN with the FortiClient application. At first I did not know what was wrong. After spending some time, I figured out that DNS is not working as it should. Unfortunately, I have no idea whose fault that is. It may be FortiClient VPN, systemd-resolved, or something else. I am using Ubuntu 22.04, which is not an official version yet, but I have doubts it will get any better until the official release in a week or two.

This is output from resolvectl before VPN is established:

username@hostname:~$ resolvectl
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp2s0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (wlp1s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1 2a00:ee0:d::13 2a00:ee0:e::13
        DNS Domain: --

After VPN is established resolvectl reports additional link called vpn:

username@hostname:~$ resolvectl
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp2s0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (wlp1s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 172.20.1.21
       DNS Servers: 172.20.1.16 172.20.1.21 2a00:ee0:d::13 2a00:ee0:e::13
        DNS Domain: company.com

Link 5 (vpn)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

As you can see, additional DNS servers are added to Link 3, which should help me resolve internal names when connected to the VPN. The strange thing is that when I run

username@hostname:~$ resolvectl query name.company.com
name.company.com: resolve call failed: 'name.company.com' not found

I do not get anything. If I try with nslookup like this:

username@hostname:~$ nslookup
> server 172.20.1.16
Default server: 172.20.1.16
Address: 171.20.1.16#53
> name.company.com
Server:     172.20.1.16
Address:    172.20.1.16#53

Name:   name.company.com
Address: 172.20.38.251

I get the correct answer. Since this was strange, I traced network traffic to see what nslookup does differently from resolvectl query.

It turned out that nslookup uses the VPN-assigned address as the source IP when asking DNS for a name. On the other hand, resolvectl query uses all other addresses as the source IP except the one assigned by the VPN. Because of that, I guess the DNS server does not have a route to send an answer back to my computer correctly, or the DNS queries may not even reach the newly added DNS servers.

Because of that, none of the programs I need can resolve the names correctly. The result is that I cannot connect anywhere within the VPN using a domain name.

Does anybody have an idea how to make resolvectl realize there is a newly assigned VPN address, and that it should use it as the source IP? Should FortiClient do some additional configuration on establishing a connection? Probably not.

I tried to restart systemd-resolved after the VPN is established, but it does not help. Should I restart some other service? Which one?

I have checked how DNS is set up in the network settings, and it is correct. Without VPN the network interface wlp1s0 shows:

username@hostname:~$ nmcli device show wlp1s0 | grep DNS
IP4.DNS[1]:                             192.168.1.1
IP6.DNS[1]:                             2a00:ee0:d::13
IP6.DNS[2]:                             2a00:ee0:e::13

After VPN is connected:

username@hostname:~$ nmcli device show wlp1s0 | grep DNS
IP4.DNS[1]:                             172.20.1.16
IP4.DNS[2]:                             172.20.1.21
username@hostname:~$ nmcli device show vpn | grep DNS
IP4.DNS[1]:                             172.20.1.16
IP4.DNS[2]:                             172.20.1.21

14 replies

SlavaS
Visitor III
November 3, 2022

Has anyone tried to switch back to X11 from Wayland and see if it fixes the problem? After the Ubuntu upgrade from 20.04 to 22.04, Wayland became the default, and my laptop started acting weirdly at times - sometimes slowing down, VPN not connecting, flickering on some screens, freezing when you move a window from one monitor to the other (connected to HDMI as external). Flipping back to X11 solved a lot of those issues. And VPN continued working as it used to (on 20.04 I was using X11 because of the same weird behavior).

Ghandalf-82
New Member
September 5, 2023

Hi,

Are there any news on this?

We are using FCT 7.0.9 with an EMS license and also have this issue.

Also 7.2.1 is not solving this.

What I have found out: it is only not working when an IPv6 DNS server from the ISP is used.

I have created a ticket at Fortinet support, but as this issue has not been solved for about a year now, I do not have very much confidence that it will be fixed soon...

Regarding this workaround from f_sfetea:

I have completely different interface names.

2: enp2s0f0 -> local laptop rj45 port

4: wlp3s0 -> WiFi

6: enx34298f721425 -> docking station rj45 port

11: vpn0090df7b1e -> FCT

It would be nice if someone could clarify this.

BR

danielmora
New Member
October 15, 2023

This is my temporary workaround to set the DNS server.

I am using Ubuntu 22.04 and forticlient_vpn_7.0.7.0246_amd64.deb

1) Connect to the VPN using FortiClient.

2) Get the name of the VPN connection on your system by using:

$ resolvectl

In my case I get

Link 20 (vpn000170bb2a)

3) Use the VPN connection name to manually set the organization DNS (for example 10.10.10.10):

$ sudo resolvectl dns vpn000170bb2a 10.10.10.10
$ sudo resolvectl domain vpn000170bb2a ~.

4) To verify, run again:

$ resolvectl

Link 20 (vpn000170bb2a)
    Current Scopes: DNS
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.10.10.10
       DNS Servers: 10.10.10.10
        DNS Domain: ~.

This has to be executed every time you connect to the VPN. If anyone has a better and permanent solution please help.

SlavaS
Visitor III
October 16, 2023

Hi, have you tried this?

You need to edit the NM config:
sudo vi /etc/NetworkManager/NetworkManager.conf

and append the following:
[keyfile]
unmanaged-devices=interface-name:vpn*,except:interface-name:enp0s3;interface-name:wlan*

then restart your service
$ sudo systemctl restart NetworkManager.service


Another option:

Fix DNS on Ubuntu with FortiClient VPN:
sudo vim /etc/systemd/resolved.conf

DNS=8.8.8.8 8.8.4.4
FallbackDNS=100.10.0.1  ### add your DNS here
##Domains
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no

systemctl restart systemd-resolved.service

danielmora
New Member
October 17, 2023

Thank you very much. FallbackDNS didn't work for me; I had to add the VPN DNS as the first one in the list:

sudo vim /etc/systemd/resolved.conf

DNS=100.10.0.1 8.8.8.8 8.8.4.4
FallbackDNS=100.10.0.1
ReadEtcHosts=yes

shannonpeeveyunlv
New Member
May 2, 2024

Thank you for your help, everyone! I have taken this info and created the following for Ubuntu 24.04:

#####
#Forticlient VPN: Fix DNS resolution
#####

There are two ways to fix the DNS resolution issue. Pick your poison.

1. Modify /etc/systemd/resolved.conf and restart systemd-resolved.service

vi /etc/systemd/resolved.conf
[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=10.1.1.4 8.8.8.8 8.8.4.4
FallbackDNS=10.1.1.4
...
ReadEtcHosts=yes
...

sudo systemctl restart systemd-resolved.service


2. Create the following script and run it after connecting successfully to the VPN

vi /usr/local/bin/fortinect_dns_fix.sh
#!/bin/bash

export VPN_INTERFACE=$(resolvectl | grep fctvpn | sed 's/[()]//g' | cut -d' ' -f3)


sudo resolvectl domain $VPN_INTERFACE ~.
sudo resolvectl dns $VPN_INTERFACE <space delimited DNS server IPs>

chmod 755 /usr/local/bin/fortinect_dns_fix.sh
Log in to FortiClient VPN as normal
#In a Terminal run:
/usr/local/bin/fortinect_dns_fix.sh


#resolvectl should output something like:

...
Link 11 (fctvpn6b5ab556)
Current Scopes: DNS
Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.1.1.4
DNS Servers: 10.1.1.4 10.1.1.5 8.8.8.8 8.8.4.4
DNS Domain: ~.

Ubuntu 24.04: Forticlient VPN installation w/ DNS resolution fix
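The script below is an added example written for this thread, not code from any post here or from Fortinet. It automates danielmora's manual steps and generalizes the fortinect_dns_fix.sh script above: it finds the FortiClient link whether it is named vpn* or fctvpn*, lets you choose between sending every lookup to the VPN resolvers (~.) and split DNS for one zone, refuses to run when no tunnel link exists, and can revert the per-link override. The VPN_ZONE variable, the corp.example zone and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from any post in this thread: attach the VPN resolvers to
# the FortiClient link itself so systemd-resolved sends those queries through
# the tunnel. Assumes systemd-resolved (resolvectl) and a FortiClient link
# named vpn* or fctvpn*, the two naming schemes seen in the thread.
set -eu

# Read `resolvectl status` output on stdin and print the first link whose
# name starts with vpn or fctvpn; prints nothing when no such link exists.
vpn_link_from_status() {
    awk '/^Link [0-9]+ \((vpn|fctvpn)[^)]*\)/ {
             sub(/.*\(/, ""); sub(/\).*/, ""); print; exit }'
}

# Routing domain for the link: "~." makes the VPN resolvers answer every
# lookup (what the posts above use), while "~corp.example" keeps split DNS
# so only that zone leaves via the tunnel. corp.example is a placeholder.
routing_domain() {
    if [ -z "${1:-}" ]; then echo "~."; else echo "~$1"; fi
}

# fix_vpn_dns SERVER...   apply DNS servers (and VPN_ZONE, if set) to the link
# fix_vpn_dns revert      undo the per-link override via resolvectl revert
fix_vpn_dns() {
    link=$(resolvectl status | vpn_link_from_status)
    if [ -z "$link" ]; then
        echo "no FortiClient VPN link found; is the tunnel up?" >&2
        return 1
    fi
    if [ "${1:-}" = "revert" ]; then
        sudo resolvectl revert "$link"
        return 0
    fi
    [ "$#" -gt 0 ] || { echo "usage: fix_vpn_dns SERVER... | revert" >&2; return 2; }
    sudo resolvectl dns "$link" "$@"
    sudo resolvectl domain "$link" "$(routing_domain "${VPN_ZONE:-}")"
    resolvectl status "$link"     # show the link now carrying the resolvers
}

# Run only when invoked with arguments, e.g.:
#   ./fix_vpn_dns.sh 10.10.10.10                          (all lookups via VPN)
#   VPN_ZONE=corp.example ./fix_vpn_dns.sh 10.10.10.10    (split DNS)
#   ./fix_vpn_dns.sh revert
if [ "$#" -gt 0 ]; then
    fix_vpn_dns "$@"
fi
```

With ~. every name your machine looks up is answered by (and visible to) the corporate resolver, so set VPN_ZONE to the internal zone where split DNS is acceptable; the override is per-link and disappears with the tunnel, so it has to be re-applied after each connect, as danielmora notes.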