OPENFORTIVPN(1)              General Commands Manual             OPENFORTIVPN(1)

NAME
       openfortivpn - Client for PPP+SSL VPN tunnel services

SYNOPSIS
       openfortivpn [<host>[:<port>]] [-u <user>] [-p <pass>] [--otp=<otp>]
       [--otp-prompt=<prompt>] [--otp-delay=<delay>] [--realm=<realm>]
       [--set-routes=<bool>] [--no-routes] [--set-dns=<bool>] [--no-dns]
       [--half-internet-routes=<bool>] [--ca-file=<file>] [--user-cert=<file>]
       [--user-cert=pkcs11:] [--user-key=<file>] [--use-syslog]
       [--trusted-cert=<digest>] [--insecure-ssl] [--cipher-list=<ciphers>]
       [--pppd-use-peerdns=<bool>] [--pppd-no-peerdns] [--pppd-log=<file>]
       [--pppd-plugin=<file>] [--pppd-ipparam=<string>]
       [--pppd-ifname=<string>] [--pppd-call=<name>] [--ppp-system=<string>]
       [--use-resolvconf=<bool>] [--persistent=<interval>] [-c <file>] [-v|-q]
       openfortivpn --help
       openfortivpn --version

DESCRIPTION
       openfortivpn connects to a VPN by setting up a tunnel to the gateway at
       <host>:<port>.

OPTIONS
       --help Show the help message and exit.

       --version
              Show version and exit.

       -c <file>, --config=<file>
              Specify a custom config file (default: /etc/openfortivpn/config).

       -u <user>, --username=<user>
              VPN account username.

       -p <pass>, --password=<pass>
              VPN account password.

       -o <otp>, --otp=<otp>
              One-Time-Password.

       --otp-prompt=<prompt>
              Search for the OTP password prompt starting with the string
              <prompt>.

       --otp-delay=<delay>
              Set the amount of time to wait before sending the
              One-Time-Password. The delay time must be specified in seconds,
              where 0 means no wait (this is the default).

       --realm=<realm>
              Connect to the specified authentication realm. Defaults to
              empty, which is usually what you want.

       --set-routes=<bool>, --no-routes
              Set if openfortivpn should try to configure IP routes through
              the VPN when the tunnel is up. If used multiple times, the last
              one takes priority.

              --no-routes is the same as --set-routes=0.

       --half-internet-routes=<bool>
              Set if openfortivpn should add two 0.0.0.0/1 and 128.0.0.0/1
              routes with higher priority instead of replacing the default
              route.
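The two /1 routes take priority because a route lookup picks the most specific matching prefix: every IPv4 address falls into either 0.0.0.0/1 or 128.0.0.0/1, both longer than the 0.0.0.0/0 default, so the original default route stays in the table and is merely shadowed while the tunnel is up, and deleting the two /1 routes restores it. The following added example (written for this page, not openfortivpn code) shows that with a small longest-prefix-match lookup; the table entries and the next-hop names, including the interface ppp0, are constructed.

```python
# Added example, not openfortivpn code: why two /1 routes shadow the default
# route without replacing it. Routing table and next hops are constructed.
import ipaddress

# Constructed table: (destination prefix, next hop) before the tunnel comes up.
TABLE_BEFORE = [
    ("0.0.0.0/0", "192.0.2.1 dev eth0"),   # LAN default route, left in place
    ("192.0.2.0/24", "dev eth0"),          # directly connected LAN
]

def with_half_internet_routes(table, tunnel_hop="dev ppp0"):
    """What --half-internet-routes=1 adds: two /1 routes via the tunnel
    (ppp0 is an assumed interface name); the existing default route is
    left untouched."""
    return table + [("0.0.0.0/1", tunnel_hop), ("128.0.0.0/1", tunnel_hop)]

def lookup(table, address):
    """Longest-prefix match: of all routes containing `address`, return the
    next hop of the one with the longest prefix."""
    addr = ipaddress.ip_address(address)
    best_net, best_hop = None, None
    for cidr, hop in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop

def tunnel_down(table):
    """Removing the two /1 routes restores the original behaviour without
    having to remember and re-install the old default route."""
    return [r for r in table if r[0] not in ("0.0.0.0/1", "128.0.0.0/1")]

if __name__ == "__main__":
    up = with_half_internet_routes(TABLE_BEFORE)
    for dst in ("203.0.113.7", "130.0.0.1", "192.0.2.25"):
        print(dst, "->", lookup(TABLE_BEFORE, dst), "| tunnel up:", lookup(up, dst))
```

Note that the directly connected /24 still wins over the /1 routes, which is why LAN traffic keeps working while everything else is pulled into the tunnel.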

       --set-dns=<bool>, --no-dns
              Set if openfortivpn should add DNS name servers in
              /etc/resolv.conf when the tunnel is up. A dns-suffix received
              from the peer is also added to /etc/resolv.conf along with the
              name servers. resolvconf is instructed to do the update of the
              resolv.conf file if it is installed and --use-resolvconf is
              activated; otherwise openfortivpn prepends its changes to the
              existing content of the resolv.conf file. Note that there may
              be other mechanisms to update /etc/resolv.conf, e.g.
              --pppd-use-peerdns in conjunction with an ip-up script, which
              may require that openfortivpn is called with --no-dns.

              --no-dns is the same as --set-dns=0.

       --use-resolvconf=<bool>
              Set if openfortivpn should use resolvconf to add DNS name
              servers in /etc/resolv.conf. If it is set to false, the builtin
              fallback mechanism is used even if resolvconf is available.

       --ca-file=<file>
              Use the specified PEM-encoded certificate bundle instead of the
              system-wide store to verify the gateway certificate.

       --user-cert=<file>
              Use the specified PEM-encoded certificate if the server requires
              authentication with a certificate.

       --user-cert=pkcs11:
              Use at least the string pkcs11: to authenticate with a
              smartcard. It takes a full or a partial PKCS#11 URI (as listed
              by p11tool --list-token-urls), for example:

                     --user-cert = pkcs11:

                     --user-cert = pkcs11:token=someuser

                     --user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser

              This feature requires the OpenSSL PKCS#11 engine.

       --user-key=<file>
              Use the specified PEM-encoded key if the server requires
              authentication with a certificate.

       --use-syslog
              Log to syslog instead of the terminal.

       --trusted-cert=<digest>
              Trust a given gateway. If classical SSL certificate validation
              fails, the gateway certificate will be matched against this
              value. <digest> is the sha256 sum of the X509 certificate, which
              has to be encoded in DER form. This option can be used multiple
              times to trust several certificates.
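The digest must be taken over the DER encoding, not over the PEM text that most servers hand out, and it is the only thing standing between you and a spoofed gateway once normal validation has failed, so it is worth computing it carefully. The following added example (not openfortivpn code) derives the <digest> value from a certificate given as PEM or DER and checks it against a trusted list the way the option describes; the sample certificate bytes are a constructed DER fragment, not a real X.509 certificate.

```python
# Added example, not openfortivpn code: derive and check the --trusted-cert
# digest (SHA-256 over the DER encoding). The sample bytes are constructed.
import base64
import hashlib
import hmac
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def gateway_fingerprint(cert: bytes) -> str:
    """Return the hex SHA-256 of the certificate's DER encoding, accepting
    either PEM text or raw DER bytes as input."""
    if cert.lstrip().startswith(PEM_HEADER):
        # Strips the armour and base64-decodes the body; nothing else changes.
        der = ssl.PEM_cert_to_DER_cert(cert.strip().decode("ascii"))
    elif cert[:1] == b"\x30":   # a DER certificate is a SEQUENCE (tag 0x30)
        der = cert               # do not strip: trailing bytes are part of DER
    else:
        raise ValueError("input is neither a PEM nor a DER certificate")
    return sha256_hex(der)

def is_trusted(cert: bytes, trusted_digests) -> bool:
    """Match the gateway certificate against the configured digests, as
    --trusted-cert does when normal validation fails. The comparison is
    case-insensitive and constant-time."""
    fp = gateway_fingerprint(cert).encode("ascii")
    return any(hmac.compare_digest(fp, d.strip().lower().encode("ascii"))
               for d in trusted_digests)

# Constructed sample: a minimal DER SEQUENCE standing in for a certificate
# (not a valid X.509 structure; only the encoding handling is exercised).
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (PEM_HEADER + b"\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("DER digest:", gateway_fingerprint(SAMPLE_PEM))
    print("digest of the PEM text (wrong value):", sha256_hex(SAMPLE_PEM))
```

On the command line the same value comes from `openssl x509 -in gateway.pem -outform DER | openssl dgst -sha256`; running `openssl dgst -sha256` directly on a PEM file hashes the base64 text and yields a digest openfortivpn will never match.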

       --insecure-ssl
              Do not disable insecure SSL protocols/ciphers. If your server
              requires a specific cipher, consider using --cipher-list
              instead.

       --cipher-list=<ciphers>
              OpenSSL ciphers to use. If the default does not work, you can
              try alternatives such as HIGH:!MD5:!RC4, or the cipher named on
              the Cipher: line in the output of openssl(1) (e.g.
              AES256-GCM-SHA384):

                     $ openssl s_client -connect <host:port>

              (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)
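Before loosening the cipher list it helps to see what a given string actually selects and what the default one excludes: !kRSA drops static RSA key exchange (no forward secrecy), and !MD5 and !RC4 drop the broken hash and stream cipher. The following added example (not openfortivpn code) expands a cipher string through Python's ssl module, which uses the system OpenSSL, and flags the ciphers the default string is meant to keep out; the only page value it relies on is the default string itself.

```python
# Added example, not openfortivpn code: inspect what an OpenSSL cipher string
# selects, using Python's ssl module (linked against the system OpenSSL).
import ssl

OPENFORTIVPN_DEFAULT = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4"   # from this page

def ciphers_for(spec):
    """Expand a cipher string into the ciphers OpenSSL would offer; raises
    ssl.SSLError when the string selects nothing at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()   # list of dicts: name, description, ...

def weak_matches(spec):
    """Names of selected ciphers that the default string is meant to keep out:
    static RSA key exchange (no forward secrecy), RC4, or MD5."""
    flagged = []
    for c in ciphers_for(spec):
        # description looks like "AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA ..."
        if "Kx=RSA " in c["description"] or "RC4" in c["name"] or "MD5" in c["name"]:
            flagged.append(c["name"])
    return flagged

if __name__ == "__main__":
    print(len(ciphers_for(OPENFORTIVPN_DEFAULT)), "ciphers in the default;",
          "flagged:", weak_matches(OPENFORTIVPN_DEFAULT))
    # The alternative suggested above keeps RC4 and MD5 out but re-admits
    # static RSA key exchange, which is what a gateway that only offers
    # e.g. AES256-GCM-SHA384 needs.
    print("HIGH:!MD5:!RC4 re-admits:", weak_matches("HIGH:!MD5:!RC4"))
```

Comparing the two lists makes the trade-off of HIGH:!MD5:!RC4 concrete: it is a narrower relaxation than --insecure-ssl, but it still gives up forward secrecy for the ciphers it re-admits.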

       --pppd-use-peerdns=<bool>, --pppd-no-peerdns
              Whether to ask the peer ppp server for DNS server addresses and
              let pppd rewrite /etc/resolv.conf. There is no mechanism to
              pass the dns-suffix to pppd. If the DNS server addresses are
              requested, --set-dns=1 may additionally race with the
              mechanisms in pppd.

              --pppd-no-peerdns is the same as --pppd-use-peerdns=0.

       --pppd-log=<file>
              Set pppd in debug mode and save its logs into <file>.

       --pppd-plugin=<file>
              Use the specified pppd plugin instead of configuring the
              resolver and routes directly.

       --pppd-ipparam=<string>
              Provides an extra parameter to the ip-up, ip-pre-up and ip-down
              scripts. See pppd(8) for further details.

       --pppd-ifname=<string>
              Set the ppp interface name. Only if supported by pppd. Patched
              versions of pppd implement this option but may not be available
              on your platform.

       --pppd-call=<name>
              Drop the usual arguments from the pppd command line and add
              `call <name>' instead. This can be useful on Debian and Ubuntu,
              where unprivileged users in group `dip' can invoke `pppd call
              <name>' to make pppd read and apply options from
              /etc/ppp/peers/<name> (including privileged ones).

       --ppp-system=<string>
              Only available if compiled for the ppp user space client (e.g.
              on FreeBSD). Connect to the specified system as defined in
              /etc/ppp/ppp.conf.

       --persistent=<interval>
              Run the VPN persistently in an endless loop and try to reconnect
              forever. The reconnect interval may be specified in seconds,
              where 0 means no reconnect is done (this is the default).

       -v     Increase verbosity. Can be used multiple times to be even more
              verbose.

       -q     Decrease verbosity. Can be used multiple times to be even less
              verbose.

ENVIRONMENT
       openfortivpn can be run behind an HTTP proxy that supports the HTTP
       CONNECT command. It checks whether one of the environment variables
       https_proxy, HTTPS_PROXY, all_proxy or ALL_PROXY is set; they are
       expected to contain a string of the format

              http://[host]:[port]

       where [host] is the IP address or the fully qualified host name of the
       proxy server and [port] is the TCP port number on which the proxy is
       listening for incoming connections. If one of these variables is
       defined, openfortivpn first establishes a TCP connection to this proxy
       (plain HTTP, not encrypted) and then requests a connection to the VPN
       host as given on the command line or in the config file. The proxy is
       expected to forward any subsequent packets transparently to the VPN
       host, so that the TLS layer of the connection is effectively
       established between the client and the VPN host, and the proxy merely
       acts as a forwarder at the lower, TCP level of the connection.
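The proxy exchange above is a plain HTTP CONNECT handshake followed by a TLS session that the proxy only relays. The following added example (not openfortivpn code) shows both halves: reading the proxy address from the four variables in the documented http://[host]:[port] form (the order in which the variables are consulted is an assumption), building the CONNECT request, and deciding from the proxy's reply whether the tunnel is open; the sample replies are constructed.

```python
# Added example, not openfortivpn code: proxy discovery and the HTTP CONNECT
# exchange described above, with constructed sample replies.
import os
from urllib.parse import urlsplit

# Variables consulted; the order of precedence here is an assumption.
PROXY_VARS = ("https_proxy", "HTTPS_PROXY", "all_proxy", "ALL_PROXY")

def proxy_from_environ(environ=None):
    """Return (host, port) of the proxy named by the first set variable, or
    None when none is set. Only the documented http://[host]:[port] form is
    accepted; anything else is rejected rather than guessed at."""
    env = os.environ if environ is None else environ
    for name in PROXY_VARS:
        value = env.get(name)
        if not value:
            continue
        parts = urlsplit(value)
        if parts.scheme != "http" or not parts.hostname or parts.port is None:
            raise ValueError(f"{name} must be http://[host]:[port], got {value!r}")
        return parts.hostname, parts.port
    return None

def build_connect_request(vpn_host, vpn_port):
    """The request sent over the plain TCP connection to the proxy. After a
    2xx reply the TLS handshake with the VPN gateway runs through the same
    socket, so the proxy relays ciphertext only."""
    target = f"{vpn_host}:{vpn_port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def parse_connect_response(raw):
    """Split the proxy's status line into (code, reason). Raises on a
    truncated or non-HTTP reply instead of treating it as success."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response (no end of headers)")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    fields = status_line.split(" ", 2)
    if len(fields) < 2 or not fields[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(fields[1]), (fields[2] if len(fields) == 3 else "")

def tunnel_established(raw):
    """Only a 2xx status means the proxy opened the tunnel to the VPN host."""
    code, _reason = parse_connect_response(raw)
    return 200 <= code < 300

# Constructed sample replies, as a proxy might send them.
OK_REPLY = b"HTTP/1.1 200 Connection established\r\n\r\n"
DENIED_REPLY = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(proxy_from_environ({"HTTPS_PROXY": "http://proxy.example.net:3128"}))
    print(build_connect_request("vpn.example.net", 443))
    print(tunnel_established(OK_REPLY), tunnel_established(DENIED_REPLY))
```

Because the leg to the proxy is unencrypted, the proxy sees the VPN host name and port in the CONNECT line but nothing of the authentication or tunnel traffic, which only exists inside the end-to-end TLS session.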

       The following environment variables are set by openfortivpn so that
       pppd(8) or its scripts can obtain information this way:

              VPN_GATEWAY            the IP address of the gateway host

       and for each route three variables are set, with an integer number
       appended to the variable name denoting the number of the current
       route:

              VPN_ROUTE_DEST_...     the destination network of the route
              VPN_ROUTE_MASK_...     the network mask for this route
              VPN_ROUTE_GATEWAY_...  the gateway for the current route entry
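A script run by pppd sees these variables in its environment and has to reassemble the numbered triples itself. The following added example (not openfortivpn code) does that for a constructed environment, converting each DEST/MASK pair into prefix notation and rendering the iproute2 commands such a script might issue; it assumes the numbering starts at 0 and uses ppp0 as a placeholder interface name, and it executes nothing.

```python
# Added example, not openfortivpn code: how an ip-up style script could read
# VPN_GATEWAY and the numbered VPN_ROUTE_* variables. The environment is
# constructed; the interface name ppp0 is an assumed placeholder.
import ipaddress
import re

ROUTE_VAR = re.compile(r"^VPN_ROUTE_(DEST|MASK|GATEWAY)_(\d+)$")

SAMPLE_ENV = {
    "VPN_GATEWAY": "203.0.113.10",
    "VPN_ROUTE_DEST_0": "10.0.0.0",     "VPN_ROUTE_MASK_0": "255.255.0.0",
    "VPN_ROUTE_GATEWAY_0": "10.255.255.1",
    "VPN_ROUTE_DEST_1": "192.168.50.0", "VPN_ROUTE_MASK_1": "255.255.255.0",
    "VPN_ROUTE_GATEWAY_1": "10.255.255.1",
}

def routes_from_environ(environ):
    """Group VPN_ROUTE_{DEST,MASK,GATEWAY}_<n> into (network/prefix, gateway)
    tuples ordered by <n>. Numbering is assumed to start at 0; a route with
    one of its three variables missing is an error rather than skipped."""
    by_index = {}
    for name, value in environ.items():
        m = ROUTE_VAR.match(name)
        if m:
            by_index.setdefault(int(m.group(2)), {})[m.group(1)] = value
    routes = []
    for n in sorted(by_index):
        entry = by_index[n]
        missing = {"DEST", "MASK", "GATEWAY"} - entry.keys()
        if missing:
            raise ValueError(f"route {n} is missing {sorted(missing)}")
        # strict=False tolerates host bits set in DEST; the mask may be dotted.
        net = ipaddress.ip_network(f"{entry['DEST']}/{entry['MASK']}", strict=False)
        routes.append((str(net), entry["GATEWAY"]))
    return routes

def route_commands(environ, ifname="ppp0"):
    """Render iproute2 commands a script might run (strings only; nothing is
    executed here). The tunnel endpoint is reported first so a script can
    make sure it is not itself swallowed by one of the pushed routes."""
    gw = environ.get("VPN_GATEWAY")
    if gw is None:
        raise ValueError("VPN_GATEWAY not set")
    cmds = [f"# tunnel endpoint: {gw}"]
    for net, via in routes_from_environ(environ):
        cmds.append(f"ip route add {net} via {via} dev {ifname}")
    return cmds

if __name__ == "__main__":
    print("\n".join(route_commands(SAMPLE_ENV)))
```

Checking the pushed routes against the gateway address before installing them is the practical reason for exposing VPN_GATEWAY alongside the route triples.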

       If not compiled for pppd, the pppd options and the features that rely
       on them are not available. On FreeBSD --ppp-system is available
       instead.

CONFIG FILE
       Options can be taken from a configuration file. Options passed on the
       command line override those from the config file, though. The default
       config file is /etc/openfortivpn/config, but this can be set using the
       -c option. An empty template for the config file is installed to
       /usr/share/openfortivpn/config.template

       A config file looks like:

              # this is a comment
              host = vpn-gateway
              port = 443
              username = foo
              password = bar
              # realm = some-realm
              # useful for a gui that passes a config file to openfortivpn
              # otp = 123456
              # otp-delay = 0
              # otp-prompt = Please
              # pinentry = pinentry program
              user-cert = /etc/openfortivpn/user-cert.pem
              # user-cert = pkcs11: # use smartcard as client certificate
              user-key = /etc/openfortivpn/user-key.pem
              # the sha256 digest of the trusted host certs obtained by
              # openssl dgst -sha256 server-cert.crt:
              trusted-cert = certificatedigest4daa8c5fe6c...
              trusted-cert = othercertificatedigest6631bf...
              # This would specify a ca bundle instead of system-wide store
              # ca-file = /etc/openfortivpn/ca-bundle.pem
              set-dns = 0
              use-resolvconf = 1
              set-routes = 1
              half-internet-routes = 0
              pppd-use-peerdns = 1
              # alternatively, use a specific pppd plugin instead
              # pppd-plugin = /usr/lib/pppd/default/some-plugin.so
              # for debugging pppd write logs here
              # pppd-log = /var/log/pppd.log
              # pass ppp interface name to pppd (if supported by a patched pppd)
              # pppd-ifname = ppp1
              # pass an ipparam string to pppd, e.g. the device name (a similar use case)
              # pppd-ipparam = 'device=$DEVICE'
              # instruct pppd to call a script instead of passing arguments (if pppd supports it)
              # pppd-call = script
              # use-syslog = 0
              insecure-ssl = 0
              cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
              persistent = 0
              seclevel-1 = 0
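The format above is line-oriented `key = value` with `#` comment lines, a key that may repeat (trusted-cert), and the rule that command-line options win over the file. The following added example (not openfortivpn code) is a small reader for that format with the override rule and a file-permission check that the editor recommends because the file may hold a password; it assumes that an inline `# ...` after a value is not a comment, which the page does not say either way, and the sample config and digests are constructed.

```python
# Added example, not openfortivpn code: a reader for the `key = value` config
# format shown above, with command-line override and a permission check.
# The sample config text and its digest values are constructed.
import stat

MULTI_VALUED = {"trusted-cert"}   # repeated in the example above; others are single

SAMPLE_CONFIG = """\
# this is a comment
host = vpn-gateway
port = 443
username = foo
password = bar
# realm = some-realm
trusted-cert = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
trusted-cert = fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
set-dns = 0
set-routes = 1
"""

def parse_config(text):
    """Parse key = value lines; blank lines and lines starting with '#' are
    ignored. A repeated trusted-cert accumulates into a list; any other
    repeated key keeps its last value. An inline '# ...' after a value is
    NOT stripped (an assumption, the page does not specify this)."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = key.strip(), value.strip()
        if key in MULTI_VALUED:
            conf.setdefault(key, []).append(value)
        else:
            conf[key] = value
    return conf

def effective_options(file_options, cli_options):
    """Command-line options override the config file; an option not given on
    the command line (None) leaves the file's value in place."""
    merged = dict(file_options)
    merged.update({k: v for k, v in cli_options.items() if v is not None})
    return merged

def is_private(mode):
    """True when a file mode grants nothing to group or others, which is the
    permission a file containing a password should have (an editor's check,
    not a behaviour the page attributes to openfortivpn)."""
    return not (stat.S_IMODE(mode) & 0o077)

if __name__ == "__main__":
    conf = parse_config(SAMPLE_CONFIG)
    print(effective_options(conf, {"host": "other-gateway", "port": None}))
    print("0600 private:", is_private(0o100600), "| 0644 private:", is_private(0o100644))
```

To apply the permission check to a real file, pass `os.stat(path).st_mode` to is_private before reading the file.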


                               March 13, 2020                   OPENFORTIVPN(1)