FortiClient VPN on Hyprland Wayland: The Complete Setup Guide

How to install and configure FortiClient VPN on Arch Linux with Hyprland and Wayland. Covers the right AUR package, gnome-keyring setup, and the XWayland workaround needed for SAML/SSO login to work.

By Ulrich Bojko · 4 min read

If you're running Hyprland on Wayland and need to connect to a Fortinet SSL VPN with SAML/SSO, you're in for a rough ride. FortiClient on Linux has several undocumented issues on Wayland compositors, and the official documentation is essentially silent on the topic.

This guide covers every pitfall I've hit and how to solve them — from choosing the right package to getting the SAML login popup to actually appear.

Choosing the Right Package

On Arch Linux (and derivatives like CachyOS), there are three options in the AUR:

| Package | Description | SSO Support |
|---|---|---|
| openfortivpn | Open-source CLI client | No native SAML — requires cookie workaround |
| forticlient | Full ZTNA edition | Yes, but blocks standalone VPN without EMS server |
| forticlient-vpn | VPN-only edition | Yes, works standalone |

The correct choice is forticlient-vpn. Here's why the others fail:

  • openfortivpn doesn't support SAML/SSO authentication natively. You'd need to extract an SVPNCOOKIE from a browser session manually — fragile and tedious.
  • forticlient (the ZTNA edition) includes endpoint compliance features that require registration with a FortiClient EMS server. Without EMS, the VPN feature is locked with the error: SSLVPN is disabled while registered to EMS. If your organization doesn't provide an EMS endpoint, this package is a dead end.

Install the VPN-only edition:

paru -S forticlient-vpn

Start and enable the service:

sudo systemctl enable --now forticlient.service

The Secrets Service Requirement

FortiClient stores VPN credentials through the org.freedesktop.secrets D-Bus interface. Without a secrets service running, you cannot save VPN profiles — the GUI save button simply does nothing, with no error message.

If you're on a KDE-based setup, you might have kwallet installed but not necessarily exposing the freedesktop secrets interface. The most reliable option is gnome-keyring:

sudo pacman -S gnome-keyring

Start the secrets component:

gnome-keyring-daemon --start --components=secrets

Verify it's registered on D-Bus:

dbus-send --session --print-reply \
  --dest=org.freedesktop.DBus \
  /org/freedesktop/DBus \
  org.freedesktop.DBus.ListNames 2>&1 | grep secrets

You should see org.freedesktop.secrets in the output.

Making It Persistent

To ensure gnome-keyring starts automatically on login, add it to your PAM configuration. The gnome-keyring package typically installs PAM hooks automatically, but if your session doesn't go through a standard display manager (common with Hyprland), you may need to start it in your Hyprland config:

# ~/.config/hypr/hyprland.conf
exec-once = gnome-keyring-daemon --start --components=secrets

After setting up the secrets service, restart FortiClient:

sudo systemctl restart forticlient.service

You should now be able to save VPN profiles in the GUI.

The Wayland Problem: Buttons Don't Work

Here's where it gets truly frustrating. You've installed the right package, set up the secrets service, saved your VPN profile — and when you click Connect, nothing happens. No SAML popup. No error. The GUI shows "Connecting" and sits there forever.

The SSL VPN log at /var/log/forticlient/sslvpn.log reveals the issue:

[sslvpn:INFO] main:1781 State: Logging in
[sslvpn:DEBG] main:1689 Message to UI: 8
[sslvpn:DEBG] main:1707 90 bytes sent.

The VPN backend sends a message to the GUI (the SAML login window request), but the Electron-based GUI running natively on Wayland fails to open the popup. The buttons themselves may also not register clicks properly.

The Fix: Force XWayland

FortiClient's Electron GUI doesn't work correctly as a native Wayland client on Hyprland. The solution is to force it to run under XWayland using the --ozone-platform=x11 flag:

WAYLAND_DISPLAY="" DISPLAY=:1 \
  /opt/forticlient/gui/FortiClient --ozone-platform=x11

You can verify it's running under XWayland by checking:

hyprctl clients | grep -A15 "FortiClient"

Look for xwayland: 1 in the output. If it says xwayland: 0, it's running as a native Wayland client and will have the input/popup issues.
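
The two symptoms above (the stalled login in sslvpn.log and a native Wayland window) can be checked from saved output. This is an added example, not part of the original guide; it assumes the window class contains "FortiClient", as the grep above does, and the hyprctl sample is constructed.

```shell
#!/usr/bin/env bash
# Added example: diagnose the "Connect does nothing" hang from saved output.

# Succeeds when the log shows the stall from the guide: the most recent
# "State:" line is "Logging in" and a "Message to UI" line follows it.
login_stalled() {
  awk '
    /State: /        { state = $0; ui = 0 }
    /Message to UI:/ { ui = 1 }
    END { exit !(state ~ /State: Logging in/ && ui) }
  '
}

# Prints "<pid> <xwayland>" for each window block in `hyprctl clients` output
# whose class contains "FortiClient" (assumed from the guide's grep pattern).
forticlient_windows() {
  awk '
    function emit() { if (cls ~ /FortiClient/) print pid, xw; cls = pid = xw = "" }
    /^Window /        { emit() }
    $1 == "class:"    { cls = $2 }
    $1 == "pid:"      { pid = $2 }
    $1 == "xwayland:" { xw = $2 }
    END { emit() }
  '
}

# The three log lines quoted in the guide.
SAMPLE_LOG='[sslvpn:INFO] main:1781 State: Logging in
[sslvpn:DEBG] main:1689 Message to UI: 8
[sslvpn:DEBG] main:1707 90 bytes sent.'

# Constructed hyprctl output (addresses and pids are made up, fields trimmed).
SAMPLE_CLIENTS='Window 55aa10 -> FortiClient:
    class: FortiClient
    pid: 4321
    xwayland: 0
Window 55bb20 -> kitty:
    class: kitty
    pid: 4400
    xwayland: 0'

report() {  # usage: report "$log_text" "$hyprctl_text"
  printf '%s\n' "$1" | login_stalled && echo "login is waiting on the GUI popup"
  printf '%s\n' "$2" | forticlient_windows | while read -r pid xw; do
    [ "$xw" = 1 ] || echo "pid $pid is native Wayland: relaunch with --ozone-platform=x11"
  done
}

report "$SAMPLE_LOG" "$SAMPLE_CLIENTS"
```

On a live system, pass the real data instead: report "$(sudo cat /var/log/forticlient/sslvpn.log)" "$(hyprctl clients)".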

Permanent Wrapper Script

Create a wrapper script so you don't have to remember the flags:

#!/usr/bin/env bash
# ~/.local/bin/forticlient-vpn
# Force FortiClient to run under XWayland on Hyprland
export WAYLAND_DISPLAY=""
export DISPLAY="${DISPLAY:-:1}"
exec /opt/forticlient/gui/FortiClient --ozone-platform=x11 "$@"

Make it executable:

chmod +x ~/.local/bin/forticlient-vpn

You can also create a desktop entry to override the default launcher:

[Desktop Entry]
Type=Application
Name=FortiClient VPN
Exec=env WAYLAND_DISPLAY="" DISPLAY=:1 /opt/forticlient/gui/FortiClient --ozone-platform=x11
Icon=FortiClient
Terminal=false
Categories=Network;VPN;

Summary Checklist

If you're setting up FortiClient VPN on Hyprland from scratch, here's the complete sequence:

  1. Install forticlient-vpn (not forticlient ZTNA edition)
  2. Install gnome-keyring and ensure org.freedesktop.secrets is on D-Bus
  3. Start the FortiClient service: sudo systemctl enable --now forticlient.service
  4. Launch FortiClient with --ozone-platform=x11 to force XWayland
  5. Add your VPN profile in the GUI (server, port, SAML authentication)
  6. Click Connect — the SAML login popup should now appear

Troubleshooting

SSLVPN is disabled while registered to EMS

You installed the ZTNA edition (forticlient). Switch to forticlient-vpn — the VPN-only package that works without an EMS server.

Cannot save VPN profiles

No secrets service is running. Install gnome-keyring and start it with gnome-keyring-daemon --start --components=secrets. Verify that org.freedesktop.secrets appears on D-Bus.

Connect button does nothing / SAML popup doesn't appear

FortiClient is running as a native Wayland client. Force XWayland by launching with --ozone-platform=x11 and unsetting WAYLAND_DISPLAY. Verify with hyprctl clients that xwayland: 1 is shown.

Keyring is locked

The gnome-keyring needs to be unlocked at login. Ensure it's integrated with PAM or started in your Hyprland config with exec-once = gnome-keyring-daemon --start --components=secrets.

No log output in /var/log/forticlient/sslvpn.log

Enable VPN logging in FortiClient settings (under the gear icon), or check that the FortiClient service is running: systemctl status forticlient.service.

Stuck on ‘Connecting’ after SAML login completes

The VPN gateway’s TLS certificate is being rejected silently. Check ~/.config/FortiClient/logs/main.log for FCT_VPN_INVALID_CERTIFICATE. The GUI fails to display the certificate acceptance dialog, so the connection hangs until timeout.

Fix by disabling the certificate warning in FortiClient’s SQLite config databases:

sudo systemctl stop forticlient

sudo sqlite3 /var/lib/forticlient/config.db \
  "UPDATE vpn SET value='0' WHERE config='sslvpn.options.warn_invalid_server_certificate';"

sudo sqlite3 /opt/forticlient/.config.db.init \
  "UPDATE vpn SET value='0' WHERE config='sslvpn.options.warn_invalid_server_certificate';"

sudo systemctl start forticlient

This setting may reset after FortiClient package updates.
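
With the warning disabled, nothing prompts you about the gateway certificate, so compare it once against a fingerprint obtained out-of-band (for instance from your VPN administrator). This is an added example using the openssl CLI, not part of the original guide; the script name, host, port and pinned fingerprint are placeholders you supply, and the sample certificate is generated locally.

```shell
#!/usr/bin/env bash
# Added example: check the gateway certificate against a pinned SHA-256
# fingerprint using the openssl CLI.

# Normalise a SHA-256 fingerprint: drop any "label=" prefix, colons and
# spaces, and upper-case the hex digits.
norm_fp() { printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'; }

# Print the normalised SHA-256 fingerprint of a PEM certificate file.
cert_fp() { norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"; }

# Succeed only when the certificate in $1 has the pinned fingerprint $2.
pin_matches() { [ "$(cert_fp "$1")" = "$(norm_fp "$2")" ]; }

# Save the leaf certificate that host $1, port $2 presents to the file $3.
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM > "$3"
}

# Constructed sample input: a throwaway self-signed certificate, so the
# comparison can be tried offline. vpn.example.test is a placeholder name.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpn.example.test" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

# Live use (hypothetical script name):
#   ./check-gateway-cert.sh HOST PORT PINNED_FINGERPRINT
if [ "$#" -eq 3 ]; then
  pem=$(mktemp)
  fetch_cert "$1" "$2" "$pem"
  if pin_matches "$pem" "$3"; then
    echo "gateway certificate matches the pinned fingerprint"
  else
    echo "MISMATCH: presented $(cert_fp "$pem")" >&2
    exit 1
  fi
fi
```

A mismatch means the certificate being rejected is not the one you were given, which is worth resolving before the warning is switched off.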

Updated on Feb 17, 2026