Simple script intended to automate Fortinet SSL VPN Client connection on Linux using expect scripting.
#!/bin/bash
# Forticlient SSL VPN Client launching script utilizing expect.
# --------------------------------------------
# CONFIGURATION
# If empty - script will take some simple logic to locate appropriate binary.
FORTICLIENT_PATH=""
# VPN Credentials
VPN_HOST="host:10443"
VPN_USER="username"
VPN_PASS="password"
# --------------------------------------------

# Path of the generated expect script; it holds the VPN password in clear text.
EXPECT_SCRIPT=""

# Remove the generated expect script on any exit, including Ctrl-C.
function cleanup() {
    if [ -n "$EXPECT_SCRIPT" ]; then
        echo "Removing left-over files..."
        rm -f "$EXPECT_SCRIPT"
    fi
}
trap cleanup EXIT
trap 'exit 130' INT

if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi

if [ -z "$FORTICLIENT_PATH" ]; then
    # Pick the 64-bit or 32-bit client from the machine architecture
    # (uname -m), since the kernel release (uname -r) may not contain "64".
    if uname -m | grep -q 64; then
        FORTICLIENT_PATH=$(locate forticlientsslvpn_cli | grep 64bit | head -n 1)
    else
        FORTICLIENT_PATH=$(locate forticlientsslvpn_cli | grep 32bit | head -n 1)
    fi
    # Quoted so that an empty result fails the test instead of passing it.
    if [ ! -f "$FORTICLIENT_PATH" ]; then
        echo "Tried to locate Forticlient SSL VPN Cli binary, but failed."
        echo "Specify it at variable FORTICLIENT_PATH"
        exit 1
    fi
    echo "Located Forticlient VPN Client at: $FORTICLIENT_PATH"
fi

echo "Killing previous instances of Forticlient SSL VPN client..."
killall -9 "$(basename "$FORTICLIENT_PATH")" 2> /dev/null

# Create the expect script under a random name, readable only by its owner,
# instead of the predictable /tmp/expect created with the default umask.
umask 077
EXPECT_SCRIPT=$(mktemp /tmp/expect.XXXXXX) || exit 1
cat << EOF > "$EXPECT_SCRIPT"
#!/usr/bin/expect -f
match_max 1000000
set timeout -1
spawn $FORTICLIENT_PATH --server $VPN_HOST --vpnuser $VPN_USER --keepalive
expect "Password for VPN:"
send -- "$VPN_PASS"
send -- "\r"
expect "Would you like to connect to this server? (Y/N)"
send -- "Y"
send -- "\r"
expect "Clean up..."
close
EOF
chmod 500 "$EXPECT_SCRIPT"
/usr/bin/expect -f "$EXPECT_SCRIPT"
rm -f "$EXPECT_SCRIPT"

azizasm commented Jul 22, 2017

A very good script to access fortiClient using bash script.
For Ubuntu 64 bit based Linux need to change to uname -a | grep -q 64 because uname -r doesn't work.

hugoeustaquio commented Dec 28, 2017

Thanks, it works perfectly!

ronamosa commented Apr 3, 2018

Thanks for this. Came in real handy for work!

alfem commented Apr 1, 2019

I use something like this, but I do not need to run it with root permissions.

naxvm commented May 27, 2019

Really useful, thanks!!!!

PS: in my case, the "sudo" launching is not required. I commented out those lines in the script and it works flawlessly.

ccarrascoqt commented Feb 3, 2020

give command line ok

but bash

Always give this error

The certificate for the SSLVPN server is invalid.
You are connecting to an untrusted server. which could put your confidential information at risk.
Would you like to connect to this server? (Y/N)
Y
NOTICE::Insufficient credential(s). Please check the password, client certificate, etc.
STATUS::Set up tunnel failed
SSLVPN down unexpectedly with error:2
Press Ctrl-C to quit
Clean up...

any solution?
Thanks

giriannamalai commented Apr 4, 2020

Great

tyrams commented May 5, 2020

give command line ok

but bash

Always give this error

The certificate for the SSLVPN server is invalid.
You are connecting to an untrusted server. which could put your confidential information at risk.
Would you like to connect to this server? (Y/N)
Y
NOTICE::Insufficient credential(s). Please check the password, client certificate, etc.
STATUS::Set up tunnel failed
SSLVPN down unexpectedly with error:2
Press Ctrl-C to quit
Clean up...

any solution?
Thanks

Hi, I got the same issue. Did you ever get the solution?

alexattia commented Jul 17, 2020

give command line ok
but bash
Always give this error
The certificate for the SSLVPN server is invalid.
You are connecting to an untrusted server. which could put your confidential information at risk.
Would you like to connect to this server? (Y/N)
Y
NOTICE::Insufficient credential(s). Please check the password, client certificate, etc.
STATUS::Set up tunnel failed
SSLVPN down unexpectedly with error:2
Press Ctrl-C to quit
Clean up...
any solution?
Thanks

Hi, I got the same issue. Did you ever get the solution?

@tlouyeken22 @ccarrascoqt I am facing the same error. Do you have any solution? 🙏

sprnza commented Sep 14, 2020

Hi!
Is there a way to auto-accept the license that is required at the first run?

ghost commented Oct 21, 2020

forticlientsslvpn-expect.sh: 20: forticlientsslvpn-expect.sh: Syntax error: "(" unexpected

I'm getting the above error. Can someone pls help?

magixus commented Apr 23, 2021

forticlientsslvpn-expect.sh: 20: forticlientsslvpn-expect.sh: Syntax error: "(" unexpected

I'm getting the above error. Can someone pls help?

run as sudo solve your issue

juanmanuelrq commented May 31, 2021

./forticlientsslvpn-expect.sh
Killing previous instances of Forticlient SSL VPN client...
./forticlientsslvpn-expect.sh: line 59: /usr/bin/expect: No such file or directory
root@a219ebdcdda3:/opt/forticlient-sslvpn/64bit#

AbhilashSvapps commented Jul 6, 2021

forticlientsslvpn-expect.sh: 20: forticlientsslvpn-expect.sh: Syntax error: "(" unexpected
I'm getting the above error. Can someone pls help?

run as sudo solve your issue

Same issue but couldn't solve the above solution.

roupasz commented Sep 15, 2021

Hi,

Thanks for the great script. I have tried to add also token handling

expect "A FortiToken code is required for SSL-VPN login authentication."
send_user "Enter the token: "
gets stdin token
send -- "$token\r"

but i keep getting an error about authentication

NOTICE::Insufficient credential(s). Please check the password, client certificate, etc.
STATUS::Set up tunnel failed
SSLVPN down unexpectedly with error:2
STATUS::Setting up the tunnel
Press Ctrl-C to quit
Clean up...

so i'm not sure if the problem is in my password where it includes a @ character (escaping with \@) or in the token part or in the token code part.
If i try to login via

forticlientsslvpn_cli --server host:443 --vpnuser vnn_user --keepalive

it asks for the password, certificate and token and everything is working as expected

Do you have any idea maybe?

Thanks

roupasz commented Sep 15, 2021

Hi,

Thanks for the great script. I have tried to add also token handling

expect "A FortiToken code is required for SSL-VPN login authentication."
send_user "Enter the token: "
gets stdin token
send -- "$token\r"

but i keep getting an error about authentication

NOTICE::Insufficient credential(s). Please check the password, client certificate, etc.
STATUS::Set up tunnel failed
SSLVPN down unexpectedly with error:2
STATUS::Setting up the tunnel
Press Ctrl-C to quit
Clean up...

so i'm not sure if the problem is in my password where it includes a @ character (escaping with \@) or in the token part or in the token code part.
If i try to login via

forticlientsslvpn_cli --server host:443 --vpnuser vnn_user --keepalive

it asks for the password, certificate and token and everything is working as expected

Do you have any idea maybe?

Thanks

Ok fixed it by changing

  1. adding a token parameter
     token=$1
  2. changing the token code part as below
     expect "A FortiToken code is required for SSL-VPN login authentication."
     send_user "Enter the token: "
     send -- "$token\r"
     send -- "\r"

and running it with ./forticlientsslvpn-expect.sh [token]

Probably something is interfering between the read token part and the actual token passed to the authentication but I will further troubleshoot this when i have more time but for now maybe this is helpful to someone
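
An added example (not part of the gist or of any comment here), relating to the gist's heredoc and to the token handling discussed in this comment: because the heredoc delimiter `EOF` is unquoted, bash expands `$VPN_PASS` and `$token` while writing the file, so the password is stored on disk and a Tcl variable set later by `gets stdin token` is never the value sent. The function names and the use of environment variables read through `$env(...)` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the gist author's code. The function names and the
# VPN_* / FORTICLIENT_PATH environment variables are assumptions.

# Unquoted heredoc, as in the gist: the shell substitutes $token while the
# file is being written. If the shell variable is unset, the file ends up
# with an empty string, whatever "gets stdin token" reads later.
write_expect_script_unquoted() {
    cat << EOF > "$1"
gets stdin token
send -- "$token\r"
EOF
}

# Quoted delimiter: the shell expands nothing. Expect resolves $env(...) and
# $token itself at run time, so the file holds no credentials, and characters
# such as $ [ " inside the password are never parsed as shell or Tcl syntax.
write_expect_script() {
    cat << 'EOF' > "$1"
set timeout -1
spawn $env(FORTICLIENT_PATH) --server $env(VPN_HOST) --vpnuser $env(VPN_USER) --keepalive
expect "Password for VPN:"
send -- "$env(VPN_PASS)\r"
# Answers the certificate prompt the same way the gist does.
expect "Would you like to connect to this server? (Y/N)"
send -- "Y\r"
expect "A FortiToken code is required for SSL-VPN login authentication."
send_user "Enter the token: "
gets stdin token
send -- "$token\r"
expect "Clean up..."
close
EOF
}

# Usage (needs expect and the FortiClient CLI, so it is not run here):
#   umask 077; f=$(mktemp) && write_expect_script "$f"
#   export FORTICLIENT_PATH VPN_HOST VPN_USER VPN_PASS   # set beforehand
#   expect -f "$f"; rm -f "$f"
```
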

gabsmprocha commented Dec 1, 2021

@roupasz in which part of the code did you add the token script?

roupasz commented Dec 3, 2021

Hi @gabsmprocha ,

To make it more visible, in the VPN Credentials block i added

# VPN Credentials
VPN_HOST="host:10443"
VPN_USER="username"
VPN_PASS="password"
token=$1 #new addition, 1st script parameter as variable

and I have added one more block in the expect part, check expect "A FortiToken code is required for SSL-VPN login authentication." below

cat << EOF > /tmp/expect
#!/usr/bin/expect -f
match_max 1000000
set timeout -1
spawn $FORTICLIENT_PATH --server $VPN_HOST --vpnuser $VPN_USER --keepalive
expect "Password for VPN:"
send -- "$VPN_PASS"
send -- "\r"
expect "Would you like to connect to this server? (Y/N)"
send -- "Y"
send -- "\r"
# new block
expect "A FortiToken code is required for SSL-VPN login authentication."
send_user "Enter the token:"
#gets stdin token
send -- "$token\r"
send -- "\r"
# end of new block
expect "Clean up..."
close
EOF

so i can then run it like ./forticlientsslvpn-expect.sh <123456>

Maybe it's now clearer ? If not please let me know

dinarpay commented Dec 3, 2021

invalid command name "--vpnuser"
while executing
"--vpnuser kks"
(file "/tmp/expect" line 5)

gabsmprocha commented Dec 6, 2021

@roupasz tks a lot! 😄

roupasz commented Dec 10, 2021

np problem @gabsmprocha :)

GiseliSiqueira commented Jan 26, 2022

I'm trying to run the script and I'm getting the following error:

./forticlientsslvpn-expect.sh
Killing previous instances of Forticlient SSL VPN client...
./forticlientsslvpn-expect.sh: line 59: /usr/bin/expect: No such file or directory

Has anyone gone through the same and can help me with this?

Edit: it is necessary to install the Expect tool before running the script.

zroupas commented Jan 26, 2022

hi @GiseliSiqueira ,

The error shows that expect binary is not installed or at least found in the expected path in your system. You can quickly confirm it by running which expect, if this provides a path you can update the script with the correct one.

If not, then you need to install it and this depends on your distribution.
ex for Ubuntu 18.04

sudo apt update
sudo apt install expect

ex. for Fedora 34
dnf -y install expect

Hope this helps

UPDATE: I just saw your edit, so you've figured out on your own ;)

Matarwy commented Dec 3, 2022

Is there a Python copy of this script?
