OPENFORTIVPN(1)             General Commands Manual            OPENFORTIVPN(1)

NAME
       openfortivpn - Client for PPP+SSL VPN tunnel services


SYNOPSIS

       openfortivpn [<host>[:<port>]] [-u <user>] [-p <pass>] [--otp=<otp>]
       [--otp-prompt=<prompt>] [--otp-delay=<delay>] [--realm=<realm>]
       [--set-routes=<bool>] [--no-routes] [--set-dns=<bool>] [--no-dns]
       [--half-internet-routes=<bool>] [--ca-file=<file>] [--user-cert=<file>]
       [--user-cert=pkcs11:] [--user-key=<file>] [--use-syslog]
       [--trusted-cert=<digest>] [--insecure-ssl] [--cipher-list=<ciphers>]
       [--min-tls=<version>] [--seclevel-1] [--pppd-use-peerdns=<bool>]
       [--pppd-no-peerdns] [--pppd-log=<file>] [--pppd-plugin=<file>]
       [--pppd-ipparam=<string>] [--pppd-ifname=<string>] [--pppd-call=<name>]
       [--ppp-system=<string>] [--use-resolvconf=<bool>]
       [--persistent=<interval>] [-c <file>] [-v|-q]
       openfortivpn --help
       openfortivpn --version


DESCRIPTION

       openfortivpn connects to a VPN by setting up a tunnel to the gateway at
       <host>:<port>.


OPTIONS

       --help Show the help message and exit.

       --version
              Show version and exit.

       -c <file>, --config=<file>
              Specify a custom config file (default: /etc/openfortivpn/config).

       -u <user>, --username=<user>
              VPN account username.

       -p <pass>, --password=<pass>
              VPN account password.

       -o <otp>, --otp=<otp>
              One-Time-Password.

       --otp-prompt=<prompt>
              Search for the OTP password prompt starting with the string
              <prompt>.

       --otp-delay=<delay>
              Set the amount of time to wait before sending the One-Time-Password.
              The delay time must be specified in seconds, where 0 means no wait
              (this is the default).

       --realm=<realm>
              Connect to the specified authentication realm. Defaults to empty,
              which is usually what you want.

       --set-routes=<bool>, --no-routes
              Set if openfortivpn should try to configure IP routes through the
              VPN when the tunnel is up. If used multiple times, the last one
              takes priority.

              --no-routes is the same as --set-routes=0.

       --half-internet-routes=<bool>
              Set if openfortivpn should add the two routes 0.0.0.0/1 and
              128.0.0.0/1 with higher priority instead of replacing the default
              route.

       --set-dns=<bool>, --no-dns
              Set if openfortivpn should add DNS name servers to /etc/resolv.conf
              when the tunnel is up. A dns-suffix may also be received from the
              peer and added to /etc/resolv.conf along with the name servers.
              resolvconf is instructed to update the resolv.conf file if it is
              installed and --use-resolvconf is activated; otherwise openfortivpn
              prepends its changes to the existing content of the resolv.conf
              file. Note that there may be other mechanisms to update
              /etc/resolv.conf, e.g., --pppd-use-peerdns in conjunction with an
              ip-up script, which may require that openfortivpn is called with
              --no-dns.

              --no-dns is the same as --set-dns=0.

       --use-resolvconf=<bool>
              Set if openfortivpn should use resolvconf to add DNS name servers
              to /etc/resolv.conf. If it is set to false, the builtin fallback
              mechanism is used even if resolvconf is available.

       --ca-file=<file>
              Use the specified PEM-encoded certificate bundle instead of the
              system-wide store to verify the gateway certificate.

       --user-cert=<file>
              Use the specified PEM-encoded certificate if the server requires
              authentication with a certificate.

       --user-cert=pkcs11:
              To use a smartcard, pass at least the string pkcs11:. The value
              may be a full or a partial PKCS#11 URI (see p11tool
              --list-token-urls), for example:

                --user-cert = pkcs11:

                --user-cert = pkcs11:token=someuser

                --user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser

              This feature requires the OpenSSL PKCS#11 engine.

       --user-key=<file>
              Use the specified PEM-encoded key if the server requires
              authentication with a certificate.

       --use-syslog
              Log to syslog instead of the terminal.

       --trusted-cert=<digest>
              Trust a given gateway. If classical SSL certificate validation
              fails, the gateway certificate will be matched against this value.
              <digest> is the sha256 sum of the X509 certificate, which has to be
              encoded in DER form. This option can be used multiple times to
              trust several certificates.

       --insecure-ssl
              Do not disable insecure SSL protocols/ciphers. If your server
              requires a specific cipher, consider using --cipher-list instead.

       --cipher-list=<ciphers>
              OpenSSL ciphers to use. If the default does not work, you can try
              alternatives such as HIGH:!MD5:!RC4 or the cipher suggested by the
              Cipher: line in the output of openssl(1) (e.g. AES256-GCM-SHA384):

              $ openssl s_client -connect <host:port>

              (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)

              Applies to TLS v1.2 or lower only; not to be used with TLS v1.3
              ciphers.

       --min-tls=<version>
              Use the given minimum TLS version instead of the system default.
              Valid values are 1.0, 1.1, 1.2, 1.3.

       --seclevel-1
              If --cipher-list is not specified, add @SECLEVEL=1 to the list of
              ciphers. This relaxes the limits on the DH key size.

              Applies to TLS v1.2 or lower only.

       --pppd-use-peerdns=<bool>, --pppd-no-peerdns
              Whether to ask the peer ppp server for DNS server addresses and let
              pppd rewrite /etc/resolv.conf. There is no mechanism to tell the
              dns-suffix to pppd. If the DNS server addresses are requested,
              --set-dns=1 may also race with the mechanisms in pppd.

              --pppd-no-peerdns is the same as --pppd-use-peerdns=0.

       --pppd-log=<file>
              Set pppd in debug mode and save its logs into <file>.

       --pppd-plugin=<file>
              Use the specified pppd plugin instead of configuring the resolver
              and routes directly.

       --pppd-ipparam=<string>
              Provides an extra parameter to the ip-up, ip-pre-up and ip-down
              scripts. See pppd(8) for further details.

       --pppd-ifname=<string>
              Set the ppp interface name. Only if supported by pppd. Patched
              versions of pppd implement this option but may not be available
              on your platform.

       --pppd-call=<name>
              Drop the usual arguments from the pppd command line and add `call
              <name>' instead. This can be useful on Debian and Ubuntu, where
              unprivileged users in group `dip' can invoke `pppd call <name>' to
              make pppd read and apply options from /etc/ppp/peers/<name>
              (including privileged ones).

       --ppp-system=<string>
              Only available if compiled for the ppp user space client (e.g. on
              FreeBSD). Connect to the specified system as defined in
              /etc/ppp/ppp.conf.

       --persistent=<interval>
              Run the VPN persistently in an endless loop and try to reconnect
              forever. The reconnect interval may be specified in seconds, where
              0 means no reconnect is done (this is the default).

       -v     Increase verbosity. Can be used multiple times to be even more
              verbose.

       -q     Decrease verbosity. Can be used multiple times to be even less
              verbose.


ENVIRONMENT and proxy support

       openfortivpn can be run behind an HTTP proxy that supports the HTTP
       CONNECT method. It checks whether one of the environment variables
       https_proxy, HTTPS_PROXY, all_proxy or ALL_PROXY is set; these are
       expected to contain a string of the format

              http://[host]:[port]

       where [host] is the IP address or the fully qualified host name of the
       proxy server and [port] is the TCP port number on which the proxy is
       listening for incoming connections. If one of these variables is
       defined, openfortivpn first establishes a TCP connection to this proxy
       (plain HTTP, not encrypted), and then makes a request to connect to the
       VPN host as given on the command line or in the config file. The proxy
       is expected to forward any subsequent packets transparently to the VPN
       host, so that the TLS layer of the connection is effectively established
       between the client and the VPN host, and the proxy just acts as a
       forwarding instance on the lower level of the TCP connection.

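       The following shell script is an added example; it is not part of the
       openfortivpn man page or of the project's code. It is a pre-flight check
       for the proxy setting described above: it finds the proxy variable that
       will be used and confirms that the value is a plain-HTTP proxy in the
       http://[host]:[port] form, since an https:// or socks5:// proxy URL is
       not what the CONNECT leg described above speaks. The man page lists the
       four variables without stating an order, so the precedence below is an
       assumption, as are the helper names proxy_url, parse_proxy_url and
       proxy_check.

```sh
#!/bin/sh
# Added example, not part of the openfortivpn man page or project.
# Pre-flight check for the proxy environment: find the proxy variable that
# will be used and confirm it names a plain-HTTP proxy in the
# "http://[host]:[port]" form. The precedence order below is an assumption.

# Print the first non-empty proxy variable, or fail if none is set.
proxy_url() {
    for name in https_proxy HTTPS_PROXY all_proxy ALL_PROXY; do
        eval "value=\$$name"
        if [ -n "$value" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done
    return 1
}

# Split "http://[host]:[port]" into "host port"; reject any other scheme
# and any URL without a numeric port in 1..65535.
parse_proxy_url() {
    case $1 in
        http://*) rest=${1#http://} ;;
        *) return 1 ;;
    esac
    rest=${rest%/}                 # tolerate a trailing slash
    host=${rest%:*}
    port=${rest##*:}
    [ -n "$host" ] && [ "$host" != "$rest" ] || return 1
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s %s\n' "$host" "$port"
}

# Summarise what openfortivpn would do: "direct" when no proxy variable is
# set, "proxy <host> <port>" for a usable setting, "unusable <url>" (and a
# non-zero status) for a setting it cannot use.
proxy_check() {
    url=$(proxy_url) || { echo "direct"; return 0; }
    if hp=$(parse_proxy_url "$url"); then
        echo "proxy $hp"
    else
        echo "unusable $url"
        return 1
    fi
}
```

       Run proxy_check before starting openfortivpn in a wrapper script; a
       non-zero status means the environment would either be ignored or make
       the initial TCP connection fail.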
       openfortivpn sets the following environment variables, so that pppd(8)
       or its scripts can obtain information this way:

              VPN_GATEWAY            the ip of the gateway host

       For each route three variables are set up, where an integer number is
       appended to the variable names, denoting the number of the current
       route:

              VPN_ROUTE_DEST_...     the destination network of the route
              VPN_ROUTE_MASK_...     the network mask for this route
              VPN_ROUTE_GATEWAY_...  the gateway for the current route entry

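       The following shell script is an added example; it is not part of the
       openfortivpn man page or of the project's code. It is a pppd ip-up style
       script that consumes the VPN_GATEWAY and VPN_ROUTE_*_<n> variables
       listed above and prints the "ip route" commands it would run, so it can
       be tried without touching the routing table. pppd passes the interface
       name to ip-up scripts as $1. The man page does not state the first value
       of <n>, so the script discovers the indices from the environment instead
       of assuming 0 or 1; the helper names mask_to_prefix and
       vpn_route_commands, and the sample addresses in the usage comment, are
       assumptions.

```sh
#!/bin/sh
# Added example, not part of the openfortivpn man page or project.
# A pppd ip-up style script that consumes VPN_GATEWAY and
# VPN_ROUTE_{DEST,MASK,GATEWAY}_<n> and prints the "ip route" commands it
# would run (printing keeps it side-effect free; a real /etc/ppp/ip-up.d/
# script would execute them). The first index <n> is not stated by the man
# page, so the indices are discovered from the environment.

# Convert a dotted netmask to a prefix length (255.255.255.0 -> 24).
# Rejects malformed or non-contiguous masks.
mask_to_prefix() {
    [ -n "$1" ] || return 1
    prefix=0; octets=0; ended=0      # ended=1 once a non-255 octet was seen
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        octets=$((octets + 1))
        if [ "$ended" = 1 ] && [ "$octet" != 0 ]; then
            IFS=$old_ifs; return 1    # one bits after a zero bit: not a mask
        fi
        case $octet in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)); ended=1 ;;
            252) prefix=$((prefix + 6)); ended=1 ;;
            248) prefix=$((prefix + 5)); ended=1 ;;
            240) prefix=$((prefix + 4)); ended=1 ;;
            224) prefix=$((prefix + 3)); ended=1 ;;
            192) prefix=$((prefix + 2)); ended=1 ;;
            128) prefix=$((prefix + 1)); ended=1 ;;
            0)   ended=1 ;;
            *)   IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$octets" -eq 4 ] || return 1
    echo "$prefix"
}

# Print one "ip route add" line per route index found in the environment,
# in ascending index order. A route without its own gateway falls back to
# VPN_GATEWAY; a route with a bad mask is reported on stderr and skipped.
vpn_route_commands() {
    ifname="$1"
    env | sed -n 's/^VPN_ROUTE_DEST_\([0-9][0-9]*\)=.*/\1/p' | sort -n |
    while read -r n; do
        eval "dest=\$VPN_ROUTE_DEST_$n"
        eval "mask=\$VPN_ROUTE_MASK_$n"
        eval "gw=\$VPN_ROUTE_GATEWAY_$n"
        [ -n "$gw" ] || gw="$VPN_GATEWAY"
        if [ -z "$gw" ]; then
            echo "route $n: no gateway" >&2
            continue
        fi
        if ! prefix=$(mask_to_prefix "$mask"); then
            echo "route $n: bad netmask '$mask'" >&2
            continue
        fi
        echo "ip route add $dest/$prefix via $gw dev $ifname"
    done
}

# Usage from an ip-up script (interface name is pppd's first argument):
#   vpn_route_commands "$1"
# With constructed values VPN_ROUTE_DEST_0=10.0.0.0 VPN_ROUTE_MASK_0=255.0.0.0
# VPN_ROUTE_GATEWAY_0=192.0.2.1 this prints
#   ip route add 10.0.0.0/8 via 192.0.2.1 dev ppp0
```

       Validating the pushed netmask before using it matters because these
       values come from the gateway; a malformed entry should be logged and
       skipped rather than turned into an unintended route.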
       If not compiled for pppd, the pppd options and the features that rely on
       them are not available. On FreeBSD --ppp-system is available instead.


CONFIG FILE

       Options can be taken from a configuration file. Options passed on the
       command line will override those from the config file, though. The
       default config file is /etc/openfortivpn/config, but this can be set
       using the -c option. An empty template for the config file is installed
       to /usr/share/openfortivpn/config.template

       A config file looks like:
              # this is a comment
              host = vpn-gateway
              port = 443
              username = foo
              password = bar
              # realm = some-realm
              # useful for a gui that passes a config file to openfortivpn
              # otp = 123456
              # otp-delay = 0
              # otp-prompt = Please
              # pinentry = pinentry program
              user-cert = /etc/openfortivpn/user-cert.pem
              # user-cert = pkcs11: # use smartcard as client certificate
              user-key = /etc/openfortivpn/user-key.pem
              # the sha256 digest of the trusted host certs (DER-encoded) obtained by
              # openssl dgst -sha256 server-cert.crt:
              trusted-cert = certificatedigest4daa8c5fe6c...
              trusted-cert = othercertificatedigest6631bf...
              # This would specify a ca bundle instead of system-wide store
              # ca-file = /etc/openfortivpn/ca-bundle.pem
              set-dns = 0
              use-resolvconf = 1
              set-routes = 1
              half-internet-routes = 0
              pppd-use-peerdns = 1
              # alternatively, use a specific pppd plugin instead
              # pppd-plugin = /usr/lib/pppd/default/some-plugin.so
              # for debugging pppd write logs here
              # pppd-log = /var/log/pppd.log
              # pass ppp interface name to pppd (if supported by a patched pppd)
              # pppd-ifname = ppp1
              # pass an ipparam string to pppd, e.g. the device name (a similar use case)
              # pppd-ipparam = 'device=$DEVICE'
              # instruct pppd to call a script instead of passing arguments (if pppd supports it)
              # pppd-call = script
              # use-syslog = 0
              insecure-ssl = 0
              cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
              persistent = 0
              seclevel-1 = 0


                                 May 4, 2020                  OPENFORTIVPN(1)