{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiflb54oqba67j4gviqc5ynuh7aqnl6vkuji6x3zhvmijavjjzxwh4",
    "uri": "at://did:plc:vd5cwlrxa4prr35ajkonul4s/app.bsky.feed.post/3mey4c64ju5p2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreiarzb75k5jkjwpy3mynpxgkquvgy5av7apezzipjckrrys3he3jjq"
    },
    "mimeType": "image/jpeg",
    "size": 233534
  },
  "description": "How to install and configure FortiClient VPN on Arch Linux with Hyprland and Wayland. Covers the right AUR package, gnome-keyring setup, and the XWayland workaround needed for SAML/SSO login to work.",
  "path": "/en/forticlient-vpn-on-hyprland-wayland-the-complete-setup-guide/",
  "publishedAt": "2026-02-16T13:02:00.000Z",
  "site": "https://www.docupoint.eu",
  "textContent": "If you're running Hyprland on Wayland and need to connect to a Fortinet SSL VPN with SAML/SSO, you're in for a rough ride. FortiClient on Linux has several undocumented issues on Wayland compositors, and the official documentation is essentially silent on the topic.\n\nThis guide covers every pitfall I've hit and how to solve them — from choosing the right package to getting the SAML login popup to actually appear.\n\n## Choosing the Right Package\n\nOn Arch Linux (and derivatives like CachyOS), there are three options in the AUR:\n\nPackage | Description | SSO Support\n---|---|---\n`openfortivpn` | Open-source CLI client | No native SAML — requires cookie workaround\n`forticlient` | Full ZTNA edition | Yes, but **blocks standalone VPN** without EMS server\n`forticlient-vpn` | VPN-only edition | Yes, works standalone\n\nThe correct choice is **forticlient-vpn**. Here's why the others fail:\n\n  * **openfortivpn** doesn't support SAML/SSO authentication natively. You'd need to extract an `SVPNCOOKIE` from a browser session manually — fragile and tedious.\n  * **forticlient** (the ZTNA edition) includes endpoint compliance features that require registration with a FortiClient EMS server. Without EMS, the VPN feature is locked with the error: `SSLVPN is disabled while registered to EMS`. If your organization doesn't provide an EMS endpoint, this package is a dead end.\n\n\n\nInstall the VPN-only edition:\n\n\n    paru -S forticlient-vpn\n\nStart and enable the service:\n\n\n    sudo systemctl enable --now forticlient.service\n\n## The Secrets Service Requirement\n\nFortiClient stores VPN credentials through the `org.freedesktop.secrets` D-Bus interface. Without a secrets service running, **you cannot save VPN profiles** — the GUI save button simply does nothing, with no error message.\n\nIf you're on a KDE-based setup, you might have `kwallet` installed but not necessarily exposing the freedesktop secrets interface. 
The most reliable option is `gnome-keyring`:\n\n\n    sudo pacman -S gnome-keyring\n\nStart the secrets component:\n\n\n    gnome-keyring-daemon --start --components=secrets\n\nVerify it's registered on D-Bus:\n\n\n    dbus-send --session --print-reply \\\n      --dest=org.freedesktop.DBus \\\n      /org/freedesktop/DBus \\\n      org.freedesktop.DBus.ListNames 2>&1 | grep secrets\n\nYou should see `org.freedesktop.secrets` in the output.\n\n### Making It Persistent\n\nTo ensure gnome-keyring starts automatically on login, add it to your PAM configuration. The `gnome-keyring` package typically installs PAM hooks automatically, but if your session doesn't go through a standard display manager (common with Hyprland), you may need to start it in your Hyprland config:\n\n\n    # ~/.config/hypr/hyprland.conf\n    exec-once = gnome-keyring-daemon --start --components=secrets\n\nAfter setting up the secrets service, restart FortiClient:\n\n\n    sudo systemctl restart forticlient.service\n\nYou should now be able to save VPN profiles in the GUI.\n\n## The Wayland Problem: Buttons Don't Work\n\nHere's where it gets truly frustrating. You've installed the right package, set up the secrets service, saved your VPN profile — and when you click **Connect**, nothing happens. No SAML popup. No error. The GUI shows \"Connecting\" and sits there forever.\n\nThe SSL VPN log at `/var/log/forticlient/sslvpn.log` reveals the issue:\n\n\n    [sslvpn:INFO] main:1781 State: Logging in\n    [sslvpn:DEBG] main:1689 Message to UI: 8\n    [sslvpn:DEBG] main:1707 90 bytes sent.\n\nThe VPN backend sends a message to the GUI (the SAML login window request), but the Electron-based GUI running natively on Wayland fails to open the popup. The buttons themselves may also not register clicks properly.\n\n### The Fix: Force XWayland\n\nFortiClient's Electron GUI doesn't work correctly as a native Wayland client on Hyprland. 
