Fortinet Forum
Dimitri
New Contributor

FortiClient VPN for Linux DNS leak

Hi,

I am running the latest FortiClient VPN for Linux version 7.0.0.0018 on Ubuntu 20.04 LTS. The FortiGate is configured to send a simple name resolution configuration to SSL VPN clients: just two DNS servers (xxx.xxx.xxx.7 and xxx.xxx.xxx.6), no split DNS, no domain search list. Here is the redacted XML configuration sent by the FortiGate to the FortiClient:


<?xml version="1.0" encoding="utf-8"?>
<sslvpn-tunnel ver="2" dtls="1" patch="1">
  <dtls-config heartbeat-interval="10" heartbeat-fail-count="10" heartbeat-idle-timeout="10" client-hello-timeout="10"/>
  <tunnel-method value="ppp"/>
  <tunnel-method value="tun"/>
  <fos platform="FG22E1" major="6" minor="02" patch="10" build="1263" branch="1263"/>
  <auth-ses check-src-ip="1" tun-connect-without-reauth="0" tun-user-ses-timeout="30"/>
  <client-config save-password="off" keep-alive="off" auto-connect="off"/>
  <exclusive-routing>on</exclusive-routing>
  <ipv4>
    <dns ip="xxx.xxx.xxx.7"/>
    <dns ip="xxx.xxx.xxx.6"/>
    <assigned-addr ipv4="10.11.240.4"/>
  </ipv4>
  <idle-timeout val="1500"/>
  <auth-timeout val="43200"/>
</sslvpn-tunnel>


The default name resolution configuration looks like this, with two local DNS servers, 192.168.0.254 and fd0f:ee:b0::1:


$ systemd-resolve --status
[...]
Link 3 (wg0)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

Link 2 (enp0s31f6)
      Current Scopes: DNS          
DefaultRoute setting: yes          
       LLMNR setting: yes          
MulticastDNS setting: no           
  DNSOverTLS setting: no           
      DNSSEC setting: no           
    DNSSEC supported: no           
  Current DNS Server: 192.168.0.254
         DNS Servers: 192.168.0.254
                      fd0f:ee:b0::1
          DNS Domain: ~.           
                      --           
$ 


The FortiClient VPN for Linux 7.0.0.0018 fails to fully replace these default DNS servers with the new DNS servers specified by the FortiGate:


$ systemd-resolve --status
[...]
Link 8 (vpn)
      Current Scopes: DNS          
DefaultRoute setting: yes          
       LLMNR setting: yes          
MulticastDNS setting: no           
  DNSOverTLS setting: no           
      DNSSEC setting: no           
    DNSSEC supported: no           
  Current DNS Server: xxx.xxx.xxx.7
         DNS Servers: xxx.xxx.xxx.7
                      xxx.xxx.xxx.6
          DNS Domain: ~.           

Link 3 (wg0)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

Link 2 (enp0s31f6)
      Current Scopes: DNS          
DefaultRoute setting: yes          
       LLMNR setting: yes          
MulticastDNS setting: no           
  DNSOverTLS setting: no           
      DNSSEC setting: no           
    DNSSEC supported: no           
  Current DNS Server: fd0f:ee:b0::1
         DNS Servers: fd0f:ee:b0::1
                      xxx.xxx.xxx.7
                      xxx.xxx.xxx.6
          DNS Domain: ~.           
$ 

  • The local DNS server fd0f:ee:b0::1 is not replaced by FortiClient on Ethernet interface enp0s31f6, and becomes the primary DNS server.
  • Keeping ~. associated with both interfaces, the LAN interface (enp0s31f6 in this case) and vpn, does not give a clear priority to either set of DNS servers.

Instead, I would expect one of the new servers xxx.xxx.xxx.7 and xxx.xxx.xxx.6 to become the primary DNS server, by:

  • either defining them as the DNS servers for each interface (the LAN interface and the vpn interface),
  • or associating ~. only with the vpn interface, so that the DNS servers associated with that vpn interface are used preferentially for all domains.

This results in a DNS leak, as the local DNS server fd0f:ee:b0::1 is used while FortiClient is running, instead of the DNS servers specified by the FortiGate, xxx.xxx.xxx.7 and xxx.xxx.xxx.6. Any clue how to work around this FortiClient bug?
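The two conditions listed above can be checked mechanically. The following script is an added example, not code from this thread, from FortiClient or from Fortinet: it parses `systemd-resolve --status` / `resolvectl status` output in the layout shown in the post and reports any link other than the VPN link that still carries the `~.` routing domain or still points at DNS servers the FortiGate did not supply. The sample status text is constructed to mirror the post, with the redacted servers replaced by documentation-range addresses; the link name `vpn` and the expected server list are assumptions taken from the post.

```python
"""Check systemd-resolved per-link DNS state for the leak condition described above.

Added example (not from the thread, FortiClient or Fortinet). It parses the
per-link blocks printed by `systemd-resolve --status` / `resolvectl status`
and flags links that can still receive queries that should go through the VPN.
"""
import re
import subprocess

# Constructed sample: the "after connecting" status from the post, with the
# redacted servers replaced by 192.0.2.x (documentation range).
SAMPLE_STATUS = """\
Link 8 (vpn)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: 192.0.2.7
         DNS Servers: 192.0.2.7
                      192.0.2.6
          DNS Domain: ~.

Link 3 (wg0)
      Current Scopes: none
DefaultRoute setting: no

Link 2 (enp0s31f6)
      Current Scopes: DNS
DefaultRoute setting: yes
  Current DNS Server: fd0f:ee:b0::1
         DNS Servers: fd0f:ee:b0::1
                      192.0.2.7
                      192.0.2.6
          DNS Domain: ~.
"""

LINK_RE = re.compile(r"^Link \d+ \((?P<name>[^)]+)\)")
# Keys resolved prints per link; an indented line without one of these keys
# is a continuation of the previous multi-value field.
LIST_KEYS = {"DNS Servers": "servers", "DNS Domain": "domains"}
SCALAR_KEYS = {"Current DNS Server": "current", "DefaultRoute setting": "default_route"}
OTHER_KEYS = ("Current Scopes", "LLMNR setting", "MulticastDNS setting",
              "DNSOverTLS setting", "DNSSEC setting", "DNSSEC supported")


def parse_status(text):
    """Return {link: {"servers": [...], "domains": [...], "current": str|None, "default_route": str|None}}."""
    links, cur, field = {}, None, None
    for raw in text.splitlines():
        m = LINK_RE.match(raw)
        if m:
            cur = m.group("name")
            links[cur] = {"servers": [], "domains": [], "current": None, "default_route": None}
            field = None
            continue
        line = raw.strip()
        if cur is None or not line or line == "--":
            continue
        key = next((k for k in (*LIST_KEYS, *SCALAR_KEYS, *OTHER_KEYS)
                    if line.startswith(k + ":")), None)
        if key in LIST_KEYS:
            field = LIST_KEYS[key]
            # newer resolvectl prints all values on one line, older ones wrap;
            # splitting on whitespace handles both layouts
            links[cur][field].extend(line[len(key) + 1:].split())
        elif key in SCALAR_KEYS:
            field = None
            links[cur][SCALAR_KEYS[key]] = line[len(key) + 1:].strip()
        elif key is not None:
            field = None
        elif field:
            links[cur][field].extend(line.split())   # continuation line
    return links


def find_leaks(links, vpn_link, vpn_servers):
    """Return (link, reason) pairs for links that can still answer queries outside the VPN."""
    wanted = set(vpn_servers)
    findings = []
    for name, info in links.items():
        if name == vpn_link or not info["servers"]:
            continue   # no resolver on this link, nothing to leak to
        if "~." in info["domains"]:
            findings.append((name, "also carries the '~.' routing domain, so resolved may "
                                   "route queries for any name to this link's servers"))
        foreign = [s for s in info["servers"] if s not in wanted]
        if foreign:
            findings.append((name, "still lists non-VPN servers: " + ", ".join(foreign)))
        if info["current"] and info["current"] not in wanted:
            findings.append((name, f"current server {info['current']} is not VPN-supplied"))
    return findings


def live_status():
    """Read the running host's state (resolvectl ships with systemd 239 and later)."""
    return subprocess.run(["resolvectl", "status"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    links = parse_status(SAMPLE_STATUS)
    for link, why in find_leaks(links, "vpn", ["192.0.2.7", "192.0.2.6"]):
        print(f"DNS leak candidate on {link}: {why}")
```

Running it against the constructed sample reports three findings, all on `enp0s31f6`, which matches the two bullets above; replacing `SAMPLE_STATUS` with `live_status()` turns it into a quick post-connect check on a real Ubuntu 20.04 host.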

pvalente
Staff

Hi Dimitri, 


The FortiGate is configured to send a simple name resolution configuration to SSL VPN clients.


Could you please revise that configuration:


https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/960561/fortigate-dns-server


https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/752486/dns-domain-list


Best regards, 

Pedro

Pedro Valente
Dimitri
New Contributor

I am not the administrator of the FortiGate, so I cannot revise anything. That said, why do you think the VPN SSL configuration is incorrect? The administrators do not provide a domain search list on purpose, just DNS servers xxx.xxx.xxx.7 and xxx.xxx.xxx.6. They want computers connected to the VPN gateway to use the above DNS servers for any query. And as far as I can see, the XML configuration sent from the FortiGate to FortiClient, which I have intercepted, is correct:


  <ipv4>
    <dns ip="xxx.xxx.xxx.7"/>
    <dns ip="xxx.xxx.xxx.6"/>
    <assigned-addr ipv4="10.11.240.4"/>
  </ipv4>


Instead, this really looks like a minor vulnerability in FortiClient VPN for Linux, in that it results in DNS leaks.

Dimitri
New Contributor

Note that:

  • exclusive routing is on: <exclusive-routing>on</exclusive-routing>
  • no split DNS whatsoever is specified

Again, here is the XML configuration sent by the FortiGate to the FortiClient:

<?xml version="1.0" encoding="utf-8"?>
<sslvpn-tunnel ver="2" dtls="1" patch="1">
  <dtls-config heartbeat-interval="10" heartbeat-fail-count="10" heartbeat-idle-timeout="10" client-hello-timeout="10"/>
  <tunnel-method value="ppp"/>
  <tunnel-method value="tun"/>
  <fos platform="FG22E1" major="6" minor="02" patch="10" build="1263" branch="1263"/>
  <auth-ses check-src-ip="1" tun-connect-without-reauth="0" tun-user-ses-timeout="30"/>
  <client-config save-password="off" keep-alive="off" auto-connect="off"/>
  <exclusive-routing>on</exclusive-routing>
  <ipv4>
    <dns ip="xxx.xxx.xxx.7"/>
    <dns ip="xxx.xxx.xxx.6"/>
    <assigned-addr ipv4="10.11.240.4"/>
  </ipv4>
  <idle-timeout val="1500"/>
  <auth-timeout val="43200"/>
</sslvpn-tunnel>
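The `<sslvpn-tunnel>` document quoted in the first and third posts is small enough to check by hand, but the following added example (not code from the thread, from FortiClient or from Fortinet) does it mechanically: it parses the XML, confirms the two facts pointed out above (exclusive routing on, no split-DNS or search-list entries), and turns the `<dns ip=.../>` entries into the per-link resolved state the first post describes as the expected outcome, with the FortiGate servers and the `~.` routing domain on the VPN link only and the LAN link no longer acting as a DNS default route. The `resolvectl` lines it prints are a hypothetical manual workaround built from the standard `dns`, `domain` and `default-route` verbs; the XML copy is constructed with documentation-range addresses in place of the redacted ones, and the link names `vpn` and `enp0s31f6` are assumptions taken from the post.

```python
"""Derive the expected systemd-resolved state from the FortiGate sslvpn-tunnel XML.

Added example (not from the thread, FortiClient or Fortinet). Models only the
case shown in the posts: exclusive routing on, DNS servers given, no split DNS.
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed copy of the posted configuration, 192.0.2.x in place of the redacted servers.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<sslvpn-tunnel ver="2" dtls="1" patch="1">
  <tunnel-method value="ppp"/>
  <tunnel-method value="tun"/>
  <exclusive-routing>on</exclusive-routing>
  <ipv4>
    <dns ip="192.0.2.7"/>
    <dns ip="192.0.2.6"/>
    <assigned-addr ipv4="10.11.240.4"/>
  </ipv4>
</sslvpn-tunnel>
"""

# Element names that would carry split-DNS / search-list data if the gateway sent
# any. These names are assumptions; the posted configuration contains none of them.
SPLIT_DNS_TAGS = ("split-dns", "dns-suffix", "domain")


def parse_tunnel_config(xml_text):
    """Extract the name-resolution facts from the sslvpn-tunnel document."""
    root = ET.fromstring(xml_text)
    if root.tag != "sslvpn-tunnel":
        raise ValueError(f"unexpected root element {root.tag!r}")
    ipv4 = root.find("ipv4")
    servers = [d.get("ip") for d in (ipv4.findall("dns") if ipv4 is not None else [])]
    exclusive = root.findtext("exclusive-routing", default="off").strip() == "on"
    split = [e.tag for e in root.iter() if e.tag in SPLIT_DNS_TAGS]
    return {"servers": servers, "exclusive_routing": exclusive, "split_dns": split,
            "tunnel_methods": [t.get("value") for t in root.findall("tunnel-method")]}


def expected_link_state(config, vpn_link, lan_links):
    """Per-link state the first post expects: only vpn_link routes the '~.' domain."""
    if not config["servers"]:
        raise ValueError("gateway sent no DNS servers")
    if config["split_dns"]:
        raise ValueError("split DNS present; this helper only models the no-split case")
    state = {vpn_link: {"servers": config["servers"], "domains": ["~."], "default_route": True}}
    for link in lan_links:
        # The LAN link keeps whatever servers it has (servers=None means "leave
        # unchanged") but stops being a default route for unqualified names,
        # which is what gives the VPN servers clear priority.
        state[link] = {"servers": None, "domains": [], "default_route": False}
    return state


def resolvectl_commands(state):
    """Render the state as resolvectl invocations (a manual workaround, not FortiClient's own)."""
    cmds = []
    for link, s in state.items():
        if s["servers"] is not None:
            cmds.append("resolvectl dns " + " ".join(map(shlex.quote, [link, *s["servers"]])))
        # resolvectl clears a link's domain list when given a single empty string.
        domains = s["domains"] or [""]
        cmds.append("resolvectl domain " + " ".join(map(shlex.quote, [link, *domains])))
        cmds.append(f"resolvectl default-route {shlex.quote(link)} "
                    f"{'yes' if s['default_route'] else 'no'}")
    return cmds


if __name__ == "__main__":
    cfg = parse_tunnel_config(SAMPLE_XML)
    print("gateway DNS:", cfg["servers"], "| exclusive routing:", cfg["exclusive_routing"])
    for cmd in resolvectl_commands(expected_link_state(cfg, "vpn", ["enp0s31f6"])):
        print(cmd)
```

Two caveats if the printed commands are used as a stopgap: per-link settings applied with `resolvectl` are overwritten the next time NetworkManager or FortiClient reconfigures the link (so they have to be reapplied after each reconnect), and `resolvectl revert enp0s31f6` restores the link's original settings once the tunnel is down. The other option listed in the first post, pushing the FortiGate servers onto every link, would be a different `expected_link_state`.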