
Openfortivpn on Gentoo with OpenRC

April 14, 2021 — Jesse Harris

I recently set up a low-powered HP Stream laptop with Gentoo. Given its lower spec, I opted for a more conservative set of packages and decided to try OpenRC instead of systemd.

One of the default USE flags for systemd is resolvconf. On my other systems with systemd, connecting to a Fortinet VPN usually results in DNS being configured automatically.

The openfortivpn client uses resolvconf, but with OpenRC I don't have it installed, so I went about exploring how to configure openfortivpn and the ppp client to set up DNS automatically.


The man page for openfortivpn shows all the command line options, which are also settable via the config file, which defaults to /etc/openfortivpn/config.

The following settings caught my eye in the man page:

  • set-dns
  • use-resolvconf
  • use-peer-dns

set-dns

This option tries to update /etc/resolv.conf either by using resolvconf or, failing that, by openfortivpn itself prepending the DNS settings to /etc/resolv.conf.

I tried this option first and found that even without resolvconf installed, /etc/resolv.conf was correctly updated. However, within seconds the file had been overwritten and resolving hostnames with the VPN DNS was no longer possible.

use-resolvconf

This tells openfortivpn to use resolvconf to configure DNS. I could install it, but I wanted to learn more about what hooks could be used to configure the DNS without it.

use-peer-dns

This option is passed to net-dialup/ppp, and there is a matching usepeerdns option described in the pppd man page. In summary, the nameserver addresses are passed to the /etc/ppp/ip-up scripts and added to /etc/ppp/resolv.conf. The ip-up script is responsible for launching the scripts in /etc/ppp/ip-up.d/, and a quick peek in there shows a few scripts, one of which, 40-dns.sh, writes /etc/ppp/resolv.conf.

What manages resolv.conf on a stock OpenRC Gentoo?

Inspecting resolv.conf itself reveals that dhcpcd is the culprit:

    # Generated by dhcpcd from wlo1.dhcp
    # /etc/resolv.conf.head can replace this line

The second line is the most interesting: dhcpcd will include /etc/resolv.conf.head when it regenerates the file. I can use the ip-up and ip-down scripts to create and remove a symlink from /etc/resolv.conf.head to /etc/ppp/resolv.conf.

Here is the very basic script I have used:

/etc/ppp/ip-up.d/60-resolvconf.sh

    #!/bin/sh

    # symlink /etc/ppp/resolv.conf to /etc/resolv.conf.head

    if [ ! -L /etc/resolv.conf.head ] && [ -f /etc/ppp/resolv.conf ]; then
        ln -s /etc/ppp/resolv.conf /etc/resolv.conf.head
    fi

/etc/ppp/ip-down.d/60-resolvconf.sh

    #!/bin/sh

    # remove symlink /etc/resolv.conf.head

    if [ -L /etc/resolv.conf.head ]; then
        rm /etc/resolv.conf.head
    fi

With these scripts in place, every time I launch openfortivpn, DNS is set up correctly.
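To make the difference between the two approaches visible without touching a live system, here is an added example (not from the original post) that models, in a scratch directory, how dhcpcd rebuilds resolv.conf from resolv.conf.head plus the lease's nameservers. The rebuild function is a simplified stand-in for dhcpcd (an assumption about its behaviour, following the two header lines shown above), and the nameserver addresses are constructed sample values. It shows why a line prepended directly to resolv.conf, as set-dns does, is lost on the next regeneration, while a resolv.conf.head symlink survives it.

```sh
#!/bin/sh
# Added example: offline model of dhcpcd regenerating resolv.conf.
# Everything happens under a scratch directory, never under the real /etc.

ROOT="${ROOT:-$(mktemp -d)}"
ETC="$ROOT/etc"
mkdir -p "$ETC/ppp"

# Constructed sample addresses: the DHCP lease's resolver and the VPN's resolver.
LEASE_DNS="192.0.2.1"
VPN_DNS="198.51.100.53"

# Simplified model of dhcpcd's resolv.conf generation (assumption):
# header comments, the contents of resolv.conf.head if present, then lease entries.
rebuild_resolv_conf() {
    {
        echo "# Generated by dhcpcd from wlo1.dhcp"
        echo "# /etc/resolv.conf.head can replace this line"
        if [ -r "$ETC/resolv.conf.head" ]; then
            cat "$ETC/resolv.conf.head"
        fi
        echo "nameserver $LEASE_DNS"
    } > "$ETC/resolv.conf"
}

# What set-dns does without resolvconf: prepend the VPN resolver in place.
prepend_vpn_dns() {
    { echo "nameserver $VPN_DNS"; cat "$ETC/resolv.conf"; } > "$ETC/resolv.conf.tmp"
    mv "$ETC/resolv.conf.tmp" "$ETC/resolv.conf"
}

# What the ip-up hook does: point resolv.conf.head at ppp's resolv.conf.
# (On a real system 40-dns.sh writes /etc/ppp/resolv.conf; here we write it ourselves.)
link_head() {
    echo "nameserver $VPN_DNS" > "$ETC/ppp/resolv.conf"
    if [ ! -L "$ETC/resolv.conf.head" ]; then
        ln -s "$ETC/ppp/resolv.conf" "$ETC/resolv.conf.head"
    fi
}

# What the ip-down hook does: remove the symlink again.
unlink_head() {
    if [ -L "$ETC/resolv.conf.head" ]; then
        rm "$ETC/resolv.conf.head"
    fi
}

# The first nameserver the resolver would try.
first_nameserver() {
    awk '/^nameserver/ { print $2; exit }' "$ETC/resolv.conf"
}

# Scenario A: prepend like set-dns, then dhcpcd renews the lease.
scenario_set_dns() {
    unlink_head
    rebuild_resolv_conf
    prepend_vpn_dns
    rebuild_resolv_conf        # lease renewal regenerates the whole file
    first_nameserver
}

# Scenario B: symlink resolv.conf.head like the ip-up hook, then dhcpcd renews the lease.
scenario_head_link() {
    rebuild_resolv_conf
    link_head
    rebuild_resolv_conf        # regenerated file now carries the .head contents
    first_nameserver
}

cleanup() {
    rm -rf "$ROOT"
}

echo "set-dns prepend after renewal:   $(scenario_set_dns)"
echo "resolv.conf.head after renewal:  $(scenario_head_link)"
```

Run it as an unprivileged user; the scratch directory is left under $ROOT for inspection until cleanup is called. The first line prints the lease's resolver (the prepended VPN entry was discarded), the second prints the VPN resolver.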

Tags: gentoo, openrc, fortinet