之前在工作中時有遇到要安裝VPN 端點工具,而VPN 的環境是用 Forticlient 實踐的。在官方網站中也有針對 Linux 開發,所以只需要去官方下載Linux 版本就可以了!怎樣,是不是比想像中還要簡單呀!
在這邊我們直接下載 僅限 FortiClient VPN 就可以了。
然後針對Linux 是 Debian 還是 RedHat 系列下載對應的軟體包,我是Debain 所以就下載 .deb。
$ sudo apt install ./forticlient_vpn_7.0.0.0018_amd64.deb
安裝完成之後,開始 fortiClient 連線視窗,依VPN 伺服器的設定就可以了。
或是帥氣的下指令也是可以
$ /opt/forticlient/fortivpn edit my_vpn_name
=====================
Create new VPN profile: my_vpn_name
=====================
Remote Gateway: xxx.xxx.xxx.xxx
Port [default=443]: xxx
Authentication (1.prompt / 2.save / 3.disable) [default=1]: 2
Username: xxxxx
Client Certificate (.p12 file URL) [default=None]:
Do not Warn Invalid Server Certificate (y/n) [default=n]: y
/opt/forticlient/fortivpn connect my_vpn_name
當初我在伺服器上安裝 VPN 端點時就出現這個問題。
解決思路很簡單,without X11 就是說沒有 GUI 的套件呀!就安裝就好了!然後就把肥大的桌面系統安裝起來~把20GB 的雲端虛擬磁碟空間吃滿~ 然後再跟老闆說磁碟空間不夠趕快買!
最後就被炒魷魚了
檢視問題思路:
因為雲端虛擬機是最小安裝,不會有桌面視窗軟體。而 FrotiClient 是建立在 GUI 中開發的,所以 X11 套件是必要,但是磁碟空間又很小要怎辦? 使用老闆的鈔能力
通常我遇到的問題有百分之 99.9999 都是別人遇過的,問 Googole Cannot autolaunch D-Bus without X11 $DISPLAY forticlient 就會得到答案。解決方式是使用: openfortivpn 。
為了在最小安裝環境中解決 FortiClient 無法連,必須得安裝 openfortivpn
請養成不使用的軟體就移除或不安裝的習慣,先移除 forticlient 吧!
sudo apt remove forticlient
sudo apt autoremove
sudo apt install openfortivpn
sudo yum install openfortivpn
sudo openfortivpn xxx.xxx.xxx.xxx:xxx -u xxxx
第一次連線有可會遇到錯訊息
$ sudo openfortivpn xxx.xxx.xxx.xxx:xxx -u xxxx
WARN: Bad port in config file: "0".
VPN account password:
ERROR: Gateway certificate validation failed, and the certificate digest in not in the local whitelist. If you trust it, rerun with:
ERROR: --trusted-cert [連線憑證]
ERROR: or add this line to your config file:
ERROR: trusted-cert = [連線憑證]
ERROR: Gateway certificate:
ERROR: subject:
ERROR: C=US
ERROR: ST=California
ERROR: L=Sunnyvale
ERROR: O=Fortinet
ERROR: OU=FortiGate
ERROR: CN=xxxxxxxxxxxxx
ERROR: emailAddress=???@mail.com
ERROR: issuer:
ERROR: C=US
ERROR: ST=California
ERROR: L=Sunnyvale
ERROR: O=Fortinet
ERROR: OU=Certificate Authority
ERROR: CN=???
ERROR: emailAddress=???@mail.com
ERROR: sha256 digest:
ERROR: [連線憑證]
INFO: Closed connection to gateway.
ERROR: Gateway certificate validation failed, and the certificate digest in not in the local whitelist. If you trust it, rerun with:
ERROR: --trusted-cert [連線憑證]
ERROR: or add this line to your config file:
ERROR: trusted-cert = [連線憑證]
ERROR: Gateway certificate:
ERROR: subject:
ERROR: C=US
ERROR: ST=California
ERROR: L=Sunnyvale
ERROR: O=Fortinet
ERROR: OU=FortiGate
ERROR: CN=xxxxxxxxxxxxx
ERROR: emailAddress=???@mail.com
ERROR: issuer:
ERROR: C=US
ERROR: ST=California
ERROR: L=Sunnyvale
ERROR: O=Fortinet
ERROR: OU=Certificate Authority
ERROR: CN=???