The solution is to force it to run under XWayland using the `--ozone-platform=x11` flag:\n\n\n    WAYLAND_DISPLAY=\"\" DISPLAY=:1 \\\n      /opt/forticlient/gui/FortiClient --ozone-platform=x11\n\nYou can verify it's running under XWayland by checking:\n\n\n    hyprctl clients | grep -A15 \"FortiClient\"\n\nLook for `xwayland: 1` in the output. If it says `xwayland: 0`, it's running as a native Wayland client and will have the input/popup issues.\n\n### Permanent Wrapper Script\n\nCreate a wrapper script so you don't have to remember the flags:\n\n\n    #!/usr/bin/env bash\n    # ~/.local/bin/forticlient-vpn\n    # Force FortiClient to run under XWayland on Hyprland\n    export WAYLAND_DISPLAY=\"\"\n    export DISPLAY=\"${DISPLAY:-:1}\"\n    exec /opt/forticlient/gui/FortiClient --ozone-platform=x11 \"$@\"\n\nMake it executable:\n\n\n    chmod +x ~/.local/bin/forticlient-vpn\n\nYou can also create a desktop entry to override the default launcher:\n\n\n    [Desktop Entry]\n    Type=Application\n    Name=FortiClient VPN\n    Exec=env WAYLAND_DISPLAY=\"\" DISPLAY=:1 /opt/forticlient/gui/FortiClient --ozone-platform=x11\n    Icon=FortiClient\n    Terminal=false\n    Categories=Network;VPN;\n\n## Summary Checklist\n\nIf you're setting up FortiClient VPN on Hyprland from scratch, here's the complete sequence:\n\n  1. Install `forticlient-vpn` (not `forticlient` ZTNA edition)\n  2. Install `gnome-keyring` and ensure `org.freedesktop.secrets` is on D-Bus\n  3. Start the FortiClient service: `sudo systemctl enable --now forticlient.service`\n  4. Launch FortiClient with `--ozone-platform=x11` to force XWayland\n  5. Add your VPN profile in the GUI (server, port, SAML authentication)\n  6. Click **Connect** — the SAML login popup should now appear\n\n\n\n## Troubleshooting\n\n#### SSLVPN is disabled while registered to EMS\n\nYou installed the ZTNA edition (`forticlient`). 
Switch to `forticlient-vpn` — the VPN-only package that works without an EMS server.\n\n#### Cannot save VPN profiles\n\nNo secrets service is running. Install `gnome-keyring` and start it with `gnome-keyring-daemon --start --components=secrets`. Verify that `org.freedesktop.secrets` appears on D-Bus.\n\n#### Connect button does nothing / SAML popup doesn't appear\n\nFortiClient is running as a native Wayland client. Force XWayland by launching with `--ozone-platform=x11` and unsetting `WAYLAND_DISPLAY`. Verify with `hyprctl clients` that `xwayland: 1` is shown.\n\n#### Keyring is locked\n\nThe gnome-keyring needs to be unlocked at login. Ensure it's integrated with PAM or started in your Hyprland config with `exec-once = gnome-keyring-daemon --start --components=secrets`.\n\n#### No log output in /var/log/forticlient/sslvpn.log\n\nEnable VPN logging in FortiClient settings (under the gear icon), or check that the FortiClient service is running: `systemctl status forticlient.service`.\n\n#### Stuck on ‘Connecting’ after SAML login completes\n\nThe VPN gateway’s TLS certificate is being rejected silently. Check `~/.config/FortiClient/logs/main.log` for `FCT_VPN_INVALID_CERTIFICATE`. The GUI fails to display the certificate acceptance dialog, so the connection hangs until timeout.\n\nFix by disabling the certificate warning in FortiClient’s SQLite config databases:\n\n\n    sudo systemctl stop forticlient\n\n    sudo sqlite3 /var/lib/forticlient/config.db \\\n      \"UPDATE vpn SET value='0' WHERE config='sslvpn.options.warn_invalid_server_certificate';\"\n\n    sudo sqlite3 /opt/forticlient/.config.db.init \\\n      \"UPDATE vpn SET value='0' WHERE config='sslvpn.options.warn_invalid_server_certificate';\"\n\n    sudo systemctl start forticlient\n\nThis turns the warning off rather than making the certificate valid, so FortiClient no longer asks before connecting to a gateway whose certificate fails validation. The setting may reset after FortiClient package updates.",
  "title": "FortiClient VPN on Hyprland Wayland The Complete Setup Guide",
  "updatedAt": "2026-03-11T20:38:15.014Z"
}