
Is it possible to use openfortivpn in github actions?

Open alekw opened this issue 4 years ago • 11 comments

Hello, I am trying to use openfortivpn to connect to a Fortinet VPN while deploying an application with GitHub Actions. On my machine (Ubuntu 20.04) the command executes successfully:

sudo apt-get install ppp openfortivpn
sudo openfortivpn vpn.com:443 --username=user --password=password --trusted-cert xxxx
WARN:   You should not pass the password on the command line. Type it interactively or use a config file instead.
WARN:   Bad port in config file: "0".
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
INFO:   Got addresses: [10.7.2.9], ns [172.17.0.3, 172.17.0.4]
INFO:   negotiation complete
INFO:   Got addresses: [10.7.2.9], ns [172.17.0.3, 172.17.0.4]
INFO:   negotiation complete
INFO:   negotiation complete
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
INFO:   Adding VPN nameservers...
INFO:   Tunnel is up and running.

While on GitHub Actions (Ubuntu 20.04) I get:

WARN:   You should not pass the password on the command line. Type it interactively or use a config file instead.
WARN:   Bad port in config file: "0".
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
INFO:   Got addresses: [10.7.2.21], ns [172.17.0.3, 172.17.0.4]
INFO:   Got addresses: [10.7.2.21], ns [172.17.0.3, 172.17.0.4]
INFO:   Got addresses: [10.7.2.21], ns [172.17.0.3, 172.17.0.4]
INFO:   Got addresses: [10.7.2.21], ns [172.17.0.3, 172.17.0.4]
ERROR:  read: Input/output error
INFO:   Cancelling threads...
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
INFO:   Logged out.

I have tried the -v option, and what I got there is:

DEBUG:  Got Address: 10.7.2.2
DEBUG:  if_config: not ready yet...
DEBUG:  Got Address: 10.7.2.2
DEBUG:  if_config: not ready yet...
DEBUG:  Got Address: 10.7.2.2
DEBUG:  if_config: not ready yet...
DEBUG:  Got Address: 10.7.2.2
DEBUG:  if_config: not ready yet...
DEBUG:  Got Address: 10.7.2.2
DEBUG:  if_config: not ready yet...
ERROR:  read: Input/output error
INFO:   Cancelling threads...
DEBUG:  Waiting for pppd to exit...
DEBUG:  waitpid: pppd exit status code 16
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
DEBUG:  server_addr: 1.2.3.4
DEBUG:  server_port: 443
DEBUG:  gateway_addr: 1.2.3.4
DEBUG:  gateway_port: 443
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Logged out.

Has anyone tried such a use case?

alekw avatar Feb 22 '21 19:02 alekw

Perhaps pppd is not configured as expected. You could start by retrieving /etc/ppp in the GitHub Ubuntu 18.04 or 20.04 environment and comparing it to what you see on your own machine.

DimitriPapadopoulos avatar Feb 23 '21 06:02 DimitriPapadopoulos

Also retrieve the pppd log (option --pppd-log).

DimitriPapadopoulos avatar Feb 23 '21 06:02 DimitriPapadopoulos

@alekw did you get this to work? Does anyone have any plans to create a GitHub action for this? I'll pay $50 for it :)

cesarvargas00 avatar Jul 21 '21 20:07 cesarvargas00

No, I didn't, but I haven't tried extensively. I started to doubt that GitHub will allow changing ppp settings in their VMs due to security issues.

alekw avatar Jul 21 '21 20:07 alekw

@alekw and @cesarvargas00, you could perhaps give OpenConnect a try. Support for FortiNet has been added very recently, so you will have to compile the latest sources. OpenConnect embeds its own PPP code instead of forking pppd; this will definitely help here. On the other hand, OpenConnect might not yet support all the openfortivpn options. In the latter case, do not hesitate to open a bug report against OpenConnect.

Please drop a message to tell us how it worked.

DimitriPapadopoulos avatar Jul 22 '21 06:07 DimitriPapadopoulos

Interested in this as well.

galah92 avatar Nov 08 '22 17:11 galah92

For anyone interested in this: based on @DimitriPapadopoulos's suggestion, here is a GitHub Action that builds OpenConnect from source and successfully connects to our VPN using the fortinet protocol.

# .github/workflows/vpn.yml
name: Can I use openconnect / fortinet on Github Actions?
on: push

jobs:
  openconnect:
    name: Build, install and run openconnect / fortinet
    runs-on: ubuntu-latest
    steps:
      - name: Setup build environment
        run: |
          sudo apt update && sudo apt install -y git autotools-dev automake libtool pkg-config m4 gettext openssl libssl-dev libxml2-dev vpnc-scripts
      - name: Build OpenConnect from source
        run: |
          git clone https://gitlab.com/openconnect/openconnect.git
          cd openconnect
          git checkout v9.01
          ./autogen.sh
          ./version.sh version.c
          ./configure
          make -j$(nproc)
          sudo make install
          sudo ldconfig
      - name: Connect to VPN
        run: |
          echo "${{ secrets.VPN_PWD }}" | sudo openconnect -u ${{ secrets.VPN_USER }} --passwd-on-stdin --protocol=fortinet ${{ secrets.VPN_HOST }}:${{ secrets.VPN_PORT }} --servercert ${{ secrets.VPN_SERVERCERT }} &
      - name: Test if connected to VPN
        run: |
          ping -c4 ${{ secrets.SERVER_HOST_INSIDE_VPN }}

donalffons avatar Jan 10 '23 11:01 donalffons

Here's my version of the @donalffons action, installing openconnect from apt instead of building it from source:

deploy:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Install openconnect ppa
        run: sudo add-apt-repository ppa:dwmw2/openconnect -y && sudo apt update

      - name: Install openconnect
        run: sudo apt install -y openconnect

      - name: Connect to VPN
        run: |
          echo "${{ secrets.VPN_PWD }}" | sudo openconnect -u ${{ secrets.VPN_USER }} --passwd-on-stdin --protocol=fortinet ${{ secrets.VPN_HOST }}:${{ secrets.VPN_PORT }} --servercert ${{ secrets.VPN_SERVERCERT }} --background

      - name: Test if connected to VPN
        run: |
          ping -c4 ${{ secrets.SERVER_HOST_INSIDE_VPN }}

campsjos avatar Jun 19 '23 23:06 campsjos

@campsjos @donalffons I am having a problem because I am not providing a --servercert. Is there a way that I can connect without providing it?

landlight avatar Jul 25 '23 15:07 landlight

Hi @landlight, just run the Action; that will throw an error. In the error itself you'll see the servercert that you should add:

[screenshot]

campsjos avatar Jul 26 '23 16:07 campsjos
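Taking the pin from the failed run's error output trusts whatever gateway answered on the first attempt. The same `pin-sha256:` value can instead be computed from a copy of the gateway certificate obtained out of band (e.g. from the VPN administrator) and stored as the VPN_SERVERCERT secret. The following is an added example, not code from this thread or from OpenConnect; it assumes that OpenConnect's `pin-sha256:` fingerprint is the RFC 7469 pin, i.e. base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo, and the `der()` helper exists only so a constructed, non-real certificate can be built for testing.

```python
import base64
import hashlib


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used to build the constructed test certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(buf: bytes, pos: int = 0):
    """Parse the DER TLV at buf[pos]: (tag, raw_tlv, value, end_offset)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr += nbytes
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], buf[pos + hdr:end], end


def spki_from_der(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate."""
    tag, _, cert_body, _ = read_tlv(cert_der)
    tbs_tag, _, tbs_body, _ = read_tlv(cert_body)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not an X.509 certificate")
    # tbsCertificate fields: [0] version (optional), serialNumber, signature,
    # issuer, validity, subject, subjectPublicKeyInfo, ...
    pos, fields = 0, []
    while pos < len(tbs_body) and len(fields) < 7:
        tag, raw, _, pos = read_tlv(tbs_body, pos)
        fields.append((tag, raw))
    if fields[0][0] == 0xA0:
        fields.pop(0)
    spki_tag, spki_raw = fields[5]
    if spki_tag != 0x30:
        raise ValueError("unexpected tag where SubjectPublicKeyInfo should be")
    return spki_raw


def pin_from_spki(spki: bytes) -> str:
    """RFC 7469 pin (base64 of SHA-256 over the SPKI DER) with OpenConnect's prefix."""
    return "pin-sha256:" + base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def openconnect_pin(cert_der: bytes) -> str:
    """Value for --servercert, or for the VPN_SERVERCERT secret in the workflow."""
    return pin_from_spki(spki_from_der(cert_der))
```

Feed `openconnect_pin()` the DER bytes of the gateway certificate; if the value differs from what the failed run printed, the run did not reach the expected gateway.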

Carlos, that's great stuff there. Thanks for sharing!

I am trying to get it running but having issues with the password.

This is the console output in Actions:

Run echo "***" | sudo openconnect -u myUserName --passwd-on-stdin --protocol=anyconnect https://subdomain.someAnyConnectVPN.com/ --background

The echo "***" is actually a secret; this is the YAML:

run: |
  echo "${{ secrets.VPN_PASSWORD }}" | sudo openconnect -u myUserName --passwd-on-stdin --protocol=anyconnect https://subdomain.someAnyConnectVPN.com --background

But it fails like this: [screenshot]

Do you think it's because I am not setting "servercert"? I am not sure; I think not, but tbh I am new to GitHub Actions.