I have a strange problem when I connect to a company VPN with the FortiClient application. At first I did not know what was wrong. After spending some time on it, I figured out that DNS is not working as it should. Unfortunately, I have no idea whose fault that is. It may be FortiClient VPN, systemd-resolved, or something else. I am using Ubuntu 22.04, which is not an official release yet, but I doubt it will get any better before the official release in a week or two.
This is the output from resolvectl before the VPN is established:

    username@hostname:~$ resolvectl
    Global
      Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
      resolv.conf mode: stub

    Link 2 (enp2s0)
      Current Scopes: none
      Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

    Link 3 (wlp1s0)
      Current Scopes: DNS
      Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
      Current DNS Server: 192.168.1.1
      DNS Servers: 192.168.1.1 2a00:ee0:d::13 2a00:ee0:e::13
      DNS Domain: --
After the VPN is established, resolvectl reports an additional link called vpn:

    username@hostname:~$ resolvectl
    Global
      Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
      resolv.conf mode: stub

    Link 2 (enp2s0)
      Current Scopes: none
      Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

    Link 3 (wlp1s0)
      Current Scopes: DNS
      Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
      Current DNS Server: 172.20.1.21
      DNS Servers: 172.20.1.16 172.20.1.21 2a00:ee0:d::13 2a00:ee0:e::13
      DNS Domain: company.com

    Link 5 (vpn)
      Current Scopes: none
      Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
As you can see, additional DNS servers are added to Link 3, which should help me resolve internal names when connected to the VPN. The strange thing is that when I run

    username@hostname:~$ resolvectl query name.company.com
    name.company.com: resolve call failed: 'name.company.com' not found
I do not get anything. If I try with nslookup like this

    username@hostname:~$ nslookup
    > server 172.20.1.16
    Default server: 172.20.1.16
    Address: 172.20.1.16#53
    > name.company.com
    Server:  172.20.1.16
    Address: 172.20.1.16#53

    Name:    name.company.com
    Address: 172.20.38.251
I get the correct answer. Since this was strange, I traced the network traffic to see what nslookup does differently from resolvectl query.
It turned out that nslookup uses the VPN-assigned address as the source IP when asking the DNS server for a name. On the other hand, resolvectl query uses all the other addresses as the source IP except the one assigned by the VPN. Because of that, I guess the DNS server does not have a route to send the answer back to my computer correctly, or the DNS queries may not even reach the newly added DNS servers.
Because of that, none of the programs I need can resolve the names correctly. The result is that I cannot connect anywhere within the VPN using a domain name.
Does anybody have an idea how to make resolvectl realize there is a newly assigned VPN address, and that it should use it as the source IP? Should FortiClient do some additional configuration on establishing a connection? Probably not.
I tried restarting systemd-resolved after the VPN is established, but it does not help. Should I restart some other service? Which one?
I have checked how DNS is set up in the network settings, and it is correct. Without the VPN, the network interface wlp1s0 shows:

    username@hostname:~$ nmcli device show wlp1s0 | grep DNS
    IP4.DNS[1]:                             192.168.1.1
    IP6.DNS[1]:                             2a00:ee0:d::13
    IP6.DNS[2]:                             2a00:ee0:e::13
After the VPN is connected:

    username@hostname:~$ nmcli device show wlp1s0 | grep DNS
    IP4.DNS[1]:                             172.20.1.16
    IP4.DNS[2]:                             172.20.1.21
    username@hostname:~$ nmcli device show vpn | grep DNS
    IP4.DNS[1]:                             172.20.1.16
    IP4.DNS[2]:                             172.20.1.21
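The resolvectl output above shows the cause of the mismatch the poster traced: the pushed servers 172.20.1.16 and 172.20.1.21 and the search domain company.com are attached to Link 3 (wlp1s0), while Link 5 (vpn) has no DNS configuration at all. systemd-resolved sends queries for a link's servers out of that link, so they leave over Wi-Fi with the LAN address rather than through the tunnel, which is exactly what the trace showed. nslookup, by contrast, just opens a socket to 172.20.1.16 and lets the kernel pick the tunnel route. One runtime workaround is to attach the pushed servers and domain to the vpn link with resolvectl. The script below is an added example, not code from the original post or from Fortinet or systemd: it compares the text of resolvectl before and after the VPN comes up, works out which servers the client pushed, and prints the resolvectl commands that would move them. The link names wlp1s0 and vpn and the addresses are the ones from the post; the two samples are constructed from the post's own resolvectl output, trimmed to the lines that matter.

```shell
#!/bin/sh
# Added example (not from the original post or from Fortinet/systemd).
# Given the text of `resolvectl` before and after the VPN came up, find the
# DNS servers and search domain the VPN client attached to the physical uplink
# and print the resolvectl commands that attach them to the VPN link instead.
# Nothing is changed until you pipe the printed commands to sh.

# Print the "DNS Servers:" list of one link. $1 = link name, stdin = resolvectl output.
link_dns_servers() {
    awk -v want="$1" '
        /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); next }
        link == want && /^ *DNS Servers:/ { sub(/^ *DNS Servers: */, ""); print; exit }
    '
}

# Print the "DNS Domain:" of one link; prints nothing when resolvectl shows "--".
link_dns_domain() {
    awk -v want="$1" '
        /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); next }
        link == want && /^ *DNS Domain:/ { sub(/^ *DNS Domain: */, ""); if ($0 != "--") print; exit }
    '
}

# plan_vpn_dns BEFORE_TEXT AFTER_TEXT UPLINK VPNLINK
# Prints the resolvectl commands; returns 1 if the uplink gained no servers.
plan_vpn_dns() {
    before=$(printf '%s\n' "$1" | link_dns_servers "$3")
    after=$(printf '%s\n' "$2" | link_dns_servers "$3")
    domain=$(printf '%s\n' "$2" | link_dns_domain "$3")
    pushed=""; keep=""
    # Servers present after but not before are the ones the VPN client pushed.
    for s in $after; do
        case " $before " in
            *" $s "*) keep="$keep $s" ;;
            *)        pushed="$pushed $s" ;;
        esac
    done
    pushed=${pushed# }; keep=${keep# }
    if [ -z "$pushed" ]; then
        echo "no new DNS servers on $3; nothing to move" >&2
        return 1
    fi
    # Attach the pushed servers (and the search domain, if any) to the tunnel
    # link, so resolved sends those queries out of the tunnel with its address.
    echo "resolvectl dns $4 $pushed"
    if [ -n "$domain" ]; then
        echo "resolvectl domain $4 $domain"
    fi
    # Leave the uplink with only the servers it already had before the VPN.
    if [ -n "$keep" ]; then
        echo "resolvectl dns $3 $keep"
    fi
}

# Constructed samples in resolvectl's layout, cut down from the post's output.
BEFORE_SAMPLE='Link 3 (wlp1s0)
  Current Scopes: DNS
  Current DNS Server: 192.168.1.1
  DNS Servers: 192.168.1.1 2a00:ee0:d::13 2a00:ee0:e::13
  DNS Domain: --'
AFTER_SAMPLE='Link 3 (wlp1s0)
  Current Scopes: DNS
  Current DNS Server: 172.20.1.21
  DNS Servers: 172.20.1.16 172.20.1.21 2a00:ee0:d::13 2a00:ee0:e::13
  DNS Domain: company.com
Link 5 (vpn)
  Current Scopes: none'

# Dry run on the samples. On a real machine: resolvectl > before.txt, connect the
# VPN, resolvectl > after.txt, then:
#   plan_vpn_dns "$(cat before.txt)" "$(cat after.txt)" wlp1s0 vpn | sudo sh
demo() { plan_vpn_dns "$BEFORE_SAMPLE" "$AFTER_SAMPLE" wlp1s0 vpn; }
demo
```

On the post's data the dry run prints `resolvectl dns vpn 172.20.1.16 172.20.1.21`, `resolvectl domain vpn company.com` and `resolvectl dns wlp1s0 2a00:ee0:d::13 2a00:ee0:e::13`. These are runtime settings: they disappear when the vpn link goes down, and a connection manager that owns the link may reapply its own configuration, so rerun the plan after each connect and confirm with `resolvectl query name.company.com`. The script does not touch the `DNS Domain` left on wlp1s0; check it with `resolvectl domain wlp1s0` if you want the search domain on the tunnel link only.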
I'm looking for a replacement. The most senior people on the IT teams use Linux and this kind of support doesn't cut it. They clearly think Linux support is not important. They clearly don't know who makes the tech decisions.
Perhaps this is related:
Our workaround for FCT 7.0.4 & 7.0.6 SSO with the built-in Chrome-based browser is:
you need to edit the NM config

    sudo vi /etc/NetworkManager/NetworkManager.conf

and append the

    [keyfile]
    unmanaged-devices=interface-name:vpn*,except:interface-name:enp0s3;interface-name:wlan*

then restart your service

    $ sudo systemctl restart NetworkManager.service

The External Browser (default own OS browser) option for SSO does not seem to work for the moment and presents a JS error: sendSslvpnAuthId is not a function
Your solution worked, thanks !!
Thanks for your reply. Works for me. Congratulations!
I'm on Ubuntu 22.04 LTS with FortiClient VPN 7.0.2.0063 and this solution also worked for me.
Created on 09-14-2023 05:16 AM Edited on 09-14-2023 05:19 AM
Your solution worked for me, thank you very much! I had previously had to install a Proprietary OS® in a Virtual Machine to use FortiClient VPN, and for that I had to get more RAM, and since my ThinkPad T540p couldn't take more than 16 GB I had to buy another computer!!! I just wish I had seen your post before, although it feels good to have a much faster computer now, but just to show how embarrassing the situation is... I hope this doesn't have to do directly with the Fortinet development team, as it would attest to quite an ethical flaw to leave users subject to this.
It stopped working, I've spent a few hours trying to make it work again, no use, I'm back to submission to the Proprietary OS® :(
I am struggling with DNS on FortiClient in multiple versions (7.0.0, 7.0.7).
Firstly I tried to set up split DNS, but of course it did not work on any Ubuntu machine.
I tried to talk about it with support, and even received some unreleased build of the client, but it is still not working properly.
Now I decided to manually set the DNS server for the connection (no split), which worked on Ubuntu 20.04, but (of course) not on 22.04.
I find it extremely frustrating and I have definitely spent too much time on that.
good post like it
Has anyone tried to switch back to X11 from Wayland and see if it fixes the problem? After the Ubuntu upgrade from 20.04 to 22.04, Wayland became the default, and my laptop started acting weirdly at times: sometimes slowing down, VPN not connecting, flickering on some screens, freezing when you move a window from one monitor to the other (connected to HDMI as external). Flipping back to X11 solved a lot of those issues. And VPN continued working as it used to (on 20.04 I was using X11 because of the same weird behavior).
Copyright 2024 Fortinet, Inc. All Rights Reserved.