OPENFORTIVPN(1)             General Commands Manual            OPENFORTIVPN(1)

NAME
       openfortivpn - Client for PPP+SSL VPN tunnel services

SYNOPSIS
       openfortivpn [<host>[:<port>]] [-u <user>] [-p <pass>] [--otp=<otp>]
       [--otp-prompt=<prompt>] [--otp-delay=<delay>] [--realm=<realm>]
       [--set-routes=<bool>] [--no-routes] [--set-dns=<bool>] [--no-dns]
       [--half-internet-routes=<bool>] [--ca-file=<file>] [--user-cert=<file>]
       [--user-cert=pkcs11:] [--user-key=<file>] [--use-syslog]
       [--trusted-cert=<digest>] [--insecure-ssl] [--cipher-list=<ciphers>]
       [--min-tls=<version>] [--seclevel-1] [--pppd-use-peerdns=<bool>]
       [--pppd-no-peerdns] [--pppd-log=<file>] [--pppd-plugin=<file>]
       [--pppd-ipparam=<string>] [--pppd-ifname=<string>] [--pppd-call=<name>]
       [--ppp-system=<string>] [--use-resolvconf=<bool>]
       [--persistent=<interval>] [-c <file>] [-v|-q]
       openfortivpn --help
       openfortivpn --version

DESCRIPTION
       openfortivpn connects to a VPN by setting up a tunnel to the gateway at
       <host>:<port>.

OPTIONS
       --help Show the help message and exit.

       --version
              Show version and exit.

       -c <file>, --config=<file>
              Specify a custom config file (default: /etc/openfortivpn/config).

       -u <user>, --username=<user>
              VPN account username.

       -p <pass>, --password=<pass>
              VPN account password.

       -o <otp>, --otp=<otp>
              One-Time-Password.

       --otp-prompt=<prompt>
              Search for the OTP password prompt starting with the string
              <prompt>.

       --otp-delay=<delay>
              Set the amount of time to wait before sending the
              One-Time-Password. The delay time must be specified in seconds,
              where 0 means no wait (this is the default).

       --realm=<realm>
              Connect to the specified authentication realm. Defaults to
              empty, which is usually what you want.

       --set-routes=<bool>, --no-routes
              Set if openfortivpn should try to configure IP routes through
              the VPN when the tunnel is up. If used multiple times, the last
              one takes priority.

              --no-routes is the same as --set-routes=0.

       --half-internet-routes=<bool>
              Set if openfortivpn should add two routes, 0.0.0.0/1 and
              128.0.0.0/1, with higher priority instead of replacing the
              default route.

       --set-dns=<bool>, --no-dns
              Set if openfortivpn should add DNS name servers to
              /etc/resolv.conf when the tunnel is up. A dns-suffix may also be
              received from the peer and added to /etc/resolv.conf together
              with the name servers. resolvconf is instructed to update
              resolv.conf if it is installed and --use-resolvconf is
              activated; otherwise openfortivpn prepends its changes to the
              existing content of resolv.conf. Note that there may be other
              mechanisms updating /etc/resolv.conf, e.g. --pppd-use-peerdns
              in conjunction with an ip-up script, which may require that
              openfortivpn is called with --no-dns. --no-dns is the same as
              --set-dns=0.


       --use-resolvconf=<bool>
              Set if openfortivpn should use resolvconf to add DNS name
              servers to /etc/resolv.conf. If it is set to false, the builtin
              fallback mechanism is used even if resolvconf is available.

       --ca-file=<file>
              Use the specified PEM-encoded certificate bundle instead of the
              system-wide store to verify the gateway certificate.

       --user-cert=<file>
              Use the specified PEM-encoded certificate if the server requires
              authentication with a certificate.

       --user-cert=pkcs11:
              Use at least the string pkcs11: to use a smartcard. It takes the
              full or a partial PKCS11-URI (see p11tool --list-token-urls):

              --user-cert = pkcs11:

              --user-cert = pkcs11:token=someuser

              --user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser

              This feature requires the OpenSSL PKCS engine!

       --user-key=<file>
              Use the specified PEM-encoded key if the server requires
              authentication with a certificate.

       --use-syslog
              Log to syslog instead of the terminal.

       --trusted-cert=<digest>
              Trust a given gateway. If classical SSL certificate validation
              fails, the gateway certificate will be matched against this
              value. <digest> is the sha256 sum of the X509 certificate. The
              certificate has to be encoded in DER form. This option can be
              used multiple times to trust several certificates.

       --insecure-ssl
              Do not disable insecure SSL protocols/ciphers. If your server
              requires a specific cipher, consider using --cipher-list
              instead.

       --cipher-list=<ciphers>
              OpenSSL ciphers to use. If the default does not work, you can
              try alternatives such as HIGH:!MD5:!RC4 or the one suggested by
              the Cipher: line in the output of openssl(1) (e.g.
              AES256-GCM-SHA384):

              $ openssl s_client -connect <host:port>

              (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)

              Applies to TLS v1.2 or lower only, not to be used with TLS v1.3
              ciphers.

       --min-tls=<version>
              Use the given minimum TLS version instead of the system default.
              Valid values are 1.0, 1.1, 1.2, 1.3.

       --seclevel-1
              If --cipher-list is not specified, add @SECLEVEL=1 to the list
              of ciphers. This lowers the limits on the DH key size.

              Applies to TLS v1.2 or lower only.

       --pppd-use-peerdns=<bool>, --pppd-no-peerdns
              Whether to ask the peer ppp server for DNS server addresses and
              let pppd rewrite /etc/resolv.conf. There is no mechanism to
              pass the dns-suffix to pppd. If the DNS server addresses are
              requested, --set-dns=1 may also race with the mechanisms in
              pppd.

              --pppd-no-peerdns is the same as --pppd-use-peerdns=0.

       --pppd-log=<file>
              Set pppd in debug mode and save its logs into <file>.

       --pppd-plugin=<file>
              Use the specified pppd plugin instead of configuring the
              resolver and routes directly.

       --pppd-ipparam=<string>
              Provides an extra parameter to the ip-up, ip-pre-up and ip-down
              scripts. See pppd(8) for further details.

       --pppd-ifname=<string>
              Set the ppp interface name. Only if supported by pppd. Patched
              versions of pppd implement this option but may not be available
              on your platform.

       --pppd-call=<name>
              Drop the usual arguments from the pppd command line and add
              `call <name>' instead. This can be useful on Debian and Ubuntu,
              where unprivileged users in group `dip' can invoke `pppd call
              <name>' to make pppd read and apply options from
              /etc/ppp/peers/<name> (including privileged ones).

       --ppp-system=<string>
              Only available if compiled for the ppp user space client (e.g.
              on FreeBSD). Connect to the specified system as defined in
              /etc/ppp/ppp.conf.

       --persistent=<interval>
              Run the VPN persistently in an endless loop and try to reconnect
              forever. The reconnect interval may be specified in seconds,
              where 0 means no reconnect is done (this is the default).

       -v     Increase verbosity. Can be used multiple times to be even more
              verbose.

       -q     Decrease verbosity. Can be used multiple times to be even less
              verbose.


NOTES
       openfortivpn can be run behind an HTTP proxy that supports the HTTP
       CONNECT command. It checks whether one of the environment variables
       https_proxy, HTTPS_PROXY, all_proxy or ALL_PROXY is set; they are
       expected to contain a string of the format

              http://[host]:[port]

       where [host] is the IP address or the fully qualified host name of the
       proxy server and [port] is the TCP port number on which the proxy
       listens for incoming connections. If one of these variables is
       defined, openfortivpn first establishes a TCP connection to this proxy
       (plain HTTP, not encrypted) and then makes a request to connect to the
       VPN host as given on the command line or in the config file. The proxy
       is supposed to forward any subsequent packets transparently to the VPN
       host, so that the TLS layer of the connection is effectively
       established between the client and the VPN host, and the proxy just
       acts as a forwarding instance on the lower level of the TCP connection.
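       The proxy lookup described above, as an added shell example that is
       not part of openfortivpn: it picks the first of the four variables
       that is set, validates the http://host:port form, and builds the
       CONNECT request a client sends before TLS starts. The precedence among
       the four variables and the exact wording of the request are
       assumptions, not taken from openfortivpn's source; the values used in
       the dry run are constructed.

```shell
#!/bin/sh
# Added example, not part of openfortivpn. Reproduces the proxy lookup the
# NOTES section describes: the first of https_proxy, HTTPS_PROXY, all_proxy,
# ALL_PROXY that is set wins, and its value must have the form http://host:port.
# The precedence order and the CONNECT request wording are assumptions.

# Print "host port" for the configured proxy; return 1 if none is set and 2 if
# the value is not a usable http://host:port URL.
find_http_proxy() {
    proxy=""
    for var in https_proxy HTTPS_PROXY all_proxy ALL_PROXY; do
        eval "val=\${$var}"
        if [ -n "$val" ]; then
            proxy="$val"
            break
        fi
    done
    [ -n "$proxy" ] || return 1
    case "$proxy" in
        http://*) ;;                       # only a plain-HTTP proxy is usable
        *) echo "proxy must use plain http://, got: $proxy" >&2; return 2 ;;
    esac
    hostport="${proxy#http://}"
    hostport="${hostport%%/*}"             # tolerate a trailing slash
    host="${hostport%%:*}"
    port="${hostport##*:}"
    if [ -z "$host" ] || [ "$host" = "$hostport" ]; then
        echo "proxy must be http://host:port, got: $proxy" >&2
        return 2
    fi
    case "$port" in
        *[!0-9]*|"") echo "bad proxy port in: $proxy" >&2; return 2 ;;
    esac
    echo "$host $port"
}

# The request a client sends the proxy so that it forwards the raw TCP stream
# to the VPN gateway; everything after the proxy's 200 reply is end-to-end TLS.
build_connect_request() {
    printf 'CONNECT %s:%s HTTP/1.1\r\nHost: %s:%s\r\n\r\n' "$1" "$2" "$1" "$2"
}

# Dry run with constructed values; no connection is made.
if hp=$(https_proxy=http://proxy.example:3128 find_http_proxy); then
    set -- $hp
    echo "would connect to proxy $1 on port $2 and send:"
    build_connect_request vpn-gateway 443 | tr -d '\r'
fi
```

       Because the proxy leg is plain HTTP, only the CONNECT line and the
       gateway host name are visible to the proxy; the TLS handshake and the
       VPN traffic inside it are not.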

       The following environment variables are set by openfortivpn so that
       pppd(8) or its scripts can obtain information this way:

              VPN_GATEWAY              the IP address of the gateway host

       and for each route three variables are set up, where an integer number
       is appended to the variable names, denoting the number of the current
       route:

              VPN_ROUTE_DEST_...       the destination network of the route
              VPN_ROUTE_MASK_...       the network mask for this route
              VPN_ROUTE_GATEWAY_...    the gateway for the current route entry
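       How an ip-up style script consumes these variables, as an added shell
       example that is not part of openfortivpn or pppd: it walks the
       numbered VPN_ROUTE_* variables and prints the ip route commands they
       imply instead of applying them. It assumes route numbers start at 0
       and are contiguous and that a missing per-route gateway falls back to
       VPN_GATEWAY; the environment at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not part of openfortivpn. Shows how a pppd ip-up style script
# can consume VPN_GATEWAY and VPN_ROUTE_{DEST,MASK,GATEWAY}_<n>. Routes are
# only printed as 'ip route' commands (dry run, no root needed). Assumptions:
# numbering starts at 0 and is contiguous; an empty per-route gateway falls
# back to VPN_GATEWAY.

# Convert a dotted netmask to a prefix length; fail on malformed or
# non-contiguous masks such as 255.0.255.0.
mask_to_prefix() {
    bits=0
    closed=0                      # set once a non-255 octet has been seen
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        if [ "$closed" -eq 1 ] && [ "$octet" != 0 ]; then
            return 1
        fi
        case "$octet" in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); closed=1 ;;
            252) bits=$((bits + 6)); closed=1 ;;
            248) bits=$((bits + 5)); closed=1 ;;
            240) bits=$((bits + 4)); closed=1 ;;
            224) bits=$((bits + 3)); closed=1 ;;
            192) bits=$((bits + 2)); closed=1 ;;
            128) bits=$((bits + 1)); closed=1 ;;
            0)   closed=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$bits"
}

# Walk VPN_ROUTE_*_0, VPN_ROUTE_*_1, ... and print one route command per entry.
print_vpn_routes() {
    if [ -z "$VPN_GATEWAY" ]; then
        echo "VPN_GATEWAY is not set" >&2
        return 1
    fi
    n=0
    while :; do
        eval "dest=\${VPN_ROUTE_DEST_$n}"
        [ -n "$dest" ] || break                # first missing entry ends the list
        eval "mask=\${VPN_ROUTE_MASK_$n}"
        eval "gw=\${VPN_ROUTE_GATEWAY_$n}"
        prefix=$(mask_to_prefix "$mask") || {
            echo "route $n: bad netmask '$mask'" >&2
            return 1
        }
        echo "ip route add $dest/$prefix via ${gw:-$VPN_GATEWAY}"
        n=$((n + 1))
    done
}

# Constructed environment, as openfortivpn would hand it to an ip-up script.
(
    VPN_GATEWAY=10.8.0.1
    VPN_ROUTE_DEST_0=10.0.0.0     VPN_ROUTE_MASK_0=255.255.0.0   VPN_ROUTE_GATEWAY_0=10.8.0.1
    VPN_ROUTE_DEST_1=192.168.50.0 VPN_ROUTE_MASK_1=255.255.255.0 VPN_ROUTE_GATEWAY_1=10.8.0.1
    print_vpn_routes
)
```

       A script that applies these routes runs as root under pppd, so it
       should reject anything that does not parse as an address or mask
       rather than pass the values to ip(8) unchecked, which is what the mask
       validation above is for.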

       If not compiled for pppd, the pppd options and the features that rely
       on them are not available. On FreeBSD --ppp-system is available
       instead.


CONFIG FILE
       Options can be taken from a configuration file. Options passed on the
       command line override those from the config file, though. The default
       config file is /etc/openfortivpn/config, but this can be set using the
       -c option. An empty template for the config file is installed to
       /usr/share/openfortivpn/config.template.

       A config file looks like:

              # this is a comment
              host = vpn-gateway
              port = 443
              username = foo
              password = bar
              # realm = some-realm
              # useful for a gui that passes a config file to openfortivpn
              # otp = 123456
              # otp-delay = 0
              # otp-prompt = Please
              # pinentry = pinentry program
              user-cert = /etc/openfortivpn/user-cert.pem
              # user-cert = pkcs11: # use smartcard as client certificate
              user-key = /etc/openfortivpn/user-key.pem
              # the sha256 digest of the trusted host certs obtained by
              # openssl dgst -sha256 server-cert.crt:
              trusted-cert = certificatedigest4daa8c5fe6c...
              trusted-cert = othercertificatedigest6631bf...
              # This would specify a ca bundle instead of system-wide store
              # ca-file = /etc/openfortivpn/ca-bundle.pem
              set-dns = 0
              use-resolvconf = 1
              set-routes = 1
              half-internet-routes = 0
              pppd-use-peerdns = 1
              # alternatively, use a specific pppd plugin instead
              # pppd-plugin = /usr/lib/pppd/default/some-plugin.so
              # for debugging pppd write logs here
              # pppd-log = /var/log/pppd.log
              # pass ppp interface name to pppd (if supported by a patched pppd)
              # pppd-ifname = ppp1
              # pass an ipparam string to pppd, e.g. the device name (a similar use case)
              # pppd-ipparam = 'device=$DEVICE'
              # instruct pppd to call a script instead of passing arguments (if pppd supports it)
              # pppd-call = script
              # use-syslog = 0
              insecure-ssl = 0
              cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
              persistent = 0
              seclevel-1 = 0
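       Computing the trusted-cert value, as an added shell example that is
       not part of openfortivpn and serves both the --trusted-cert option and
       the trusted-cert lines in the config above. The --trusted-cert option
       says the digest is taken over the certificate in DER form, so a PEM
       file as written by most tools has to be converted first; running
       openssl dgst directly on the PEM text, as the config comment suggests,
       gives a different value that will never match. The helpers, the
       self-signed test certificate and all paths are constructed here;
       gateway_cert_digest shows one way to fetch a live certificate and is
       not run.

```shell
#!/bin/sh
# Added example, not part of openfortivpn. Computes the value that
# --trusted-cert (or 'trusted-cert =' in the config file) expects: the sha256
# of the gateway certificate's DER encoding. Requires openssl(1). The test
# certificate and paths are constructed; gateway_cert_digest is an assumption
# about fetching a live certificate and is not run here.

# Lowercase hex sha256 of the DER encoding of a PEM certificate file.
trusted_cert_digest() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# The same value obtained via openssl's fingerprint output, for cross-checking
# (the SHA-256 fingerprint is the digest of the DER encoding).
fingerprint_digest() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//' | tr -d ':' | tr 'A-Z' 'a-z'
}

# What 'openssl dgst -sha256 cert.pem' yields on a PEM file: a digest of the
# base64 text, not of the certificate, so openfortivpn would never accept it.
pem_text_digest() {
    openssl dgst -sha256 < "$1" | awk '{print $NF}'
}

# Fetch the leaf certificate from a live gateway given as host:port and print
# its digest. Needs network and is not run here; confirm the certificate
# through another channel before pinning it with --trusted-cert.
gateway_cert_digest() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Constructed self-signed certificate so the example runs offline.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vpn-gateway.example" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo: create a test certificate and show the right and the wrong digest.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/server-cert.pem"
echo "trusted-cert = $(trusted_cert_digest "$demo_dir/server-cert.pem")"
echo "fingerprint  = $(fingerprint_digest "$demo_dir/server-cert.pem")"
echo "pem-text     = $(pem_text_digest "$demo_dir/server-cert.pem")  (wrong: PEM text)"
rm -rf "$demo_dir"
```

       The first two lines agree and are what goes after trusted-cert =; the
       third is the value you get by hashing the PEM file as-is. Because
       --trusted-cert is consulted only when normal certificate validation
       fails, a pinned digest is also worth rechecking whenever the gateway
       certificate is renewed.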


                                  May 4, 2020                   OPENFORTIVPN(1)