-
Axel Spoerl authored7409eed2
- QFortiClient
- Brief
- Overview
- openfortivpn-saml fork
- Known issues
- Building and installing
- QFortiScheduler
- Enabling the scheduler
- Start the QFortiClient
- The main UI
- Default VPN
- Logs
- Scheduler Log
- VPN Log
- Customizing the QFortiClient
- The "SAML Settings tab"
- Use embedded browser
- Use custom executable
- Use default browser
- The Application Behavior tab
- Raise after SAML
- Save VPNs after edit
- Save settings after edit
- Show messages in system tray
- Autoconnect default VPN
- Autoconnect conditions
- Condition logic
- Condtion types
- IpV6Address / IpV4Address
- Subnet
- Network device
- The Scheduler tab
- Managing VPNs
- Name
- Host
- Port
- Use SAML login
- Standard route to VPN
- Use VPNs DNS
- PPP: Accept remote IP
- PPP: Accept remote DNS
- Make VPN persistent
- Username / password
- Import / Export
- TODO
QFortiClient
Brief
QFortiCLient (qforticlient / qfortischeduler) is a comprehensive frontend for openfortivpn. It is based on Rainer Keller's openfortivpn-saml fork, enabling Microsoft (c) Single Sign On.
Overview
QFortiClient has been developed by Axel Spoerl with Qt 6.8.1 on Linux / gcc / x86-64. Other than existing frontends, it implements a client/server architecture:
- QFortiScheduler operates as a system service with root-privileges in order to manipulate network and DNS settings.
- QFortiClient runs in user-space and communicates with the scheduler over websockets on the TCP/IP stack.
The TCP/IP approach has been chosen to facilitate scenarios where the scheduler runs on a router device, serving as a FortiVPN (c) endpoint. It also has been chosen to strictly seperate frontend activities from manipulations requiring root privileges.
openfortivpn-saml fork
Rainer Keller's openfortivpn-saml fork had to be forked again at https://github.com/ASpoerl/openfortivpn-saml This fork has been integrated into QFortiClient as a submodule. The fork was necessary to tweak openfortivpn from a command-line tool into a system service. The commandline version disconnects from a VPN only on SIGINT or SIGHUP, which eventually causes openfortivpn to exit. Being a system service, QFortiScheduler needs to gracefully disconnect and resume into listening mode, while its SIGINT and SIGHUP handlers shut down the system service entirely.
Known issues
- JSON import of VPN configurations isn't implemented.
- Using the system's default browser to launch SAML urls may fail due to QTBUG-132448. Use xdg-open as a custom executable in that case.
Building and installing
Clone the repository and make sure Qt 6.8.1 is installed in /opt/Qt. Run /path/to/qforticlient/configure.sh in a clean build directory. Change to the build directory, run 'ninja' and 'sudo ninja install'
QFortiScheduler
QFortiScheduler (/usr/bin/qfortischeduler) is implemented as a system service. It requires root privileges, because connecting a VPN chnages network routes and DNS servers. The scheduler solely listens to and executes on client requests. It doesn't store VPN configurations, usernames or passwords. QFortiScheduler can run independently from QFortiClient. While the typical use case is single-host, QFortiScheduler can be remote-controlled while running on a network router.
QFortiScheduler is designed to listen to multiple clients. Client concurrency is handled as follows:
- When a client requests to connect to a VPN, an existing active connection is dropped.
- Messages related to connections to and disconnections from VPNs are broadcast to all active clients. Only VPN names are shared in that case. The scheduler will not broadcast any credentials or connection attributes to other clients.
- Any client can disconnect from any VPN, regardless which client has initiated the connection.
QFortiScheduler will disconnect from any active VPN, when the last client goes off-line.
Enabling the scheduler
sudo systemctl enable qfortischeduler sudo ststemctl start qfortischeduler.service
Start the QFortiClient
execute /usr/bin/qforticlient A yellow system tray icon with a VPN symbol will appear. Right-clicking the icon offers the posibility to start the built-in configuration for TQTC. Selecting the "Edit VPNs" context menu or left-clicking launches the main UI.
The main UI
The large button in the middle of the UI connects to the VPN currently selected in the VPN combobox. Edit/New/Delete/Copy buttons can be used to manage multiple VPN configurations.
Default VPN
If you want a default VPN to be selected at each startup, select it in the VPN combobox and activate the 'default' option. If only one VPN configurations exists, it automatically becomes the default. The default option can't be unchecked. Select another default VPN, if you want to change it.
Logs
Two seperate log sections inform about each step of QFortiClient. Both logs can be modified in size, undocked and re-docked or closed entirely.
Scheduler Log
This section logs interactions between QFortiClient and the scheduler, which runs as a system service.
VPN Log
This section logs VPN connection activities.
Customizing the QFortiClient
It makes sense to review and change the default configuration, before connecting to a VPN. Click the "Settings" button on the top left of the main UI. ALl settings are explained by tool tip popups.
