OPENFORTIVPN(1)             General Commands Manual            OPENFORTIVPN(1)

NAME
       openfortivpn - Client for PPP+SSL VPN tunnel services

SYNOPSIS
       openfortivpn [<host>[:<port>]] [-u <user>] [-p <pass>] [--otp=<otp>]
       [--otp-prompt=<prompt>] [--otp-delay=<delay>] [--realm=<realm>]
       [--set-routes=<bool>] [--no-routes] [--set-dns=<bool>] [--no-dns]
       [--half-internet-routes=<bool>] [--ca-file=<file>] [--user-cert=<file>]
       [--user-key=<file>] [--use-syslog] [--trusted-cert=<digest>]
       [--insecure-ssl] [--cipher-list=<ciphers>] [--pppd-use-peerdns=<bool>]
       [--pppd-no-peerdns] [--pppd-log=<file>] [--pppd-plugin=<file>]
       [--pppd-ipparam=<string>] [--pppd-ifname=<string>] [--pppd-call=<name>]
       [--ppp-system=<string>] [--persistent=<interval>] [-c <file>] [-v|-q]
       openfortivpn --help
       openfortivpn --version

DESCRIPTION
       openfortivpn connects to a VPN by setting up a tunnel to the gateway at
       <host>:<port>.

OPTIONS
       --help Show the help message and exit.

       --version
              Show version and exit.

       -c <file>, --config=<file>
              Specify a custom config file (default: /etc/openfortivpn/config).

       -u <user>, --username=<user>
              VPN account username.

       -p <pass>, --password=<pass>
              VPN account password.

       -o <otp>, --otp=<otp>
              One-Time-Password.

       --otp-prompt=<prompt>
              Search for the OTP password prompt starting with the string
              <prompt>.

       --otp-delay=<delay>
              Set the amount of time to wait before sending the One-Time-
              Password. The delay must be specified in seconds, where 0 means
              no wait (this is the default).

       --realm=<realm>
              Connect to the specified authentication realm. Defaults to
              empty, which is usually what you want.

       --set-routes=<bool>, --no-routes
              Set if openfortivpn should try to configure IP routes through
              the VPN when the tunnel is up. If used multiple times, the last
              one takes priority.

              --no-routes is the same as --set-routes=0.

       --half-internet-routes=<bool>
              Set if openfortivpn should add the two routes 0.0.0.0/1 and
              128.0.0.0/1, which take priority over the default route, instead
              of replacing the default route.

       --set-dns=<bool>, --no-dns
              Set if openfortivpn should add the VPN nameservers to
              /etc/resolv.conf when the tunnel is up. If used multiple times,
              the last one takes priority. This option requires that the DNS
              entries are requested from the peer, so --pppd-no-peerdns
              conflicts with --set-dns=1. Note that there may be other
              mechanisms that update /etc/resolv.conf, which may require that
              openfortivpn is called with --no-dns.

              --no-dns is the same as --set-dns=0.

       --ca-file=<file>
              Use the specified PEM-encoded certificate bundle instead of the
              system-wide store to verify the gateway certificate.

       --user-cert=<file>
              Use the specified PEM-encoded certificate if the server requires
              authentication with a certificate.

       --user-key=<file>
              Use the specified PEM-encoded key if the server requires
              authentication with a certificate.

       --use-syslog
              Log to syslog instead of the terminal.

       --trusted-cert=<digest>
              Trust a given gateway. If classical SSL certificate validation
              fails, the gateway certificate will be matched against this
              value. <digest> is the X509 certificate's sha256 sum. This
              option can be used multiple times to trust several certificates.

       --insecure-ssl
              Do not disable insecure SSL protocols/ciphers. If your server
              requires a specific cipher, consider using --cipher-list
              instead.

       --cipher-list=<ciphers>
              OpenSSL ciphers to use. If the default does not work, you can
              try alternatives such as HIGH:!MD5:!RC4 or the cipher suggested
              by the Cipher: line in the output of openssl(1) (e.g.
              AES256-GCM-SHA384):

              $ openssl s_client -connect <host:port>

              (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)

       --pppd-use-peerdns=<bool>, --pppd-no-peerdns
              Whether to ask the peer ppp server for DNS server addresses,
              without making pppd rewrite /etc/resolv.conf. If the DNS server
              addresses are not requested, --set-dns=1 has no effect either.
              On the other hand, with --set-dns=0, when pppd requests DNS
              server addresses, there may be other mechanisms, such as a pppd
              ip-up script, that update /etc/resolv.conf.

              --pppd-no-peerdns is the same as --pppd-use-peerdns=0.

       --pppd-log=<file>
              Set pppd in debug mode and save its logs into <file>.

       --pppd-plugin=<file>
              Use the specified pppd plugin instead of configuring the
              resolver and routes directly.

       --pppd-ipparam=<string>
              Provides an extra parameter to the ip-up, ip-pre-up and ip-down
              scripts. See pppd(8) for further details.

       --pppd-ifname=<string>
              Set the ppp interface name. Only if supported by pppd. Patched
              versions of pppd implement this option but may not be available
              on your platform.

       --pppd-call=<name>
              Drop the usual arguments from the pppd command line and add
              `call <name>' instead. This can be useful on Debian and Ubuntu,
              where unprivileged users in group `dip' can invoke `pppd call
              <name>' to make pppd read and apply options from
              /etc/ppp/peers/<name> (including privileged ones).

       --ppp-system=<string>
              Only available if compiled for the ppp user space client (e.g.
              on FreeBSD). Connect to the specified system as defined in
              /etc/ppp/ppp.conf.

       --persistent=<interval>
              Run the VPN persistently in an endless loop and try to reconnect
              forever. The reconnect interval may be specified in seconds,
              where 0 means no reconnect is done (this is the default).

       -v     Increase verbosity. Can be used multiple times to be even more
              verbose.

       -q     Decrease verbosity. Can be used multiple times to be even less
              verbose.

ENVIRONMENT and proxy support
       openfortivpn can be run behind an HTTP proxy that supports the HTTP
       CONNECT method. It checks whether one of the environment variables
       https_proxy, HTTPS_PROXY, all_proxy or ALL_PROXY is set; these are
       expected to contain a string of the format

              http://[host]:[port]

       where [host] is the IP address or the fully qualified host name of the
       proxy server and [port] is the TCP port number on which the proxy is
       listening for incoming connections. If one of these variables is
       defined, openfortivpn first establishes a TCP connection to this proxy
       (plain HTTP, not encrypted), and then requests a connection to the VPN
       host as given on the command line or in the config file. The proxy is
       expected to forward any subsequent packets transparently to the VPN
       host, so that the TLS layer of the connection is effectively
       established between the client and the VPN host, and the proxy just
       acts as a forwarding instance at the lower level of the TCP connection.

       The following environment variables are set by openfortivpn, so that
       pppd(8) or its scripts can obtain information this way:

              VPN_GATEWAY  the IP address of the gateway host

       For each route, three variables are set up, where an integer number is
       appended to the variable names, denoting the number of the current
       route:

              VPN_ROUTE_DEST_...     the destination network of the route
              VPN_ROUTE_MASK_...     the network mask for this route
              VPN_ROUTE_GATEWAY_...  the gateway for the current route entry

       If not compiled for pppd, the pppd options and the features that rely
       on them are not available. On FreeBSD --ppp-system is available
       instead.
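
       The following is an added example, not part of openfortivpn or its
       manual: a POSIX sh helper for a pppd(8) ip-up style script that reads
       the VPN_GATEWAY and VPN_ROUTE_* variables described above and lists
       the routes the gateway pushed, so they can be logged or reviewed before
       anything is applied. It assumes (the manual does not say) that the
       appended route index starts at 0 and is contiguous; the environment
       values it loads for the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not openfortivpn's own code: enumerate the routes that
# openfortivpn exports to pppd(8) scripts through the environment.
#
# Assumption (not stated in the manual): the route index appended to
# VPN_ROUTE_DEST_/VPN_ROUTE_MASK_/VPN_ROUTE_GATEWAY_ starts at 0 and is
# contiguous, so enumeration stops at the first missing VPN_ROUTE_DEST_<n>.

# vpn_routes: print one line per pushed route, "index dest mask gateway".
# Returns 1 if a route has a destination but lacks its mask or gateway,
# which an ip-up script should treat as an error rather than guess.
vpn_routes() {
    i=0
    rc=0
    while eval "[ -n \"\${VPN_ROUTE_DEST_$i+set}\" ]"; do
        eval "dest=\$VPN_ROUTE_DEST_$i"
        eval "mask=\${VPN_ROUTE_MASK_$i-}"
        eval "gw=\${VPN_ROUTE_GATEWAY_$i-}"
        if [ -z "$mask" ] || [ -z "$gw" ]; then
            echo "route $i: incomplete (dest=$dest mask=$mask gw=$gw)" >&2
            rc=1
        else
            echo "$i $dest $mask $gw"
        fi
        i=$((i + 1))
    done
    return $rc
}

# vpn_route_count: number of complete routes found in the environment.
vpn_route_count() {
    vpn_routes 2>/dev/null | wc -l | tr -d ' '
}

# mask_to_prefix: dotted-quad netmask -> CIDR prefix length (255.255.0.0 -> 16).
mask_to_prefix() {
    bits=0
    for octet in $(echo "$1" | tr '.' ' '); do
        while [ "$octet" -gt 0 ]; do
            bits=$((bits + (octet & 1)))
            octet=$((octet >> 1))
        done
    done
    echo "$bits"
}

# vpn_route_commands: the ip(8) commands an ip-up script would run for each
# pushed route, printed rather than executed so they can be reviewed first.
vpn_route_commands() {
    vpn_routes | while read -r idx dest mask gw; do
        echo "ip route add $dest/$(mask_to_prefix "$mask") via $gw"
    done
}

# Constructed sample environment in the shape openfortivpn sets it up
# (addresses are documentation ranges, not from any real gateway).
load_sample_env() {
    VPN_GATEWAY=203.0.113.1
    VPN_ROUTE_DEST_0=10.0.0.0  VPN_ROUTE_MASK_0=255.0.0.0     VPN_ROUTE_GATEWAY_0=203.0.113.1
    VPN_ROUTE_DEST_1=192.0.2.0 VPN_ROUTE_MASK_1=255.255.255.0 VPN_ROUTE_GATEWAY_1=203.0.113.1
    export VPN_GATEWAY VPN_ROUTE_DEST_0 VPN_ROUTE_MASK_0 VPN_ROUTE_GATEWAY_0 \
           VPN_ROUTE_DEST_1 VPN_ROUTE_MASK_1 VPN_ROUTE_GATEWAY_1
}

if [ "${1-}" = "--demo" ]; then
    load_sample_env
    echo "gateway: $VPN_GATEWAY"
    vpn_route_commands
fi
```

       Run with --demo to see the ip route commands derived from the
       constructed environment. In a real ip-up script the functions are
       called without load_sample_env, since pppd hands the variables in
       from openfortivpn.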
CONFIG FILE
       Options can be taken from a configuration file. Options passed on the
       command line will override those from the config file, though. The
       default config file is /etc/openfortivpn/config, but this can be set
       using the -c option. An empty template for the config file is
       installed to /usr/share/openfortivpn/config.template.

       A config file looks like:
              # this is a comment
              host = vpn-gateway
              port = 443
              username = foo
              password = bar
              # realm = some-realm
              # useful for a gui that passes a config file to openfortivpn
              # otp = 123456
              # otp-delay = 0
              # otp-prompt = Please
              user-cert = /etc/openfortivpn/user-cert.pem
              user-key = /etc/openfortivpn/user-key.pem
              # the sha256 digest of the trusted host certs obtained by
              # openssl dgst -sha256 server-cert.pem:
              trusted-cert = certificatedigest4daa8c5fe6c...
              trusted-cert = othercertificatedigest6631bf...
              # This would specify a ca bundle instead of system-wide store
              # ca-file = /etc/openfortivpn/ca-bundle.pem
              set-dns = 0
              set-routes = 1
              half-internet-routes = 0
              pppd-use-peerdns = 1
              # alternatively, use a specific pppd plugin instead
              # pppd-plugin = /usr/lib/pppd/default/some-plugin.so
              # for debugging pppd write logs here
              # pppd-log = /var/log/pppd.log
              # pass ppp interface name to pppd (if supported by a patched pppd)
              # pppd-ifname = ppp1
              # pass an ipparam string to pppd, e.g. the device name (a similar
              # use case)
              # pppd-ipparam = 'device=$DEVICE'
              # instruct pppd to call a script instead of passing arguments
              # (if pppd supports it)
              # pppd-call = script
              # use-syslog = 0
              insecure-ssl = 0
              cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
              persistent = 0
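
       The following is an added example, not shipped with openfortivpn: a
       POSIX sh linter for a config file in the format shown above. It reads
       key = value lines (lines starting with # are comments; whitespace
       around key and value is ignored; the last occurrence wins, which is an
       assumption carried over from the command-line rule) and reports the
       two settings this manual warns about: set-dns = 1 together with
       pppd-use-peerdns = 0, which cannot work because the nameservers are
       never requested from the peer, and insecure-ssl = 1, which leaves
       insecure SSL protocols and ciphers enabled. It also adds one check the
       manual does not mention: a file holding a password should not be
       world-readable. The sample config is constructed inline.

```shell
#!/bin/sh
# Added example, not part of openfortivpn: lint an openfortivpn config file
# (the "key = value" format shown under CONFIG FILE) for the option conflicts
# this manual describes. Parsing rules: '#' lines are comments, whitespace
# around key and value is ignored, the last occurrence of a key wins
# (assumption: same "last one takes priority" rule as on the command line).

# conf_get FILE KEY: print the last value assigned to KEY in FILE, or nothing.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                 # comment line
        index($0, "=") == 0 { next }              # not a key = value line
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { found = 1; last = v }
        }
        END { if (found) print last }' "$1"
}

# lint_config FILE: print one finding per line; return 1 if anything was found.
lint_config() {
    file=$1
    rc=0
    if [ "$(conf_get "$file" set-dns)" = 1 ] &&
       [ "$(conf_get "$file" pppd-use-peerdns)" = 0 ]; then
        echo "set-dns = 1 conflicts with pppd-use-peerdns = 0: nameservers are never requested from the peer"
        rc=1
    fi
    if [ "$(conf_get "$file" insecure-ssl)" = 1 ]; then
        echo "insecure-ssl = 1 leaves insecure SSL protocols/ciphers enabled; use cipher-list for a specific cipher instead"
        rc=1
    fi
    # Not in the manual, but natural once a password is stored in the file:
    # nobody but the owner should be able to read it. ls(1) is used for
    # portability; character 8 of the mode string is the "others read" bit.
    if [ -n "$(conf_get "$file" password)" ]; then
        case "$(ls -l "$file" | cut -c1-10)" in
            ???????r??) echo "config contains a password but is world-readable"; rc=1 ;;
        esac
    fi
    return $rc
}

# write_sample_config FILE: constructed config in the manual's format,
# deliberately carrying both conflicts so the linter has something to report.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment
host = vpn-gateway
port = 443
username = foo
password = bar
set-dns = 1
pppd-use-peerdns = 0
insecure-ssl = 1
cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
EOF
}

if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample_config "$tmp"
    lint_config "$tmp"
    rm -f "$tmp"
fi
```

       Run with --demo to lint the constructed sample, or point lint_config
       at /etc/openfortivpn/config before starting the client; a non-zero
       exit status means at least one finding was printed.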


                                March 12, 2019                 OPENFORTIVPN(1)