OPENFORTIVPN(1)             General Commands Manual            OPENFORTIVPN(1)


NAME

       openfortivpn - Client for PPP+SSL VPN tunnel services


SYNOPSIS

       openfortivpn  [<host>[:<port>]]  [-u  <user>] [-p <pass>] [--otp=<otp>]
       [--otp-prompt=<prompt>]     [--otp-delay=<delay>]     [--realm=<realm>]
       [--set-routes=<bool>]   [--no-routes]   [--set-dns=<bool>]   [--no-dns]
       [--half-internet-routes=<bool>] [--ca-file=<file>] [--user-cert=<file>]
       [--user-cert=pkcs11:]         [--user-key=<file>]        [--use-syslog]
       [--trusted-cert=<digest>]  [--insecure-ssl]   [--cipher-list=<ciphers>]
       [--pppd-use-peerdns=<bool>]   [--pppd-no-peerdns]   [--pppd-log=<file>]
       [--pppd-plugin=<file>]                        [--pppd-ipparam=<string>]
       [--pppd-ifname=<string>]  [--pppd-call=<name>]  [--ppp-system=<string>]
       [--persistent=<interval>] [-c <file>] [-v|-q]
       openfortivpn --help
       openfortivpn --version


DESCRIPTION

       openfortivpn connects to a VPN by setting up a PPP tunnel over an SSL/TLS
       connection to the gateway at <host>:<port>.


OPTIONS

       --help Show the help message and exit.

       --version
              Show version and exit.

       -c <file>, --config=<file>
              Specify a custom config file (default: /etc/openfortivpn/config).

       -u <user>, --username=<user>
              VPN account username.

       -p <pass>, --password=<pass>
              VPN account password. A password given on the command line is
              visible to other local users in the process list; putting it in
              the config file (readable by root only) avoids that.

       -o <otp>, --otp=<otp>
              One-Time-Password.

       --otp-prompt=<prompt>
              Search for the OTP password prompt starting with the string
              <prompt>.

       --otp-delay=<delay>
              Set the amount of time to wait before sending the One-Time-
              Password. The delay time must be specified in seconds, where 0
              means no wait (this is the default).

       --realm=<realm>
              Connect to the specified authentication realm. Defaults to
              empty, which is usually what you want.

       --set-routes=<bool>, --no-routes
              Set if openfortivpn should try to configure IP routes through
              the VPN when the tunnel is up. If used multiple times, the last
              one takes priority.

              --no-routes is the same as --set-routes=0.

       --half-internet-routes=<bool>
              Set if openfortivpn should add two routes, 0.0.0.0/1 and
              128.0.0.0/1, instead of replacing the default route. Together
              the two /1 routes cover every IPv4 address, and a /1 prefix is
              more specific than the /0 default, so they take precedence over
              the existing default route without removing it.

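       The following is an added example, not code from openfortivpn, that
       models why the two /1 routes win: it implements kernel-style
       longest-prefix match over a constructed routing table (all addresses
       are placeholders) and compares the two behaviours of
       --half-internet-routes. It also shows the caveat a practitioner should
       keep in mind: any route more specific than /1 via another interface,
       such as a directly attached LAN or a route pushed by another source,
       still wins over the tunnel, and the untouched default route carries
       traffic in the clear as soon as the tunnel's routes disappear.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match as the kernel does it: of all routes whose
    destination contains dst, the one with the longest prefix wins. The
    table is a list of (IPv4Network, next_hop) tuples."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def add_route(table, cidr, hop):
    """Return a new table with one more route (used to model a route pushed
    by DHCP or another interface)."""
    return table + [(ipaddress.ip_network(cidr), hop)]

def base_table():
    """Constructed pre-VPN routing table: an ISP default route and one
    directly attached LAN. Both next hops are placeholders."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), "192.168.1.1"),
        (ipaddress.ip_network("192.168.1.0/24"), "lan"),
    ]

def with_replaced_default(table, tunnel):
    """--half-internet-routes=0: the default route is replaced by one through
    the tunnel; the previous next hop is gone until it is restored on
    disconnect."""
    kept = [(net, hop) for net, hop in table if net.prefixlen != 0]
    return kept + [(ipaddress.ip_network("0.0.0.0/0"), tunnel)]

def with_half_internet_routes(table, tunnel):
    """--half-internet-routes=1: the default route is left untouched and two
    /1 routes are added. Every IPv4 address falls in exactly one of them,
    and /1 beats /0 in longest-prefix match, so all non-local traffic goes
    through the tunnel while the original default stays in the table."""
    return add_route(add_route(table, "0.0.0.0/1", tunnel),
                     "128.0.0.0/1", tunnel)

def leaks_past_tunnel(table, tunnel, dst):
    """True if dst bypasses the tunnel: any route more specific than /1 via
    another hop (the LAN, or a route some other interface pushed) wins."""
    hop = lookup(table, dst)
    return hop is not None and hop != tunnel
```

       Running lookup() against the /1 table shows 8.8.8.8 and 203.0.113.7
       going via the tunnel while 192.168.1.5 still goes to the LAN; adding a
       8.8.8.0/24 route via the LAN gateway makes 8.8.8.8 leak past the tunnel
       even though the /1 routes are present.
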
       --set-dns=<bool>, --no-dns
              Set if openfortivpn should add DNS name servers in
              /etc/resolv.conf when the tunnel is up. If used multiple times,
              the last one takes priority. Note that there may be other
              mechanisms to update /etc/resolv.conf, e.g., --pppd-use-peerdns
              in conjunction with an ip-up script, which may require that
              openfortivpn is called with --no-dns. Also a DNS suffix may be
              received from the peer and added to /etc/resolv.conf together
              with the name servers.

              --no-dns is the same as --set-dns=0.

       --ca-file=<file>
              Use the specified PEM-encoded certificate bundle instead of the
              system-wide store to verify the gateway certificate.

       --user-cert=<file>
              Use the specified PEM-encoded certificate if the server requires
              authentication with a certificate.

       --user-cert=pkcs11:
              Use at least the string pkcs11: to authenticate with a
              smartcard. It takes the full or a partial PKCS#11 URI (see
              p11tool --list-token-urls), for example:

                --user-cert = pkcs11:

                --user-cert = pkcs11:token=someuser

                --user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser

              This feature requires the OpenSSL PKCS#11 engine.

       --user-key=<file>
              Use the specified PEM-encoded private key if the server requires
              authentication with a certificate.

       --use-syslog
              Log to syslog instead of the terminal.

       --trusted-cert=<digest>
              Trust a given gateway. If classical SSL certificate validation
              fails, the gateway certificate is matched against this value.
              <digest> is the hex-encoded SHA-256 digest of the X509
              certificate in its DER encoding (the value openfortivpn logs
              when validation fails), not a hash of the PEM file. This option
              can be used multiple times to trust several certificates. A
              matching digest accepts that certificate as-is, regardless of
              why normal validation failed (untrusted chain, hostname mismatch
              or expiry), so obtain the digest through a channel you trust
              rather than from the first connection attempt.

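       The following is an added example, not openfortivpn's code, showing how
       the value for --trusted-cert is computed and checked. The digest is
       SHA-256 over the DER bytes, which for a PEM file means the base64 body
       between the BEGIN/END markers; hashing the PEM text itself (what
       `openssl dgst -sha256 cert.pem` does) yields a different value that
       never matches. The certificate bytes are a constructed stand-in, not a
       real X.509 structure; a real gateway certificate drops in unchanged.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in pem_text: the
    base64 body between the markers, whitespace removed, strictly decoded."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", m.group(1))
    return base64.b64decode(body, validate=True)

def cert_digest_sha256(pem_text):
    """The value a --trusted-cert entry must equal: SHA-256 over the DER
    encoding of the certificate, hex encoded (what X509_digest() computes)."""
    return sha256_hex(pem_to_der(pem_text))

def file_digest_sha256(pem_text):
    """What `openssl dgst -sha256 cert.pem` computes on a PEM file: a hash
    over the PEM text. It is a valid hash of the file but never matches the
    DER digest the client compares, so it is the wrong value to pin."""
    return sha256_hex(pem_text.encode("ascii"))

def is_trusted(digest_hex, trusted):
    """Whitelist check: constant-time, case-insensitive hex comparison
    against every configured trusted-cert value."""
    want = digest_hex.strip().lower().encode("ascii")
    return any(hmac.compare_digest(want, t.strip().lower().encode("ascii"))
               for t in trusted)

def make_pem(der_bytes):
    """Wrap DER bytes as PEM with 64-character lines, as openssl writes it."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) +
            "\n-----END CERTIFICATE-----\n")

# Constructed stand-in: not a real X.509 structure, just bytes to hash.
SAMPLE_DER = b"constructed stand-in for the DER encoding of a gateway certificate"
SAMPLE_PEM = make_pem(SAMPLE_DER)

if __name__ == "__main__":
    import sys
    # usage: python3 thisfile.py gateway.pem   (prints the digest to pin)
    with open(sys.argv[1]) as f:
        print(cert_digest_sha256(f.read()))
```

       With openssl, the same value is obtained by converting to DER first:
       openssl x509 -in gateway.pem -outform DER | openssl dgst -sha256.
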
       --insecure-ssl
              Do not disable insecure SSL protocols/ciphers. This weakens the
              TLS connection to the gateway; if your server merely requires a
              specific cipher, consider using --cipher-list instead.

       --cipher-list=<ciphers>
              OpenSSL ciphers to use. If the default does not work, you can
              try alternatives such as HIGH:!MD5:!RC4 or the cipher shown on
              the Cipher: line of the output of openssl(1) (e.g. AES256-GCM-
              SHA384):

              $ openssl s_client -connect <host:port>

              (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)

       --pppd-use-peerdns=<bool>, --pppd-no-peerdns
              Whether to ask the peer ppp server for DNS server addresses and
              let pppd rewrite /etc/resolv.conf. If the DNS server addresses
              are requested, --set-dns=1 may race with the mechanisms in
              pppd.

              --pppd-no-peerdns is the same as --pppd-use-peerdns=0.

       --pppd-log=<file>
              Set pppd in debug mode and save its logs into <file>.

       --pppd-plugin=<file>
              Use the specified pppd plugin instead of configuring the
              resolver and routes directly.

       --pppd-ipparam=<string>
              Provides an extra parameter to the ip-up, ip-pre-up and ip-down
              scripts. See pppd(8) for further details.

       --pppd-ifname=<string>
              Set the ppp interface name. Only if supported by pppd. Patched
              versions of pppd implement this option but may not be available
              on your platform.

       --pppd-call=<name>
              Drop the usual arguments from the pppd command line and add
              `call <name>' instead. This can be useful on Debian and Ubuntu,
              where unprivileged users in group `dip' can invoke `pppd call
              <name>' to make pppd read and apply options from
              /etc/ppp/peers/<name> (including privileged ones).

       --ppp-system=<string>
              Only available if compiled for the ppp user space client (e.g.
              on FreeBSD). Connect to the specified system as defined in
              /etc/ppp/ppp.conf.

       --persistent=<interval>
              Run the VPN persistently in an endless loop and try to reconnect
              forever. The reconnect interval may be specified in seconds,
              where 0 means no reconnect is done (this is the default).

       -v     Increase verbosity. Can be used multiple times to be even more
              verbose.

       -q     Decrease verbosity. Can be used multiple times to be even less
              verbose.


ENVIRONMENT and proxy support

       openfortivpn can be run behind an HTTP proxy that supports the HTTP
       CONNECT method. It checks whether one of the environment variables
       https_proxy, HTTPS_PROXY, all_proxy or ALL_PROXY is set; these are
       expected to contain a string of the format
       http://[host]:[port]
       where [host] is the IP address or the fully qualified host name of the
       proxy server and [port] is the TCP port number on which the proxy is
       listening for incoming connections. If one of these variables is
       defined, openfortivpn first establishes a TCP connection to this proxy
       (plain HTTP, not encrypted), and then sends a request to connect to
       the VPN host as given on the command line or in the config file. The
       proxy is expected to forward all subsequent bytes transparently to the
       VPN host, so that the TLS session is established end-to-end between
       the client and the VPN host, and the proxy only relays the underlying
       TCP connection. The proxy therefore cannot read the tunnel or tamper
       with certificate validation, but it does learn the gateway host and
       port from the CONNECT request.

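       The following is an added example, not openfortivpn's code, of the
       exchange described above: selecting the proxy from the environment,
       building the plaintext CONNECT request, and parsing the proxy's reply
       so that the TLS handshake starts only after a 2xx status. The order in
       which the four variables are consulted is an assumption of this
       example (the man page does not state one), and only http://host:port
       values are accepted; anything else is rejected rather than silently
       used. Proxy replies are constructed inline.

```python
import re

PROXY_VARS = ("https_proxy", "HTTPS_PROXY", "all_proxy", "ALL_PROXY")

def proxy_from_env(env):
    """Return (host, port) of the proxy, or None if no variable is set.
    Order of precedence is this example's assumption. A value that is not
    http://host:port raises instead of being passed on."""
    for name in PROXY_VARS:
        value = env.get(name)
        if not value:
            continue
        m = re.fullmatch(r"http://([^/:\s]+):(\d{1,5})/?", value.strip())
        if not m:
            raise ValueError(f"{name}: expected http://host:port, got {value!r}")
        port = int(m.group(2))
        if not 1 <= port <= 65535:
            raise ValueError(f"{name}: port {port} out of range")
        return m.group(1), port
    return None

def build_connect_request(vpn_host, vpn_port):
    """The plaintext request the proxy sees before the TLS handshake; this
    is the only thing that reveals the gateway to the proxy."""
    return (f"CONNECT {vpn_host}:{vpn_port} HTTP/1.1\r\n"
            f"Host: {vpn_host}:{vpn_port}\r\n"
            f"\r\n").encode("ascii")

def parse_connect_reply(data):
    """Parse the proxy reply. Returns (ok, leftover): ok is True only for a
    2xx status line; leftover is whatever follows the blank line ending the
    headers, which already belongs to the TLS stream and must be handed to
    the TLS layer rather than discarded."""
    head, sep, leftover = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy reply")
    status_line = head.split(b"\r\n", 1)[0]
    m = re.fullmatch(rb"HTTP/1\.[01] (\d{3})(?: .*)?", status_line)
    if not m:
        raise ValueError(f"malformed status line: {status_line!r}")
    return 200 <= int(m.group(1)) < 300, leftover

def connect_via_proxy(sock, vpn_host, vpn_port):
    """Run the CONNECT exchange on an already-connected plaintext socket to
    the proxy and return any bytes received past the reply headers. Only
    after this returns may the TLS handshake with the gateway begin."""
    sock.sendall(build_connect_request(vpn_host, vpn_port))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
        if len(buf) > 65536:
            raise ValueError("proxy reply too large")
    ok, leftover = parse_connect_reply(buf)
    if not ok:
        status = buf.split(b"\r\n", 1)[0]
        raise ConnectionError(f"proxy refused CONNECT: {status!r}")
    return leftover
```
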
       The following environment variables are set by openfortivpn so that
       pppd(8) or its scripts can obtain information this way:
       VPN_GATEWAY the IP address of the gateway host
       and for each route three variables are set up, where an integer number
       is appended to the variable names, denoting the number of the current
       route:
       VPN_ROUTE_DEST_... the destination network of the route
       VPN_ROUTE_MASK_... the network mask for this route
       VPN_ROUTE_GATEWAY_... the gateway for the current route entry

       If not compiled for pppd, the pppd options and the features that rely
       on them are not available. On FreeBSD --ppp-system is available
       instead.

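       The following is an added example, not part of openfortivpn, of how an
       ip-up script can consume these variables: it collects the
       VPN_ROUTE_*_<n> triples from the environment, validates them as IPv4
       networks and addresses before use (the values come from the peer), and
       renders the route commands without executing them. The index is read
       from whichever numbers are present, so it does not depend on whether
       numbering starts at 0 or 1, which the man page does not state. The
       environment used in the test is constructed.

```python
import ipaddress
import re

ROUTE_RE = re.compile(r"^VPN_ROUTE_DEST_(\d+)$")

def routes_from_env(env):
    """Return [(dest, mask, gateway), ...] ordered by route number. A route
    whose MASK or GATEWAY variable is missing raises instead of being
    silently skipped."""
    routes = []
    for key, dest in env.items():
        m = ROUTE_RE.match(key)
        if not m:
            continue
        n = m.group(1)
        try:
            mask = env[f"VPN_ROUTE_MASK_{n}"]
            gateway = env[f"VPN_ROUTE_GATEWAY_{n}"]
        except KeyError as e:
            raise ValueError(f"route {n} is incomplete: missing {e.args[0]}")
        routes.append((int(n), dest, mask, gateway))
    routes.sort()
    return [(d, m, g) for _, d, m, g in routes]

def route_commands(env, ifname):
    """Render the `ip route` commands for the exported routes. Each value is
    parsed as an IPv4 network or address first, so garbage from the peer
    raises here rather than reaching a shell."""
    cmds = []
    for dest, mask, gateway in routes_from_env(env):
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gw = ipaddress.ip_address(gateway)
        cmds.append(f"ip route replace {net} via {gw} dev {ifname}")
    return cmds

if __name__ == "__main__":
    import os
    import sys
    # as an ip-up script: print what would be run for the current environment
    for cmd in route_commands(os.environ, sys.argv[1] if len(sys.argv) > 1 else "ppp0"):
        print(cmd)
```
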

CONFIG FILE

       Options can be taken from a configuration file. Options passed on the
       command line override those from the config file, though. The default
       config file is /etc/openfortivpn/config, but this can be set using the
       -c option. An empty template for the config file is installed to
       /usr/share/openfortivpn/config.template. Since the file may hold the
       VPN password, keep it readable by root only.

       A config file looks like:
              # this is a comment
              host = vpn-gateway
              port = 443
              username = foo
              password = bar
              # realm = some-realm
              # useful for a gui that passes a config file to openfortivpn
              # otp = 123456
              # otp-delay = 0
              # otp-prompt = Please
              user-cert = /etc/openfortivpn/user-cert.pem
              user-key = /etc/openfortivpn/user-key.pem
              # the sha256 digest of the trusted host certs, computed over the
              # DER encoding of the certificate:
              # openssl x509 -in server-cert.pem -outform DER | openssl dgst -sha256
              trusted-cert = certificatedigest4daa8c5fe6c...
              trusted-cert = othercertificatedigest6631bf...
              # This would specify a ca bundle instead of system-wide store
              # ca-file = /etc/openfortivpn/ca-bundle.pem
              set-dns = 0
              set-routes = 1
              half-internet-routes = 0
              pppd-use-peerdns = 1
              # alternatively, use a specific pppd plugin instead
              # pppd-plugin = /usr/lib/pppd/default/some-plugin.so
              # for debugging pppd write logs here
              # pppd-log = /var/log/pppd.log
              # pass ppp interface name to pppd (if supported by a patched pppd)
              # pppd-ifname = ppp1
              # pass an ipparam string to pppd, e.g. the device name (a similar use case)
              # pppd-ipparam = 'device=$DEVICE'
              # instruct pppd to call a script instead of passing arguments (if pppd supports it)
              # pppd-call = script
              # use-syslog = 0
              insecure-ssl = 0
              cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
              persistent = 0

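       The following is an added example, not openfortivpn's own parser, of
       reading the config format shown above and applying the precedence rule
       (command line overrides the file). It treats a line as a comment only
       when it starts with `#`, so a `#` inside a password survives; that
       choice, the 0/1 requirement for booleans and the 64-hex-character check
       on trusted-cert are this example's validations. It also includes the
       permission check a wrapper should run before trusting a file that
       holds a password. The sample config and its digests are constructed.

```python
import re
import stat

BOOL_KEYS = {"set-routes", "set-dns", "half-internet-routes",
             "pppd-use-peerdns", "insecure-ssl", "use-syslog"}
INT_KEYS = {"port", "otp-delay", "persistent"}
MULTI_KEYS = {"trusted-cert"}          # repeatable option
HEX64 = re.compile(r"[0-9a-fA-F]{64}")

def parse_config(text):
    """Parse `key = value` lines. Comments start with `#` at the beginning
    of a line only (assumption of this example). Booleans must be 0/1,
    integers must parse, trusted-cert must be a sha256 hex digest and
    accumulates into a list. Malformed lines raise rather than vanish."""
    opts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key = value")
        key, value = (s.strip() for s in line.split("=", 1))
        if key in MULTI_KEYS:
            if not HEX64.fullmatch(value):
                raise ValueError(f"line {lineno}: {key} must be a sha256 hex digest")
            opts.setdefault(key, []).append(value.lower())
        elif key in BOOL_KEYS:
            if value not in ("0", "1"):
                raise ValueError(f"line {lineno}: {key} must be 0 or 1")
            opts[key] = value == "1"
        elif key in INT_KEYS:
            opts[key] = int(value)
        else:
            opts[key] = value
    return opts

def merge(config_opts, cli_opts):
    """Command-line options override the config file. For the repeatable
    trusted-cert the two lists are combined rather than replaced."""
    merged = dict(config_opts)
    for key, value in cli_opts.items():
        if key in MULTI_KEYS:
            merged[key] = merged.get(key, []) + list(value)
        else:
            merged[key] = value
    return merged

def mode_is_private(mode):
    """True if the file mode grants nothing to group or others, which is
    what a file containing `password = ...` should look like."""
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))

# Constructed config in the format shown above. The digests are placeholders
# of the right shape, not hashes of any real certificate.
SAMPLE_DIGEST_A = "ab" * 32
SAMPLE_DIGEST_B = "cd" * 32
SAMPLE_CONFIG = f"""# this is a comment
host = vpn-gateway
port = 443
username = foo
password = b#r
# realm = some-realm
trusted-cert = {SAMPLE_DIGEST_A}
trusted-cert = {SAMPLE_DIGEST_B.upper()}
set-dns = 0
set-routes = 1
half-internet-routes = 0
pppd-use-peerdns = 1
insecure-ssl = 0
cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
persistent = 0
"""

if __name__ == "__main__":
    import os
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/openfortivpn/config"
    if not mode_is_private(os.stat(path).st_mode):
        sys.exit(f"{path} is readable by group/other; chmod 600 it first")
    with open(path) as f:
        print(parse_config(f.read()))
```
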
                               November 27, 2019               OPENFORTIVPN(1)