The "SAML Settings tab"
QFortiClient offers three options to handle Microsoft Single Sign On.
Use embedded browser
Select this option, if you don't want to rely on the PC's standard browsers. QFortiClient will bring up its own embedded browser to launch the Microsoft SAML page. If the VPN settings contain credentials, they will be injected.
Use custom executable
Select this option, if you want to specify your own executble to open the SAML url, e.g. xdg-open or kde-open. If you want to pass credentials as command line arguments to the executable, specify the commands indicating a username and/or password in 'User argument' and 'Password argument' fields. Any other arguments can be specified in the 'Other arguments' field. Use one argument per line.
Use default browser
Select this option, if you want to open the SAML link in your system's default browser (e.g. Firefox). QDesktopServices::openUrl() will be used to launch the SAML url.
Note: If the web browser holds a valid SAML cookie (e.g. because Microsoft Outlook is already running), no further authentication is needed for the VPN.
The Application Behavior tab
This tab controls QFortiClient's behavior.
Raise after SAML
An external browser, launched to process a SAML login, will usually stay on top and cover QFortiClient's UI. Activating this option causes QFortiClient to raise itself to the foreground when a SAML request has been processed.
Save VPNs after edit
VPN configurations are saved when the QFortiClient is shut down. Activating this option causes VPN configurations to be saved immediately after a VPN has been edited.
Save settings after edit
Settings are saved when the QFortiClient is shut down. Activating this option causes Settings to be saved immediately after a VPN has been edited.
Show messages in system tray
Activate this option, if you want QFortiClient to send system tray messages for all log events.
Autoconnect default VPN
Activate this option, if you want QFortiClient to automatically connect to the default VPN upon startup. Autoconnect is handled on the client side. The system service will not automatically connect upon startup.
Autoconnect conditions
If the Autoconnect option is activated, you may specify conditions for automatic VPN connections. You may want to automatically connect to a VPN, except when using your laptop in the office.
Condition logic
A condition can be optional (Or) or mandatory (And). One or more optional conditions being met cause an automatic connection. If you choose mandatory connections, all of them have to be met to cause an automatic connection. Each condition type has a positive / negative trigger.
Condtion types
IpV6Address / IpV4Address
Specify an IP address, which has to be found on one of the system's network devices. Specify whether the the autostart condition is satisfied, if the IP address is found on a device - or not.
Subnet
Specify a subnet, which the PC has to be part of with one of its network devices. Specify whether the the autostart condition is satisfied, if PC is inside or outside the subnet.
Network device
Specify a network device. Specify whether the the autostart condition is satisfied, if device is up or down.
The Scheduler tab
The scheduler should run as a system service and will be started in the multiuser runlevel. However, if you prefer an manual setup, the QFortiClient can try to autostart the scheduler. Activate the 'Autostart scheduler' option for that purpose. It will prompt for the root password, unless the current user is either root or a sudoer. By default, the scheduler listens on localhost:6042. This can be changed by modifying the service file in /etc/systemd/system/qfortischeduler.service. Run qfortischeduler --help for all available command line options.
Managing VPNs
Hitting the main UIs 'Edit' or 'New' button adds or edits existing VPN configuration. Only user-configurations can be edited. The built-in Qt option can only be copied as a template.
Name
Specify a meaningful name for each VPN to distinguish which one is which.
Host
'remote.qt.io' for TQTC.
Port
Usually 443 (https).
Use SAML login
Launch a corporate SAML page (https://remote.qt.io).
Standard route to VPN
If the option is activated and a VPN connection is up, route all network traffic through the VPN. Otherwise only traffic to sites behind the VPN will be routed through the VPN.
Use VPNs DNS
Activate this option to add VPN specific nameservers, while the connection is up.
PPP: Accept remote IP
Activate this option to locally use an IP address provided by the PPP peer.
PPP: Accept remote DNS
Activate this option to also add nameservers on a PPP level. This is a legacy option, not typically used by moder PPP servers.
Make VPN persistent
Automatically reconnect if the connection drops e.g. by remote shutdown, network glitches or timeout. No reconnect attempt will be made, if the connection is manually disconnected.
Username / password
Usernames will be saved explicitly in the VPN connection. Passwords will not be saved. KWallet is used to store passwords. Activate the '(prompt)' option next to username / password, if you want to be prompted on each VPN connection. In that case, the specified credentials will be used as default values. https://github.com/ASpoerl/openfortivpn-saml Note: A password with wild card dots will be displayed only if it's changed.
Import / Export
Only the export functionality is implemented. You may export VPN settings in a JSON format.
TODO
- implement missing JSON import functionality
- document how to ship QFortiClient with built-in network configurations
- implement system wide configurations (e.g. in /etc/qforticlient/vpns.json)
- implement autotests
- implement other platforms (Windows, macOS including proprietary password management)
- change VpnWorker class to a plugin architecture, so the client can handle multiple VPN protocols (FortiVPN, IPSec, ssh tunnel, ...)