pablo-yanez
New Contributor

Using forticlient vpn on linux without graphical user interface

Hi

I have a customer that has given me VPN access to his network. The customer is using FortiClient VPN.

I want to run the VPN on a private virtual machine (running Debian 12) without a graphical user interface (neither X11 nor Wayland). Following https://www.fortinet.com/support/product-downloads/linux I was able to install it. With "forticlient vpn edit" I was able to create a new profile and with "forticlient vpn connect" I'm able to start the VPN connection.

However, for this particular customer I always get an "X509 verify certificate failed" error and need to explicitly allow the connection. On my main desktop I started the GUI and saw that in the settings there is the option "Do not warn Invalid Server Certificate", but the "forticlient" CLI does not have a subcommand to set the settings. Even executing it as root, I cannot find a way to set this option.

I managed to log in on my VM via SSH with X11 forwarding. I can execute stuff like "xterm" even as root. I called "forticlient gui" and the GUI was rendered. But when I click on "Unlock settings", all I can see in the stdout of the terminal is "05:18:17.661 › IPC_RENDERER_REQUEST.UNLOCK_FORTICLIENT" but the settings remain locked. So I cannot select the property I want. I tried it as a non-root user and as root user, always with the same result.

How can I set the "Do not warn Invalid Server Certificate" option without using the GUI? Is this even possible? Are there other command line options for /opt/forticlient/gui/FortiClient other than --no-sandbox? --help does not show any help, it just starts the GUI.

And why is the GUI not unlocking the settings, not even as root?

// edit: my VM is running with VirtualBox without TPM. When I execute "journalctl -f -u forticlient.service" to see the logs of /opt/forticlient/fctsched, I can see these errors:

Jun 25 04:36:46 swm fctsched[537]: ERROR:tcti:src/tss2-tcti/tcti-device.c:456:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory
Jun 25 04:36:46 swm fctsched[537]: ERROR:tcti:src/tss2-tcti/tcti-device.c:456:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory
Jun 25 04:36:46 swm fctsched[537]: ERROR:tcti:src/tss2-tcti/tcti-device.c:456:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tcm0: No such file or directory
Jun 25 04:36:46 swm fctsched[537]: ERROR:tcti:src/tss2-tcti/tctildr-nodl.c:168:tctildr_get_default() No standard TCTI could be loaded

Could that be the reason why the settings cannot be unlocked?

Thanks.

AEK
SuperUser

Hi Pablo

I don't see a relationship between those error logs and the issue you are facing.

You can try using another version of FCT VPN (like 7.4.3, 7.2.10 & 7.0.14) and see if it helps.

Another possible solution (as you are using Linux) is to use the fortisslvpn plugin for NetworkManager instead of FortiClient VPN. You just add the sha256 digest of the remote certificate to the connection config and you will not be prompted anymore.

AEK
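
For the certificate-digest approach mentioned in the reply above, the following added example (not part of the original thread and not Fortinet or NetworkManager code) computes the SHA-256 digest of the certificate a gateway presents and checks it against a pinned value. It assumes the digest wanted is the lowercase hex SHA-256 of the DER-encoded certificate; the sample bytes are constructed and the function names are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl
import sys

# Constructed sample: NOT a real certificate, just bytes in a PEM wrapper so
# the example runs offline. The digest only depends on the DER bytes.
SAMPLE_DER = b"constructed-placeholder-for-gateway-certificate-der-bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def cert_sha256(cert):
    """Lowercase hex SHA-256 of the DER encoding; accepts PEM str or DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return hashlib.sha256(der).hexdigest()


def normalize_pin(pin):
    """Accept 'AA:BB:..' (openssl style) or plain hex; return lowercase hex."""
    cleaned = pin.strip().replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("pin is not a SHA-256 digest (64 hex characters)")
    return cleaned


def matches_pin(cert, pin):
    """True only if the certificate's digest equals the pinned digest."""
    return hmac.compare_digest(cert_sha256(cert), normalize_pin(pin))


def fetch_gateway_cert(host, port=443, timeout=10):
    """Fetch the leaf certificate (DER) the gateway presents, without validating
    it. The result is untrusted until its digest is confirmed out of band."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage: python cert_pin.py <gateway-host> <port>   (hypothetical script name)
    print(cert_sha256(fetch_gateway_cert(sys.argv[1], int(sys.argv[2]))))
```

Compare the printed digest with one obtained from the gateway administrator over a separate channel before adding it to the connection config; a digest taken only from the live connection pins whatever certificate was presented at that moment.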