openfortivpn - Client for PPP+SSL VPN tunnel services
openfortivpn [<host>:<port>] [-u <user>] [-p <pass>] [--otp=<otp>]
             [--realm=<realm>] [--set-routes=<bool>] [--no-routes]
             [--set-dns=<bool>] [--no-dns] [--half-internet-routes=<bool>]
             [--ca-file=<file>] [--user-cert=<file>] [--user-key=<file>]
             [--use-syslog] [--trusted-cert=<digest>] [--insecure-ssl]
             [--cipher-list=<ciphers>] [--pppd-no-peerdns] [--pppd-log=<file>]
             [--pppd-plugin=<file>] [--pppd-ipparam=<string>]
             [--pppd-ifname=<string>] [--pppd-call=<name>]
             [--persistent=<interval>] [-c <file>] [-v|-q]
openfortivpn --help
openfortivpn --version
openfortivpn connects to a VPN by setting up a tunnel to
the gateway at <host>:<port>.
- --help
- Show this help message and exit.
- --version
- Show version and exit.
- -c <file>,
--config=<file>
- Specify a custom config file (default: /etc/openfortivpn/config).
- -u <user>,
--username=<user>
- VPN account username.
- -p <pass>,
--password=<pass>
- VPN account password.
- -o <otp>,
--otp=<otp>
- One-Time-Password.
- --realm=<realm>
- Connect to the specified authentication realm. Defaults to empty, which is
usually what you want.
- --set-routes=<bool>,
--no-routes
- Set if openfortivpn should try to configure IP routes through the VPN when
the tunnel is up. If used multiple times, the last one takes priority.
--no-routes is the same as --set-routes=0.
- --half-internet-routes=<bool>
- Set if openfortivpn should add two 0.0.0.0/1 and 128.0.0.0/1 routes with
higher priority instead of replacing the default route.
- --set-dns=<bool>,
--no-dns
- Set if openfortivpn should add VPN nameservers in /etc/resolv.conf when the
tunnel is up. If used multiple times, the last one takes priority.
--no-dns is the same as --set-dns=0.
- --ca-file=<file>
- Use specified PEM-encoded certificate bundle instead of system-wide store
to verify the gateway certificate.
- --user-cert=<file>
- Use specified PEM-encoded certificate if the server requires
authentication with a certificate.
- --user-key=<file>
- Use specified PEM-encoded key if the server requires authentication with a
certificate.
- --use-syslog
- Log to syslog instead of terminal.
- --trusted-cert=<digest>
- Trust a given gateway. If classical SSL certificate validation fails, the
gateway certificate will be matched against this value.
<digest> is the X509 certificate's sha256 sum. This option
can be used multiple times to trust several certificates.
- --insecure-ssl
- Do not disable insecure SSL protocols/ciphers. If your server requires a
specific cipher, consider using --cipher-list instead.
- --cipher-list=<ciphers>
- OpenSSL ciphers to use. If the default does not work, you can try
alternatives such as HIGH:!MD5:!RC4, or the cipher suggested by the Cipher:
line in the output of openssl(1) (e.g. AES256-GCM-SHA384):
$ openssl s_client -connect <host:port>
(default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)
- --pppd-no-peerdns
- Do not ask peer ppp server for DNS server addresses and do not make pppd
rewrite /etc/resolv.conf.
- --pppd-log=<file>
- Set pppd in debug mode and save its logs into <file>.
- --pppd-plugin=<file>
- Use specified pppd plugin instead of configuring the resolver and routes
directly.
- --pppd-ipparam=<string>
- Provides an extra parameter to the ip-up, ip-pre-up and ip-down scripts.
See pppd(8) for further details.
- --pppd-ifname=<string>
- Set the ppp interface name. Only if supported by pppd. Patched versions of
pppd implement this option but may not be available on your platform.
- --pppd-call=<name>
- Drop usual arguments from pppd command line and add `call <name>'
instead. This can be useful on Debian and Ubuntu, where unprivileged users
in group `dip' can invoke `pppd call <name>' to make pppd read and
apply options from /etc/ppp/peers/<name> (including privileged
ones).
- --persistent=<interval>
- Runs the VPN persistently in an endless loop and tries to reconnect
forever. The reconnect interval may be specified in seconds, where 0 means
no reconnect is done (this is the default).
- -v
- Increase verbosity. Can be used multiple times to be even more
verbose.
- -q
- Decrease verbosity. Can be used multiple times to be even less verbose.
openfortivpn can be run behind an HTTP proxy that supports the HTTP CONNECT
method. It checks whether one of the environment variables https_proxy,
HTTPS_PROXY, all_proxy or ALL_PROXY is set; these are expected to contain a
string of the format
http://[host]:[port]
where [host] is the IP address or the fully qualified host name of the proxy
server and [port] is the TCP port number on which the proxy is listening for
incoming connections. If one of these variables is defined, openfortivpn first
establishes a TCP connection to this proxy (plain HTTP, not encrypted) and then
sends a request to connect to the VPN host given on the command line or in the
config file. The proxy is expected to forward all subsequent packets
transparently to the VPN host, so that the TLS layer of the connection is
effectively established between the client and the VPN host, and the proxy
merely acts as a forwarding instance at the lower level of the TCP connection.
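The proxy discovery and the CONNECT exchange described above, reproduced by hand as an added example (not openfortivpn's own code) so the proxy path can be checked independently of the client. It assumes the variables are tried in the order the manual lists them and uses a generic CONNECT request shape; the proxy and gateway names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not openfortivpn's own code: reproduce the proxy-discovery and
# CONNECT step by hand so the proxy path can be verified without openfortivpn.
# Assumptions: variables are tried in the order the manual lists them; the
# request form below is the usual CONNECT shape, not copied from openfortivpn.

# Print "host port" parsed from the first proxy variable that is set; fail if
# none is set or the value lacks a port.
proxy_from_env() {
    for url in "${https_proxy:-}" "${HTTPS_PROXY:-}" "${all_proxy:-}" "${ALL_PROXY:-}"; do
        [ -n "$url" ] || continue
        hp=${url#http://}      # drop the scheme, if present
        hp=${hp%/}             # tolerate a trailing slash
        case $hp in
            *:*) echo "${hp%:*} ${hp##*:}"; return 0 ;;
            *)   echo "proxy value '$url' has no port" >&2; return 1 ;;
        esac
    done
    return 1
}

# The plain-HTTP request sent to the proxy before any TLS is spoken.
connect_request() {   # $1 = VPN host, $2 = VPN port
    printf 'CONNECT %s:%s HTTP/1.1\r\nHost: %s:%s\r\n\r\n' "$1" "$2" "$1" "$2"
}

# Only a 2xx status line means the proxy is now forwarding the TCP stream.
connect_ok() {
    case $1 in
        HTTP/1.[01]" "2[0-9][0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check (needs network): let openssl do the same CONNECT, then the TLS
# handshake with the gateway, which is what openfortivpn expects to succeed.
check_proxy() {   # $1 = VPN host, $2 = VPN port
    proxy=$(proxy_from_env) || return 1
    set -- "$1" "$2" $proxy
    openssl s_client -proxy "$3:$4" -connect "$1:$2" </dev/null
}

# Constructed demo values (no network access): show what would be parsed and sent.
https_proxy=http://proxy.example.test:3128
proxy_from_env
connect_request vpn-gateway.example.test 8443
```

A non-2xx reply from the proxy (for example 407) is where the tunnel setup stops; that is the line to look at when the proxy path fails.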
The following environment variables are set by openfortivpn, so that pppd(8)
or its scripts can obtain information this way:
- VPN_GATEWAY
- the IP address of the gateway host
For each route, three further variables are set up, where an integer number is
appended to the variable names, denoting the number of the current route:
- VPN_ROUTE_DEST_...
- the destination network of the route
- VPN_ROUTE_MASK_...
- the network mask for this route
- VPN_ROUTE_GATEWAY_...
- the gateway for the current route entry
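An added example of consuming these variables from a pppd ip-up style script (not openfortivpn's or pppd's own code): it converts the dotted netmasks to prefix lengths and prints the resulting ip route commands. It assumes route indices start at 0 and may have gaps, checks at most 64 of them, and treats an empty VPN_ROUTE_GATEWAY_n as an on-link route; the route values in the demo are constructed.

```shell
#!/bin/sh
# Added example, not openfortivpn's own code: an ip-up style helper turning the
# VPN_ROUTE_*_n variables openfortivpn exports into "ip route add" commands.
# pppd(8) passes the interface name as $1. Assumptions: indices start at 0 and
# may have gaps, at most 64 are checked, and an empty VPN_ROUTE_GATEWAY_n means
# the destination is on-link via the ppp interface.

# Convert a dotted netmask (255.255.0.0) to a prefix length (16); fail on
# malformed or non-contiguous masks such as 255.0.255.0.
mask_to_prefix() {
    bits=0; tail=0; count=0; oldifs=$IFS; IFS=.
    for octet in $1; do
        case $octet in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;;
            240) n=4 ;; 224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;;
            *) IFS=$oldifs; return 1 ;;
        esac
        # after the first partial or zero octet, every later octet must be 0
        [ "$tail" -eq 1 ] && [ "$n" -ne 0 ] && { IFS=$oldifs; return 1; }
        [ "$n" -lt 8 ] && tail=1
        bits=$((bits + n)); count=$((count + 1))
    done
    IFS=$oldifs
    [ "$count" -eq 4 ] || return 1
    echo "$bits"
}

# Print one "ip route add" command per exported route, bound to interface $1.
vpn_route_cmds() {
    iface=$1; i=0
    while [ "$i" -lt 64 ]; do
        eval "dest=\${VPN_ROUTE_DEST_$i:-}"
        eval "mask=\${VPN_ROUTE_MASK_$i:-}"
        eval "gw=\${VPN_ROUTE_GATEWAY_$i:-}"
        i=$((i + 1))
        [ -n "$dest" ] || continue
        if prefix=$(mask_to_prefix "$mask"); then
            echo "ip route add $dest/$prefix${gw:+ via $gw} dev $iface"
        else
            echo "# skipping $dest: bad netmask '$mask'" >&2
        fi
    done
}

# Constructed sample (not real data): what openfortivpn would export for two
# routes. Drop these assignments when installing the script under /etc/ppp/.
VPN_ROUTE_DEST_0=10.10.0.0  VPN_ROUTE_MASK_0=255.255.0.0   VPN_ROUTE_GATEWAY_0=192.0.2.1
VPN_ROUTE_DEST_1=172.16.5.0 VPN_ROUTE_MASK_1=255.255.255.0 VPN_ROUTE_GATEWAY_1=
vpn_route_cmds "${1:-ppp0}"
```

To apply the routes rather than print them, pipe the function's output to sh; a malformed mask is reported on stderr and skipped instead of producing a broken route.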
Options can be taken from a configuration file. Options passed in
the command line will override those from the config file, though. The
default config file is /etc/openfortivpn/config, but this can be set using
the -c option. An empty template for the config file is installed to
/usr/share/openfortivpn/config.template.
A config file looks like:
# this is a comment
host = vpn-gateway
port = 8443
username = foo
password = bar
user-cert = /etc/openfortivpn/user-cert.pem
user-key = /etc/openfortivpn/user-key.pem
# the sha256 digest of the trusted host certs obtained by
# openssl dgst -sha256 server-cert.pem:
trusted-cert = certificatedigest4daa8c5fe6c...
trusted-cert = othercertificatedigest6631bf...
# This would specify a ca bundle instead of system-wide store
# ca-file = /etc/openfortivpn/ca-bundle.pem
set-dns = 0
set-routes = 1
half-internet-routes = 0
pppd-use-peerdns = 1
# alternatively, use a specific pppd plugin instead
# pppd-plugin = /usr/lib/pppd/default/some-plugin.so
# for debugging pppd write logs here
# pppd-log = /var/log/pppd.log
# pass an ipparam string to pppd
# pppd-ipparam = somestringtopasstopppd
insecure-ssl = 0
cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
persistent = 0