OpenFortivpn setup

I am attempting to connect my OpenWrt router to my home FortiGate using openfortivpn. I have set up the interface and can see the connection on my FortiGate, but I cannot pass any traffic. I am sure I am missing something simple, but I am not sure how I can debug what is missing. Anyone have any luck setting up this type of connection?

Please post your /etc/config/network and /etc/config/firewall, and please remember to redact anything private such as MACs, users, passwords and public IPs.

does adding:

config forwarding
	option src 'lan'
	option dest 'fortivpn'

make any difference?

No... same. Do I need to edit the routing table to route the internal addresses?

alright - let's try something simple first:

  • does the ppp0/1..X VPN interface have a private VPN IP?
  • do you have a route for at least a private subnet to pppX?

my fortivpn is managed by my employer's IT dept, so this is how it looks (full tunneling):

11: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1354 qdisc fq_codel state UNKNOWN qlen 3
    inet peer scope global ppp0
       valid_lft forever preferred_lft forever
root@OpenWrt:~# ip r
default dev ppp0 scope link dev eth1 scope link  src
<public-ip-here> via dev eth1 dev ppp0 scope link  src dev br-lan scope link  src

@maurer, his VPN zone is vpn, not fortivpn.

@cookemmm, your firewall config is wrong.
The VPN network must be assigned only to one zone.
Also enable masquerading and MTU fix on the VPN zone.

uci del_list firewall.@zone[2].network="fortivpn"
uci set firewall.@zone[1].masq="1"
uci set firewall.@zone[1].mtu_fix="1"
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci commit firewall
/etc/init.d/firewall restart

Awesome... that worked for the full tunnel. But if I want to split-tunnel only my internal networks (192.168.x.x) and not send all other traffic through the tunnel, do I need to add routes or something else? On the FortiClient on my phone it seems to work without adding anything special, but it failed on the openfortivpn router.

Ideally you should do this via the Fortinet appliance (set up split routing per client).
Otherwise you need to put set-routes=0 in your openfortivpn config and configure static routes.


There are multiple different methods to implement split tunneling.
The most simple way is to disable gateway redirection and add static routes if necessary.

uci set network.fortivpn.defaultroute="0"
uci commit network
/etc/init.d/network restart

Make sure your LAN doesn't overlap with VPN, otherwise change the LAN subnet/netmask.
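Before committing a split tunnel along the lines of the two replies above (default route off, static routes for the internal subnets), it is worth checking that none of those subnets overlaps the LAN, since an overlapping route is the usual reason traffic "works on the phone but not on the router". The script below is an added example written for this thread, not code from the thread or from OpenWrt. It is pure POSIX sh; the subnets are constructed, the interface name 'fortivpn' and the defaultroute option come from the thread, and the uci route commands it prints are a dry run whose CIDR 'target' form is an assumption about the reader's OpenWrt release.

```shell
#!/bin/sh
# Added example: check planned split-tunnel subnets against the LAN and
# print (not run) the uci commands that would add the static routes.

# Dotted-quad IPv4 address -> integer. Subshell body keeps the IFS change local.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Netmask for a prefix length (0..32) as an integer.
plen_to_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Exit 0 when two CIDR blocks share at least one address.
# Blocks overlap iff one contains the other, so compare under the shorter prefix.
cidr_overlap() {
    a_ip=$(ip_to_int "${1%/*}"); a_len=${1#*/}
    b_ip=$(ip_to_int "${2%/*}"); b_len=${2#*/}
    if [ "$a_len" -le "$b_len" ]; then
        mask=$(plen_to_mask "$a_len")
    else
        mask=$(plen_to_mask "$b_len")
    fi
    [ $(( a_ip & mask )) -eq $(( b_ip & mask )) ]
}

# $1 = LAN subnet, remaining args = subnets to route into the tunnel.
# Prints each conflict; exit status is the number of conflicts (0 = clean).
check_split_tunnel() {
    lan=$1; shift
    conflicts=0
    for net in "$@"; do
        if cidr_overlap "$lan" "$net"; then
            echo "CONFLICT: $net overlaps LAN $lan"
            conflicts=$((conflicts + 1))
        fi
    done
    return "$conflicts"
}

# Dry run: the uci commands for "no default route via the VPN, static routes
# for the listed subnets" on interface $1. Assumption: 'target' accepts CIDR.
route_commands() {
    iface=$1; shift
    echo "uci set network.$iface.defaultroute='0'"
    for net in "$@"; do
        echo "uci add network route"
        echo "uci set network.@route[-1].interface='$iface'"
        echo "uci set network.@route[-1].target='$net'"
    done
    echo "uci commit network"
}

# Constructed demo: LAN 192.168.1.0/24, two internal subnets behind the FortiGate.
LAN='192.168.1.0/24'
if check_split_tunnel "$LAN" 192.168.10.0/24 10.20.0.0/16; then
    route_commands fortivpn 192.168.10.0/24 10.20.0.0/16
else
    echo "change the LAN subnet/netmask before adding routes"
fi
```

If the LAN itself is 192.168.0.0/16 or the remote side hands out a subnet that contains the LAN, check_split_tunnel reports it and no route commands are printed; that is the "LAN doesn't overlap with VPN" condition from the reply above made explicit.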

That command did not work... I tried turning off the default route in the GUI, but I am not sure that does the same thing.

uci: Invalid argument

Probably something has changed in your network config.

Yes, it should be the same.

I'm successfully using the method described in the wiki for openwrt
