no_one
New Contributor

DNS settings on Ubuntu 22.04 and FortiClient VPN 7.0.0.0018

I have a strange problem when I connect to a company VPN with the FortiClient application. At first I did not know what was wrong. After spending some time, I figured out that DNS is not working as it should. Unfortunately, I have no idea whose fault that is. It may be FortiClient VPN, systemd-resolved, or something else. I am using Ubuntu 22.04, which is not an official version yet, but I doubt it will get any better until the official release in a week or two.

 

This is output from resolvectl before VPN is established:

username@hostname:~$ resolvectl
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp2s0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (wlp1s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1 2a00:ee0:d::13 2a00:ee0:e::13
        DNS Domain: --

After VPN is established resolvectl reports additional link called vpn:

username@hostname:~$ resolvectl
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp2s0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (wlp1s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 172.20.1.21
       DNS Servers: 172.20.1.16 172.20.1.21 2a00:ee0:d::13 2a00:ee0:e::13
        DNS Domain: company.com

Link 5 (vpn)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

As you can see additional DNS servers are added to Link 3, which should help me resolve internal names when connected to VPN. Strange thing is that when I write

username@hostname:~$ resolvectl query name.company.com
name.company.com: resolve call failed: 'name.company.com' not found

I do not get anything. If I try with nslookup like this

username@hostname:~$ nslookup
> server 172.20.1.16
Default server: 172.20.1.16
Address: 171.20.1.16#53
> name.company.com
Server:     172.20.1.16
Address:    172.20.1.16#53

Name:   name.company.com
Address: 172.20.38.251

I get the correct answer. Since this was strange, I traced network traffic to see what nslookup does differently than resolvectl query.

It turned out that nslookup uses a VPN assigned address for the source IP when asking DNS for a name. On the other hand, resolvectl query uses all other addresses for source IP except the one assigned by VPN. Because of that I guess DNS server does not have the route to send back an answer correctly to my computer, or DNS queries may even not reach the newly added DNS servers.

Because of that none of the programs I need can resolve the names correctly. The result is that I cannot connect anywhere within a VPN with a domain name.

Does anybody have an idea how to make resolvectl realize there is a newly assigned VPN address, and that it should use it as the source IP? Should FortiClient do some additional configuration on establishing a connection? Probably not.

I tried to restart systemd-resolved after VPN is established, but it does not help. Should I restart some other service? Which one?

 

I have checked how DNS is setup in network settings, and they are correct. Without VPN the network interface wlp1s0 shows:

username@hostname:~$ nmcli device show wlp1s0 | grep DNS
IP4.DNS[1]:                             192.168.1.1
IP6.DNS[1]:                             2a00:ee0:d::13
IP6.DNS[2]:                             2a00:ee0:e::13

After VPN is connected:

username@hostname:~$ nmcli device show wlp1s0 | grep DNS
IP4.DNS[1]:                             172.20.1.16
IP4.DNS[2]:                             172.20.1.21
username@hostname:~$ nmcli device show vpn | grep DNS
IP4.DNS[1]:                             172.20.1.16
IP4.DNS[2]:                             172.20.1.21

 

jmichels

I'm looking for a replacement. The most senior people on the IT teams use Linux and this kind of support doesn't cut it. They clearly think Linux support is not important. They clearly don't know who makes the tech decisions.

f_sfetea
New Contributor II

Perhaps this is related:
Our workaround for FCT 7.0.4 & 7.0.6 SSO with the built-in Chrome-based browser is:

you need to edit NM config

sudo vi /etc/NetworkManager/NetworkManager.conf

and append the

[keyfile]
unmanaged-devices=interface-name:vpn*,except:interface-name:enp0s3;interface-name:wlan*

then restart your service

$ sudo systemctl restart NetworkManager.service

 

The External Browser (default own OS browser) option for SSO does not seem to work for the moment and presents a JS error: sendSslvpnAuthId is not a function.

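To make the NetworkManager change above repeatable, here is an added helper script (not from the thread, Fortinet or NetworkManager) that adds the `unmanaged-devices` entry to a `[keyfile]` section idempotently and reports whether anything changed, so you know whether `systemctl restart NetworkManager.service` is needed. It takes the config path as an argument so it can be tried on a copy first. It assumes the tunnel interface is named `vpn*` and lists only that entry: in NetworkManager's device-list syntax the entries are separated by `;` or `,`, `except:` negates only the entry it prefixes, and every other entry stands on its own, so an additional `interface-name:wlan*` entry would mark those devices unmanaged as well. Check `nmcli device` afterwards to confirm only the tunnel shows as unmanaged.

```shell
#!/bin/sh
# Added example, not code from the thread: idempotently tell NetworkManager to
# leave the FortiClient tunnel interface alone. Assumption: the tunnel is named
# vpn*. Usage: sudo sh nm-unmanage-vpn.sh [/etc/NetworkManager/NetworkManager.conf]
UNMANAGED='interface-name:vpn*'

# ensure_unmanaged CONF: make sure a [keyfile] section in CONF carries
# unmanaged-devices=interface-name:vpn*. Prints "unchanged", "updated" (an
# existing unmanaged-devices line was extended) or "added" (key or section added).
ensure_unmanaged() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf" || return 1
    has_key=0
    if grep -q '^unmanaged-devices=' "$conf"; then
        if grep '^unmanaged-devices=' "$conf" | grep -qF -- "$UNMANAGED"; then
            printf 'unchanged\n'
            return 0
        fi
        has_key=1
        result=updated
    else
        result=added
    fi
    tmp=$(mktemp) || return 1
    awk -v spec="$UNMANAGED" -v has_key="$has_key" '
        # an unmanaged-devices line exists: append our entry to it
        has_key == 1 && /^unmanaged-devices=/ && index($0, spec) == 0 { $0 = $0 ";" spec }
        # no key yet but a [keyfile] section exists: put the key right under its header
        has_key == 0 && !inserted && /^\[keyfile\][[:space:]]*$/ {
            print; print "unmanaged-devices=" spec; inserted = 1; next
        }
        { print }
        # neither key nor section: append a new [keyfile] section
        END { if (has_key == 0 && !inserted) { print ""; print "[keyfile]"; print "unmanaged-devices=" spec } }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"      # cat, not mv: keeps the owner and mode of the original file
    rm -f "$tmp"
    printf '%s\n' "$result"
}

# Only edit a real file when a path (or none, meaning the default) is given on
# the command line; sourcing the file for its functions changes nothing.
if [ $# -gt 0 ]; then
    status=$(ensure_unmanaged "${1:-/etc/NetworkManager/NetworkManager.conf}") || exit 1
    echo "$status"
    [ "$status" = unchanged ] || echo "now run: sudo systemctl restart NetworkManager.service"
fi
```

A drop-in file such as `/etc/NetworkManager/conf.d/forticlient-vpn.conf` containing the same two lines is the less invasive alternative to editing `NetworkManager.conf` itself, and the same function can target it: `ensure_unmanaged /etc/NetworkManager/conf.d/forticlient-vpn.conf`.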

 

SlavaS
New Contributor II

Your solution worked, thanks !!

claudemir
New Contributor II

Thanks for your reply. Works for me. Congratulations! 

Paul_Crenis

I'm on Ubuntu 22.04 LTS with FortiClient VPN 7.0.2.0063 and this solution also worked for me.

robertokir

Your solution worked for me, thank you very much! I had previously had to install a Proprietary OS® in a Virtual Machine to use FortiClient VPN, and for that I had to get more RAM, and since my ThinkPad T540p couldn't take more than 16 GB I had to buy another computer!!! I just wish I had seen your post before, although it feels good to have a much faster computer now, but just to show how embarrassing the situation is... I hope this doesn't have to do directly with the Fortinet development team, as it would attest to quite an ethical flaw to leave users subject to this.

robertokir

It stopped working, I've spent a few hours trying to make it work again, no use, I'm back to submission to the Proprietary OS®   :(

jw-websensa
New Contributor

I am struggling with DNS on FortiClient in multiple versions (7.0.0, 7.0.7)

Firstly I tried to set up split DNS, but of course it did not work on any Ubuntu machine.

I tried to talk about it with support, even received some unreleased build of client, but it is still not working properly.

Now I decided to manually set the DNS server for the connection (no split), which worked on Ubuntu 20.04, but (of course) not on 22.04.

I find it extremely frustrating, and I have definitely spent too much time on that.

anushty
New Contributor II

Good post, like it.

SlavaS
New Contributor II

Has anyone tried to switch back to X11 from Wayland and see if it fixes the problem? After the Ubuntu upgrade from 20.04 to 22.04, Wayland became the default, and my laptop started acting weirdly at times: sometimes slowing down, VPN not connecting, flickering on some screens, freezing when you move a window from one monitor to the other (connected to HDMI as external). Flipping back to X11 solved a lot of those issues. And VPN continued working as it used to (on 20.04 I was using X11 because of the same weird behavior).

 
