Skip to content

Instantly share code, notes, and snippets.

@mgeeky
Last active March 4, 2024 14:39
  • Star 45 You must be signed in to star a gist
  • Fork 19 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save mgeeky/8afc0e32b8b97fd6f96fce6098615a93 to your computer and use it in GitHub Desktop.
Simple script intended to automate Fortinet SSL VPN Client connection on Linux using expect scripting.
#!/bin/bash
# Forticlient SSL VPN Client launching script utilizing expect.
# --------------------------------------------
# CONFIGURATION
# If empty - script will take some simple logic to locate appropriate binary.
FORTICLIENT_PATH=""
# VPN Credentials
VPN_HOST="host:10443"
VPN_USER="username"
VPN_PASS="password"
# --------------------------------------------
trap ctrl_c INT
function ctrl_c() {
echo "Removing left-over files..."
rm -f /tmp/expect
}
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root"
exit 1
fi
if [ -z "$FORTICLIENT_PATH" ]; then
FORTICLIENT_PATH=`uname -r | grep -q 64 && echo $(locate forticlientsslvpn_cli | grep 64bit) || echo $(locate forticlientsslvpn_cli | grep 32bit)`
if [ ! -f $FORTICLIENT_PATH ]; then
echo "Tried to locate Forticlient SSL VPN Cli binary, but failed."
echo "Specify it at variable FORTCLIENT_PATH"
exit 1
fi
echo "Located Forticlient VPN Client at: $FORTICLIENT_PATH"
fi
echo "Killing previous instances of Forticlient SSL VPN client..."
killall -9 $(basename $FORTICLIENT_PATH) 2> /dev/null
cat << EOF > /tmp/expect
#!/usr/bin/expect -f
match_max 1000000
set timeout -1
spawn $FORTICLIENT_PATH --server $VPN_HOST --vpnuser $VPN_USER --keepalive
expect "Password for VPN:"
send -- "$VPN_PASS"
send -- "\r"
expect "Would you like to connect to this server? (Y/N)"
send -- "Y"
send -- "\r"
expect "Clean up..."
close
EOF
chmod 500 /tmp/expect
/usr/bin/expect -f /tmp/expect
rm -f /tmp/expect
@alfem
Copy link

alfem commented Apr 1, 2019

I use something like this, but I do not need to run it with root permissions.

@naxvm
Copy link

naxvm commented May 27, 2019

Really useful, thanks!!!!

PD: in my case, the "sudo" launching is not required, I commented that lines on the script and works flawlessly.

@ccarrascoqt
Copy link

give command line ok

but bash

Always give this terror

he certificate for the SSLVPN server is invalid.
You are connecting to an untrusted server. which could put your confidential information at risk.
Would you like to connect to this server? (Y/N)
Y
NOTICE::Insufficient credential(s). Please check the password, client certificate, etc.
STATUS::Set up tunnel failed
SSLVPN down unexpectedly with error:2
Press Ctrl-C to quit
Clean up...

any solution?
Thanks

@giriannamalai
Copy link

Great

@tyrams
Copy link

tyrams commented May 5, 2020

give command line ok

but bash

Always give this terror

he certificate for the SSLVPN server is invalid.
You are connecting to an untrusted server. which could put your confidential information at risk.
Would you like to connect to this server? (Y/N)
Y
NOTICE::Insufficient credential(s). Please check the password, client certificate, etc.
STATUS::Set up tunnel failed
SSLVPN down unexpectedly with error:2
Press Ctrl-C to quit
Clean up...

any solution?
Thanks

Hi I got the same issue did you ever get the solution?

@alexattia
Copy link

give command line ok
but bash
Always give this terror
he certificate for the SSLVPN server is invalid.
You are connecting to an untrusted server. which could put your confidential information at risk.
Would you like to connect to this server? (Y/N)
Y
NOTICE::Insufficient credential(s). Please check the password, client certificate, etc.
STATUS::Set up tunnel failed
SSLVPN down unexpectedly with error:2
Press Ctrl-C to quit
Clean up...
any solution?
Thanks

Hi I got the same issue did you ever get the solution?

@tlouyeken22 @ccarrascoqt I am facing the same error. Do you have any solution? 🙏

@sprnza
Copy link

sprnza commented Sep 14, 2020

Hi!
Is there a way to auto accept License, that is being required to at the first run?

Copy link

ghost commented Oct 21, 2020

forticlientsslvpn-expect.sh: 20: forticlientsslvpn-expect.sh: Syntax error: "(" unexpected

Im getting abvove error. can someone pls help ?

@magixus
Copy link

magixus commented Apr 23, 2021

forticlientsslvpn-expect.sh: 20: forticlientsslvpn-expect.sh: Syntax error: "(" unexpected

Im getting abvove error. can someone pls help ?

run as sudo solve your issue

@juanmanuelrq
Copy link

./forticlientsslvpn-expect.sh
Killing previous instances of Forticlient SSL VPN client...
./forticlientsslvpn-expect.sh: line 59: /usr/bin/expect: No such file or directory
root@a219ebdcdda3:/opt/forticlient-sslvpn/64bit#

@AbhilashSvapps
Copy link

forticlientsslvpn-expect.sh: 20: forticlientsslvpn-expect.sh: Syntax error: "(" unexpected
Im getting abvove error. can someone pls help ?

run as sudo solve your issue

Same issue but couldn't solve the above solution.

