SAML login isn't possible unless network mode is host
Hi!
openfortivpn added SAML login in version 1.23.0. It allows performing authentication using an external browser. The problem is that, once authentication has succeeded, the browser responds with a call to 127.0.0.1:8020, but openfortivpn inside the docker image only listens for 8020 connections from inside the docker image, so authentication can't succeed.
The only solution right now is using network_mode: host, which isn't ideal. It would be nice if 8020 traffic could be proxied, so external connections to port 8020 could reach the internal openfortivpn and SAML login works.
Thanks!
Hello, in case you are not yet familiar, publishing ports from your local host to a docker container is vastly preferred to host networking mode.
Hi!
I don't think it is a matter of publishing ports; the problem is openfortivpn only listens for SAML responses on 127.0.0.1:8020 inside the container, so even if the port was published, an external connection from outside the container isn't recognized. I'm not sure if openfortivpn can be configured to listen on 0.0.0.0:8020 instead of 127.0.0.1:8020, which would be the solution, but I don't see any relevant command line option.
Ah, indeed it seems like openfortivpn's http server handles connections differently depending on the source IP.
Testing via docker host
# docker run -d -p 127.0.0.1:8020:8020 jeffre/openfortivpn-haproxy --saml-login test.internal
# curl -siv 127.0.0.1:8020
* Trying 127.0.0.1:8020...
* Connected to 127.0.0.1 (127.0.0.1) port 8020
> GET / HTTP/1.1
> Host: 127.0.0.1:8020
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
* Empty reply from server
* Closing connection
curl: (52) Empty reply from server
Testing within docker container
# docker run -d --name testsaml jeffre/openfortivpn-haproxy --saml-login test.internal
# docker exec testsaml curl -si 127.0.0.1:8020
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 124
Connection: close
<!DOCTYPE html>
<html><body>
Invalid redirect response from Fortinet server. VPN could not be established.</body></html>
A possible solution would be to leverage socat to proxy the connection. However, under the current logic, socat does not start until after the ppp interface is ready. So this would require a refactor. I will leave this issue open for now.
Would you mind testing out a new branch that supports proxying ports before the vpn is connected?
https://github.com/jeffre/openfortivpn-haproxy/pull/12
Sure! I'll try it this afternoon.
Thanks!
Unfortunately it hasn't worked... I don't know if I'm doing something wrong; my docker-compose is as follows:
openfortivpn:
  image: jeffre/openfortivpn-haproxy:supprot-saml
  container_name: openfortivpn
  devices:
    - /dev/ppp
    - /dev/net/tun
  cap_add:
    - NET_ADMIN
  ports:
    - "1111:1111"
    - "8020:8020"
    - "3389:3389"
  environment:
    - PORT_FORWARD_RDP="3389:xxxxxx_redacted_xxxx:3389"
    - PORT_FORWARD_SAML="8020:127.0.0.1:8020"
  command: >
    --config /etc/openfortivpn/config
    --saml-login
  volumes:
    - ./openfortivpn/config:/etc/openfortivpn/config
When the container starts, it shows the URL I need to open in the browser to authenticate; I perform authentication, and then the browser redirects to http://127.0.0.1:8020/whatever and shows an error (ERR_SOCKET_NOT_CONNECTED). If I do an nmap -p 8020 127.0.0.1 on my machine (outside the docker container), it correctly shows port 8020 as open, but it looks like communication can't be established.
If I can do any further test, just tell me.
Thanks!
Thanks for sharing your docker compose. The way you have it set up, socat will take over listening on port 8020 inside the container, which will prevent openfortivpn from doing so. Try this instead:
ports:
  - "1111:1111"
  - "8020:2222"
  - "3389:3389"
environment:
  - PORT_FORWARD_RDP="3389:xxxxxx_redacted_xxxx:3389"
  - PORT_FORWARD_SAML="2222:127.0.0.1:8020"
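One way to implement the PORT_FORWARD_* handling described in the comment above, as an added example that is not the repository's own entrypoint script: it parses a compose-style "LISTEN:HOST:PORT" value, builds the socat relay from the container's interfaces to the loopback-only openfortivpn listener, and rejects the same-port loopback spec that broke the first attempt. The variable format is taken from the compose snippets in this thread; the function names and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own entrypoint. It models the PORT_FORWARD_*
# handling discussed in this thread: "LISTEN:HOST:PORT" becomes a socat relay that
# accepts connections on every container interface and hands them to the
# loopback-only openfortivpn listener. Variable format is assumed from the compose
# snippets above; the function names are hypothetical.

# Validate one forward spec and print the socat command for it.
build_socat_cmd() {
    spec="$1"
    # Tolerate surrounding quotes, as written in the compose snippets above.
    spec=${spec#\"}; spec=${spec%\"}
    listen_port="${spec%%:*}"
    rest="${spec#*:}"
    target_host="${rest%%:*}"
    target_port="${rest#*:}"
    # All three fields must be present ("8020:127.0.0.1" has no target port).
    if [ "$rest" = "$spec" ] || [ "$target_port" = "$rest" ] \
        || [ -z "$listen_port" ] || [ -z "$target_host" ] || [ -z "$target_port" ]; then
        echo "bad forward spec: $spec" >&2
        return 1
    fi
    case "$listen_port$target_port" in
        *[!0-9]*) echo "non-numeric port in: $spec" >&2; return 1 ;;
    esac
    # Relaying to loopback on the same port lets socat grab the port before
    # openfortivpn binds it: the 8020:127.0.0.1:8020 mistake discussed above.
    case "$target_host" in
        127.*|localhost|::1)
            if [ "$listen_port" = "$target_port" ]; then
                echo "refusing $spec: listen port collides with loopback target" >&2
                return 1
            fi ;;
    esac
    echo "socat TCP-LISTEN:${listen_port},fork,reuseaddr TCP:${target_host}:${target_port}"
}

# Start one background relay per PORT_FORWARD_* variable in the environment.
# DRY_RUN=1 only prints the commands, so the parsing can be checked without socat.
start_forwards() {
    env | grep '^PORT_FORWARD_' | while IFS='=' read -r name value; do
        cmd=$(build_socat_cmd "$value") || continue
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$name: $cmd"
        else
            $cmd &   # word-splitting the command string is intended
        fi
    done
}
```

With the compose file from the comment above, the published host port 8020 reaches socat on 2222 inside the container, and socat connects to 127.0.0.1:8020 from inside, which is the source the openfortivpn listener accepts.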
Mmm, still not working. Same error about connection being reset.
My docker-compose is as follows:
openfortivpn:
  image: jeffre/openfortivpn-haproxy:supprot-saml
  container_name: openfortivpn
  devices:
    - /dev/ppp
    - /dev/net/tun
  cap_add:
    - NET_ADMIN
  ports:
    - "127.0.0.1:8020:2222"
  environment:
    - PORT_FORWARD_SAML="2222:127.0.0.1:8020"
  command: >
    --config /etc/openfortivpn/config
    --saml-login
  volumes:
    - ./openfortivpn/config:/etc/openfortivpn/config
Any idea? Any extra log I could check?
Thanks!
Your docker compose file worked for me. I wonder if something went wrong with how the branch image was built. I went ahead and uploaded a build to docker hub. If you would like to test with it instead, just change the image from jeffre/openfortivpn-haproxy:supprot-saml to jeffre/openfortivpn-haproxy:issue-11.
Yep, I also think there's something wrong in my side. I'll keep trying, thanks a lot!