Alter.Org.UA

Disable FortiClientVPN DNS update

I'm using FortiClientVPN to access my office network, and I have a performance problem with it. When the tunnel is up, sites open slowly, but everything else works fine. My problem was due to resolv.conf updates performed by FortiClientVPN. Since the tunnel DNS servers are far from here (up to 100ms), I got a significant delay on hostname resolution. FortiClientVPN is not well documented, and I couldn't find a way to prevent it from updating local DNS via a config file. I tried to find some CLI options:

ps axww | grep forti

30595 ?        S      0:00 /bin/sh /opt/forticlient-sslvpn/forticlientsslvpn.sh
30598 ?        S      0:00 /bin/sh ./fortisslvpn.sh
30600 ?        Sl     0:08 ./forticlientsslvpn
31411 ?        S      0:00 ./forticlientsslvpn
31416 ?        Sl     0:00 ./forticlientsslvpn
31418 ?        Sl     0:00 ./forticlientsslvpn
31420 ?        S      0:00 /usr/sbin/pppd noipdefault noaccomp noauth default-asyncmap nopcomp 
      nodefaultroute debug logfile /usr/opt/forticlient-sslvpn/64bit/./helper/pppd.log :1.1.1.1 
      nodetach lcp-max-configure 40 38400 usepeerdns mru 1354

The idea was to remove the usepeerdns option. Unfortunately, without success: it is a hardcoded option. But a search for the dns substring inside the distribution gave me a hint. There is a helper/waitppp.sh script which generates the update for resolv.conf. So I just commented out the nameserver updates there.

Script waitapp.sh.patch

--- helper/waitppp.sh.orig      2020-05-05 09:53:45.207891802 +0300
+++ helper/waitppp.sh   2020-05-05 09:44:30.278470481 +0300
@@ -35,7 +35,7 @@
 done

 if [ "x$dns1" != "x" ]; then
-       echo "nameserver        $dns1"
+       echo "#nameserver       $dns1 #forticlient"
 fi

 if [ "x$dns1" == "x$dns2" ]; then
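Review bot: the new echo "#nameserver $dns1 #forticlient" line disables the tunnel resolver unconditionally, so while the tunnel is up any hostname that only $dns1 can answer goes to the locally configured resolvers instead. Consider guarding it with a switch (for example a hypothetical KEEP_LOCAL_DNS variable tested in the same if) so the original nameserver line is still emitted when office names need to resolve, and add a comment above the line saying why it is disabled. The header names helper/waitppp.sh, part of the client's own helper directory, so the edit would need re-applying if an upgrade replaces the script.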
@@ -43,7 +43,7 @@
 fi

 if [ "x$dns2" != "x" ]; then
-       echo "nameserver        $dns2"
+       echo "#nameserver       $dns2 #forticlient"
 fi

 echo "Done" >> "$base/forticlientsslvpn.log"
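Review bot: after the $dns2 change the script still only appends "Done" to $base/forticlientsslvpn.log, so nothing records that the peer's DNS servers were dropped. Suggest logging the skipped addresses next to it, e.g. echo "DNS update skipped: $dns1 $dns2" >> "$base/forticlientsslvpn.log", so that later resolution problems can be traced back to this patch.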

Forticlient config

Connection config and history are stored in .fctsslvpnhistory. Don't forget to make a backup: the file is often lost (and gets empty) after a reboot.
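
One way to follow this advice, as an added example (not part of the original article and not FortiClient code): a POSIX shell function that saves .fctsslvpnhistory while it has content and restores it once it turns up empty or missing. The $HOME location, the .bak file name and the function name guard_history are assumptions.

```shell
#!/bin/sh
# Added example: keep a known-good copy of FortiClient's .fctsslvpnhistory
# and put it back when the live file has gone missing or empty.
# Assumptions: the file lives in $HOME and the backup is <file>.bak;
# both paths can be overridden by arguments.

# guard_history [live_file] [backup_file]
# Prints saved | unchanged | restored | nothing; returns 1 on "nothing" or copy failure.
guard_history() {
    live=${1:-"$HOME/.fctsslvpnhistory"}
    bak=${2:-"$live.bak"}
    old_umask=$(umask)
    umask 077                      # connection settings: owner-only copies

    if [ -s "$live" ]; then
        # Live file has content: refresh the backup only when it differs.
        if [ -f "$bak" ] && cmp -s "$live" "$bak"; then
            result=unchanged
        else
            # Copy to a temporary name first so an interrupted run
            # never leaves a truncated backup behind.
            cp "$live" "$bak.tmp.$$" && mv -f "$bak.tmp.$$" "$bak" || {
                rm -f "$bak.tmp.$$"; umask "$old_umask"; return 1; }
            result=saved
        fi
    elif [ -s "$bak" ]; then
        # Live file is missing or empty (the post-reboot case): restore it.
        cp "$bak" "$live" || { umask "$old_umask"; return 1; }
        result=restored
    else
        umask "$old_umask"
        echo nothing               # no usable live file and no backup
        return 1
    fi

    umask "$old_umask"
    echo "$result"
}

# Run directly: sh guard_history.sh [live_file] [backup_file]
case ${0##*/} in
    guard_history.sh) guard_history "$@" ;;
esac
```

Calling it at login and again before starting the client covers both directions: a good file is saved, an emptied one is replaced from the last saved copy.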

2020.05.05


FB or mail alterX@alter.org.ua (remove X)
Author: Alter (Alexander A. Telyatnikov) Server: Apache+PHP on FBSD © 2002-2024