Hi,
I am running the latest FortiClient VPN for Linux version 7.0.0.0018 on Ubuntu 20.04 LTS. The FortiGate is configured to send a simple name resolution configuration to SSL VPN clients: just two DNS servers (xxx.xxx.xxx.7 and xxx.xxx.xxx.6), no split DNS, no domain search list. Here is the redacted XML configuration sent by the FortiGate to the FortiClient:
<?xml version="1.0" encoding="utf-8"?>
<sslvpn-tunnel ver="2" dtls="1" patch="1">
  <dtls-config heartbeat-interval="10" heartbeat-fail-count="10" heartbeat-idle-timeout="10" client-hello-timeout="10"/>
  <tunnel-method value="ppp"/>
  <tunnel-method value="tun"/>
  <fos platform="FG22E1" major="6" minor="02" patch="10" build="1263" branch="1263"/>
  <auth-ses check-src-ip="1" tun-connect-without-reauth="0" tun-user-ses-timeout="30"/>
  <client-config save-password="off" keep-alive="off" auto-connect="off"/>
  <exclusive-routing>on</exclusive-routing>
  <ipv4>
    <dns ip="xxx.xxx.xxx.7"/>
    <dns ip="xxx.xxx.xxx.6"/>
    <assigned-addr ipv4="10.11.240.4"/>
  </ipv4>
  <idle-timeout val="1500"/>
  <auth-timeout val="43200"/>
</sslvpn-tunnel>
The default name resolution configuration looks like this, with two local DNS servers, 192.168.0.254 and fd0f:ee:b0::1:
$ systemd-resolve --status
[...]
Link 3 (wg0)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Link 2 (enp0s31f6)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.168.0.254
DNS Servers: 192.168.0.254
fd0f:ee:b0::1
DNS Domain: ~.
--
$
The FortiClient VPN for Linux 7.0.0.0018 fails to fully replace these default DNS servers with the new DNS servers specified by the FortiGate:
$ systemd-resolve --status
[...]
Link 8 (vpn)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: xxx.xxx.xxx.7
DNS Servers: xxx.xxx.xxx.7
xxx.xxx.xxx.6
DNS Domain: ~.
Link 3 (wg0)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Link 2 (enp0s31f6)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: fd0f:ee:b0::1
DNS Servers: fd0f:ee:b0::1
xxx.xxx.xxx.7
xxx.xxx.xxx.6
DNS Domain: ~.
$
Instead, I would expect one of the new servers xxx.xxx.xxx.7 and xxx.xxx.xxx.6 to become the primary DNS server, by:
This results in a DNS leak, as the local DNS server fd0f:ee:b0::1 is used while FortiClient is running, instead of the DNS servers specified by the FortiGate, xxx.xxx.xxx.7 and xxx.xxx.xxx.6. Any clue how to work around this FortiClient bug?
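As an added check (not part of the original post, and not FortiClient or Fortinet code), the script below parses the pushed <sslvpn-tunnel> XML for the expected DNS servers, walks a `systemd-resolve --status` capture, and reports every non-VPN link that still routes default-domain queries to a server the gateway did not push. The addresses and the abbreviated status output are constructed placeholders mirroring the thread.

```python
"""Added example (not FortiClient/Fortinet code): compare the DNS servers a
FortiGate pushed in <sslvpn-tunnel> XML with `systemd-resolve --status`."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the pushed config (documentation addresses).
TUNNEL_XML = """<sslvpn-tunnel ver="2" dtls="1" patch="1"><ipv4>
<dns ip="198.51.100.7"/><dns ip="198.51.100.6"/></ipv4></sslvpn-tunnel>"""
# Constructed sample of `systemd-resolve --status` with the tunnel up, cut
# down to the fields the check reads; the IPv6 server on the LAN link leaks.
RESOLVE_STATUS = """Link 8 (vpn)
DefaultRoute setting: yes
DNS Servers: 198.51.100.7
198.51.100.6
DNS Domain: ~.
Link 2 (enp0s31f6)
DefaultRoute setting: yes
DNS Servers: fd0f:ee:b0::1
198.51.100.7
198.51.100.6
DNS Domain: ~."""

def pushed_dns(xml_text):
    """Set of DNS server addresses the FortiGate told the client to use."""
    return {d.get("ip") for d in ET.fromstring(xml_text).iter("dns")}

def parse_links(status_text):
    """{link: {"default_route": bool, "servers": [...]}} per Link section."""
    links, cur, in_servers = {}, {"default_route": False, "servers": []}, False
    for line in map(str.strip, status_text.splitlines()):  # Global section -> dummy cur
        link = re.match(r"Link \d+ \((\S+)\)", line)
        field = re.match(r"([A-Za-z ]+): (.*)$", line)  # "Key: value" lines
        if link:
            cur = links[link.group(1)] = {"default_route": False, "servers": []}
            in_servers = False
        elif field and field.group(1) == "DefaultRoute setting":
            cur["default_route"], in_servers = field.group(2) == "yes", False
        elif field and field.group(1) == "DNS Servers":
            cur["servers"], in_servers = field.group(2).split(), True
        elif not field and in_servers and line:  # bare address: continuation line
            cur["servers"] += line.split()
        else:
            in_servers = False
    return links

def dns_leaks(xml_text, status_text, vpn_link="vpn"):
    """Non-VPN links still routing default queries to a server not pushed by the gateway."""
    expected = pushed_dns(xml_text)
    return {name: [s for s in info["servers"] if s not in expected]
            for name, info in parse_links(status_text).items()
            if name != vpn_link and info["default_route"] and set(info["servers"]) - expected}
```

Run against real output with `dns_leaks(open("tunnel.xml").read(), subprocess.check_output(["systemd-resolve", "--status"], text=True))`; an empty dict means every default-route link only uses gateway-pushed servers.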
Hi Dimitri,
The FortiGate is configured to send a simple name resolution configuration to SSL VPN clients.
Could you please revise that configuration:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/960561/fortigate-dns-server
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/752486/dns-domain-list
Best regards,
Pedro
I am not the administrator of the FortiGate, so I cannot revise anything. That said, why do you think the VPN SSL configuration is incorrect? The administrators do not provide a domain search list on purpose, just DNS servers xxx.xxx.xxx.7 and xxx.xxx.xxx.6. They want computers connected to the VPN gateway to use the above DNS servers for any query. And as far as I can see, the XML configuration sent from the FortiGate to FortiClient, which I have intercepted, is correct:
<ipv4>
  <dns ip="xxx.xxx.xxx.7"/>
  <dns ip="xxx.xxx.xxx.6"/>
  <assigned-addr ipv4="10.11.240.4"/>
</ipv4>
Instead, this really looks like a minor vulnerability in FortiClient VPN for Linux, in that it results in DNS leaks.
Note that:
Again, here is the XML configuration sent by the FortiGate to the FortiClient:
<?xml version="1.0" encoding="utf-8"?>
<sslvpn-tunnel ver="2" dtls="1" patch="1">
  <dtls-config heartbeat-interval="10" heartbeat-fail-count="10" heartbeat-idle-timeout="10" client-hello-timeout="10"/>
  <tunnel-method value="ppp"/>
  <tunnel-method value="tun"/>
  <fos platform="FG22E1" major="6" minor="02" patch="10" build="1263" branch="1263"/>
  <auth-ses check-src-ip="1" tun-connect-without-reauth="0" tun-user-ses-timeout="30"/>
  <client-config save-password="off" keep-alive="off" auto-connect="off"/>
  <exclusive-routing>on</exclusive-routing>
  <ipv4>
    <dns ip="xxx.xxx.xxx.7"/>
    <dns ip="xxx.xxx.xxx.6"/>
    <assigned-addr ipv4="10.11.240.4"/>
  </ipv4>
  <idle-timeout val="1500"/>
  <auth-timeout val="43200"/>
</sslvpn-tunnel>
Created on 02-17-2023 02:23 PM Edited on 02-17-2023 02:35 PM
I was having the same issue on Ubuntu 20.04 LTS.
This has worked for me:
nmcli c modify <vpn-settings-name> ipv4.dns-search '<domain>'
You should specify a <vpn-settings-name> that corresponds to a VPN setting name in the GUI, and <domain> is the domain name you want to search via DNS in the remote network.
After reconnecting to VPN, systemd-resolved status ppp0 shows:
Link 6 (ppp0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.168.1.1
DNS Servers: 192.168.1.1 (<--- my dns)
192.168.1.10
DNS Domain: corp
Source:
https://askubuntu.com/questions/1147134/dns-settings-on-network-manager-when-using-vpn#1183690
My "resolvectl status" before: