How to get FortiClient working in OS X El Capitan
The FortiClient VPN software is borked when using split horizon since OS X El Capitan. The problem is that DNS requests are sent out on the normal primary interface to the DNS of the VPN tunnel.
How do we get the DNS requests to be sent out over the correct interface (i.e. the VPN tunnel)?
Edited Answer
(Re)improved on just about everybody else's improved answer (@elmart, @user26312, myself). Edits should not be needed in the script:
#!/bin/bash
# Run with sudo after the VPN is connected. The script reads the current
# (physical) default route first, so no per-network values need editing.
[ "$(id -u)" -eq 0 ] || { echo "run this with sudo" >&2; exit 1; }
default_line=$(netstat -rn -f inet | grep '^default' | head -n 1)
gateway=$(echo "$default_line" | awk '{print $2}')
interface=$(echo "$default_line" | awk '{print $6}')
echo "gateway:   $gateway"
echo "interface: $interface"
# Tell configd that the FortiClient service lives on ppp0, so its DNS
# configuration is bound to the tunnel interface.
scutil <<EOF
d.init
get State:/Network/Service/forticlientsslvpn/IPv4
d.add InterfaceName ppp0
set State:/Network/Service/forticlientsslvpn/IPv4
EOF
# Redo the default routes; the scutil change above implicitly sets the wrong default gateway.
route delete default
route delete -ifscope "$interface" default
route add -ifscope "$interface" default "$gateway"
route add -net 0.0.0.0 -interface "$interface"
Make the file you put this in executable, and execute it with sudo after connecting with the VPN. Before the script makes any changes, it looks at your current default route and therefore knows your current gateway and interface.
Old answer
Not a complete solution; you'll have to do the following two high-level things after each VPN connection setup:
1. Set the tunnel's interface to ppp0.
2. Redo the default routes (because step 1 implicitly sets the wrong default gateway; split tunnelling should still work correctly afterwards).
Create a file, named scutil-forti for example, containing:
d.init
get State:/Network/Service/forticlientsslvpn/IPv4
d.add InterfaceName ppp0
set State:/Network/Service/forticlientsslvpn/IPv4
Redo the gateway routes, so make another file, routes-forti, with the following (mind the lines with settings specific to your network):
sudo route delete default
sudo route delete -ifscope en0 default # This line depends on your interface
sudo route add -ifscope en0 default 192.168.2.252 # This depends on your normal local gateway.
sudo route add -net 0.0.0.0 -interface en0
Now execute:
$ cat scutil-forti | sudo scutil; bash routes-forti
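As an added example (not part of the answers above), here is a script that applies the same scutil and route fix but picks the physical default route more carefully and adds a check afterwards. `netstat -rn | grep default` also matches the IPv6 `default` line and, once the tunnel is up, any default route FortiClient adds on ppp0; the function below skips both. The interface name ppp0 and the forticlientsslvpn service key are taken from the answers; the `netstat -rn` and `scutil --dns` outputs embedded below are constructed samples, and the 10.212.134.x addresses are made up.

```bash
#!/bin/bash
# Added example: robust default-route discovery, the route fix from the answers
# above, and a post-fix check of which interface each DNS server is reached over.
set -eu

# Pick the IPv4 default route that is NOT the VPN tunnel.
# $1: text of `netstat -rn` output. Prints "<gateway> <interface>".
physical_default_route() {
  printf '%s\n' "$1" | awk '
    /^Internet6:/ { exit }                                   # stop before the IPv6 table
    $1 == "default" && $6 !~ /^(ppp|utun|tun)/ { print $2, $6; exit }
  '
}

# Emit the route commands from the answers above for a given gateway ($1) and interface ($2).
route_fix_commands() {
  printf 'route delete default\n'
  printf 'route delete -ifscope %s default\n' "$2"
  printf 'route add -ifscope %s default %s\n' "$2" "$1"
  printf 'route add -net 0.0.0.0 -interface %s\n' "$2"
}

# Extract the unique nameserver addresses from `scutil --dns` output ($1).
dns_servers() {
  printf '%s\n' "$1" | awk '$1 ~ /^nameserver/ { print $3 }' | sort -u
}

# Constructed sample, shaped like El Capitan `netstat -rn` after the VPN is up
# (the tunnel's own default entry is listed first on purpose).
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.212.134.1       UGScI           0        0    ppp0
default            192.168.1.1        UGSc           50        0     en0
127                127.0.0.1          UCS             0        0     lo0

Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 fe80::%utun0                    UGcI          utun0'

# Constructed sample of `scutil --dns` output.
SAMPLE_DNS='DNS configuration

resolver #1
  nameserver[0] : 10.212.134.2
  nameserver[1] : 10.212.134.3
  if_index : 4 (en0)

resolver #2
  nameserver[0] : 10.212.134.2
  if_index : 11 (ppp0)'

case "${1:-}" in
  --apply)   # run as root after the VPN is connected
    set -- $(physical_default_route "$(netstat -rn)")
    [ $# -eq 2 ] || { echo "no physical default route found" >&2; exit 1; }
    scutil <<EOF
d.init
get State:/Network/Service/forticlientsslvpn/IPv4
d.add InterfaceName ppp0
set State:/Network/Service/forticlientsslvpn/IPv4
EOF
    route_fix_commands "$1" "$2" | sh -ex
    ;;
  --check)   # which interface is each DNS server reached over? Expect ppp0 for the VPN's servers.
    for ns in $(dns_servers "$(scutil --dns)"); do
      printf '%-16s via %s\n' "$ns" "$(route -n get "$ns" 2>/dev/null | awk '/interface:/ { print $2 }')"
    done
    ;;
  *)         # dry run on the constructed samples
    physical_default_route "$SAMPLE_NETSTAT"
    dns_servers "$SAMPLE_DNS"
    ;;
esac
```

Run it with no arguments for a dry run on the samples, `sudo ./forti-fix.sh --apply` right after connecting, and `./forti-fix.sh --check` afterwards: if the VPN's nameservers still show `via en0`, the DNS requests are still leaving on the physical interface and the fix has not taken.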
I've reworked @hbogert's solution into a more manageable single script:
#!/bin/bash
# Run with sudo just after connecting to the VPN.
# Bind the FortiClient service to the tunnel interface ppp0.
scutil <<EOF
d.init
get State:/Network/Service/forticlientsslvpn/IPv4
d.add InterfaceName ppp0
set State:/Network/Service/forticlientsslvpn/IPv4
EOF
# Redo the default routes; en0 and 192.168.1.1 are your local interface and gateway.
route delete default
route delete -ifscope en0 default
route add -ifscope en0 default 192.168.1.1
route add -net 0.0.0.0 -interface en0
That is assuming you're using the en0 interface and 192.168.1.1 as default gateway. If not, replace those with your corresponding values. If you don't know them, type route get www.google.com to get them.
Then:
- Place that into a file (e.g. 'fix-vpn') somewhere in your path.
- Give it execute permissions (chmod u+x fix-vpn).
- Run it with sudo (sudo fix-vpn) just after connecting to the VPN.
I've tried it and it works. As I said, this is just a rework of a previous solution. I just posted it as a separate answer because I didn't have space enough in a comment.
BTW, I also thought this could be included in an /etc/ppp/ip-up script so that it gets automatically executed when connecting. But for some reason, it doesn't work that way. If somebody can explain/improve on that, please do.
I was able to use an older version of Forticlient and confirmed that it works!
Here's the link to it on my dropbox:
https://www.dropbox.com/s/p43ssvp0gusmzeq/forticlientsslvpn_macosx_4.0.2297.dmg?dl=0
UPDATE: Downloading and installing the newest and official version 5.4.1 for Mac OS X fixes all the problems on Mac OS X El Capitan.
As described in the Fortinet forum, one should download the newest (yet unpublished) version of the FortiClient to fix the problems on Mac OS X El Capitan:
https://www.dropbox.com/sh/cb0j4pxw1f8nq84/AABHzZW1bpx1VjzYAmiK00S9a?dl=0
This was the easiest solution for me.