Unable To Run Forticlient VPN In Incus Container, Suspect Firewall Or Privilege?

Hi, sorry, I’ve exhausted myself trying to configure an Incus container that serves as a resource-efficient VPN.
I’m confused and kindly seeking help.

Reproducible steps

# create container
incus create images:ubuntu/22.04  u22
incus start u22
incus shell u22

# setup ssh
apt install openssh-server -y
cat << EOF  >> /etc/ssh/sshd_config
PermitRootLogin yes
X11Forwarding yes
EOF
systemctl restart sshd

# ssh to container
exit
incus list
ssh -X 10.0.32.77

# install vpn software and dependencies
wget https://ccnet.ntu.edu.tw/vpn/Download/ps-pulse-linux-22.2r1.0-b1295-64bit-installer.deb https://filestore.fortinet.com/forticlient/forticlient_vpn_7.4.0.1636_amd64.deb
apt install ./*.deb

# launch vpn software
forticlient gui

forticlient starts up fine. I configure the VPN and start it, successfully authenticating through SAML, but it’s stuck on connecting.

This process works on VirtualBox, and I notice that in VirtualBox it creates a new network interface. I don’t know how to configure permissions for that. If someone can point me in the right direction, please.

Please find the logs for the VPN software below.

confighandler.log

20250217 17:08:37.100 TZ=+0000 [confighandler:EROR] about:105 Failed to get icdb metadata: i/o error: No such file or directory (os error 2)
20250217 17:08:39.717 TZ=+0000 [confighandler:EROR] vuln:58 Failed to read vuln scan result: i/o error: No such file or directory (os error 2)
20250217 17:08:39.722 TZ=+0000 [confighandler:EROR] antivirus:49 Failed to get total quarantine entry count: i/o error: No such file or directory (os error 2)
20250217 17:08:39.764 TZ=+0000 [confighandler:EROR] vuln:58 Failed to read vuln scan result: i/o error: No such file or directory (os error 2)
20250217 17:08:39.769 TZ=+0000 [confighandler:EROR] vuln:58 Failed to read vuln scan result: i/o error: No such file or directory (os error 2)
20250217 17:08:39.785 TZ=+0000 [confighandler:EROR] vuln:58 Failed to read vuln scan result: i/o error: No such file or directory (os error 2)
20250217 17:08:39.824 TZ=+0000 [confighandler:EROR] antivirus:49 Failed to get total quarantine entry count: i/o error: No such file or directory (os error 2)
20250217 17:08:39.858 TZ=+0000 [confighandler:EROR] antivirus:49 Failed to get total quarantine entry count: i/o error: No such file or directory (os error 2)
20250217 17:08:40.091 TZ=+0000 [confighandler:EROR] about:105 Failed to get icdb metadata: i/o error: No such file or directory (os error 2)
20250217 17:24:19.717 TZ=+0000 [confighandler:EROR] websock:79 Failed to recv message from ws: WebSocket protocol error: Connection reset without closing handshake

fctsched.log

20250217 16:59:25.497 TZ=+0000 [scheduler:INFO] fctsched:580 Checking confighandler status
20250217 16:59:25.498 TZ=+0000 [scheduler:INFO] fctsched:586 Confighandler status OK
20250217 16:59:25.498 TZ=+0000 [scheduler:INFO] fctsched:603 FortiClient Scheduler start …
20250217 16:59:33.549 TZ=+0000 [scheduler:INFO] fct_task_queue:266 Launching firewall
20250217 16:59:33.651 TZ=+0000 [scheduler:INFO] fct_task_queue:151 Firewall socket ready
20250217 17:00:30.549 TZ=+0000 [scheduler:INFO] fct_task_queue:780 Schedule start update task
20250217 17:08:40.106 TZ=+0000 [scheduler:INFO] cmd_dispatcher:474 Update task added

firewall.log

20250217 16:59:33.574 TZ=+0000 [INFO ] factory:72 Using: nftables
20250217 16:59:33.650 TZ=+0000 [INFO ] main:203 IPC socket ready

sslvpn.log

20250217 16:59:25.538 TZ=+0000 [sslvpn:INFO] main:1817 Init
20250217 16:59:25.539 TZ=+0000 [sslvpn:INFO] main:1829 VPN is running in restore DNS mode
20250217 16:59:30.544 TZ=+0000 [sslvpn:EROR] firewall_api:46 ipc_recv failed
20250217 16:59:30.544 TZ=+0000 [sslvpn:DEBG] dns:965 Failed to flush VPN rules
20250217 16:59:30.544 TZ=+0000 [sslvpn:DEBG] dns:73 Restore DNS config
20250217 16:59:30.544 TZ=+0000 [sslvpn:DEBG] dns:77 No DNS backup file was found. Skip.
20250217 16:59:30.544 TZ=+0000 [sslvpn:DEBG] mtu:116 Restore MTU.
20250217 16:59:30.544 TZ=+0000 [sslvpn:DEBG] mtu:120 No MTU backup file was found. Skip.

Most VPNs use /dev/net/tun to create network interfaces. That works fine from within a container too, so unless this one is doing something very different, that shouldn’t be the issue.

That said, the logs show it’s trying to access something related to its anti-virus and that seems to be failing. I don’t know if there’s a way to get a more useful log that actually tells you what it’s looking for. It’s quite possibly as simple as a missing dependency.
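The four logs quoted above are easier to reason about as one timeline than as separate files: merged by timestamp, the sslvpn component's `firewall_api:46 ipc_recv failed` at 16:59:30 sits a few seconds before the firewall helper's `IPC socket ready` at 16:59:33, and the confighandler errors group by which subsystem (about, vuln, antivirus) cannot find its files. The following script is an added example, not part of this thread or of FortiClient; it infers the line format from the quoted lines (`<date> <time> TZ=<offset> [<component>:<LEVEL>] <file>:<line> <message>`, with firewall.log omitting the component), and the embedded sample is a subset of the lines posted above.

```python
"""Merge FortiClient's per-component logs into one timeline and pull out the failures."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# One log line: "<date> <time> TZ=<offset> [<component>:<LEVEL>] <file>:<line> <message>".
# firewall.log omits the component and pads the level instead: "[INFO ] factory:72 ...".
# Format inferred from the lines quoted in the thread (assumption, not a documented spec).
LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) TZ=(?P<tz>[+-]\d{4}) "
    r"\[(?P<tag>[^\]]+)\] (?P<src>\w+):(?P<lineno>\d+) (?P<msg>.*)$"
)


@dataclass
class Entry:
    ts: datetime
    log: str        # which file the line came from, e.g. "sslvpn"
    component: str  # tag before the colon, or the log name when the tag has none
    level: str      # INFO / DEBG / EROR
    src: str        # "file:line" inside the client, e.g. "vuln:58"
    msg: str


def parse_line(log: str, line: str) -> Entry | None:
    """Return an Entry for a well-formed line, None for anything else (blank lines, wrapped fragments)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    tag = m.group("tag")
    component, level = tag.split(":", 1) if ":" in tag else (log, tag)
    tz = m.group("tz")
    sign = 1 if tz[0] == "+" else -1
    offset = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    ts = datetime.strptime(f"{m.group('date')} {m.group('time')}", "%Y%m%d %H:%M:%S.%f")
    return Entry(ts.replace(tzinfo=offset), log, component, level.strip(),
                 f"{m.group('src')}:{m.group('lineno')}", m.group("msg"))


def merge_logs(logs: dict[str, str]) -> list[Entry]:
    """Parse every file in {name: contents} and return all entries ordered by timestamp."""
    entries = [e for name, text in logs.items()
               for e in (parse_line(name, ln) for ln in text.splitlines()) if e is not None]
    return sorted(entries, key=lambda e: e.ts)


def find_errors(entries: list[Entry]) -> list[Entry]:
    return [e for e in entries if e.level == "EROR"]


def missing_file_sources(entries: list[Entry]) -> Counter[str]:
    """Count ENOENT-style failures per source location: shows which subsystems lack their files."""
    return Counter(e.src for e in entries if "No such file or directory" in e.msg)


def firewall_ipc_gap(entries: list[Entry]) -> float | None:
    """Seconds from sslvpn's first failed firewall IPC call to the firewall helper announcing
    its socket. Positive means sslvpn gave up before the helper was listening."""
    fail = next((e for e in entries if e.log == "sslvpn" and e.src.startswith("firewall_api")), None)
    ready = next((e for e in entries if e.log == "firewall" and "IPC socket ready" in e.msg), None)
    if fail is None or ready is None:
        return None
    return (ready.ts - fail.ts).total_seconds()


# Sample input: a subset of the lines quoted in the thread, unwrapped onto single lines.
SAMPLE_LOGS = {
    "confighandler": """\
20250217 17:08:37.100 TZ=+0000 [confighandler:EROR] about:105 Failed to get icdb metadata: i/o error: No such file or directory (os error 2)
20250217 17:08:39.717 TZ=+0000 [confighandler:EROR] vuln:58 Failed to read vuln scan result: i/o error: No such file or directory (os error 2)
20250217 17:08:39.722 TZ=+0000 [confighandler:EROR] antivirus:49 Failed to get total quarantine entry count: i/o error: No such file or directory (os error 2)
20250217 17:24:19.717 TZ=+0000 [confighandler:EROR] websock:79 Failed to recv message from ws: WebSocket protocol error: Connection reset without closing handshake
""",
    "fctsched": """\
20250217 16:59:25.498 TZ=+0000 [scheduler:INFO] fctsched:603 FortiClient Scheduler start …
20250217 16:59:33.549 TZ=+0000 [scheduler:INFO] fct_task_queue:266 Launching firewall
20250217 16:59:33.651 TZ=+0000 [scheduler:INFO] fct_task_queue:151 Firewall socket ready
""",
    "firewall": """\
20250217 16:59:33.574 TZ=+0000 [INFO ] factory:72 Using: nftables
20250217 16:59:33.650 TZ=+0000 [INFO ] main:203 IPC socket ready
""",
    "sslvpn": """\
20250217 16:59:25.538 TZ=+0000 [sslvpn:INFO] main:1817 Init
20250217 16:59:30.544 TZ=+0000 [sslvpn:EROR] firewall_api:46 ipc_recv failed
20250217 16:59:30.544 TZ=+0000 [sslvpn:DEBG] dns:965 Failed to flush VPN rules
""",
}


def main() -> None:
    entries = merge_logs(SAMPLE_LOGS)
    print("Errors in timestamp order:")
    for e in find_errors(entries):
        print(f"  {e.ts:%H:%M:%S.%f} {e.log:<14} {e.src:<16} {e.msg}")
    print("Missing-file errors by source:", dict(missing_file_sources(entries)))
    gap = firewall_ipc_gap(entries)
    if gap is not None:
        print(f"sslvpn failed its firewall IPC call {gap:.3f}s before the firewall socket was ready")


if __name__ == "__main__":
    main()
```

To use it on a real installation, replace `SAMPLE_LOGS` with the contents of the actual log files (read them with `Path(...).read_text()`); lines that the regex does not match, such as fragments wrapped by a forum editor, are skipped rather than misparsed. The ordering check in `firewall_ipc_gap` only reports what the timestamps say; whether sslvpn retries the IPC call later is not visible in the quoted logs.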

Appreciate the input, Stéphane.

I’ve done a broad stroke and installed the entirety of GNOME with the following, and I’ve made ubuntu a sudo user and use that user to launch the program for D-Bus purposes:

apt install gnome libxi-dev
dbus-run-session -- bash  # may not be necessary if running as ubuntu user

forticlient relies, for some reason, on X11 extensions and gnome-keyring; it prompts for a keyring password and I create it.

But I’m still battling with the same screen.

Looking at journalctl -fxe output, this is what I get when the SAML authentication completes:

Journalctl -fxe

Feb 18 17:44:06 u22 dbus-daemon[560]: [session uid=1000 pid=560] Activating service name='org.gnome.keyring.SystemPrompter' requested by ':1.17' (uid=1000 pid=899 comm="gnome-keyring-daemon --unlock ")
Feb 18 17:44:06 u22 gcr-prompter[1436]: cannot open display:
Feb 18 17:44:06 u22 dbus-daemon[560]: [session uid=1000 pid=560] Activated service 'org.gnome.keyring.SystemPrompter' failed: Process org.gnome.keyring.SystemPrompter exited with status 1
Feb 18 17:44:06 u22 gnome-keyring-daemon[899]: couldn't create system prompt: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.gnome.keyring.SystemPrompter exited with status 1
Feb 18 17:44:15 u22 xdg-desktop-por[1242]: GError set over the top of a previous GError or uninitialized memory.
This indicates a bug in someone's code. You must ensure an error is NULL before it's set.
The overwriting error message was: Error calling StartServiceByName for org.freedesktop.impl.portal.desktop.gtk: Timeout was reached
Feb 18 17:44:15 u22 xdg-desktop-por[1242]: Failed to create settings proxy: Error calling StartServiceByName for org.freedesktop.impl.portal.desktop.gnome: Timeout was reached
Feb 18 17:44:15 u22 xdg-desktop-por[1242]: No skeleton to export
Feb 18 17:44:19 u22 systemd[1]: Starting Cleanup of Temporary Directories…
░░ Subject: A start job for unit systemd-tmpfiles-clean.service has begun execution
░░ Defined-By: systemd
░░ Support: Enterprise open source support | Ubuntu
░░
░░ A start job for unit systemd-tmpfiles-clean.service has begun execution.
░░
░░ The job identifier is 1878.
Feb 18 17:44:19 u22 systemd[1]: systemd-tmpfiles-clean.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: Enterprise open source support | Ubuntu
░░
░░ The unit systemd-tmpfiles-clean.service has successfully entered the 'dead' state.
Feb 18 17:44:19 u22 systemd[1]: Finished Cleanup of Temporary Directories.
░░ Subject: A start job for unit systemd-tmpfiles-clean.service has finished successfully
░░ Defined-By: systemd
░░ Support: Enterprise open source support | Ubuntu
░░
░░ A start job for unit systemd-tmpfiles-clean.service has finished successfully.
░░
░░ The job identifier is 1878.
Feb 18 17:44:30 u22 systemd[534]: xdg-desktop-portal.service: start operation timed out. Terminating.
Feb 18 17:44:30 u22 systemd[534]: xdg-desktop-portal.service: Failed with result 'timeout'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: Enterprise open source support | Ubuntu
░░
░░ The unit UNIT has entered the 'failed' state with result 'timeout'.
Feb 18 17:44:30 u22 systemd[534]: Failed to start Portal service.
░░ Subject: A start job for unit UNIT has failed
░░ Defined-By: systemd
░░ Support: Enterprise open source support | Ubuntu
░░
░░ A start job for unit UNIT has finished with a failure.
░░
░░ The job identifier is 236 and the job result is failed.