OPENCONNECT(8)              System Manager's Manual             OPENCONNECT(8)


NAME
       openconnect - Multi-protocol VPN client, for Cisco AnyConnect VPNs and
       others

SYNOPSIS
       openconnect [--config configfile] [-b,--background]
                   [--pid-file pidfile] [-c,--certificate cert]
                   [--mca-certificate cert] [-e,--cert-expire-warning days]
                   [-k,--sslkey key] [--mca-key key]
                   [-C,--cookie cookie] [--cookie-on-stdin]
                   [--compression MODE] [-d,--deflate] [-D,--no-deflate]
                   [--force-dpd interval] [--force-trojan interval]
                   [-F,--form-entry form:opt=value] [-g,--usergroup group]
                   [-h,--help] [--http-auth methods]
                   [--external-browser browser] [--no-external-auth]
                   [-i,--interface ifname]
                   [-l,--syslog] [--timestamp] [--passtos] [-U,--setuid user]
                   [--csd-user user] [--csd-wrapper script]
                   [-m,--mtu mtu] [--base-mtu mtu]
                   [-p,--key-password pass] [--mca-key-password pass]
                   [-P,--proxy proxyurl]
                   [--proxy-auth methods] [--no-proxy] [--libproxy]
                   [--key-password-from-fsid] [-q,--quiet]
                   [-Q,--queue-len len] [-s,--script vpnc-script]
                   [-S,--script-tun] [-u,--user name] [-V,--version]
                   [-v,--verbose] [-x,--xmlconfig config] [--authgroup group]
                   [--authenticate] [--cookieonly] [--printcookie]
                   [--cafile file] [--disable-ipv6] [--dtls-ciphers list]
                   [--dtls12-ciphers list] [--dtls-local-port port]
                   [--dump-http-traffic] [--no-system-trust] [--pfs]
                   [--no-dtls] [--no-http-keepalive] [--no-passwd]
                   [--no-xmlpost] [--allow-insecure-crypto] [--non-inter]
                   [--passwd-on-stdin]
                   [--protocol proto] [--token-mode mode]
                   [--token-secret {secret[,counter]|@file}]
                   [--reconnect-timeout seconds] [--resolve host:ip]
                   [--sni host] [--servercert hash] [--useragent string]
                   [--version-string string] [--local-hostname string]
                   [--os string] [--server] [https://]host[:port][/group]

DESCRIPTION
       The program openconnect connects to VPN servers which use standard
       TLS/SSL, DTLS, and ESP protocols for data transport.

       It was originally written to support Cisco "AnyConnect" VPN servers,
       and has since been extended with experimental support for Juniper
       Network Connect (--protocol=nc), Junos/Ivanti Pulse VPN servers
       (--protocol=pulse), PAN GlobalProtect VPN servers (--protocol=gp), F5
       Big-IP VPN servers (--protocol=f5), Fortinet Fortigate VPN servers
       (--protocol=fortinet), and Array Networks SSL VPN servers
       (--protocol=array).

       The connection happens in two phases. First there is a simple HTTPS
       connection over which the user authenticates somehow - by using a
       certificate, or password or SecurID, etc. Having authenticated, the
       user is rewarded with an authentication cookie which can be used to
       make the real VPN connection. The cookie is a bearer credential:
       whoever holds it can bring up the tunnel without authenticating
       again, so keep it out of command lines and logs (see --cookie,
       --cookie-on-stdin and SIGHUP below).

       The second phase uses that cookie to connect to a tunnel via HTTPS,
       and data packets can be passed over the resulting connection. When
       possible, a UDP tunnel is also configured: AnyConnect uses DTLS, while
       Juniper and GlobalProtect use UDP-encapsulated ESP. The UDP tunnel may
       be disabled with --no-dtls, but is preferred when correctly supported
       by the server and network for performance reasons. (TCP performs
       poorly and unreliably when carried inside a TCP-based tunnel; see
       http://sites.inka.de/~W1011/devel/tcp-tcp.html.)

OPTIONS
       --config=CONFIGFILE
              Read further options from CONFIGFILE before continuing to
              process options from the command line. The file should contain
              long-format options as would be accepted on the command line,
              but without the two leading -- dashes. Empty lines, or lines
              where the first non-space character is a # character, are
              ignored.

              Any option except the config option may be specified in the
              file.

       -b,--background
              Continue in the background after startup.

       --pid-file=PIDFILE
              Save the pid to PIDFILE when backgrounding.

       -c,--certificate=CERT [,--mca-certificate=CERT]
              Use SSL client certificate CERT which may be either a file name
              or, if OpenConnect has been built with an appropriate version
              of GnuTLS, a PKCS#11 URL.

              The --mca-certificate option sets the secondary certificate for
              multi-certificate authentication (according to Cisco's
              terminology, the SSL client certificate is called the "machine"
              certificate, and the second certificate is called the "user"
              certificate).

       -e,--cert-expire-warning=DAYS
              Give a warning when the SSL client certificate has DAYS left
              before expiry.

       -k,--sslkey=KEY [,--mca-key=KEY]
              Use SSL private key KEY which may be either a file name or, if
              OpenConnect has been built with an appropriate version of
              GnuTLS, a PKCS#11 URL.

              The --mca-key option sets the private key for the secondary
              certificate (see --mca-certificate).

       -C,--cookie=COOKIE
              Use authentication cookie COOKIE. A cookie given this way is
              visible to other local users in the process list; prefer
              --cookie-on-stdin.

       --cookie-on-stdin
              Read the cookie from standard input.

       -d,--deflate
              Enable all compression, including stateful modes. By default,
              only stateless compression algorithms are enabled.

       -D,--no-deflate
              Disable all compression.

       --compression=MODE
              Set the compression mode, where MODE is one of stateless, none,
              or all.

              By default, only stateless compression algorithms which do not
              maintain state from one packet to the next (and which can be
              used on UDP transports) are enabled. By setting the mode to
              all, stateful algorithms (currently only zlib deflate) can be
              enabled. Or all compression can be disabled by setting the mode
              to none.

       --force-dpd=INTERVAL
              Use INTERVAL as the Dead Peer Detection interval (in seconds).
              This will cause the client to use DPD at the specified interval
              even if the server hasn't requested it, or at a different
              interval from the one requested by the server.

              DPD mechanisms vary by protocol and by transport (TLS or
              DTLS/ESP), but are all functionally similar: they enable either
              the VPN client or the VPN server to transmit a signal to the
              peer, requesting an immediate reply which can be used to
              confirm that the link between the two peers is still working.
       -g,--usergroup=GROUP
              Set the URL path of the initial HTTPS connection to the server.

              With some protocols, this path may function as a login group or
              realm, hence the naming of this option. For example, the
              following invocations of OpenConnect are equivalent:

                     openconnect --usergroup=loginPath vpn.server.com
                     openconnect https://vpn.server.com/loginPath

       -F,--form-entry=FORM:OPTION[=VALUE]
              Provide authentication form input, where FORM and OPTION are
              the identifiers from the form and the specific input field, and
              VALUE is the string to be filled in automatically. For example,
              the standard username field (also handled by the --user option)
              could also be provided with this option thus:
              --form-entry main:username=joebloggs.

              If VALUE is not specified, this option will cause a hidden form
              field to be treated as a standard text-input field.

              This option should not be used to enter passwords;
              --passwd-on-stdin should be used for that purpose. Not only
              does this option expose the password to other local users via
              the OpenConnect process's command line, but unlike
              --passwd-on-stdin it does not recognise an incorrect password
              and stop, so a wrong value is re-entered repeatedly.

       -h,--help
              Display help text.

       --http-auth=METHODS
              Use only the specified methods for HTTP authentication to a
              server. By default, only Negotiate, NTLM and Digest
              authentication are enabled. Basic authentication is also
              supported but because it is insecure it must be explicitly
              enabled. The argument is a comma-separated list of methods to
              be enabled. Note that the order does not matter: OpenConnect
              will use Negotiate, NTLM, Digest and Basic authentication in
              that order, if each is enabled, regardless of the order
              specified in the METHODS string.

       --external-browser=BROWSER
              Set BROWSER as the executable used by OpenConnect to handle the
              authentication process with gateways that support the
              single-sign-on-external-browser authentication method.

       -i,--interface=IFNAME
              Use IFNAME for the tunnel interface.

       -l,--syslog
              After the tunnel is brought up, use syslog for further progress
              messages.

       --timestamp
              Prepend a timestamp to each progress message.

       --passtos
              Copy the TOS / TCLASS of the payload packet into DTLS and ESP
              packets. This is not set by default because it may leak
              information about the payload (for example, by differentiating
              voice/video traffic).
207
       -U,--setuid=USER
              Drop privileges after connecting, to become user USER.

       --csd-user=USER
              Drop privileges during execution of the trojan binary or script
              (CSD, TNCC, or HIP).

       --csd-wrapper=SCRIPT
              Run SCRIPT instead of the trojan binary or script.

       --force-trojan=INTERVAL
              Use INTERVAL as the interval (in seconds) for repeat execution
              of the trojan binary or script, overriding the default and/or
              server-set interval.

       -m,--mtu=MTU
              Request MTU from the server as the MTU of the tunnel.

       --base-mtu=MTU
              Indicate MTU as the path MTU between client and server on the
              unencrypted network. Newer servers will automatically calculate
              the MTU to be used on the tunnel from this value.

       -p,--key-password=PASS [,--mca-key-password=PASS]
              Provide the passphrase for the certificate file, or the SRK
              (Storage Root Key) PIN for a TPM.

              --mca-key-password provides the passphrase for the secondary
              certificate (see --mca-certificate).

       -P,--proxy=PROXYURL
              Use an HTTP or SOCKS proxy for the connection. A username and
              password can be provided in the given URL, and will be used for
              authentication. If authentication is required but no
              credentials are given, GSSAPI and automatic NTLM authentication
              using Samba's ntlm_auth helper tool may be attempted.

       --proxy-auth=METHODS
              Use only the specified methods for HTTP authentication to a
              proxy. By default, only Negotiate, NTLM and Digest
              authentication are enabled. Basic authentication is also
              supported but because it is insecure it must be explicitly
              enabled. The argument is a comma-separated list of methods to
              be enabled. Note that the order does not matter: OpenConnect
              will use Negotiate, NTLM, Digest and Basic authentication in
              that order, if each is enabled, regardless of the order
              specified in the METHODS string.

       --no-proxy
              Disable use of a proxy.

       --libproxy
              Use libproxy to configure the proxy automatically (when built
              with libproxy support).

       --key-password-from-fsid
              The passphrase for the certificate file is automatically
              generated from the fsid of the file system on which it is
              stored. The fsid is obtained from the statvfs(2) or statfs(2)
              system call, depending on the operating system. On a Linux or
              similar system with GNU coreutils, the fsid used by this option
              should be equal to the output of the command:

                     stat --file-system --printf='%i\n' "$CERTIFICATE"

              It is not the same as the 128-bit UUID of the file system.
              Note that the fsid is not a secret: any local user who can
              read the key file can also obtain it, so this ties the key to
              the file system it lives on rather than protecting it from
              local readers.
271
       -q,--quiet
              Less output.

       -Q,--queue-len=LEN
              Set the packet queue limit to LEN packets. The default is 32. A
              high value may allow better overall bandwidth but at a cost of
              latency. If you run Voice over IP or other interactive traffic
              over the VPN, you don't want those packets to be queued behind
              thousands of other large packets which are part of a bulk
              transfer.

              This option sets the maximum inbound and outbound packet queue
              sizes in OpenConnect itself, which control how many packets
              will be sent and received in a single batch, as well as
              affecting other buffering such as the socket send buffer
              (SO_SNDBUF) for network connections and the OS tunnel device.

              Ultimately, the right size for a queue is "just enough packets
              that it never quite gets empty before more are pushed to it".
              Any higher than that is simply introducing bufferbloat and
              additional latency with no benefit. With the default of 32, we
              are able to saturate a single Gigabit Ethernet from modest
              hardware, which is more than enough for most VPN users.

              If OpenConnect is built with vhost-net support, it will only be
              used if the queue length is set to 16 or more. This is because
              vhost-net introduces a small amount of additional latency, but
              improves total bandwidth quite considerably for those operating
              at high traffic rates. Thus it makes sense to use it when the
              user has indicated a preference for bandwidth over latency, by
              increasing the queue size.

       -s,--script=SCRIPT
              Invoke SCRIPT to configure the network after connection.
              Without this, routing and name service are unlikely to work
              correctly. The script is expected to be compatible with the
              vpnc-script which is shipped with the "vpnc" VPN client. See
              https://www.infradead.org/openconnect/vpnc-script.html for more
              information. This version of OpenConnect is configured to use
              /etc/vpnc/vpnc-script by default.

              On Windows, a relative directory for the default script will be
              handled as starting from the directory that the openconnect
              executable is running from, rather than the current directory.
              The script will be invoked with the command-based script host
              cscript.exe.

       -S,--script-tun
              Pass traffic to the 'script' program over a UNIX socket,
              instead of to a kernel tun/tap device. This allows the VPN IP
              traffic to be handled entirely in userspace, for example by a
              program which uses lwIP to provide SOCKS access into the VPN.
325
       --server=[https://]HOST[:PORT][/PATH]
              Define the VPN server as a simple HOST or as a URL containing
              the HOST and optionally the PORT number and the PATH; with some
              protocols, the path may function as a login group or realm, and
              it may equivalently be specified with --usergroup.

              As an alternative, define the VPN server as a non-option
              command line argument.

       -u,--user=NAME
              Set the login username to NAME.

       -V,--version
              Report the version number.

       -v,--verbose
              More output (may be specified multiple times for additional
              output).

       -x,--xmlconfig=CONFIG
              XML config file.

       --authgroup=GROUP
              Select GROUP from the authentication dropdown or list entry.

              Many VPNs require a selection from a dropdown or list during
              the authentication process. This selection may be known as an
              authgroup (on Cisco VPNs), realm (Juniper, Pulse, Fortinet),
              domain (F5), or gateway (GlobalProtect). This option attempts
              to automatically fill the appropriate protocol-specific field
              with the desired value.
357
       --authenticate
              Authenticate to the VPN, output the information needed to make
              the connection in a form which can be used to set shell
              environment variables, and then exit.

              When invoked with this option, OpenConnect will not actually
              create the VPN connection or configure a tunnel interface, but
              if successful will print something like the following to
              stdout:

                     COOKIE='3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...'
                     HOST='10.0.0.1'
                     CONNECT_URL='https://vpnserver.example.com'
                     FINGERPRINT='469bb424ec8835944d30bc77c77e8fc1d8e23a42'
                     RESOLVE='vpnserver.example.com:10.0.0.1'

              Thus, you can invoke openconnect as a non-privileged user (with
              access to the user's PKCS#11 tokens, etc.) for authentication,
              and then invoke openconnect separately to make the actual
              connection as root:

                     eval `openconnect --authenticate https://vpnserver.example.com`;
                     [ -n "$COOKIE" ] && echo "$COOKIE" |
                      sudo openconnect --cookie-on-stdin $CONNECT_URL --servercert $FINGERPRINT --resolve $RESOLVE

              Passing --servercert $FINGERPRINT to the second invocation pins
              the connection phase to the certificate that was verified
              during authentication, and the cookie is handed over on stdin
              rather than as an argument so that it never appears in the
              process list.

              Earlier versions of OpenConnect produced only the HOST variable
              (containing the numeric server address), and not the
              CONNECT_URL or RESOLVE variables. Subsequently, we discovered
              that servers behind proxies may not respond correctly unless
              the correct DNS name is present in the connection phase, and we
              added support for VPN protocols where the server URL's path
              component may be significant in the connection phase, prompting
              the addition of CONNECT_URL and RESOLVE, and the recommendation
              to use them as described above. If you are not certain that
              you are invoking a newer version of OpenConnect which outputs
              these variables, use the following command-line (compatible
              with most Bourne shell derivatives) which will work with either
              a newer or older version:

                     sudo openconnect --cookie-on-stdin ${CONNECT_URL:-$HOST} --servercert $FINGERPRINT ${RESOLVE:+--resolve=$RESOLVE}
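
              The eval in the snippets above executes output that the VPN
              server partly controls (the COOKIE, CONNECT_URL and RESOLVE
              values). The following script is an added example, not part
              of OpenConnect, which performs the same two-phase flow while
              parsing that output strictly instead of eval'ing it. It
              assumes a POSIX sh with sudo and openconnect on PATH; the
              sample output embedded in it is constructed from the values
              shown above, and the oc_* function names are this example's
              own.

```sh
#!/bin/sh
# Added example, not OpenConnect's own code: drive the two-phase
# --authenticate / --cookie-on-stdin flow from a script without eval'ing
# output that the VPN server partly controls (COOKIE, RESOLVE, CONNECT_URL).
# Assumes a POSIX sh, sudo and openconnect on PATH. The sample below is
# constructed from the values printed in the manual page's example.

SAMPLE_AUTH_OUTPUT="COOKIE='3311180634@13561856@1339425499@B315A0E29D16C6FD92EE'
HOST='10.0.0.1'
CONNECT_URL='https://vpnserver.example.com'
FINGERPRINT='469bb424ec8835944d30bc77c77e8fc1d8e23a42'
RESOLVE='vpnserver.example.com:10.0.0.1'"

# oc_parse_auth: read KEY='value' lines from stdin into OC_* variables.
# Only the keys the manual page documents are accepted; an unquoted value,
# a quote or whitespace inside a value, or an unknown key marks the whole
# output as untrusted and the function returns 1. Nothing is ever eval'd.
oc_parse_auth() {
    OC_COOKIE= OC_HOST= OC_CONNECT_URL= OC_FINGERPRINT= OC_RESOLVE=
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=${line%%=*}
        val=${line#*=}
        case $val in
            \'*\') val=${val#\'}; val=${val%\'} ;;
            *) printf 'oc_parse_auth: unquoted value for %s\n' "$key" >&2; return 1 ;;
        esac
        case $val in
            *\'*|*' '*) printf 'oc_parse_auth: bad characters in %s\n' "$key" >&2; return 1 ;;
        esac
        case $key in
            COOKIE)      OC_COOKIE=$val ;;
            HOST)        OC_HOST=$val ;;
            CONNECT_URL) OC_CONNECT_URL=$val ;;
            FINGERPRINT) OC_FINGERPRINT=$val ;;
            RESOLVE)     OC_RESOLVE=$val ;;
            *) printf 'oc_parse_auth: unexpected key %s\n' "$key" >&2; return 1 ;;
        esac
    done
    # A usable result needs the cookie, the pinned fingerprint and a target.
    [ -n "$OC_COOKIE" ] && [ -n "$OC_FINGERPRINT" ] &&
        { [ -n "$OC_CONNECT_URL" ] || [ -n "$OC_HOST" ]; }
}

# oc_connect_args: print the argument list for the privileged second phase.
# Falls back to HOST when an older openconnect did not print CONNECT_URL or
# RESOLVE, and always pins the certificate seen during authentication.
oc_connect_args() {
    args="--cookie-on-stdin ${OC_CONNECT_URL:-$OC_HOST} --servercert $OC_FINGERPRINT"
    [ -z "$OC_RESOLVE" ] || args="$args --resolve=$OC_RESOLVE"
    printf '%s\n' "$args"
}

# oc_two_phase SERVER [more openconnect options...]: authenticate as the
# invoking user, then hand only the cookie to the root process on stdin so
# that it never appears in the process list.
oc_two_phase() {
    out=$(openconnect --authenticate "$@") || return 1
    oc_parse_auth <<EOF || return 1
$out
EOF
    # Word splitting of $(oc_connect_args) is intended: every field was
    # checked above to contain neither whitespace nor quotes.
    printf '%s\n' "$OC_COOKIE" | sudo openconnect $(oc_connect_args)
}

# Demonstration on the constructed sample (no network access needed).
# prints: --cookie-on-stdin https://vpnserver.example.com --servercert 469bb424ec8835944d30bc77c77e8fc1d8e23a42 --resolve=vpnserver.example.com:10.0.0.1
oc_parse_auth <<EOF && oc_connect_args
$SAMPLE_AUTH_OUTPUT
EOF
```

              Run oc_two_phase https://vpnserver.example.com as the normal
              user; only the second openconnect runs under sudo. Because the
              values are copied by parameter expansion rather than eval'd,
              a hostile line such as COOKIE=$(touch /tmp/x) in the
              authentication output is rejected instead of executed.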
393
       --cookieonly
              Fetch and print the cookie only; don't connect (this is
              essentially a subset of --authenticate).

       --printcookie
              Print the cookie to stdout before connecting (see
              --authenticate for the meaning of this cookie).

       --cafile=FILE
              Additional CA file for server verification. By default, this
              simply causes OpenConnect to trust additional root CA
              certificate(s) in addition to those trusted by the system. Use
              --no-system-trust to prevent OpenConnect from trusting the
              system default certificate authorities.

       --no-system-trust
              Do not trust the system default certificate authorities. If
              this option is given, only certificate authorities given with
              the --cafile option, if any, will be trusted automatically.

       --disable-ipv6
              Do not advertise IPv6 capability to the server.

       --dtls-ciphers=LIST
              Set the OpenSSL ciphers to support for DTLS.

       --dtls12-ciphers=LIST
              Set the OpenSSL ciphers for Cisco's DTLS v1.2.

       --dtls-local-port=PORT
              Use PORT as the local port for DTLS and UDP datagrams.

       --dump-http-traffic
              Enable verbose output of all HTTP requests and the bodies of
              all responses received from the server. The dump includes the
              authentication requests and the session cookie, so treat it
              as sensitive.

       --pfs  Enforce Perfect Forward Secrecy (PFS). This ensures that if the
              server's long-term key is compromised, any session keys
              established before the compromise will be unaffected. If this
              option is provided and the server does not support PFS in the
              TLS channel, the connection will fail.

              PFS is available in Cisco ASA releases 9.1(2) and higher; a
              suitable cipher suite may need to be manually enabled by the
              administrator using the ssl encryption setting.

441
       --no-dtls
              Disable DTLS and ESP.

       --no-http-keepalive
              Version 8.2.2.5 of the Cisco ASA software has a bug where it
              will forget the client's SSL certificate when HTTP connections
              are being re-used for multiple requests. So far, this has only
              been seen on the initial connection, where the server gives an
              HTTP/1.0 redirect response with an explicit Connection:
              Keep-Alive directive. OpenConnect as of v2.22 has an
              unconditional workaround for this, which is never to obey that
              directive after an HTTP/1.0 response.

              However, Cisco's support team has failed to give any competent
              response to the bug report and we don't know under what other
              circumstances their bug might manifest itself. So this option
              exists to disable ALL re-use of HTTP sessions and cause a new
              connection to be made for each request. If your server seems
              not to be recognizing your certificate, try this option. If it
              makes a difference, please report this information to the
              openconnect-devel@lists.infradead.org mailing list.

       --no-passwd
              Never attempt password (or SecurID) authentication.

       --no-external-auth
              Prevent OpenConnect from advertising to the server that it
              supports any kind of authentication mode that requires an
              external browser.

              Some servers will force the client to use such an
              authentication mode if the client advertises it, but fall back
              to a more "scriptable" authentication mode if the client
              doesn't appear to support it.

       --no-xmlpost
              Do not attempt to post an XML authentication/configuration
              request to the server; use the old style GET method which was
              used by older clients and servers instead.

              This option is a temporary safety net, to work around potential
              compatibility issues with the code which falls back to the old
              method automatically. It causes OpenConnect to behave more like
              older versions (4.08 and below) did. If you find that you need
              to use this option, then you have found a bug in OpenConnect.
              Please see https://www.infradead.org/openconnect/mail.html and
              report this to the developers.

       --allow-insecure-crypto
              The ancient, broken 3DES and RC4 ciphers are insecure; we
              explicitly disable them by default. However, some still-in-use
              VPN servers can't do any better.

              This option enables use of these insecure ciphers, as well as
              the use of SHA1 for server certificate validation.

       --non-inter
              Do not expect user input; exit if it is required.

       --passwd-on-stdin
              Read the password from standard input.

       --protocol=PROTO
              Select the VPN protocol PROTO to be used for the connection.
              Supported protocols are anyconnect for Cisco AnyConnect (the
              default), nc for experimental support for Juniper Network
              Connect (also supported by most Junos/Ivanti Pulse servers),
              pulse for experimental support for Junos/Ivanti Pulse, gp for
              experimental support for PAN GlobalProtect, f5 for experimental
              support for F5 Big-IP, fortinet for experimental support for
              Fortinet Fortigate, and array for experimental support for
              Array Networks SSL VPN.

              See https://www.infradead.org/openconnect/protocols.html for
              details on features and deficiencies of the individual
              protocols.

              OpenConnect does not yet support all of the authentication
              options used by Pulse, nor does it support Host Checker/TNCC
              with Pulse. If your Junos/Ivanti Pulse VPN is not yet supported
              with --protocol=pulse, then --protocol=nc may be a useful
              fallback option.

       --token-mode=MODE
              Enable one-time password generation using the MODE algorithm.
              --token-mode=rsa will call libstoken to generate an RSA SecurID
              tokencode, --token-mode=totp will generate an RFC 6238
              time-based password, and --token-mode=hotp will generate an
              RFC 4226 HMAC-based password. Yubikey tokens which generate
              OATH codes in hardware are supported with
              --token-mode=yubioath. --token-mode=oidc will use the provided
              OpenID Connect token as an RFC 6750 bearer token.

       --token-secret={ SECRET[,COUNTER] | @FILENAME }
              The secret to use when generating one-time passwords /
              verification codes. Base32-encoded TOTP/HOTP secrets can be
              used by specifying "base32:" at the beginning of the secret,
              and for HOTP secrets the token counter can be specified
              following a comma.

              RSA SecurID secrets can be specified as an Android/iPhone URI
              or a raw numeric CTF string (with or without dashes).

              For Yubikey OATH the token secret specifies the name of the
              credential to be used. If not provided, the first OATH
              credential found on the device will be used.

              For OIDC the secret is the bearer token to be used.

              FILENAME, if specified, can contain any of the above strings.
              Or, it can contain a SecurID XML (SDTID) seed. A secret given
              directly on the command line is visible to other local users
              in the process list, so the @FILENAME form (with a file
              readable only by the invoking user) is preferable.

              If this option is omitted, and --token-mode is "rsa", libstoken
              will try to use the software token seed saved in ~/.stokenrc by
              the "stoken import" command.
556
       --reconnect-timeout=SECONDS
              After disconnection or Dead Peer Detection, keep trying to
              reconnect for SECONDS. The default is 300 seconds, which means
              that openconnect can recover a VPN connection after a temporary
              network outage lasting up to 300 seconds.

       --resolve=HOST:IP
              Automatically resolve the hostname HOST to IP instead of using
              the normal resolver to look it up.

       --sni=HOST
              When creating new TLS connections, always present the hostname
              HOST as the SNI (Server Name Indication) in place of the
              correct hostname, which will still be sent in the HTTP 'Host:'
              header, and expect the peer's certificate to match the SNI
              rather than the correct hostname. This may be useful for Domain
              Fronting, by which some filtered or censored Internet
              connections can be bypassed.

              Note that sending different values for the SNI and 'Host:'
              header violates HTTP standards and is prevented by many cloud
              hosting providers.

       --servercert=HASH
              Accept the server's SSL certificate only if it matches the
              provided fingerprint. This option implies --no-system-trust,
              and may be specified multiple times in order to accept multiple
              possible fingerprints.

              The allowed fingerprint types are SHA1, SHA256, and PIN-SHA256.
              They are distinguished by the 'sha1:', 'sha256:' and
              'pin-sha256:' prefixes to the encoded hash. The first two are
              custom identifiers providing a hex encoding of the hash of the
              peer's public key, while 'pin-sha256:' is the RFC 7469 key PIN,
              which uses base64 encoding. To ease certain testing use-cases,
              a partial match of the hash will also be accepted, if it is at
              least 4 characters past the prefix. Outside testing, always
              supply the full hash: because --servercert replaces CA-based
              verification, a short prefix leaves only a few bits of the
              digest standing between the client and an impersonated server.
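
              Recording the fingerprint in advance, from a copy of the
              gateway's certificate obtained through a trusted channel,
              avoids accepting whatever certificate is presented on first
              use. The following is an added example, not OpenConnect's own
              code, that derives both the sha256: and pin-sha256: forms with
              the openssl command-line tool. It assumes that both forms are
              digests of the certificate's DER-encoded SubjectPublicKeyInfo
              (the input RFC 7469 specifies for the pin), the hex form being
              the same digest hex-encoded; the function names are this
              example's own.

```sh
#!/bin/sh
# Added example, not OpenConnect's own code: compute --servercert values for
# a PEM certificate file ahead of time. Assumes the openssl command-line
# tool, and that the sha256: form is the hex encoding of the same SPKI digest
# that the RFC 7469 pin-sha256: form carries in base64.
#
# A gateway's leaf certificate can be saved for this purpose with, e.g.,
#   openssl s_client -connect vpn.example.com:443 -showcerts </dev/null
# but the copy must be checked against an out-of-band source before pinning.

# spki_der CERT.pem: write the DER-encoded SubjectPublicKeyInfo to stdout.
spki_der() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER
}

# servercert_sha256 CERT.pem: print "sha256:<64 hex digits>".
servercert_sha256() {
    hex=$(spki_der "$1" | openssl dgst -sha256 -binary | od -An -tx1 | tr -d ' \n')
    printf 'sha256:%s\n' "$hex"
}

# servercert_pin CERT.pem: print the RFC 7469 form "pin-sha256:<base64>".
servercert_pin() {
    b64=$(spki_der "$1" | openssl dgst -sha256 -binary | openssl base64 -A)
    printf 'pin-sha256:%s\n' "$b64"
}

# Usage, once vpn.pem holds the verified certificate:
#   openconnect --servercert "$(servercert_pin vpn.pem)" https://vpn.example.com
```

              Either form pins the key rather than the whole certificate, so
              a routine renewal that keeps the same key pair does not break
              the pin; a key rotation does, and --servercert may then be
              given twice to accept old and new during the changeover.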
594
       --useragent=STRING
              Use STRING as the 'User-Agent:' field value in the HTTP header.

              Some VPN servers may require specific values matching those
              sent by proprietary VPN clients in order to successfully
              authenticate or connect. For example, when connecting to a
              Cisco VPN server, --useragent 'AnyConnect Windows 4.10.06079'
              or --useragent 'Cisco AnyConnect VPN Agent for Windows
              2.2.0133', or when connecting to a Pulse server, --useragent
              'Pulse-Secure/9.1.11.6725'.

       --version-string=STRING
              Use STRING as the software version reported to the head end
              (e.g. --version-string '2.2.0133').

       --local-hostname=STRING
              Use STRING as the 'X-CSTP-Hostname:' field value in the HTTP
              header. For example, --local-hostname 'mypc' will advertise
              the value 'mypc' as the suggested hostname to point to the
              provided IP address.

       --os=STRING
              OS type to report to the gateway. Recognized values are: linux,
              linux-64, win, mac-intel, android, apple-ios. Reporting a
              different OS type may affect the dynamic access policy (DAP)
              applied to the VPN session. If the gateway requires CSD, it
              will also cause the corresponding CSD trojan binary to be
              downloaded, so you may need to use --csd-wrapper if this code
              is not executable on the local machine.

623
SIGNALS
       In the data phase of the connection, the following signals are
       handled:

       SIGINT / SIGTERM
              perform a clean shutdown by logging the session off,
              disconnecting from the gateway, and running the vpnc-script to
              restore the network configuration.

       SIGHUP disconnects from the gateway and runs the vpnc-script, but does
              not log the session off; this allows for reconnection later
              using --cookie.

       SIGUSR1
              writes a progress message with detailed connection information
              and statistics.

       SIGUSR2
              forces an immediate disconnection and reconnection; this can be
              used to quickly recover from LAN IP address changes.

643
LIMITATIONS
       See https://www.infradead.org/openconnect/contribute.html for various
       features that we wish OpenConnect had, and
       https://www.infradead.org/openconnect/protocols.html for information
       on the quirks and limitations of the individual VPN protocols.

SEE ALSO
       ocserv(8)

AUTHORS
       David Woodhouse <dwmw2@infradead.org>