OpenWrt on Fortinet using VPN?

Hello,
Has anyone managed to get OpenWRT running on Fortinet's FAP223B devices with vpn? If yes then how?

I can't find that device in the Table of Hardware.

This device doesn't appear to be supported.

1 Like

I have successfully done this recently. You will need a TTL level serial adapter to view the serial console on the FAP. You will also need a basic tftp server. There are many free and easy options for Windows, etc.

J11 on the exposed PCB underside of the case is the serial console:

Pin 1 with the arrow is VCC. DO NOT CONNECT TO VCC.
Pin 2 is GND.
Pin 3 is TXD (connect to RXD on the computer side of TTL adapter)
Pin 4 is RXD (connect to TXD on the computer side of TTL adapter)

FAP uses 96008N1 for the serial parameters.

Boot up the FAP. Break the boot when prompted by pressing a key.

Press 'K' for hidden menu option. The 'password' I was able to locate in 'cat' dump of /proc/mtd0 (uboot). I found it near a text search of the dump for 'password' string. The password on my unit was '1'. Just the number 1. It seems that now the bootloader is opened up with extras by doing this.

Prepare your tftp server with an initrd image. I used initrd image 'pcs_cap324-initramfs-kernel.bin'. OpenWRT has versions for 21.02.0+. Dig around the downloads in the ath79/generic ar71xx/generic folders for the various 'cap324' firmware files.

at 'fap>' prompt, now you can configure tftp boot. 'Help' will show you a bunch of extra stuff. I did not have to change much, as you will see below:

Execute (where x.x.x.x are appropriate ip's for your setup):

setenv ipaddr x.x.x.x
setenv serverip x.x.x.x
tftpboot 0x81000000 YOUR_INITRD_IMG_FILE_ON_YOUR_TFTP
bootm 0x81000000

Your initrd will download from your tftp, load to RAM, and execute from RAM.

OpenWRT uses 115200 for baud rate, so you will have to re-connect with new rate to see/use console before network comes up.

With OpenWRT loaded and running to RAM, transfer a 'sysupgrade' to your AP and execute:
sysupgrade -n YOUR_SYSUPGRADE

I transferred the file by wget http from a simple web server on my Windows computer.

Unit will reboot. However, uboot will freak out that rootfs does not exist. Uboot is still trying to load the old kernel yet. Re-enter the 'unlocked' uboot console by the 'boot break, K, password' method again
(remember, FAP uboot uses 96008N1).

Back at 'fap>'

execute:
imls

Make note of the flash address locations for the new and/or old kernels detected. On my unit, the new kernel was at 0x9f050000. Change the 'default' kernel flash load address:

setenv bootcmd 'bootm 0x9f050000'
saveenv

Power cycle the unit, or execute:

boot

My factory printenv looked like this before making any changes:

fap> printenv
mbu=setenv ipaddr 172.30.80.148;setenv serverip 172.30.80.62;tftpboot 81000000 ap/u-boot.bin;go 81000000;
bootargs=console=ttyS0,9600 root=31:01 rootfstype=jffs2 init=/sbin/init mtdparts=ath-nor0:256k(u-boot),9216k(rootfs),1728k(uImage),5120k(reserved),64k(caldata)
bootcmd=bootm 0x9f940000
bootdelay=4
baudrate=9600
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=192.168.1.1
serverip=192.168.1.10
dir=
lu=tftp 0x80060000 ${dir}u-boot.bin&&erase 0x9f000000 +$filesize;cp.b $fileaddr 0x9f000000 $filesize
lf=tftp 0x80060000 ${dir}db12x${bc}-jffs2&&erase 0x9f040000 +0x630000;cp.b $fileaddr 0x9f040000 $filesize
lk=tftp 0x80060000 ${dir}vmlinux${bc}.lzma.uImage&&erase 0x9f680000 +$filesize;cp.b $fileaddr 0x9f680000 $filesize
factory_boot=tftp 0x3000000 vmlinux.gz.uImage && bootm 0x3000000
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 841/65532 bytes
fap>
1 Like

The snapshot versions of initram and sysupgrade from today work the best for me so far. You will need to manually configure and install Luci.

The snapshot firmware from today assigns the same MAC address to both radio0 and radio1 on my unit.

This was doing some strange things on my wifi scans for the access point. I changed radio1 MAC, and things are looking better.