Disable FortiClientVPN DNS update
I'm using FortiClientVPN to access my office network, and I have a performance problem with it.
When the tunnel is up, sites open slowly. But everything else works fine.
My problem was due to the resolv.conf updates performed by FortiClientVPN.
Since the tunnel DNS servers are far from here (up to 100ms), I got a significant delay on hostname resolution.
FortiClientVPN is not well documented and I couldn't find a way to prevent it from updating local DNS
via the config file. I tried to find some CLI options:
ps axww|grep forti
30595 ? S 0:00 /bin/sh /opt/forticlient-sslvpn/forticlientsslvpn.sh
30598 ? S 0:00 /bin/sh ./fortisslvpn.sh
30600 ? Sl 0:08 ./forticlientsslvpn
31411 ? S 0:00 ./forticlientsslvpn
31416 ? Sl 0:00 ./forticlientsslvpn
31418 ? Sl 0:00 ./forticlientsslvpn
31420 ? S 0:00 /usr/sbin/pppd noipdefault noaccomp noauth default-asyncmap nopcomp
nodefaultroute debug logfile /usr/opt/forticlient-sslvpn/64bit/./helper/pppd.log :22.214.171.124
nodetach lcp-max-configure 40 38400 usepeerdns mru 1354
The idea was to remove the usepeerdns option. Unfortunately, without success: it is a hardcoded option.
But a search for the dns substring inside the distribution gave me a hint. There is a helper/waitppp.sh
script which generates the update for resolv.conf. So I just commented out the nameserver updates there:
--- helper/waitppp.sh.orig 2020-05-05 09:53:45.207891802 +0300
+++ helper/waitppp.sh 2020-05-05 09:44:30.278470481 +0300
@@ -35,7 +35,7 @@
if [ "x$dns1" != "x" ]; then
- echo "nameserver $dns1"
+ echo "#nameserver $dns1 #forticlient"
if [ "x$dns1" == "x$dns2" ]; then
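Review bot: With the `$dns1` echo turned into a `#nameserver` comment, the resolver ignores the tunnel DNS server completely, so hostnames that only the office DNS knows will stop resolving and lookups for them go to the local resolver instead. If internal names are still needed, consider forwarding only the office domain to `$dns1` through a local caching resolver rather than dropping the server outright, and say in the comment text why the line is disabled.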
@@ -43,7 +43,7 @@
if [ "x$dns2" != "x" ]; then
- echo "nameserver $dns2"
+ echo "#nameserver $dns2 #forticlient"
echo "Done" >> "$base/forticlientsslvpn.log"
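Review bot: A reinstall or upgrade of the client will overwrite helper/waitppp.sh and silently restore the `nameserver $dns2` echo (and the `$dns1` one above), because this is a hand edit to a vendor-shipped script. Keep the diff next to the waitppp.sh.orig copy and re-check the script after every upgrade; wrapping both echo lines in a single guard variable would make the change easier to spot and to toggle.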
Connection config and history are stored in .fctsslvpnhistory.
Don't forget to make a backup; it is often lost (and becomes empty) after reboot.
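
A check to run after a client upgrade or after connecting, given here as an added example that is not part of the original post or of the FortiClient distribution: it reports whether the helper script still carries the edit shown in the diff and whether any tunnel DNS server is active in a resolv.conf file. The function names, the file paths passed in and the demo addresses are assumptions.

```shell
#!/bin/sh
# Added example: check that the waitppp.sh edit survived and that no tunnel
# DNS server is active. File paths and addresses are assumptions.
# Print active (uncommented) nameserver addresses from a resolv.conf-style file.
active_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print entries the patched helper wrote as "#nameserver <ip> #forticlient".
disabled_tunnel_nameservers() {
    awk '$1 == "#nameserver" && $NF == "#forticlient" { print $2 }' "$1"
}

# Return 0 if the helper has no active 'echo "nameserver $dnsN"' line,
# 1 if the original lines are back (e.g. after an upgrade), 2 if unreadable.
helper_is_patched() {
    [ -r "$1" ] || return 2
    if grep -Eq '^[[:space:]]*echo[[:space:]]+"nameserver[[:space:]]+\$dns[12]"' "$1"; then
        return 1
    fi
    return 0
}

# Return 0 if none of the given tunnel DNS addresses is active in the file.
tunnel_dns_inactive() {
    file=$1; shift
    for ip in "$@"; do
        if active_nameservers "$file" | grep -Fxq "$ip"; then
            return 1
        fi
    done
    return 0
}

# Constructed sample files; 192.0.2.53 and 10.0.0.1 are made-up addresses.
demo() {
    d=$(mktemp -d)
    printf 'nameserver 192.0.2.53\n#nameserver 10.0.0.1 #forticlient\n' > "$d/resolv.conf"
    printf '    echo "#nameserver $dns1 #forticlient"\n' > "$d/waitppp.sh"
    helper_is_patched "$d/waitppp.sh" && echo "helper: patched"
    tunnel_dns_inactive "$d/resolv.conf" 10.0.0.1 && echo "tunnel DNS: not in use"
    echo "disabled: $(disabled_tunnel_nameservers "$d/resolv.conf")"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to see the output on the constructed files; against a real installation, pass the actual helper path and /etc/resolv.conf to the functions.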