@roupasz
Copy link

roupasz commented Sep 15, 2021

Hi,

Thanks for the great script. I have tried to add also token handling

expect "A FortiToken code is required for SSL-VPN login authentication."
send_user "Enter the token: "
gets stdin token
send -- "$token\r"

but i keep getting an error about authentication

NOTICE::Insufficient credential(s). Please check the password, client certificate, etc.
STATUS::Set up tunnel failed
SSLVPN down unexpectedly with error:2
STATUS::Setting up the tunnel
Press Ctrl-C to quit
Clean up...

so i'm not sure if the problem is in my password where it includes a @ character (escaping with \@) or in the token part or in the token code part.
If i try to login via

forticlientsslvpn_cli --server host:443 --vpnuser vnn_user --keepalive

it asks for the password, certificate and token and everything is working as expected

Do you have any idea maybe?

Thanks

@roupasz
Copy link

roupasz commented Sep 15, 2021

Hi,

Thanks for the great script. I have tried to add also token handling

expect "A FortiToken code is required for SSL-VPN login authentication."
send_user "Enter the token: "
gets stdin token
send -- "$token\r"

but i keep getting an error about authentication

NOTICE::Insufficient credential(s). Please check the password, client certificate, etc.
STATUS::Set up tunnel failed
SSLVPN down unexpectedly with error:2
STATUS::Setting up the tunnel
Press Ctrl-C to quit
Clean up...

so i'm not sure if the problem is in my password where it includes a @ character (escaping with \@) or in the token part or in the token code part.
If i try to login via

forticlientsslvpn_cli --server host:443 --vpnuser vnn_user --keepalive

it asks for the password, certificate and token and everything is working as expected

Do you have any idea maybe?

Thanks

Ok fixed it by changing

  1. adding a token parameter
    token=$1
    2)changing the token code part as below
expect "A FortiToken code is required for SSL-VPN login authentication."
send_user "Enter the token: "
send -- "$token\r"
send -- "\r"

and running it with ./forticlientsslvpn-expect.sh [token]

Probably something is interfering between the read token part and the actual token passed to the authentication but I will further troubleshoot this when i have more time but for now maybe this is helpful to someone

@gabsmprocha
Copy link

@roupasz in which part of the code did you add the token script?

@roupasz
Copy link

roupasz commented Dec 3, 2021

Hi @gabsmprocha ,

To make it more visible, in the VPN Credentials block i added

# VPN Credentials
VPN_HOST="host:10443"
VPN_USER="username"
VPN_PASS="password"
token=$1 #new addition, 1st script parameter as variable

and i have added on more block in the expect part , check expect "A FortiToken code is required for SSL-VPN login authentication." below

cat << EOF > /tmp/expect
#!/usr/bin/expect -f
match_max 1000000
set timeout -1
spawn $FORTICLIENT_PATH --server $VPN_HOST --vpnuser $VPN_USER --keepalive
expect "Password for VPN:"
send -- "$VPN_PASS"
send -- "\r"
expect "Would you like to connect to this server? (Y/N)"
send -- "Y"
send -- "\r"
expect "A FortiToken code is required for SSL-VPN login authentication." #new block
send_user "Enter the token:"
#gets stdin token
send -- "$token\r"
send -- "\r" #end of new block
expect "Clean up..."
close
EOF

so i can then run it like ./forticlientsslvpn-expect.sh <123456>

Maybe it's now clearer ? If not please let me know

@dinarpay
Copy link

dinarpay commented Dec 3, 2021

invalid command name "--vpnuser"
while executing
"--vpnuser kks"
(file "/tmp/expect" line 5)

@gabsmprocha
Copy link

@roupasz tks a lot! 😄

@roupasz
Copy link

roupasz commented Dec 10, 2021

np problem @gabsmprocha :)

@GiseliSiqueira
Copy link

GiseliSiqueira commented Jan 26, 2022

I'm trying to run the script and I'm getting the following error:

./forticlientsslvpn-expect.sh
Killing previous instances of Forticlient SSL VPN client...
./forticlientsslvpn-expect.sh: line 59: /usr/bin/expect: No such file or directory

Has anyone gone through the same and can help me with this?

Edit**: it is necessary to install the Expect tool before running the Script.

@zroupas
Copy link

zroupas commented Jan 26, 2022

hi @GiseliSiqueira ,

The error shows that expect binary is not installed or at least found in the expected path in your system. You can quickly confirm it by running which expect, if this provides a path you can update the script with the correct one.

If not, then you need to install it and this depends on your distribution.
ex for Ubuntu 18.04

sudo apt update
sudo apt install expect

ex. for Fedora 34
dnf -y install expect

Hope this helps

UPDATE: I just saw your edit, so you've figured out on your own ;)

@Matarwy
Copy link

Matarwy commented Dec 3, 2022

if there a python copy of this script?

@skjerns
Copy link

skjerns commented Jan 13, 2023

Somehow forticlientsslvpn_cli seems to be no longer available on the FortiNet website. Is there any mirror for it available?

@bzwierz
Copy link

bzwierz commented Feb 14, 2023

@skjerns Did you find a solution?

@skjerns
Copy link

skjerns commented Feb 14, 2023

yes! I simply use openfortivpn or openfortigui :) did not know there were open source alternatives out

@bzwierz
Copy link

bzwierz commented Feb 14, 2023

yes! I simply use openfortivpn or openfortigui :) did not know there were open source alternatives out

Thank you! Works great :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment