OPENFORTIVPN(1)             General Commands Manual            OPENFORTIVPN(1)



NAME

       openfortivpn - Client for PPP+SSL VPN tunnel services



SYNOPSIS

       openfortivpn [<host>[:<port>]] [-u <user>] [-p <pass>]
       [--pinentry=<name>] [--otp=<otp>] [--otp-prompt=<prompt>]
       [--otp-delay=<delay>] [--no-ftm-push] [--realm=<realm>]
       [--ifname=<interface>] [--set-routes=<bool>] [--no-routes]
       [--set-dns=<bool>] [--no-dns] [--half-internet-routes=<bool>]
       [--ca-file=<file>] [--user-cert=<file>] [--user-cert=pkcs11:]
       [--user-key=<file>] [--pem-passphrase=<pass>] [--use-syslog]
       [--trusted-cert=<digest>] [--insecure-ssl] [--cipher-list=<ciphers>]
       [--min-tls=<version>] [--seclevel-1] [--pppd-use-peerdns=<bool>]
       [--pppd-no-peerdns] [--pppd-log=<file>] [--pppd-plugin=<file>]
       [--pppd-ipparam=<string>] [--pppd-ifname=<string>] [--pppd-call=<name>]
       [--ppp-system=<string>] [--use-resolvconf=<bool>]
       [--persistent=<interval>] [-c <file>] [-v|-q]
       openfortivpn --help
       openfortivpn --version



DESCRIPTION

       openfortivpn connects to a VPN by setting up a tunnel to the gateway at
       <host>:<port>.  The gateway is a Fortinet SSL VPN: openfortivpn
       authenticates over a TLS connection, then runs a PPP session (through
       pppd(8), or the ppp user-space client on FreeBSD) inside that
       connection and optionally configures routes and DNS through the
       tunnel.



OPTIONS

       --help Show the help message and exit.

       --version
              Show version and exit.

       -c <file>, --config=<file>
              Specify a custom configuration file (default:
              /etc/openfortivpn/config).

       -u <user>, --username=<user>
              VPN account username.

       -p <pass>, --password=<pass>
              VPN account password in plain text.  A password given on the
              command line is visible to other local users in the process
              list and may end up in the shell history.  For a secure
              alternative, use --pinentry or let openfortivpn prompt for
              the password.

       --pinentry=<name>
              The pinentry program to use.  Allows supplying the password
              in a secure manner.  For example: pinentry-gnome3 on Linux,
              or pinentry-mac on macOS.

       -o <otp>, --otp=<otp>
              One-Time Password.

       --otp-prompt=<prompt>
              Search for the OTP password prompt starting with the string
              <prompt>.

       --otp-delay=<delay>
              Set the amount of time to wait before sending the One-Time
              Password.  The delay must be specified in seconds, where 0
              means no wait (this is the default).

       --no-ftm-push
              Do not use FTM push even if the server offers it.  The server
              may be configured to allow two-factor authentication through
              a push notification to the mobile application.  If this
              option is given, OTP-based authentication is used instead.

       --realm=<realm>
              Connect to the specified authentication realm.  Defaults to
              empty, which is usually what you want.

       --ifname=<interface>
              Bind the connection to the specified network interface.

       --set-routes=<bool>, --no-routes
              Set whether openfortivpn should try to configure IP routes
              through the VPN when the tunnel is up.  If used multiple
              times, the last one takes priority.

              --no-routes is the same as --set-routes=0.

       --half-internet-routes=<bool>
              Set whether openfortivpn should add two routes, 0.0.0.0/1 and
              128.0.0.0/1, which take priority over the existing default
              route because they are more specific, instead of replacing
              the default route itself.

       --set-dns=<bool>, --no-dns
              Set whether openfortivpn should add the DNS name servers
              received from the gateway to /etc/resolv.conf when the tunnel
              is up.  A DNS suffix received from the peer is added to
              /etc/resolv.conf at the same time.  If resolvconf is
              installed and --use-resolvconf is enabled, resolvconf is
              asked to perform the update; otherwise openfortivpn prepends
              its changes to the existing content of /etc/resolv.conf.
              Note that other mechanisms may also update /etc/resolv.conf,
              e.g. --pppd-use-peerdns together with an ip-up script, in
              which case openfortivpn should be called with --no-dns so
              that the two do not race each other.

              --no-dns is the same as --set-dns=0.

       --use-resolvconf=<bool>
              Set whether openfortivpn should use resolvconf to add DNS name
              servers to /etc/resolv.conf.  If set to false, the built-in
              fallback mechanism is used even if resolvconf is available.

       --ca-file=<file>
              Use the specified PEM-encoded certificate bundle instead of
              the system-wide store to verify the gateway certificate.

       --user-cert=<file>
              Use the specified PEM-encoded certificate if the server
              requires authentication with a client certificate.

       --user-cert=pkcs11:
              Pass at least the string pkcs11: to use a smartcard.  The
              value is a full or partial PKCS#11 URI (list the available
              token URIs with p11tool --list-token-urls):

                --user-cert = pkcs11:

                --user-cert = pkcs11:token=someuser

                --user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser

              This feature requires the OpenSSL PKCS#11 engine.

       --user-key=<file>
              Use the specified PEM-encoded private key if the server
              requires authentication with a client certificate.

       --pem-passphrase=<pass>
              Passphrase for the PEM-encoded private key.  As with
              --password, a value given on the command line is visible in
              the process list; prefer putting it in a configuration file
              that only root can read.

       --use-syslog
              Log to syslog instead of the terminal.

       --trusted-cert=<digest>
              Trust a given gateway.  If classical SSL certificate
              validation fails, the gateway certificate is matched against
              this value.  <digest> is the SHA-256 sum, as a hex string, of
              the X.509 certificate in DER form.  This option can be used
              multiple times to trust several certificates.

              Because the pin is only consulted after chain validation has
              already failed, it is a manual trust decision: obtain the
              digest out of band (e.g. from the gateway administrator)
              rather than from whatever certificate the first connection
              happens to present, and remember that the pin will stop
              matching when the gateway certificate is renewed.

       --insecure-ssl
              Do not disable insecure SSL protocols/ciphers.  This
              re-enables legacy protocol versions and cipher suites that
              are turned off by default and should be a last resort.  If
              your server requires a specific cipher, consider using
              --cipher-list instead.

       --cipher-list=<ciphers>
              OpenSSL ciphers to use.  If the default does not work, you can
              try alternatives such as HIGH:!MD5:!RC4, or the suite named on
              the Cipher: line in the output of openssl(1) (e.g.
              AES256-GCM-SHA384):

              $ openssl s_client -connect <host:port>

              (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)

              Applies to TLS v1.2 or lower only; TLS v1.3 cipher suites are
              not selected with this option.

       --min-tls=<version>
              Use the given minimum TLS version instead of the system
              default.  Valid values are 1.0, 1.1, 1.2, 1.3.

       --seclevel-1
              If --cipher-list is not specified, add @SECLEVEL=1 to the list
              of ciphers.  This lowers OpenSSL's minimum accepted key sizes
              to security level 1 (80-bit security), so that e.g. 1024-bit
              Diffie-Hellman parameters offered by an old gateway are
              accepted.

              Applies to TLS v1.2 or lower only.

       --pppd-use-peerdns=<bool>, --pppd-no-peerdns
              Whether to ask the peer PPP server for DNS server addresses
              and let pppd rewrite /etc/resolv.conf.  There is no mechanism
              to pass the DNS suffix to pppd.  If the DNS server addresses
              are requested this way, --set-dns=1 may race with pppd's own
              handling of /etc/resolv.conf.

              --pppd-no-peerdns is the same as --pppd-use-peerdns=0.

       --pppd-log=<file>
              Set pppd in debug mode and save its logs into <file>.

       --pppd-plugin=<file>
              Use the specified pppd plugin instead of configuring the
              resolver and routes directly.

       --pppd-ipparam=<string>
              Provides an extra parameter to the ip-up, ip-pre-up and
              ip-down scripts.  See pppd(8) for further details.

       --pppd-ifname=<string>
              Set the ppp interface name.  Only if supported by pppd.
              Patched versions of pppd implement this option but may not
              be available on your platform.

       --pppd-call=<name>
              Drop the usual arguments from the pppd command line and add
              `call <name>' instead.  This can be useful on Debian and
              Ubuntu, where unprivileged users in group `dip' can invoke
              `pppd call <name>' to make pppd read and apply options from
              /etc/ppp/peers/<name> (including privileged ones).  Since
              that file is applied with pppd's privileges, it must be
              writable by root only.

       --ppp-system=<string>
              Only available if compiled for the ppp user-space client
              (e.g. on FreeBSD).  Connect to the specified system as
              defined in /etc/ppp/ppp.conf.

       --persistent=<interval>
              Run the VPN persistently in an endless loop and try to
              reconnect forever.  The reconnect interval may be specified
              in seconds, where 0 means no reconnect is done (this is the
              default).

       -v     Increase verbosity.  Can be used multiple times to be even
              more verbose.

       -q     Decrease verbosity.  Can be used multiple times to be even
              less verbose.


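       The following script is an added example and not part of openfortivpn
       itself.  It produces the value that --trusted-cert (and trusted-cert =
       in the configuration file) expects, as described under --trusted-cert
       above: the SHA-256 digest of the gateway certificate in DER form, as
       hex without separators.  It assumes POSIX sh with sed, tr, base64 and
       sha256sum; the live fetch additionally needs openssl(1) and network
       access.  The sample PEM it writes is constructed for demonstration
       and is not a real certificate.

```sh
#!/bin/sh
# Added example, not openfortivpn's own code.  Computes the digest that
# --trusted-cert / "trusted-cert =" expects: SHA-256 over the DER bytes
# of the gateway certificate, printed as lowercase hex without colons.
# Assumes POSIX sh plus sed, tr, base64, sha256sum and, for the live
# fetch only, openssl(1).

# SHA-256 over the DER encoding of a PEM certificate file.  The PEM armour
# is stripped and the base64 body decoded, so this hashes exactly the bytes
# that "openssl x509 -in FILE -outform DER" would write.
pem_cert_digest() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" \
        | sed '/^-----/d' \
        | tr -d '\r\n' \
        | base64 -d \
        | sha256sum \
        | cut -d' ' -f1
}

# Convert the colon-separated, upper-case fingerprint printed by
# "openssl x509 -noout -fingerprint -sha256" into openfortivpn's format:
# hex only, no label, no separators, lowercase.
normalize_fingerprint() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Fetch the leaf certificate a gateway presents and digest it (network and
# openssl(1) required).  Compare the result with a value obtained out of
# band before pinning it: --trusted-cert is only consulted after normal
# chain validation has already failed, so it is a manual trust decision.
gateway_cert_digest() {
    host=$1
    port=${2:-443}   # assumption: 443 when no port is given
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform DER \
        | sha256sum | cut -d' ' -f1
}

# Constructed sample: a PEM wrapper around arbitrary text.  It is not a
# real certificate; it only exercises the PEM handling above.
SAMPLE_TEXT='constructed sample body: not a real certificate'
write_sample_pem() {
    {
        echo '-----BEGIN CERTIFICATE-----'
        printf '%s' "$SAMPLE_TEXT" | base64
        echo '-----END CERTIFICATE-----'
    } >"$1"
}

# Usage: script.sh --pem FILE      digest a PEM file on disk
#        script.sh HOST [PORT]     digest the certificate a gateway presents
if [ $# -ge 1 ]; then
    case $1 in
        --pem) pem_cert_digest "$2" ;;
        *)     gateway_cert_digest "$1" "$2" ;;
    esac
fi
```

       Both paths hash the DER bytes rather than the PEM file, which is the
       mistake to watch for: running sha256sum or openssl dgst over a
       PEM-encoded .crt file hashes the base64 text and produces a digest
       the gateway will never match.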

ENVIRONMENT and proxy support

       openfortivpn can be run behind an HTTP proxy that supports the HTTP
       CONNECT method.  It checks whether one of the environment variables
       https_proxy, HTTPS_PROXY, all_proxy or ALL_PROXY is set; the value is
       expected to be a string of the form

              http://[host]:[port]

       where [host] is the IP address or the fully qualified host name of
       the proxy server and [port] is the TCP port on which the proxy
       listens for incoming connections.  If one of these variables is
       defined, openfortivpn first establishes a TCP connection to the proxy
       (plain HTTP, not encrypted) and then asks it to connect to the VPN
       host given on the command line or in the configuration file.  The
       proxy is expected to forward all subsequent bytes transparently to
       the VPN host, so that the TLS session is established end to end
       between the client and the VPN host and the proxy merely relays the
       TCP stream.  The proxy therefore learns the gateway's host and port,
       but not the contents of the tunnel.

       The following environment variables are set by openfortivpn, so that
       pppd(8) or its scripts can obtain the information this way:

              VPN_GATEWAY            the IP address of the gateway host

       and for each route three variables are set, with an integer appended
       to the variable name denoting the number of the current route:

              VPN_ROUTE_DEST_...     the destination network of the route
              VPN_ROUTE_MASK_...     the network mask of this route
              VPN_ROUTE_GATEWAY_...  the gateway for the current route entry

       If not compiled for pppd, the pppd options and the features that rely
       on them are not available.  On FreeBSD, --ppp-system is available
       instead.


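       The following script is an added example and not part of openfortivpn
       or pppd.  It shows how an ip-up style hook can consume the VPN_GATEWAY
       and VPN_ROUTE_DEST_/VPN_ROUTE_MASK_/VPN_ROUTE_GATEWAY_ variables listed
       above and turn them into ip(8) route commands, which is the usual
       reason to run openfortivpn with --set-routes=0.  It assumes the
       interface name arrives as the first argument, as pppd passes it to
       ip-up scripts; the starting value of the route index is not stated on
       this page, so indices 0 to 255 are scanned; and the sample environment
       in the --demo branch is constructed, not taken from a real gateway.

```sh
#!/bin/sh
# Added example, not openfortivpn's or pppd's own code: an ip-up style hook
# that converts the VPN_GATEWAY and VPN_ROUTE_{DEST,MASK,GATEWAY}_<n>
# variables exported by openfortivpn into "ip route add" commands.
# Assumptions: $1 is the PPP interface (as pppd passes it to ip-up scripts);
# the first route index (0 or 1) is not documented here, so 0..255 are
# scanned; commands are only executed when DRY_RUN is empty.

# Dotted-quad netmask to prefix length.  Non-contiguous masks are rejected,
# since "ip route" cannot express them.
mask_to_prefix() {
    mask=$1
    oldifs=$IFS
    IFS=.
    set -- $mask
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    prefix=0
    partial=0
    for octet in "$@"; do
        case $octet in
            255) bits=8 ;;  254) bits=7 ;;  252) bits=6 ;;  248) bits=5 ;;
            240) bits=4 ;;  224) bits=3 ;;  192) bits=2 ;;  128) bits=1 ;;
            0)   bits=0 ;;  *)   return 1 ;;
        esac
        # After the first octet that is not 255, only zero octets may follow.
        if [ "$partial" -eq 1 ] && [ "$bits" -ne 0 ]; then
            return 1
        fi
        [ "$bits" -eq 8 ] || partial=1
        prefix=$((prefix + bits))
    done
    echo "$prefix"
}

# Print one "ip route add" line per VPN_ROUTE_*_<n> triple in the
# environment.  An empty or 0.0.0.0 gateway means a route directly over
# the PPP interface.
vpn_route_commands() {
    ifname=$1
    i=0
    while [ "$i" -le 255 ]; do
        eval "dest=\${VPN_ROUTE_DEST_$i-}"
        if [ -n "$dest" ]; then
            eval "mask=\${VPN_ROUTE_MASK_$i-}"
            eval "gw=\${VPN_ROUTE_GATEWAY_$i-}"
            if ! plen=$(mask_to_prefix "$mask"); then
                echo "route $i: unsupported netmask '$mask'" >&2
                return 1
            fi
            case $gw in
                ''|0.0.0.0) echo "ip route add $dest/$plen dev $ifname" ;;
                *)          echo "ip route add $dest/$plen via $gw dev $ifname" ;;
            esac
        fi
        i=$((i + 1))
    done
}

# Hook entry point: refuse to run outside openfortivpn (no VPN_GATEWAY),
# generate the commands, then print or execute them.
vpn_ip_up() {
    if [ -z "${VPN_GATEWAY-}" ]; then
        echo "VPN_GATEWAY is not set; not invoked by openfortivpn?" >&2
        return 1
    fi
    cmds=$(vpn_route_commands "$1") || return 1
    printf '%s\n' "$cmds" | while read -r cmd; do
        [ -n "$cmd" ] || continue
        if [ -n "${DRY_RUN-}" ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

case ${1-} in
    --demo)
        # Constructed sample environment, not values from a real gateway.
        VPN_GATEWAY=198.51.100.1
        VPN_ROUTE_DEST_1=10.0.0.0  VPN_ROUTE_MASK_1=255.255.0.0   VPN_ROUTE_GATEWAY_1=198.51.100.1
        VPN_ROUTE_DEST_2=192.0.2.0 VPN_ROUTE_MASK_2=255.255.255.0 VPN_ROUTE_GATEWAY_2=0.0.0.0
        DRY_RUN=1
        vpn_ip_up ppp0
        ;;
    ppp*)
        vpn_ip_up "$1"   # invoked by pppd as an ip-up script: $1 is the interface
        ;;
esac
```

       Run with --demo to see the generated commands without touching the
       routing table.  Installed as an ip-up script, it only acts when
       VPN_GATEWAY is present, so the same file is inert for PPP sessions
       that openfortivpn did not start.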

CONFIGURATION

       Options can be taken from a configuration file; options passed on the
       command line override those from the configuration file.  The default
       configuration file is /etc/openfortivpn/config, but this can be
       changed with the -c option.  An empty template for the configuration
       file is installed as /usr/share/openfortivpn/config.template.  Since
       the file may hold the password and the PEM passphrase, it should be
       readable by root only.

       A configuration file looks like:
              # this is a comment
              host = vpn-gateway
              port = 443
              username = foo
              # Password in plain text.
              # For a secure alternative, use pinentry or let openfortivpn
              # prompt for the password.
              # password = bar
              # The pinentry program to use. Allows supplying the password in
              # a secure manner.
              # pinentry = pinentry-mac
              # realm = some-realm
              # useful for a gui that passes a configuration file to
              # openfortivpn
              # otp = 123456
              # otp-delay = 0
              # otp-prompt = Please
              # This would disable FTM push notification support, and use OTP
              # instead
              # no-ftm-push = 1
              user-cert = /etc/openfortivpn/user-cert.pem
              # user-cert = pkcs11: # use smartcard as client certificate
              user-key = /etc/openfortivpn/user-key.pem
              pem-passphrase = baz
              # the sha256 digest of the trusted host certs, computed over the
              # DER encoding of the certificate:
              # openssl x509 -in server-cert.crt -outform DER | openssl dgst -sha256
              trusted-cert = certificatedigest4daa8c5fe6c...
              trusted-cert = othercertificatedigest6631bf...
              # This would specify a ca bundle instead of system-wide store
              # ca-file = /etc/openfortivpn/ca-bundle.pem
              set-dns = 0
              use-resolvconf = 1
              set-routes = 1
              half-internet-routes = 0
              pppd-use-peerdns = 1
              # alternatively, use a specific pppd plugin instead
              # pppd-plugin = /usr/lib/pppd/default/some-plugin.so
              # for debugging pppd write logs here
              # pppd-log = /var/log/pppd.log
              # pass ppp interface name to pppd (if supported by a patched
              # pppd)
              # pppd-ifname = ppp1
              # pass an ipparam string to pppd, e.g. the device name (a
              # similar use case)
              # pppd-ipparam = 'device=$DEVICE'
              # instruct pppd to call a script instead of passing arguments
              # (if pppd supports it)
              # pppd-call = script
              # use-syslog = 0
              insecure-ssl = 0
              cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
              persistent = 0
              seclevel-1 = 0



SEE ALSO

       The openfortivpn home page (https://github.com/adrienverge/openfortivpn)
       provides a short introduction in the README file and additional
       information under the Wiki tab.



                                  May 4, 2020                  OPENFORTIVPN(1)