OPENFORTIVPN(1)             General Commands Manual            OPENFORTIVPN(1)



NAME

       openfortivpn - Client for PPP+SSL VPN tunnel services


SYNOPSIS

       openfortivpn [<host>[:<port>]] [-u <user>] [-p <pass>]
       [--cookie=<cookie>] [--cookie-on-stdin] [--pinentry=<name>]
       [-o <otp>|--otp=<otp>] [--otp-prompt=<prompt>] [--otp-delay=<delay>]
       [--no-ftm-push] [--realm=<realm>] [--ifname=<interface>]
       [--set-routes=<bool>] [--no-routes] [--set-dns=<bool>] [--no-dns]
       [--half-internet-routes=<bool>] [--ca-file=<file>] [--user-cert=<file>]
       [--user-cert=pkcs11:] [--user-key=<file>] [--pem-passphrase=<pass>]
       [--use-syslog] [--trusted-cert=<digest>] [--insecure-ssl]
       [--cipher-list=<ciphers>] [--min-tls=<version>] [--seclevel-1]
       [--pppd-use-peerdns=<bool>] [--pppd-no-peerdns] [--pppd-log=<file>]
       [--pppd-plugin=<file>] [--pppd-ipparam=<string>] [--pppd-ifname=<string>]
       [--pppd-call=<name>] [--pppd-accept-remote=<bool>] [--ppp-system=<string>]
       [--use-resolvconf=<bool>] [--persistent=<interval>] [-c <file>] [-v|-q]
       openfortivpn --help
       openfortivpn --version


DESCRIPTION

       openfortivpn connects to a VPN by setting up a tunnel to the gateway at
       <host>:<port>.


OPTIONS

       --help Show the help message and exit.

       --version
              Show version and exit.

       -c <file>, --config=<file>
              Specify a custom configuration file (default:
              /etc/openfortivpn/config).

       -u <user>, --username=<user>
              VPN account username.

       -p <pass>, --password=<pass>
              VPN account password in plain text. A password given on the
              command line is visible to other local users in the process list
              (ps) and may be kept in the shell history. For a secure
              alternative, use pinentry or let openfortivpn prompt for the
              password.

       --cookie=<cookie>
              A valid cookie (SVPNCOOKIE) to use in place of username and
              password. The cookie is a session credential and must be
              protected like a password; prefer --cookie-on-stdin to passing
              it on the command line.

       --cookie-on-stdin
              Read the cookie (SVPNCOOKIE) from standard input.

       --pinentry=<name>
              The pinentry program to use. Allows supplying the password in a
              secure manner. For example: pinentry-gnome3 on Linux, or
              pinentry-mac on macOS.

       -o <otp>, --otp=<otp>
              One-Time-Password.

       --otp-prompt=<prompt>
              Search for the OTP password prompt starting with the string
              <prompt>.

       --otp-delay=<delay>
              Set the amount of time to wait before sending the
              One-Time-Password. The delay time must be specified in seconds,
              where 0 means no wait (this is the default).

       --no-ftm-push
              Do not use FTM push if the server provides the option. The server
              may be configured to allow two factor authentication through a
              push notification to the mobile application. If this option is
              provided, authentication based on OTP will be used instead.

       --realm=<realm>
              Connect to the specified authentication realm. Defaults to
              empty, which is usually what you want.

       --ifname=<interface>
              Bind the connection to the specified network interface.

       --set-routes=<bool>, --no-routes
              Set if openfortivpn should try to configure IP routes through
              the VPN when the tunnel is up. If used multiple times, the last
              one takes priority.

              --no-routes is the same as --set-routes=0.

       --half-internet-routes=<bool>
              Set if openfortivpn should add two 0.0.0.0/1 and 128.0.0.0/1
              routes with higher priority instead of replacing the default
              route. Because a /1 prefix is more specific than the existing
              0.0.0.0/0 default, the two routes win longest-prefix matching
              for every destination while the original default route stays in
              place for when the tunnel goes down.

       --set-dns=<bool>, --no-dns
              Set if openfortivpn should add DNS name servers in
              /etc/resolv.conf when the tunnel is up. A dns-suffix may also be
              received from the peer and added to /etc/resolv.conf together
              with the name servers. resolvconf is instructed to do the update
              of the resolv.conf file if it is installed and --use-resolvconf
              is activated, otherwise openfortivpn prepends its changes to the
              existing content of the resolv.conf file. Note that there may be
              other mechanisms to update /etc/resolv.conf, e.g.,
              --pppd-use-peerdns in conjunction with an ip-up script, which may
              require that openfortivpn is called with --no-dns.

              --no-dns is the same as --set-dns=0.

       --use-resolvconf=<bool>
              Set if openfortivpn should use resolvconf to add DNS name
              servers in /etc/resolv.conf. If it is set to false, the builtin
              fallback mechanism is used even if resolvconf is available.

       --ca-file=<file>
              Use the specified PEM-encoded certificate bundle instead of the
              system-wide store to verify the gateway certificate.

       --user-cert=<file>
              Use the specified PEM-encoded certificate if the server requires
              authentication with a certificate.

       --user-cert=pkcs11:
              Use at least the string pkcs11: to use a smartcard. It takes the
              full or a partial PKCS#11 URI (see p11tool --list-token-urls):

                --user-cert = pkcs11:

                --user-cert = pkcs11:token=someuser

                --user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser

              This feature requires the OpenSSL PKCS#11 engine!

       --user-key=<file>
              Use the specified PEM-encoded key if the server requires
              authentication with a certificate.

       --pem-passphrase=<pass>
              Pass phrase for the PEM-encoded key. Like --password, it is
              visible in the process list when given on the command line;
              prefer the configuration file, kept readable by root only.

       --use-syslog
              Log to syslog instead of terminal.

       --trusted-cert=<digest>
              Trust a given gateway. If classical SSL certificate validation
              fails, the gateway certificate will be matched against this
              value. <digest> is the sha256 sum, as a hex string, of the X509
              certificate encoded in DER form. This option can be used
              multiple times to trust several certificates. Because it
              bypasses chain validation, obtain the digest out of band (for
              example from the gateway administrator) rather than from the
              first connection you happen to make, which could already be
              intercepted.

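              To see exactly what --trusted-cert compares against, here is an
              added example in Python (not part of openfortivpn or its
              documentation): it extracts the first certificate of a PEM file,
              hashes its DER encoding with sha256 and checks the result against
              a list of pinned digests the way the fallback does. The sample
              certificate bytes are constructed and are not a real X.509
              structure; ignoring hex case in the comparison is this script's
              choice, not documented behaviour.

```python
import base64
import hashlib
import re

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string to DER bytes.

    Only the first block is used: the digest that --trusted-cert matches is
    that of the gateway's own certificate, not of an intermediate or root CA
    that may follow it in a chain file."""
    m = PEM_CERT_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def trusted_cert_digest(pem: str) -> str:
    """The value to put after --trusted-cert= : sha256 over the DER encoding."""
    return sha256_hex(pem_to_der(pem))


def is_trusted(pem: str, pinned_digests) -> bool:
    """Emulate the fallback check: the leaf digest must equal one of the pins.
    Hex case is ignored here (this script's choice, not documented)."""
    digest = trusted_cert_digest(pem)
    return any(digest == pin.strip().lower() for pin in pinned_digests)


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (64-column base64); used to build the sample."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed sample standing in for a gateway certificate: the digest
# computation does not care that this is not a real X.509 structure.
SAMPLE_DER = b"constructed sample, not a real X.509 certificate; " * 4
SAMPLE_PEM = pem_from_der(SAMPLE_DER)

if __name__ == "__main__":
    print("trusted-cert = " + trusted_cert_digest(SAMPLE_PEM))
```

              With openssl(1) the same value for a certificate file is
              `openssl x509 -in server-cert.pem -outform DER | openssl dgst
              -sha256`, and for a live gateway `openssl s_client -connect
              <host:port> </dev/null 2>/dev/null | openssl x509 -outform DER |
              openssl dgst -sha256`; the latter only pins what you were shown
              on that connection, so compare it with a value obtained out of
              band before putting it in the configuration.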
       --insecure-ssl
              Do not disable insecure SSL protocols/ciphers. This weakens the
              connection to the gateway; if your server requires a specific
              cipher, consider using --cipher-list instead.

       --cipher-list=<ciphers>
              OpenSSL ciphers to use. If the default does not work, you can
              try alternatives such as HIGH:!MD5:!RC4 or as suggested by the
              Cipher: line in the output of openssl(1) (e.g.
              AES256-GCM-SHA384):

              $ openssl s_client -connect <host:port>

              (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)

              Applies to TLS v1.2 or lower only, not to be used with TLS v1.3
              ciphers.

       --min-tls=<version>
              Use minimum TLS version instead of the system default. Valid
              values are 1.0, 1.1, 1.2, 1.3.

       --seclevel-1
              If --cipher-list is not specified, add @SECLEVEL=1 to the list
              of ciphers. This lowers the minimum accepted DH key size
              (OpenSSL security level 1 still accepts 1024-bit parameters), so
              use it only for gateways that cannot be upgraded.

              Applies to TLS v1.2 or lower only.

       --pppd-use-peerdns=<bool>, --pppd-no-peerdns
              Whether to ask the peer ppp server for DNS server addresses and
              let pppd rewrite /etc/resolv.conf. There is no mechanism to tell
              the dns-suffix to pppd. If the DNS server addresses are
              requested, --set-dns=1 may also race with the mechanisms in
              pppd.

              --pppd-no-peerdns is the same as --pppd-use-peerdns=0.

       --pppd-log=<file>
              Set pppd in debug mode and save its logs into <file>.

       --pppd-plugin=<file>
              Use the specified pppd plugin instead of configuring the
              resolver and routes directly.

       --pppd-ipparam=<string>
              Provides an extra parameter to the ip-up, ip-pre-up and ip-down
              scripts. See pppd(8) for further details.

       --pppd-ifname=<string>
              Set the ppp interface name. Only if supported by pppd. Patched
              versions of pppd implement this option but may not be available
              on your platform.

       --pppd-call=<name>
              Drop the usual arguments from the pppd command line and add
              `call <name>' instead. This can be useful on Debian and Ubuntu,
              where unprivileged users in group `dip' can invoke `pppd call
              <name>' to make pppd read and apply options from
              /etc/ppp/peers/<name> (including privileged ones).

       --pppd-accept-remote=<bool>
              Whether to invoke pppd with `ipcp-accept-remote'. Enabling this
              option breaks pppd < 2.5.0 but is required by newer pppd
              versions.

       --ppp-system=<string>
              Only available if compiled for the ppp user space client (e.g.
              on FreeBSD). Connect to the specified system as defined in
              /etc/ppp/ppp.conf.

       --persistent=<interval>
              Run the VPN persistently in an endless loop and try to reconnect
              forever. The reconnect interval may be specified in seconds,
              where 0 means no reconnect is done (this is the default).

       -v     Increase verbosity. Can be used multiple times to be even more
              verbose.

       -q     Decrease verbosity. Can be used multiple times to be even less
              verbose.


ENVIRONMENT and proxy support

       openfortivpn can be run behind an HTTP proxy that supports the HTTP
       CONNECT method. It checks if one of the environment variables
       https_proxy, HTTPS_PROXY, all_proxy, ALL_PROXY is set, which are
       supposed to contain a string of the format
       http://[host]:[port]
       where [host] is the IP address or the fully qualified host name of the
       proxy server and [port] is the TCP port number where the proxy is
       listening for incoming connections. If one of these variables is
       defined, openfortivpn first establishes a TCP connection to this proxy
       (plain HTTP, not encrypted), and then makes a request to connect to the
       VPN host as given on the command line or in the configuration file.
       The proxy is supposed to forward any subsequent packets transparently
       to the VPN host, so that the TLS layer of the connection is effectively
       established end to end between the client and the VPN host, and the
       proxy just acts as a forwarding instance on the lower level of the TCP
       connection. The proxy therefore only learns the gateway's host name
       and port from the CONNECT request, not the contents of the tunnel, and
       the gateway certificate is still validated for the VPN host, not for
       the proxy.

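       The exchange described above, as an added Python example that is not
       part of openfortivpn: it picks the proxy from the environment (the
       precedence among the four variables is this script's assumption),
       builds the CONNECT request, and accepts only a 2xx reply before TLS
       would be started. The parsing and checking functions run offline on
       constructed input; open_tunnel shows the real socket sequence,
       including wrapping the proxied socket in TLS against the VPN host name
       rather than the proxy's.

```python
import re
import socket
import ssl
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Variables openfortivpn consults; the order of precedence used here is an
# assumption of this example, not documented behaviour.
PROXY_VARS = ("https_proxy", "HTTPS_PROXY", "all_proxy", "ALL_PROXY")


def parse_proxy_url(url: str) -> Tuple[str, int]:
    """Parse http://[host]:[port]; any other shape is rejected."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname or parts.port is None:
        raise ValueError("proxy URL must look like http://host:port, got %r" % url)
    return parts.hostname, parts.port


def proxy_from_env(env: Dict[str, str]) -> Optional[Tuple[str, int]]:
    """Return (host, port) of the first proxy variable that is set, else None."""
    for name in PROXY_VARS:
        if env.get(name):
            return parse_proxy_url(env[name])
    return None


def build_connect_request(vpn_host: str, vpn_port: int) -> bytes:
    """The only thing the proxy learns: the gateway's host name and port."""
    target = "%s:%d" % (vpn_host, vpn_port)
    return ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (target, target)).encode("ascii")


def tunnel_established(reply: bytes) -> bool:
    """Accept only a 2xx status line. A 407 (proxy authentication), a 403 or
    an HTML error page means no tunnel exists and TLS must not be started."""
    status_line = reply.split(b"\r\n", 1)[0]
    m = re.match(rb"HTTP/1\.[01] (\d{3})(?: |$)", status_line)
    return bool(m) and 200 <= int(m.group(1)) < 300


def read_proxy_reply(sock: socket.socket) -> bytes:
    """Read up to the end of the proxy's response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def open_tunnel(proxy: Tuple[str, int], vpn_host: str, vpn_port: int) -> ssl.SSLSocket:
    """Plain TCP to the proxy, CONNECT, then TLS end to end with the gateway.
    The certificate is checked against vpn_host, never against the proxy."""
    sock = socket.create_connection(proxy)
    sock.sendall(build_connect_request(vpn_host, vpn_port))
    reply = read_proxy_reply(sock)
    if not tunnel_established(reply):
        sock.close()
        raise ConnectionError("proxy refused CONNECT: %r" % reply.split(b"\r\n", 1)[0])
    ctx = ssl.create_default_context()  # system CA store, as without --ca-file
    return ctx.wrap_socket(sock, server_hostname=vpn_host)
```

       A proxy that answers 407 or serves a block page is the common failure
       here; starting the TLS handshake on such a socket produces a confusing
       "wrong version number" error rather than a clear "proxy refused".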
       The following environment variables are set by openfortivpn so that
       pppd(8) or its scripts can obtain information this way:
       VPN_GATEWAY the IP address of the gateway host
       and for each route three variables are set up, where an integer number
       is appended to the variable names, denoting the number of the current
       route:
       VPN_ROUTE_DEST_... the destination network of the route
       VPN_ROUTE_MASK_... the network mask for this route
       VPN_ROUTE_GATEWAY_... the gateway for the current route entry

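       As an added illustration (Python, not openfortivpn's own route code or
       a script shipped with it) of how an ip-up helper can consume these
       variables: the route index is discovered from the names present rather
       than assumed to start at 0 or 1, dotted masks are turned into prefixes,
       and a pushed default route can be split into the two /1 routes that
       --half-internet-routes describes. The sample environment is
       constructed, and the "ip route replace ... dev ppp0" rendering is this
       example's choice; a real ip-up script receives the interface name from
       pppd as its first argument.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

ROUTE_DEST_RE = re.compile(r"^VPN_ROUTE_DEST_(\d+)$")


def vpn_routes(env: Dict[str, str]) -> List[Tuple[object, object]]:
    """Collect (network, gateway) pairs from the VPN_ROUTE_* triplets.

    Assumption: the three variables of one route share the same numeric
    suffix, as the man page describes; the starting index is not assumed."""
    found = []
    for name, dest in env.items():
        m = ROUTE_DEST_RE.match(name)
        if not m:
            continue
        idx = m.group(1)
        mask = env.get("VPN_ROUTE_MASK_" + idx)
        gw = env.get("VPN_ROUTE_GATEWAY_" + idx)
        if mask is None or gw is None:
            raise ValueError("route %s: VPN_ROUTE_MASK/GATEWAY missing" % idx)
        # ipaddress accepts "dest/dotted-mask"; strict=False tolerates host
        # bits set in the destination instead of raising
        net = ipaddress.ip_network("%s/%s" % (dest, mask), strict=False)
        found.append((int(idx), net, ipaddress.ip_address(gw)))
    found.sort(key=lambda t: t[0])
    return [(net, gw) for _, net, gw in found]


def route_commands(env: Dict[str, str], dev: str = "ppp0",
                   half_internet: bool = False) -> List[List[str]]:
    """Render the ip(8) argv an ip-up script would run (this example's
    rendering). With half_internet=True a pushed 0.0.0.0/0 is replaced by
    0.0.0.0/1 and 128.0.0.0/1, which beat the existing default route by
    longest-prefix match without removing it."""
    cmds = []
    for net, gw in vpn_routes(env):
        targets = [net]
        if half_internet and net.prefixlen == 0:
            targets = list(net.subnets(prefixlen_diff=1))
        for t in targets:
            cmds.append(["ip", "route", "replace", str(t), "via", str(gw), "dev", dev])
    return cmds


# Constructed sample environment, as an ip-up script would see it
SAMPLE_ENV = {
    "VPN_GATEWAY": "203.0.113.10",
    "VPN_ROUTE_DEST_0": "10.0.0.0", "VPN_ROUTE_MASK_0": "255.0.0.0",
    "VPN_ROUTE_GATEWAY_0": "192.0.2.1",
    "VPN_ROUTE_DEST_1": "192.168.50.7", "VPN_ROUTE_MASK_1": "255.255.255.0",
    "VPN_ROUTE_GATEWAY_1": "192.0.2.1",
}

if __name__ == "__main__":
    for argv in route_commands(SAMPLE_ENV):
        print(" ".join(argv))
```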
       If not compiled for pppd, the pppd options and features that rely on
       them are not available. On FreeBSD --ppp-system is available instead.



CONFIGURATION

       Options can be taken from a configuration file. Options passed on the
       command line will override those from the configuration file, though.
       The default configuration file is /etc/openfortivpn/config, but this
       can be set using the -c option. An empty template for the configuration
       file is installed to /usr/share/openfortivpn/config.template. Since the
       file may hold a password, a PEM pass phrase or an OTP, keep it readable
       by root only.

       A configuration file looks like:
              # this is a comment
              host = vpn-gateway
              port = 443
              username = foo
              # Password in plain text.
              # For a secure alternative, use pinentry or let openfortivpn
              # prompt for the password.
              # password = bar
              # The pinentry program to use. Allows supplying the password in
              # a secure manner.
              # pinentry = pinentry-mac
              # realm = some-realm
              # useful for a gui that passes a configuration file to
              # openfortivpn
              # otp = 123456
              # otp-delay = 0
              # otp-prompt = Please
              # This would disable FTM push notification support, and use OTP
              # instead
              # no-ftm-push = 1
              user-cert = /etc/openfortivpn/user-cert.pem
              # user-cert = pkcs11: # use smartcard as client certificate
              user-key = /etc/openfortivpn/user-key.pem
              pem-passphrase = baz
              # the sha256 digest of the trusted host certs, obtained from the
              # DER-encoded certificate by
              # openssl dgst -sha256 server-cert.crt:
              trusted-cert = certificatedigest4daa8c5fe6c...
              trusted-cert = othercertificatedigest6631bf...
              # This would specify a ca bundle instead of system-wide store
              # ca-file = /etc/openfortivpn/ca-bundle.pem
              set-dns = 0
              use-resolvconf = 1
              set-routes = 1
              half-internet-routes = 0
              pppd-use-peerdns = 1
              # alternatively, use a specific pppd plugin instead
              # pppd-plugin = /usr/lib/pppd/default/some-plugin.so
              # for debugging pppd write logs here
              # pppd-log = /var/log/pppd.log
              # pass ppp interface name to pppd (if supported by a patched
              # pppd)
              # pppd-ifname = ppp1
              # pass an ipparam string to pppd, e.g. the device name (a
              # similar use case)
              # pppd-ipparam = 'device=$DEVICE'
              # instruct pppd to call a script instead of passing arguments
              # (if pppd supports it)
              # pppd-call = script
              # use-syslog = 0
              insecure-ssl = 0
              cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
              persistent = 0
              seclevel-1 = 0



SEE ALSO

       The openfortivpn home page (https://github.com/adrienverge/openfortivpn)
       provides a short introduction in the README file and additional
       information under the Wiki tab.



                                  May 4, 2020                  OPENFORTIVPN(1)