OPENFORTIVPN(1)             General Commands Manual            OPENFORTIVPN(1)

NAME
       openfortivpn - Client for PPP+SSL VPN tunnel services

SYNOPSIS
       openfortivpn [<host>[:<port>]] [-u <user>] [-p <pass>] [--otp=<otp>]
       [--otp-prompt=<prompt>] [--otp-delay=<delay>] [--realm=<realm>]
       [--set-routes=<bool>] [--no-routes] [--set-dns=<bool>] [--no-dns]
       [--half-internet-routes=<bool>] [--ca-file=<file>] [--user-cert=<file>]
       [--user-cert=pkcs11:] [--user-key=<file>] [--use-syslog]
       [--trusted-cert=<digest>] [--insecure-ssl] [--cipher-list=<ciphers>]
       [--pppd-use-peerdns=<bool>] [--pppd-no-peerdns] [--pppd-log=<file>]
       [--pppd-plugin=<file>] [--pppd-ipparam=<string>]
       [--pppd-ifname=<string>] [--pppd-call=<name>] [--ppp-system=<string>]
       [--persistent=<interval>] [-c <file>] [-v|-q]
       openfortivpn --help
       openfortivpn --version

DESCRIPTION
       openfortivpn connects to a VPN by setting up a tunnel to the gateway at
       <host>:<port>.

OPTIONS
       --help Show the help message and exit.

       --version
              Show version and exit.

       -c <file>, --config=<file>
              Specify a custom config file (default: /etc/openfortivpn/config).

       -u <user>, --username=<user>
              VPN account username.

       -p <pass>, --password=<pass>
              VPN account password.

       -o <otp>, --otp=<otp>
              One-Time-Password.

       --otp-prompt=<prompt>
              Search for the OTP password prompt starting with the string
              <prompt>.

       --otp-delay=<delay>
              Set the amount of time to wait before sending the
              One-Time-Password. The delay time must be specified in seconds,
              where 0 means no wait (this is the default).

       --realm=<realm>
              Connect to the specified authentication realm. Defaults to
              empty, which is usually what you want.

       --set-routes=<bool>, --no-routes
              Set if openfortivpn should try to configure IP routes through
              the VPN when the tunnel is up. If used multiple times, the last
              one takes priority.

              --no-routes is the same as --set-routes=0.

       --half-internet-routes=<bool>
              Set if openfortivpn should add two 0.0.0.0/1 and 128.0.0.0/1
              routes with higher priority instead of replacing the default
              route.

       --set-dns=<bool>, --no-dns
              Set if openfortivpn should add DNS name servers in
              /etc/resolv.conf when the tunnel is up. If used multiple times,
              the last one takes priority. Note that there may be other
              mechanisms to update /etc/resolv.conf, e.g. --pppd-use-peerdns
              in conjunction with an ip-up script, which may require that
              openfortivpn is called with --no-dns. Also a DNS suffix may be
              received from the peer and added to /etc/resolv.conf together
              with the name servers.

              --no-dns is the same as --set-dns=0.

       --ca-file=<file>
              Use the specified PEM-encoded certificate bundle instead of the
              system-wide store to verify the gateway certificate.

       --user-cert=<file>
              Use the specified PEM-encoded certificate if the server requires
              authentication with a certificate.

       --user-cert=pkcs11:
              Use at least the string pkcs11: for using a smartcard. It takes
              the full or a partial PKCS11-URI (p11tool --list-token-urls),
              for example:

              --user-cert = pkcs11:

              --user-cert = pkcs11:token=someuser

              --user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser

              This feature requires the OpenSSL PKCS#11 engine!

       --user-key=<file>
              Use the specified PEM-encoded key if the server requires
              authentication with a certificate.

       --use-syslog
              Log to syslog instead of the terminal.

       --trusted-cert=<digest>
              Trust a given gateway. If classical SSL certificate validation
              fails, the gateway certificate will be matched against this
              value. <digest> is the X509 certificate's sha256 sum. This
              option can be used multiple times to trust several certificates.

       --insecure-ssl
              Do not disable insecure SSL protocols/ciphers. If your server
              requires a specific cipher, consider using --cipher-list
              instead.

       --cipher-list=<ciphers>
              OpenSSL ciphers to use. If the default does not work, you can
              try alternatives such as HIGH:!MD5:!RC4, or the cipher suggested
              by the Cipher: line in the output of openssl(1) (e.g.
              AES256-GCM-SHA384):

              $ openssl s_client -connect <host:port>

              (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)

       --pppd-use-peerdns=<bool>, --pppd-no-peerdns
              Whether to ask the peer ppp server for DNS server addresses and
              let pppd rewrite /etc/resolv.conf. If the DNS server addresses
              are requested, --set-dns=1 may race with the mechanisms in
              pppd.

              --pppd-no-peerdns is the same as --pppd-use-peerdns=0.

       --pppd-log=<file>
              Set pppd in debug mode and save its logs into <file>.

       --pppd-plugin=<file>
              Use the specified pppd plugin instead of configuring the
              resolver and routes directly.

       --pppd-ipparam=<string>
              Provides an extra parameter to the ip-up, ip-pre-up and ip-down
              scripts. See pppd(8) for further details.

       --pppd-ifname=<string>
              Set the ppp interface name. Only if supported by pppd. Patched
              versions of pppd implement this option but may not be available
              on your platform.

       --pppd-call=<name>
              Drop the usual arguments from the pppd command line and add
              `call <name>' instead. This can be useful on Debian and Ubuntu,
              where unprivileged users in group `dip' can invoke `pppd call
              <name>' to make pppd read and apply options from
              /etc/ppp/peers/<name> (including privileged ones).

       --ppp-system=<string>
              Only available if compiled for the ppp user space client (e.g.
              on FreeBSD). Connect to the specified system as defined in
              /etc/ppp/ppp.conf.

       --persistent=<interval>
              Run the VPN persistently in an endless loop and try to reconnect
              forever. The reconnect interval may be specified in seconds,
              where 0 means no reconnect is done (this is the default).

       -v     Increase verbosity. Can be used multiple times to be even more
              verbose.

       -q     Decrease verbosity. Can be used multiple times to be even less
              verbose.

ENVIRONMENT
       openfortivpn can be run behind an HTTP proxy that supports the HTTP
       CONNECT method. It checks whether one of the environment variables
       https_proxy, HTTPS_PROXY, all_proxy or ALL_PROXY is set; these are
       supposed to contain a string of the format

              http://[host]:[port]

       where [host] is the IP address or the fully qualified host name of the
       proxy server and [port] is the TCP port number where the proxy is
       listening for incoming connections. If one of these variables is
       defined, openfortivpn first establishes a TCP connection to this proxy
       (plain HTTP, not encrypted), and then makes a request to connect to
       the VPN host as given on the command line or in the config file. The
       proxy is supposed to forward any subsequent packets transparently to
       the VPN host, so that the TLS layer of the connection is effectively
       established between the client and the VPN host, and the proxy just
       acts as a forwarding instance at the lower level of the TCP
       connection.

       The following environment variables are set by openfortivpn, so that
       pppd(8) or its scripts can obtain information this way:

              VPN_GATEWAY            the IP address of the gateway host

       and for each route three variables are set up, where an integer number
       is appended to the variable names, denoting the number of the current
       route:

              VPN_ROUTE_DEST_...     the destination network of the route
              VPN_ROUTE_MASK_...     the network mask for this route
              VPN_ROUTE_GATEWAY_...  the gateway for the current route entry
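       A helper for an ip-up style script that consumes these variables, as
       an added example that is not part of openfortivpn. It assumes the route
       index is a small integer (it scans 0 to 255) and that VPN_ROUTE_MASK_...
       holds a dotted-quad netmask; it prints one "ip route add" command per
       pushed route and refuses any route broader than a chosen prefix length,
       so a gateway-pushed default route is reported rather than installed.

```shell
#!/bin/sh
# Added example, not part of openfortivpn: helper for an ip-up style script
# turning VPN_ROUTE_DEST_n / VPN_ROUTE_MASK_n / VPN_ROUTE_GATEWAY_n into
# "ip route add" commands, refusing routes broader than a minimum prefix.
# Assumed: indices are small integers (0..255) and masks are dotted quads.

# Dotted-quad netmask -> prefix length; return 1 unless it is contiguous.
mask_to_prefix() {
    total=0; seen_end=0; old_ifs=$IFS
    IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;;
            240) bits=4 ;; 224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;;
            0)   bits=0 ;; *)   return 1 ;;
        esac
        # once a partial or zero octet appears, every later octet must be 0
        if [ "$seen_end" -eq 1 ] && [ "$octet" -ne 0 ]; then return 1; fi
        [ "$octet" -eq 255 ] || seen_end=1
        total=$((total + bits))
    done
    echo "$total"
}

# Print one "ip route add" line per pushed route whose prefix length is at
# least $1 (default 8); broader routes and bad masks are reported on stderr.
vpn_route_cmds() {
    min_prefix=${1:-8}
    i=0
    while [ "$i" -le 255 ]; do
        n=$i; i=$((i + 1))
        eval "dest=\${VPN_ROUTE_DEST_$n:-}"
        eval "mask=\${VPN_ROUTE_MASK_$n:-}"
        eval "gw=\${VPN_ROUTE_GATEWAY_$n:-\${VPN_GATEWAY:-}}"
        [ -n "$dest" ] && [ -n "$mask" ] || continue
        if ! prefix=$(mask_to_prefix "$mask"); then
            echo "route $n: skipping $dest, bad netmask '$mask'" >&2
        elif [ "$prefix" -lt "$min_prefix" ]; then
            echo "route $n: refusing over-broad $dest/$prefix via $gw" >&2
        else
            echo "ip route add $dest/$prefix via $gw"
        fi
    done
}
```

       Run "vpn_route_cmds 8" from the ip-up script and review or pipe the
       output; pushed routes that would cover more than a /8 are never emitted.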

       If not compiled for pppd, the pppd options and the features that rely
       on them are not available. On FreeBSD --ppp-system is available
       instead.

CONFIG FILE
       Options can be taken from a configuration file. Options passed on the
       command line override those from the config file, though. The default
       config file is /etc/openfortivpn/config, but this can be set using the
       -c option. An empty template for the config file is installed to
       /usr/share/openfortivpn/config.template

       A config file looks like:

              # this is a comment
              host = vpn-gateway
              port = 443
              username = foo
              password = bar
              # realm = some-realm
              # useful for a gui that passes a config file to openfortivpn
              # otp = 123456
              # otp-delay = 0
              # otp-prompt = Please
              user-cert = /etc/openfortivpn/user-cert.pem
              user-key = /etc/openfortivpn/user-key.pem
              # the sha256 digest of the trusted host certs obtained by
              # openssl dgst -sha256 server-cert.pem:
              trusted-cert = certificatedigest4daa8c5fe6c...
              trusted-cert = othercertificatedigest6631bf...
              # This would specify a ca bundle instead of system-wide store
              # ca-file = /etc/openfortivpn/ca-bundle.pem
              set-dns = 0
              set-routes = 1
              half-internet-routes = 0
              pppd-use-peerdns = 1
              # alternatively, use a specific pppd plugin instead
              # pppd-plugin = /usr/lib/pppd/default/some-plugin.so
              # for debugging pppd write logs here
              # pppd-log = /var/log/pppd.log
              # pass ppp interface name to pppd
              # (if supported by a patched pppd)
              # pppd-ifname = ppp1
              # pass an ipparam string to pppd, e.g. the device name
              # (a similar use case)
              # pppd-ipparam = 'device=$DEVICE'
              # instruct pppd to call a script instead of passing arguments
              # (if pppd supports it)
              # pppd-call = script
              # use-syslog = 0
              insecure-ssl = 0
              cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
              persistent = 0

                               November 27, 2019                OPENFORTIVPN(1)