Section: User Commands (1)
Updated: December 11, 2019



openfortivpn - Client for PPP+SSL VPN tunnel services



openfortivpn [<host>[:<port>]] [-u <user>] [-p <pass>] [--otp=<otp>] [--otp-prompt=<prompt>] [--otp-delay=<delay>] [--realm=<realm>] [--set-routes=<bool>] [--no-routes] [--set-dns=<bool>] [--no-dns] [--half-internet-routes=<bool>] [--ca-file=<file>] [--user-cert=<file>] [--user-cert=pkcs11:] [--user-key=<file>] [--use-syslog] [--trusted-cert=<digest>] [--insecure-ssl] [--cipher-list=<ciphers>] [--pppd-use-peerdns=<bool>] [--pppd-no-peerdns] [--pppd-log=<file>] [--pppd-plugin=<file>] [--pppd-ipparam=<string>] [--pppd-ifname=<string>] [--pppd-call=<name>] [--ppp-system=<string>] [--persistent=<interval>] [-c <file>] [-v|-q]



openfortivpn connects to a VPN by setting up a tunnel to the gateway at <host>:<port>.



-h, --help
Show the help message and exit.
--version
Show version and exit.
-c <file>, --config=<file>
Specify a custom config file (default: /etc/openfortivpn/config).
-u <user>, --username=<user>
VPN account username.
-p <pass>, --password=<pass>
VPN account password.
-o <otp>, --otp=<otp>
One-Time-Password.
--otp-prompt=<prompt>
Search for the OTP password prompt starting with the string <prompt>.
--otp-delay=<delay>
Set the amount of time to wait before sending the One-Time-Password. The delay time must be specified in seconds, where 0 means no wait (this is the default).
--realm=<realm>
Connect to the specified authentication realm. Defaults to empty, which is usually what you want.
--set-routes=<bool>, --no-routes
Set if openfortivpn should try to configure IP routes through the VPN when the tunnel is up. If used multiple times, the last one takes priority.

--no-routes is the same as --set-routes=0.

--half-internet-routes=<bool>
Set if openfortivpn should add two 0.0.0.0/1 and 128.0.0.0/1 routes with higher priority instead of replacing the default route.
--set-dns=<bool>, --no-dns
Set if openfortivpn should add DNS name servers in /etc/resolv.conf when the tunnel is up. Also a dns-suffix may be received from the peer and added to /etc/resolv.conf together with the name servers. resolvconf is instructed to do the update of the resolv.conf file if it is installed, otherwise openfortivpn prepends its changes to the existing content of the resolv.conf file. Note that there may be other mechanisms to update /etc/resolv.conf, e.g., --pppd-use-peerdns in conjunction with an ip-up-script, which may require that openfortivpn is called with --no-dns.

--no-dns is the same as --set-dns=0.
--ca-file=<file>
Use specified PEM-encoded certificate bundle instead of system-wide store to verify the gateway certificate.
--user-cert=<file>
Use specified PEM-encoded certificate if the server requires authentication with a certificate.
--user-cert=pkcs11:
Use at least the string pkcs11: for using a smartcard. It takes the full or a partial PKCS11-URI (see p11tool --list-token-urls):

  --user-cert = pkcs11:

  --user-cert = pkcs11:token=someuser

  --user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser

This feature requires OpenSSL PKCS engine!
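The partial-URI forms above select a token by whichever attributes are given. The following is an added example (not openfortivpn's own code) showing how a partial pkcs11: URI relates to a full token URL as printed by p11tool; the matching rule (every attribute in the partial URI must be present with the same value in the full URL, a bare pkcs11: matches any token) is this example's assumption of how the engine selects a token.

```python
from urllib.parse import unquote

# Constructed sample token URL in the form `p11tool --list-token-urls` prints;
# the attribute values are taken from the manual page's third example.
SAMPLE_TOKEN_URL = ("pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;"
                    "serial=012345678;token=someuser")


def parse_pkcs11_uri(uri: str) -> dict:
    """Split a pkcs11: URI into its attributes, decoding %XX escapes
    (so model=PKCS%2315%20emulated becomes 'PKCS#15 emulated')."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: " + uri)
    attrs = {}
    for part in uri[len("pkcs11:"):].split(";"):
        if part:
            key, _, value = part.partition("=")
            attrs[key] = unquote(value)
    return attrs


def uri_matches(partial: str, full: str) -> bool:
    """Assumed selection rule: the partial URI matches a token when all of its
    attributes appear with equal values in the token's full URL. With no
    attributes at all ('pkcs11:') any token matches."""
    want = parse_pkcs11_uri(partial)
    have = parse_pkcs11_uri(full)
    return all(have.get(key) == value for key, value in want.items())


def tokens_selected(partial: str, token_urls: list) -> list:
    """All token URLs a given --user-cert value would match; more than one
    means the URI is not specific enough to pin a single smartcard."""
    return [url for url in token_urls if uri_matches(partial, url)]
```

Adding serial= to the URI pins the selection to one physical device, whereas token= alone matches any token carrying that label.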

--user-key=<file>
Use specified PEM-encoded key if the server requires authentication with a certificate.
--use-syslog
Log to syslog instead of terminal.
--trusted-cert=<digest>
Trust a given gateway. If classical SSL certificate validation fails, the gateway certificate will be matched against this value. <digest> is the X509 certificate's sha256 sum. The certificate has to be encoded in DER form. This option can be used multiple times to trust several certificates.
--insecure-ssl
Do not disable insecure SSL protocols/ciphers. If your server requires a specific cipher, consider using --cipher-list instead.
--cipher-list=<ciphers>
OpenSSL ciphers to use. If default does not work, you can try alternatives such as HIGH:!MD5:!RC4 or as suggested by the Cipher: line in the output of openssl(1) (e.g. AES256-GCM-SHA384):

$ openssl s_client -connect <host:port>

(default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)

--pppd-use-peerdns=<bool>, --pppd-no-peerdns
Whether to ask peer ppp server for DNS server addresses and let pppd rewrite /etc/resolv.conf. There is no mechanism to tell the dns-suffix to pppd. If the DNS server addresses are requested, also --set-dns=1 may race with the mechanisms in pppd.

--pppd-no-peerdns is the same as --pppd-use-peerdns=0.

--pppd-log=<file>
Set pppd in debug mode and save its logs into <file>.
--pppd-plugin=<file>
Use specified pppd plugin instead of configuring the resolver and routes directly.
--pppd-ipparam=<string>
Provides an extra parameter to the ip-up, ip-pre-up and ip-down scripts. See man pppd(8) for further details.
--pppd-ifname=<string>
Set the ppp interface name. Only if supported by pppd. Patched versions of pppd implement this option but may not be available on your platform.
--pppd-call=<name>
Drop usual arguments from pppd command line and add `call <name>' instead. This can be useful on Debian and Ubuntu, where unprivileged users in group `dip' can invoke `pppd call <name>' to make pppd read and apply options from /etc/ppp/peers/<name> (including privileged ones).
--ppp-system=<string>
Only available if compiled for ppp user space client (e.g. on FreeBSD). Connect to the specified system as defined in /etc/ppp/ppp.conf.
--persistent=<interval>
Run the VPN persistently in an endless loop and try to reconnect forever. The reconnect interval may be specified in seconds, where 0 means no reconnect is done (this is the default).
-v
Increase verbosity. Can be used multiple times to be even more verbose.
-q
Decrease verbosity. Can be used multiple times to be even less verbose.


ENVIRONMENT and proxy support

openfortivpn can be run behind an HTTP proxy that supports the HTTP connect command. It checks if one of the environment variables https_proxy HTTPS_PROXY all_proxy ALL_PROXY is set, which are supposed to contain a string of the format
where [host] is the ip or the fully qualified host name of the proxy server and [port] is the TCP port number where the proxy is listening for incoming connections. If one of these variables is defined, openfortivpn tries to first establish a TCP connection to this proxy (plain HTTP, not encrypted), and then makes a request to connect to the VPN host as given on the command line or in the config file. The proxy is supposed to forward any subsequent packets transparently to the VPN host, so that the TLS layer of the connection effectively is established between the client and the VPN host, and the proxy just acts as a forwarding instance on the lower level of the TCP connection.
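The proxy exchange described above, as an added example that is not part of openfortivpn's code: the proxy variable is resolved from the environment, a plain-HTTP CONNECT for the gateway's host:port is built, and the proxy's status line is checked before any TLS bytes are sent. The http://[host]:[port] URL form and the first-variable-wins order are assumptions of this example.

```python
import os

# Variables the manual page names; checked in this order (assumed precedence).
PROXY_ENV_VARS = ("https_proxy", "HTTPS_PROXY", "all_proxy", "ALL_PROXY")


def parse_proxy_url(value: str):
    """Accepts 'http://[host]:[port]' (scheme optional); returns (host, port)."""
    rest = value.split("://", 1)[1] if "://" in value else value
    host, sep, port = rest.rstrip("/").rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"proxy must be given as [host]:[port], got {value!r}")
    return host, int(port)


def select_proxy(env=None):
    """(host, port) of the first configured proxy variable, or None."""
    env = os.environ if env is None else env
    for name in PROXY_ENV_VARS:
        if env.get(name):
            return parse_proxy_url(env[name])
    return None


def build_connect_request(vpn_host: str, vpn_port: int) -> bytes:
    """The unencrypted request sent to the proxy. Only the gateway's host:port
    is exposed to the proxy; the TLS handshake that follows a 2xx reply runs
    end-to-end between client and gateway."""
    target = f"{vpn_host}:{vpn_port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode()


def tunnel_established(reply: bytes) -> bool:
    """True only for an HTTP 2xx status line; on anything else (e.g. 407 or
    403) no TLS data must be written, since no tunnel exists."""
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = status_line.split(" ", 2)
    return (len(parts) >= 2 and parts[0].startswith("HTTP/")
            and len(parts[1]) == 3 and parts[1][0] == "2")
```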

The following environment variables are set by openfortivpn, and pppd(8) or its scripts can obtain information this way:
VPN_GATEWAY the ip of the gateway host
and for each route three variables are set up, where an integer number is appended to the variable names, denoting the number of the current route:
VPN_ROUTE_DEST_... the destination network of the route
VPN_ROUTE_MASK_... the network mask for this route
VPN_ROUTE_GATEWAY_... the gateway for the current route entry

If not compiled for pppd, the pppd options and features that rely on them are not available. On FreeBSD --ppp-system is available instead.



Options can be taken from a configuration file. Options passed in the command line will override those from the config file, though. The default config file is /etc/openfortivpn/config, but this can be set using the -c option. An empty template for the config file is installed to /usr/share/openfortivpn/config.template

A config file looks like:
# this is a comment
host = vpn-gateway
port = 443
username = foo
password = bar
# realm = some-realm
# useful for a gui that passes a config file to openfortivpn
# otp = 123456
# otp-delay = 0
# otp-prompt = Please
# pinentry = pinentry program
user-cert = /etc/openfortivpn/user-cert.pem
# user-cert = pkcs11: # use smartcard as client certificate
user-key = /etc/openfortivpn/user-key.pem
# the sha256 digest of the trusted host certs obtained by
# openssl dgst -sha256 server-cert.crt:
trusted-cert = certificatedigest4daa8c5fe6c...
trusted-cert = othercertificatedigest6631bf...
# This would specify a ca bundle instead of system-wide store
# ca-file = /etc/openfortivpn/ca-bundle.pem
set-dns = 0
set-routes = 1
half-internet-routes = 0
pppd-use-peerdns = 1
# alternatively, use a specific pppd plugin instead
# pppd-plugin = /usr/lib/pppd/default/
# for debugging pppd write logs here
# pppd-log = /var/log/pppd.log
# pass ppp interface name to pppd (if supported by a patched pppd)
# pppd-ifname = ppp1
# pass an ipparam string to pppd, e.g. the device name (a similar use case)
# pppd-ipparam = 'device=$DEVICE'
# instruct pppd to call a script instead of passing arguments (if pppd supports it)
# pppd-call = script
# use-syslog = 0
insecure-ssl = 0
cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
persistent = 0
seclevel-1 = 0
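The trusted-cert entries above and the --trusted-cert option pin the gateway by the sha256 of its DER encoding. The following added example (not openfortivpn's code) reads the key = value config format shown above, collecting repeated trusted-cert lines, and checks a PEM certificate against the pinned digests; the certificate bytes are a constructed placeholder, not a real X.509 certificate, and a comment-stripping rule of "everything after #" is this example's assumption.

```python
import base64
import hashlib

# Constructed placeholder standing in for the gateway certificate: a tiny
# ASN.1 SEQUENCE, not a real certificate. A real one would be saved from
# `openssl s_client -connect <host:port>`; the digest logic is identical.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode to the DER bytes that are hashed."""
    body = pem.replace("-----BEGIN CERTIFICATE-----", "")
    body = body.replace("-----END CERTIFICATE-----", "")
    return base64.b64decode("".join(body.split()))


def trusted_cert_digest(der: bytes) -> str:
    """The <digest> value --trusted-cert expects: hex sha256 over DER."""
    return hashlib.sha256(der).hexdigest()


def parse_config(text: str) -> dict:
    """Reader for the key = value format; '#' starts a comment (assumed rule),
    and every key maps to a list so repeated trusted-cert lines are kept."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        options.setdefault(key, []).append(value)
    return options


def is_trusted(pem: str, options: dict) -> bool:
    """True when the certificate's DER sha256 is one of the pinned digests."""
    pinned = {digest.lower() for digest in options.get("trusted-cert", [])}
    return trusted_cert_digest(pem_to_der(pem)) in pinned


def lint_config(options: dict) -> list:
    """Settings worth flagging: insecure-ssl enabled, or a pinned digest that
    is not 64 hex characters (e.g. a PEM-file hash pasted by mistake)."""
    findings = []
    if options.get("insecure-ssl", ["0"])[-1] != "0":
        findings.append("insecure-ssl is enabled; prefer cipher-list")
    for digest in options.get("trusted-cert", []):
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            findings.append("trusted-cert is not a 64-char sha256 hex digest: " + digest)
    return findings
```

Note that `openssl dgst -sha256 server-cert.crt` hashes the file bytes as stored, so a PEM-encoded file has to be converted first (`openssl x509 -in server-cert.crt -outform DER`) or the digest will never match.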