ERROR: emailAddress=???@mail.com
ERROR: sha256 digest:
ERROR: [連線憑證]
INFO: Could not log out.
sudo openfortivpn xxx.xxx.xxx.xxx:xxx -u xxxx --trusted-cert [連線憑證]
$ sudo openfortivpn xxx.xxx.xxx.xxx:xxx -u xxxx --trusted-cert [連線憑證]
WARN: Bad port in config file: "0".
VPN account password:
INFO: Connected to gateway.
INFO: Authenticated.
INFO: Remote gateway has allocated a VPN.
INFO: Got addresses: [xyx.xyx.xyx.xyx], ns [0.0.0.0, 0.0.0.0]
INFO: negotiation complete
INFO: Got addresses: [xyx.xyx.xyx.xyx], ns [0.0.0.0, 0.0.0.0]
INFO: negotiation complete
INFO: negotiation complete
INFO: Interface ppp0 is UP.
INFO: Setting new routes...
WARN: Route to gateway exists already.
INFO: Adding VPN nameservers...
INFO: Tunnel is up and running.
看到 Tunnel is up and running. 代表已經連接成功了!接下來連線就是每次人工下啦!但是...剛剛我是說在雲端主機上耶!怎麽辦?
當然是寫成文件直接執行啦!
/etc/openfortivpn/config 這份文件是 openforticlient 的預設腳本,但是我的命運總是多喘的,我有早上連接A VPN 晚上連 B VPN 的需求,總不能我每天上午6點起床設定一次,下午下班前再設定一次是多累人的事,要是這樣我就摔碗說:請別人做。老子不幹了!
sudo openfortivpn -c /etc/openfortivpn/vpn1.conf
$ sudo openfortivpn -c /etc/openfortivpn/vpn1.conf
INFO: Connected to gateway.
INFO: Authenticated.
INFO: Remote gateway has allocated a VPN.
INFO: Got addresses: [xyx.xyx.xyx.xyx], ns [0.0.0.0, 0.0.0.0]
INFO: negotiation complete
INFO: negotiation complete
INFO: Interface ppp0 is UP.
INFO: Setting new routes...
WARN: Route to gateway exists already.
INFO: Adding VPN nameservers...
INFO: Tunnel is up and running.
INFO: Cancelling threads...
INFO: Setting ppp interface down.
INFO: Restoring routes...
INFO: Removing VPN nameservers...
INFO: pppd: The link was terminated by the modem hanging up.
INFO: Terminated pppd.
INFO: Closed connection to gateway.
INFO: Logged out.
/etc/systemd/system/openfortivpn-vpn1.service
[Unit]
Description=OpenFortiVPN for vpn1
After=network-online.target
Documentation=man:openfortivpn(1)
[Service]
Type=simple
PrivateTmp=true
ExecStartPre=/usr/bin/sleep 30 # 等待網路服務完成啟動
ExecStartPre=/usr/bin/ping -q -c3 -w60 8.8.4.4 # 檢查網路有通
ExecStart=/bin/openfortivpn -c /etc/openfortivpn/vpn1.conf # 執行VPN 服務
OOMScoreAdjust=-100
[Install]
WantedBy=multi-user.target
這邊設定我需要說明一下配置,因為網路服務並不會一開機就執行,所以必須等待網路服務完成啟動再執行。
sudo systemctl start openfortivpn-vpn1
$ ping xxx.xxx.xxx.xxx
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=63 time=79.1 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=63 time=49.9 ms
^C
--- xxx.xxx.xxx.xxx ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 49.931/64.537/79.144/14.608 ms
sudo systemctl enable openfortivpn-vpn1
在 forticlient Server 有設定閒置連線逾時強制離線,我記得預設是4 分鐘。所以必須設定 keepAlive。
我的處理方式是設定排程每分鐘ping VPN 裡面的一台主機解決。
/usr/local/bin/checkVPN.sh
#!/bin/bash
export check;
if ! /usr/bin/ping -c 1 -q xxx.xxx.xxx.xxx > /dev/null
then
check="Y";
else
check="N";
fi
# echo $check
if [ "$check" = "N" ]
then
systemctl restart openfortivpn-vpn1
fi
crontab -e
*/10 * * * * /usr/local/bin/checkVPN.sh;
Linux 使用 openfortivpn 連線至 Fortinet VPN 伺服器建立 PPP+SSL VPN 教學與範例
iThome鐵人賽
看影片追技術