OPENFORTIVPN(1)             General Commands Manual            OPENFORTIVPN(1)


NAME

       openfortivpn - Client for PPP+SSL VPN tunnel services


SYNOPSIS

       openfortivpn [<host>[:<port>]] [-u <user>] [-p <pass>] [--otp=<otp>]
       [--otp-prompt=<prompt>] [--otp-delay=<delay>] [--realm=<realm>]
       [--set-routes=<bool>] [--no-routes] [--set-dns=<bool>] [--no-dns]
       [--half-internet-routes=<bool>] [--ca-file=<file>] [--user-cert=<file>]
       [--user-cert=pkcs11:] [--user-key=<file>] [--use-syslog]
       [--trusted-cert=<digest>] [--insecure-ssl] [--cipher-list=<ciphers>]
       [--pppd-use-peerdns=<bool>] [--pppd-no-peerdns] [--pppd-log=<file>]
       [--pppd-plugin=<file>] [--pppd-ipparam=<string>]
       [--pppd-ifname=<string>] [--pppd-call=<name>] [--ppp-system=<string>]
       [--use-resolvconf=<bool>] [--persistent=<interval>] [-c <file>] [-v|-q]
       openfortivpn --help
       openfortivpn --version



DESCRIPTION

       openfortivpn connects to a VPN by setting up a tunnel to the gateway at
       <host>:<port>.



OPTIONS

       --help Show the help message and exit.

       --version
              Show version and exit.

       -c <file>, --config=<file>
              Specify a custom config file (default: /etc/openfortivpn/config).

       -u <user>, --username=<user>
              VPN account username.

       -p <pass>, --password=<pass>
              VPN account password.

       -o <otp>, --otp=<otp>
              One-Time-Password.

       --otp-prompt=<prompt>
              Search for the OTP password prompt starting with the string
              <prompt>.

       --otp-delay=<delay>
              Set the amount of time to wait before sending the
              One-Time-Password. The delay time must be specified in seconds,
              where 0 means no wait (this is the default).

       --realm=<realm>
              Connect to the specified authentication realm. Defaults to
              empty, which is usually what you want.

       --set-routes=<bool>, --no-routes
              Set if openfortivpn should try to configure IP routes through
              the VPN when the tunnel is up. If used multiple times, the last
              one takes priority.

              --no-routes is the same as --set-routes=0.

       --half-internet-routes=<bool>
              Set if openfortivpn should add two routes, 0.0.0.0/1 and
              128.0.0.0/1, with higher priority instead of replacing the
              default route.

       --set-dns=<bool>, --no-dns
              Set if openfortivpn should add DNS name servers to
              /etc/resolv.conf when the tunnel is up. A dns-suffix may also be
              received from the peer; it is added to /etc/resolv.conf together
              with the name servers. If resolvconf is installed and
              --use-resolvconf is enabled, resolvconf is instructed to update
              the resolv.conf file; otherwise openfortivpn prepends its
              changes to the existing content of the resolv.conf file. Note
              that there may be other mechanisms that update /etc/resolv.conf,
              e.g. --pppd-use-peerdns in conjunction with an ip-up script,
              which may require that openfortivpn is called with --no-dns.

              --no-dns is the same as --set-dns=0.

       --use-resolvconf=<bool>
              Set if openfortivpn should use resolvconf to add DNS name
              servers to /etc/resolv.conf. If set to false, the builtin
              fallback mechanism is used even if resolvconf is available.

       --ca-file=<file>
              Use the specified PEM-encoded certificate bundle instead of the
              system-wide store to verify the gateway certificate.

       --user-cert=<file>
              Use the specified PEM-encoded certificate if the server requires
              authentication with a client certificate.

       --user-cert=pkcs11:
              To use a smartcard, pass at least the string pkcs11:. A full or
              partial PKCS#11 URI is accepted (see p11tool --list-token-urls):

                --user-cert = pkcs11:

                --user-cert = pkcs11:token=someuser

                --user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser

              This feature requires the OpenSSL PKCS#11 engine!

       --user-key=<file>
              Use the specified PEM-encoded private key if the server requires
              authentication with a client certificate.

       --use-syslog
              Log to syslog instead of the terminal.

       --trusted-cert=<digest>
              Trust a given gateway. If classical SSL certificate validation
              fails, the gateway certificate is matched against this value.
              <digest> is the sha256 sum of the X509 certificate encoded in
              DER form, written as lowercase hex as in the example config
              below. This option can be used multiple times to trust several
              certificates. A matching digest is accepted even though regular
              validation failed, so obtain it over a channel you trust and
              replace it when the gateway certificate is renewed.
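
       The following shell script is an added example; it is not part of
       openfortivpn. It produces the value --trusted-cert expects (the
       lowercase hex sha256 of the gateway certificate's DER encoding) from a
       certificate file, cross-checks it against OpenSSL's own fingerprint,
       and can also fetch it from the live gateway, honouring the https_proxy
       variables described under ENVIRONMENT via s_client's -proxy option
       (OpenSSL 1.1.0 or later). The host names in the usage comment are
       placeholders.

```shell
#!/bin/sh
# Added example (not shipped with openfortivpn): produce the value that
# --trusted-cert / "trusted-cert =" expects, i.e. the hex sha256 of the
# gateway certificate's DER encoding, written in lowercase as in the
# example config.

# Print PEM or DER depending on the certificate file's encoding.
cert_inform() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# Digest of a certificate stored on disk, PEM or DER.
# Usage: trusted_cert_digest <cert-file>
trusted_cert_digest() {
    # Re-encode as DER (a no-op for DER input) and hash the raw bytes;
    # hashing a PEM file directly would give the wrong value.
    openssl x509 -in "$1" -inform "$(cert_inform "$1")" -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Independent cross-check: OpenSSL's certificate fingerprint is also the
# sha256 of the DER encoding, just printed as colon-separated uppercase.
# Usage: fingerprint_digest <cert-file>
fingerprint_digest() {
    openssl x509 -in "$1" -inform "$(cert_inform "$1")" -noout \
        -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Digest of the certificate a live gateway presents. Honours https_proxy,
# HTTPS_PROXY, all_proxy and ALL_PROXY (http://host:port) the way
# openfortivpn does, by issuing an HTTP CONNECT through the proxy with
# s_client's -proxy option (OpenSSL 1.1.0 or later); TLS is still
# end-to-end with the gateway.
# Usage: gateway_digest <host> [port]
gateway_digest() {
    host="$1"; port="${2:-443}"
    proxy="${https_proxy:-${HTTPS_PROXY:-${all_proxy:-${ALL_PROXY:-}}}}"
    proxy="${proxy#http://}"; proxy="${proxy%/}"
    set --
    [ -n "$proxy" ] && set -- -proxy "$proxy"
    openssl s_client -connect "$host:$port" -servername "$host" "$@" \
        </dev/null 2>/dev/null \
        | openssl x509 -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Example (vpn.example.com and proxy.example.com are placeholders):
#   https_proxy=http://proxy.example.com:3128 gateway_digest vpn.example.com
#   -> paste the output into --trusted-cert=... or "trusted-cert = ..."
```

       Compare the digest printed by gateway_digest with one obtained
       out-of-band (e.g. trusted_cert_digest on a copy of the certificate
       provided by the gateway's administrator) before pinning it.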
125
       --insecure-ssl
              Do not disable insecure SSL protocols/ciphers. If your server
              requires a specific cipher, consider using --cipher-list
              instead.

       --cipher-list=<ciphers>
              OpenSSL ciphers to use. If the default does not work, you can
              try alternatives such as HIGH:!MD5:!RC4 or the cipher suggested
              by the Cipher: line in the output of openssl(1) (e.g.
              AES256-GCM-SHA384):

              $ openssl s_client -connect <host:port>

              (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)

              Note that AES256-GCM-SHA384 uses RSA key exchange, which the
              default list excludes (!kRSA) because it offers no forward
              secrecy; prefer an ECDHE suite when the gateway offers one.

       --pppd-use-peerdns=<bool>, --pppd-no-peerdns
              Whether to ask the peer ppp server for DNS server addresses and
              let pppd rewrite /etc/resolv.conf. There is no mechanism to pass
              the dns-suffix to pppd. If the DNS server addresses are
              requested, --set-dns=1 may race with the mechanisms in pppd.

              --pppd-no-peerdns is the same as --pppd-use-peerdns=0.

       --pppd-log=<file>
              Set pppd in debug mode and save its logs into <file>.

       --pppd-plugin=<file>
              Use the specified pppd plugin instead of configuring the
              resolver and routes directly.

       --pppd-ipparam=<string>
              Provides an extra parameter to the ip-up, ip-pre-up and ip-down
              scripts. See pppd(8) for further details.

       --pppd-ifname=<string>
              Set the ppp interface name. Only if supported by pppd. Patched
              versions of pppd implement this option but may not be available
              on your platform.

       --pppd-call=<name>
              Drop the usual arguments from the pppd command line and add `call
              <name>' instead. This can be useful on Debian and Ubuntu, where
              unprivileged users in group `dip' can invoke `pppd call <name>'
              to make pppd read and apply options from /etc/ppp/peers/<name>
              (including privileged ones). Since every member of `dip' can
              have pppd apply that file, keep /etc/ppp/peers/<name> writable
              by root only.

       --ppp-system=<string>
              Only available if compiled for the ppp user space client (e.g.
              on FreeBSD). Connect to the specified system as defined in
              /etc/ppp/ppp.conf.

       --persistent=<interval>
              Run the VPN persistently in an endless loop and try to reconnect
              forever. The reconnect interval may be specified in seconds,
              where 0 means no reconnect is done (this is the default).

       -v     Increase verbosity. Can be used multiple times to be even more
              verbose.

       -q     Decrease verbosity. Can be used multiple times to be even less
              verbose.



ENVIRONMENT and proxy support

       openfortivpn can be run behind an HTTP proxy that supports the HTTP
       CONNECT method. It checks whether one of the environment variables
       https_proxy, HTTPS_PROXY, all_proxy or ALL_PROXY is set; the value
       must be a string of the format

              http://[host]:[port]

       where [host] is the IP address or the fully qualified host name of
       the proxy server and [port] is the TCP port number on which the proxy
       listens for incoming connections. If one of these variables is
       defined, openfortivpn first establishes a TCP connection to this proxy
       (plain HTTP, not encrypted), and then asks the proxy to connect to the
       VPN host given on the command line or in the config file. The proxy is
       expected to forward all subsequent packets transparently to the VPN
       host, so that the TLS layer of the connection is effectively
       established end-to-end between the client and the VPN host, and the
       proxy only acts as a forwarding instance at the TCP level. The proxy
       therefore learns the VPN host name and port, but not the content of
       the tunnel.

       The following environment variables are set by openfortivpn, so that
       pppd(8) or its scripts can obtain information this way:

              VPN_GATEWAY            the IP address of the gateway host

       For each route three variables are set up, where an integer number is
       appended to the variable names, denoting the number of the current
       route:

              VPN_ROUTE_DEST_...     the destination network of the route
              VPN_ROUTE_MASK_...     the network mask for this route
              VPN_ROUTE_GATEWAY_...  the gateway for the current route entry

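       The following script is an added example and is not part of
       openfortivpn or pppd. It shows how an ip-up style script can consume
       the VPN_GATEWAY and VPN_ROUTE_*_<n> variables above: it discovers the
       route indices from the environment (the numbering base is not stated
       above, so none is assumed), rejects values that are not plain dotted
       quads before they reach a command line, converts the netmask to a
       prefix length and builds the corresponding ip(8) commands. The
       interface name ppp0 and APPLY switch in the comments are assumptions
       for illustration.

```shell
#!/bin/sh
# Added example, not part of openfortivpn or pppd: an ip-up style helper
# that consumes the VPN_GATEWAY and VPN_ROUTE_DEST_/MASK_/GATEWAY_<n>
# variables openfortivpn exports. The numbering base of <n> is not
# documented here, so the indices are discovered from the environment
# rather than assumed to start at 0 or 1.

# Print "DEST MASK GATEWAY" for every route, in index order, skipping any
# entry that is not a plain dotted quad: the values originate from the
# gateway and end up on a command line.
vpn_routes() {
    env | sed -n 's/^VPN_ROUTE_DEST_\([0-9][0-9]*\)=.*/\1/p' | sort -n |
    while read -r n; do
        dest=$(eval "printf '%s' \"\${VPN_ROUTE_DEST_$n}\"")
        mask=$(eval "printf '%s' \"\${VPN_ROUTE_MASK_$n}\"")
        gw=$(eval "printf '%s' \"\${VPN_ROUTE_GATEWAY_$n}\"")
        [ -n "$gw" ] || gw="$VPN_GATEWAY"   # fall back to the tunnel gateway
        for v in "$dest" "$mask" "$gw"; do
            case "$v" in
                ''|*[!0-9.]*)
                    echo "vpn_routes: skipping route $n, bad value '$v'" >&2
                    continue 2 ;;
            esac
        done
        printf '%s %s %s\n' "$dest" "$mask" "$gw"
    done
}

# Convert a dotted netmask to a prefix length; fails on non-contiguous masks.
# Usage: mask_to_prefix 255.255.255.0   (prints 24)
mask_to_prefix() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    bits=0; partial=0
    for o in "$@"; do
        # once a non-255 octet has been seen, every later octet must be 0
        [ "$partial" = 1 ] && [ "$o" != 0 ] && return 1
        case "$o" in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); partial=1 ;;
            252) bits=$((bits + 6)); partial=1 ;;
            248) bits=$((bits + 5)); partial=1 ;;
            240) bits=$((bits + 4)); partial=1 ;;
            224) bits=$((bits + 3)); partial=1 ;;
            192) bits=$((bits + 2)); partial=1 ;;
            128) bits=$((bits + 1)); partial=1 ;;
            0)   partial=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$bits"
}

# Build (and, with APPLY=1, run) one "ip route add" per route on the tunnel
# interface, which pppd passes to ip-up scripts as its first argument.
# Usage: vpn_apply_routes <ifname>      e.g. vpn_apply_routes ppp0
vpn_apply_routes() {
    ifname="$1"
    vpn_routes | while read -r dest mask gw; do
        plen=$(mask_to_prefix "$mask") || { echo "bad mask $mask" >&2; continue; }
        cmd="ip route add $dest/$plen via $gw dev $ifname"
        if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
}
```

       Run without APPLY=1 the script only prints the commands it would
       execute, which is the safer default for a script that pppd runs as
       root with gateway-supplied input.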
       If not compiled for pppd, the pppd options and the features that rely
       on them are not available. On FreeBSD --ppp-system is available
       instead.



CONFIG FILE

       Options can be taken from a configuration file. Options passed on the
       command line override those from the config file, though. The default
       config file is /etc/openfortivpn/config, but this can be set using the
       -c option. An empty template for the config file is installed to
       /usr/share/openfortivpn/config.template

       The config file may contain the account password in clear text, so it
       should be readable by root only (e.g. mode 0600).

       A config file looks like:
              # this is a comment
              host = vpn-gateway
              port = 443
              username = foo
              password = bar
              # realm = some-realm
              # useful for a gui that passes a config file to openfortivpn
              # otp = 123456
              # otp-delay = 0
              # otp-prompt = Please
              # pinentry = pinentry program
              user-cert = /etc/openfortivpn/user-cert.pem
              # user-cert = pkcs11: # use smartcard as client certificate
              user-key = /etc/openfortivpn/user-key.pem
              # the sha256 digest of the trusted host certs obtained by
              # openssl dgst -sha256 server-cert.crt (server-cert.crt in DER
              # form):
              trusted-cert = certificatedigest4daa8c5fe6c...
              trusted-cert = othercertificatedigest6631bf...
              # This would specify a ca bundle instead of system-wide store
              # ca-file = /etc/openfortivpn/ca-bundle.pem
              set-dns = 0
              use-resolvconf = 1
              set-routes = 1
              half-internet-routes = 0
              pppd-use-peerdns = 1
              # alternatively, use a specific pppd plugin instead
              # pppd-plugin = /usr/lib/pppd/default/some-plugin.so
              # for debugging pppd write logs here
              # pppd-log = /var/log/pppd.log
              # pass ppp interface name to pppd
              # (if supported by a patched pppd)
              # pppd-ifname = ppp1
              # pass an ipparam string to pppd, e.g. the device name (a similar
              # use case)
              # pppd-ipparam = 'device=$DEVICE'
              # instruct pppd to call a script instead of passing arguments
              # (if pppd supports it)
              # pppd-call = script
              # use-syslog = 0
              insecure-ssl = 0
              cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
              persistent = 0
              seclevel-1 = 0

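       The following script is an added example, not part of openfortivpn.
       It parses a config file in the "key = value" format shown above and
       reports settings this page warns about: a clear-text password in a
       file readable by group or others, insecure-ssl enabled, set-dns and
       pppd-use-peerdns both enabled (which may race), trusted-cert values
       that are not a 64-hex-digit sha256 digest, and user-cert values that
       look like a PKCS#11 URI without the required pkcs11: prefix. The
       truthy spellings it accepts besides 1 (true, yes, on) are an
       assumption, as is ignoring unknown keys.

```shell
#!/bin/sh
# Added example, not shipped with openfortivpn: a lint for the config file
# format described above ("key = value" lines, "#" comment lines).
# Usage: check_config /etc/openfortivpn/config   (exit status 0 = no findings)

# Strip leading and trailing whitespace.
trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# Boolean spellings accepted here (the page itself uses 0 and 1).
is_true() { case "$1" in 1|true|yes|on) return 0 ;; *) return 1 ;; esac; }

check_config() {
    f="$1"; n=0
    has_password=0; set_dns=0; peer_dns=0
    [ -r "$f" ] || { echo "$f: cannot read"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "$line")
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            *=*) ;;
            *) echo "$f: not a 'key = value' line: $line"; n=$((n + 1)); continue ;;
        esac
        key=$(trim "${line%%=*}"); val=$(trim "${line#*=}")
        case "$key" in
            password)
                has_password=1 ;;
            insecure-ssl)
                is_true "$val" && { echo "$f: insecure-ssl is enabled"; n=$((n + 1)); } ;;
            set-dns)
                is_true "$val" && set_dns=1 ;;
            pppd-use-peerdns)
                is_true "$val" && peer_dns=1 ;;
            trusted-cert)
                # --trusted-cert takes the sha256 of the DER certificate: 64 hex digits
                case "$val" in
                    ''|*[!0-9a-fA-F]*) bad=1 ;;
                    *) [ ${#val} -eq 64 ] && bad=0 || bad=1 ;;
                esac
                [ "$bad" = 1 ] && { echo "$f: trusted-cert is not a sha256 hex digest: $val"; n=$((n + 1)); } ;;
            user-cert)
                # anything that does not start with "pkcs11:" is treated as a file path
                case "$val" in
                    pkcs11:*) ;;
                    pkcs*) echo "$f: user-cert must start with 'pkcs11:' to select a token: $val"; n=$((n + 1)) ;;
                esac ;;
        esac
    done < "$f"
    if [ "$has_password" = 1 ]; then
        # ls -l columns 5-10 are the group and other permission bits
        case "$(ls -ld "$f" | cut -c5-10)" in
            ------) ;;
            *) echo "$f: contains a password but is readable by group/others"; n=$((n + 1)) ;;
        esac
    fi
    if [ "$set_dns" = 1 ] && [ "$peer_dns" = 1 ]; then
        echo "$f: set-dns and pppd-use-peerdns are both enabled and may race"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}
```

       Values are taken verbatim up to the end of the line, as in the
       template above, so a trailing comment on a key = value line is
       reported as part of the value.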


                                March 13, 2020                 OPENFORTIVPN(1)