If you're running Hyprland on Wayland and need to connect to a Fortinet SSL VPN with SAML/SSO, you're in for a rough ride. FortiClient on Linux has several undocumented issues on Wayland compositors, and the official documentation is essentially silent on the topic.
This guide covers every pitfall I've hit and how to solve them — from choosing the right package to getting the SAML login popup to actually appear.
Choosing the Right Package
On Arch Linux (and derivatives like CachyOS), there are three options in the AUR:
| Package | Description | SSO Support |
|---|---|---|
| openfortivpn | Open-source CLI client | No native SAML — requires cookie workaround |
| forticlient | Full ZTNA edition | Yes, but blocks standalone VPN without EMS server |
| forticlient-vpn | VPN-only edition | Yes, works standalone |
The correct choice is forticlient-vpn. Here's why the others fail:
- openfortivpn doesn't support SAML/SSO authentication natively. You'd need to extract an SVPNCOOKIE from a browser session manually — fragile and tedious.
- forticlient (the ZTNA edition) includes endpoint compliance features that require registration with a FortiClient EMS server. Without EMS, the VPN feature is locked with the error "SSLVPN is disabled while registered to EMS". If your organization doesn't provide an EMS endpoint, this package is a dead end.
Install the VPN-only edition:
```bash
paru -S forticlient-vpn
```
Start and enable the service:
```bash
sudo systemctl enable --now forticlient.service
```
The Secrets Service Requirement
FortiClient stores VPN credentials through the org.freedesktop.secrets D-Bus interface. Without a secrets service running, you cannot save VPN profiles — the GUI save button simply does nothing, with no error message.
If you're on a KDE-based setup, you might have kwallet installed but not necessarily exposing the freedesktop secrets interface. The most reliable option is gnome-keyring:
```bash
sudo pacman -S gnome-keyring
```
Start the secrets component:
```bash
gnome-keyring-daemon --start --components=secrets
```
Verify it's registered on D-Bus:
```bash
dbus-send --session --print-reply \
  --dest=org.freedesktop.DBus \
  /org/freedesktop/DBus \
  org.freedesktop.DBus.ListNames 2>&1 | grep secrets
```
You should see org.freedesktop.secrets in the output.
Making It Persistent
To ensure gnome-keyring starts automatically on login, add it to your PAM configuration. The gnome-keyring package typically installs PAM hooks automatically, but if your session doesn't go through a standard display manager (common with Hyprland), you may need to start it in your Hyprland config:
```
# ~/.config/hypr/hyprland.conf
exec-once = gnome-keyring-daemon --start --components=secrets
```
After setting up the secrets service, restart FortiClient:
```bash
sudo systemctl restart forticlient.service
```
You should now be able to save VPN profiles in the GUI.
The Wayland Problem: Buttons Don't Work
Here's where it gets truly frustrating. You've installed the right package, set up the secrets service, saved your VPN profile — and when you click Connect, nothing happens. No SAML popup. No error. The GUI shows "Connecting" and sits there forever.
The SSL VPN log at /var/log/forticlient/sslvpn.log reveals the issue:
```
[sslvpn:INFO] main:1781 State: Logging in
[sslvpn:DEBG] main:1689 Message to UI: 8
[sslvpn:DEBG] main:1707 90 bytes sent.
```
The VPN backend sends a message to the GUI (the SAML login window request), but the Electron-based GUI running natively on Wayland fails to open the popup. The buttons themselves may also not register clicks properly.
The Fix: Force XWayland
FortiClient's Electron GUI doesn't work correctly as a native Wayland client on Hyprland. The solution is to force it to run under XWayland using the --ozone-platform=x11 flag:
```bash
WAYLAND_DISPLAY="" DISPLAY=:1 \
  /opt/forticlient/gui/FortiClient --ozone-platform=x11
```
You can verify it's running under XWayland by checking:
```bash
hyprctl clients | grep -A15 "FortiClient"
```
Look for xwayland: 1 in the output. If it says xwayland: 0, it's running as a native Wayland client and will have the input/popup issues.
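A sturdier form of the check above, as an added example that is not part of the original post: it reads `hyprctl clients` text on stdin and reports the xwayland flag only for windows whose class is FortiClient, instead of depending on a fixed `grep -A15` window. The function name `xwayland_status` and the sample window list are constructed for illustration, and the code assumes the plain-text layout of one "Window ..." header per window followed by indented "key: value" lines.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.
# Usage on a live session:  hyprctl clients | xwayland_status

# Reads `hyprctl clients` text on stdin and prints "<address> xwayland=<flag>"
# for each window whose class matches $1 (default: forticlient, case-insensitive).
# Returns 0 only if at least one window matched and every match has xwayland: 1.
xwayland_status() {
  awk -v want="${1:-forticlient}" '
    function emit() {
      if (addr != "" && tolower(cls) ~ tolower(want)) {
        printf "%s xwayland=%s\n", addr, (xw == "" ? "?" : xw)
        seen++
        if (xw != "1") bad++
      }
    }
    /^Window /         { emit(); addr = $2; cls = ""; xw = "" }
    /^[ \t]+class:/    { cls = $2 }
    /^[ \t]+xwayland:/ { xw = $2 }
    END { emit(); exit ((seen > 0 && bad == 0) ? 0 : 1) }
  '
}

# Constructed sample: a native-Wayland FortiClient window plus a terminal whose
# title mentions FortiClient (a plain grep matches it; the class check does not).
SAMPLE_CLIENTS='Window 5a1f00 -> FortiClient:
    class: FortiClient
    title: FortiClient
    xwayland: 0

Window 5b3c20 -> FortiClient logs:
    class: kitty
    title: FortiClient logs
    xwayland: 0'

printf '%s\n' "$SAMPLE_CLIENTS" | xwayland_status \
  || echo "FortiClient is running as a native Wayland client"
```

A non-zero exit status means either no FortiClient window was found or at least one is a native Wayland client, so the function can gate a launcher or a login-time check.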
Permanent Wrapper Script
Create a wrapper script so you don't have to remember the flags:
```bash
#!/usr/bin/env bash
# ~/.local/bin/forticlient-vpn
# Force FortiClient to run under XWayland on Hyprland
export WAYLAND_DISPLAY=""
export DISPLAY="${DISPLAY:-:1}"
exec /opt/forticlient/gui/FortiClient --ozone-platform=x11 "$@"
```
Make it executable:
```bash
chmod +x ~/.local/bin/forticlient-vpn
```
You can also create a desktop entry to override the default launcher:
```ini
[Desktop Entry]
Type=Application
Name=FortiClient VPN
Exec=env WAYLAND_DISPLAY="" DISPLAY=:1 /opt/forticlient/gui/FortiClient --ozone-platform=x11
Icon=FortiClient
Terminal=false
Categories=Network;VPN;
```
Summary Checklist
If you're setting up FortiClient VPN on Hyprland from scratch, here's the complete sequence:
- Install forticlient-vpn (not forticlient ZTNA edition)
- Install gnome-keyring and ensure org.freedesktop.secrets is on D-Bus
- Start the FortiClient service: sudo systemctl enable --now forticlient.service
- Launch FortiClient with --ozone-platform=x11 to force XWayland
- Add your VPN profile in the GUI (server, port, SAML authentication)
- Click Connect — the SAML login popup should now appear
Troubleshooting
SSLVPN is disabled while registered to EMS
You installed the ZTNA edition (forticlient). Switch to forticlient-vpn — the VPN-only package that works without an EMS server.
Cannot save VPN profiles
No secrets service is running. Install gnome-keyring and start it with gnome-keyring-daemon --start --components=secrets. Verify that org.freedesktop.secrets appears on D-Bus.
Connect button does nothing / SAML popup doesn't appear
FortiClient is running as a native Wayland client. Force XWayland by launching with --ozone-platform=x11 and unsetting WAYLAND_DISPLAY. Verify with hyprctl clients that xwayland: 1 is shown.
Keyring is locked
The gnome-keyring needs to be unlocked at login. Ensure it's integrated with PAM or started in your Hyprland config with exec-once = gnome-keyring-daemon --start --components=secrets.
No log output in /var/log/forticlient/sslvpn.log
Enable VPN logging in FortiClient settings (under the gear icon), or check that the FortiClient service is running: systemctl status forticlient.service.
Stuck on ‘Connecting’ after SAML login completes
The VPN gateway’s TLS certificate is being rejected silently. Check ~/.config/FortiClient/logs/main.log for FCT_VPN_INVALID_CERTIFICATE. The GUI fails to display the certificate acceptance dialog, so the connection hangs until timeout.
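Fix by disabling the certificate warning in FortiClient’s SQLite config databases. This removes the prompt, not the underlying certificate problem: the client then connects without asking even though the gateway certificate failed validation, so find out why the certificate is being rejected before turning the warning off.
```bash
sudo systemctl stop forticlient
sudo sqlite3 /var/lib/forticlient/config.db \
  "UPDATE vpn SET value='0' WHERE config='sslvpn.options.warn_invalid_server_certificate';"
sudo sqlite3 /opt/forticlient/.config.db.init \
  "UPDATE vpn SET value='0' WHERE config='sslvpn.options.warn_invalid_server_certificate';"
sudo systemctl start forticlient
```
This setting may reset after FortiClient package updates.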