FreeBSD Manual Pages


OPENFORTIVPN(1)		    General Commands Manual	       OPENFORTIVPN(1)

NAME
       openfortivpn - Client for PPP+SSL VPN tunnel services

SYNOPSIS
       openfortivpn [_host_[:_port_]] [-u _user_] [-p _pass_]
                    [--pinentry=_name_] [--otp=_otp_] [--otp-prompt=_prompt_]
                    [--otp-delay=_delay_] [--no-ftm-push] [--realm=_realm_]
                    [--ifname=_interface_] [--set-routes=<bool>] [--no-routes]
                    [--set-dns=<bool>] [--no-dns] [--half-internet-routes=<bool>]
                    [--ca-file=_file_] [--user-cert=_file_] [--user-cert=pkcs11:]
                    [--user-key=_file_] [--use-syslog] [--trusted-cert=_digest_]
                    [--insecure-ssl] [--cipher-list=_ciphers_] [--min-tls=_version_]
                    [--seclevel-1] [--pppd-use-peerdns=<bool>] [--pppd-no-peerdns]
                    [--pppd-log=_file_] [--pppd-plugin=_file_]
                    [--pppd-ipparam=_string_] [--pppd-ifname=_string_]
                    [--pppd-call=_name_] [--ppp-system=_string_]
                    [--use-resolvconf=_bool_] [--persistent=_interval_]
                    [-c _file_] [-v|-q]
       openfortivpn --help
       openfortivpn --version

DESCRIPTION
       openfortivpn connects to a VPN by setting up a tunnel to the gateway at

OPTIONS
       --help Show the help message and exit.

       --version
              Show version and exit.

       -c _file_, --config=_file_
	      Specify	a   custom   configuration   file  (default:  /usr/lo-

       -u _user_, --username=_user_
	      VPN account username.

       -p _pass_, --password=_pass_
	      VPN account password in plain text.  For a  secure  alternative,
	      use pinentry or let openfortivpn prompt for the password.

       --pinentry=_name_
              The pinentry program to use. Allows supplying the password in a
              secure manner. For example: pinentry-gnome3 on Linux, or
              pinentry-mac on macOS.

       -o _otp_, --otp=_otp_

       --otp-prompt=_prompt_
              Search for the OTP password prompt starting with the string

       --otp-delay=_delay_
              Set the amount of time to wait before sending the One-Time
              Password. The delay time must be specified in seconds, where 0
              means no wait (this is the default).

       --no-ftm-push
              Do not use FTM push if the server provides the option. The
              server may be configured to allow two factor authentication
              through a push notification to the mobile application. If this
              option is provided, authentication based on OTP will be used in-

       --realm=_realm_
              Connect to the specified authentication realm. Defaults to
              empty, which is usually what you want.

       --ifname=_interface_
              Bind the connection to the specified network interface.

       --set-routes=_bool_, --no-routes
              Set if openfortivpn should try to configure IP routes through
              the VPN when the tunnel is up. If used multiple times, the last
              one takes priority.

              --no-routes is the same as --set-routes=0.

       --half-internet-routes=_bool_
              Set if openfortivpn should add two and
              routes with higher priority instead of replacing the default

       --set-dns=_bool_, --no-dns
              Set if openfortivpn should add DNS name servers in
              /etc/resolv.conf when the tunnel is up. Also a dns-suffix may be
              received from the peer and added to /etc/resolv.conf along with
              the name servers. resolvconf is instructed to do the update of
              the resolv.conf file if it is installed and --use-resolvconf is
              activated, otherwise openfortivpn prepends its changes to the
              existing content of the resolv.conf file. Note that there may
              be other mechanisms to update /etc/resolv.conf, e.g.,
              --pppd-use-peerdns in conjunction with an ip-up-script, which
              may require that openfortivpn is called with --no-dns.
              --no-dns is the same as --set-dns=0.

       --use-resolvconf=_bool_
              Set if openfortivpn should use resolvconf to add DNS name
              servers in /etc/resolv.conf. If it is set to false, the builtin
              fallback mechanism is used even if resolvconf is available.
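The fallback behaviour described for --set-dns, openfortivpn prepending its changes to the existing resolv.conf and taking them out again when the tunnel goes down, as an added Python example (this is not openfortivpn's own code). Two points are this example's own assumptions: the dns-suffix received from the peer is written as a `search` entry, and marker comments are used to find the inserted block again on teardown. Because the resolver honours only the last `search`/`domain` line in the file, a prepended `search` line alone would be overridden by an existing one; the example therefore folds the existing domains into its own line and disables the originals with a prefix that `remove_vpn_dns` strips again. The starting file content is constructed.

```python
# Constructed resolv.conf as it might exist before the tunnel comes up.
RESOLV_CONF_BEFORE = """\
# Generated by dhclient (constructed sample)
search corp.example.test
nameserver 192.0.2.53
"""

# Marker comments are this example's own device for finding its block again.
MARK_BEGIN = "# openfortivpn begin (example marker)"
MARK_END = "# openfortivpn end (example marker)"
DISABLED = "#openfortivpn-disabled: "


def _search_domains(lines):
    """Domains from every search/domain line, in file order."""
    found = []
    for line in lines:
        parts = line.split()
        if parts and parts[0] in ("search", "domain"):
            found.extend(parts[1:])
    return found


def prepend_vpn_dns(existing, nameservers, dns_suffix=None):
    """Put the VPN's name servers first, keeping the old content below.

    The resolver honours only the last search/domain line, so a prepended
    'search' alone would lose to an existing one: the existing domains are
    merged into this block's line and the originals are disabled in a way
    remove_vpn_dns() can undo."""
    old = existing.splitlines()
    block = [MARK_BEGIN]
    domains = ([dns_suffix] if dns_suffix else []) + _search_domains(old)
    if domains:
        # dict.fromkeys() removes duplicates while keeping the order
        block.append("search " + " ".join(dict.fromkeys(domains)))
    block += [f"nameserver {ns}" for ns in nameservers]
    block.append(MARK_END)
    kept = []
    for line in old:
        parts = line.split()
        if parts and parts[0] in ("search", "domain"):
            kept.append(DISABLED + line)
        else:
            kept.append(line)
    return "\n".join(block + kept) + "\n"


def remove_vpn_dns(content):
    """Reverse prepend_vpn_dns() when the tunnel goes down; content that
    carries no marker block comes back unchanged."""
    out, skipping = [], False
    for line in content.splitlines():
        if line == MARK_BEGIN:
            skipping = True
            continue
        if line == MARK_END:
            skipping = False
            continue
        if skipping:
            continue
        if line.startswith(DISABLED):
            line = line[len(DISABLED):]
        out.append(line)
    return "\n".join(out) + ("\n" if out else "")
```

Calling `prepend_vpn_dns(RESOLV_CONF_BEFORE, ["198.51.100.10"], "vpn.example.test")` yields a file whose first `search` line reads `search vpn.example.test corp.example.test`, and `remove_vpn_dns` on that result returns the original content byte for byte. The race the manual warns about (pppd rewriting the same file under --pppd-use-peerdns) is exactly what such a marker scheme cannot protect against, which is why the two mechanisms should not be enabled together.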

       --ca-file=_file_
              Use the specified PEM-encoded certificate bundle instead of the
              system-wide store to verify the gateway certificate.

       --user-cert=_file_
              Use the specified PEM-encoded certificate if the server requires
              authentication with a certificate.

       --user-cert=pkcs11:
              Use at least the string pkcs11: for using a smartcard. It takes
              the full or a partial PKCS11-URI (p11tool --list-token-urls):

                     --user-cert = pkcs11:

                     --user-cert = pkcs11:token=someuser

                     --user-cert = pkcs11:model=PKCS%2315%20emulated;manufac-

              This feature requires the OpenSSL PKCS engine!

       --user-key=_file_
              Use the specified PEM-encoded key if the server requires
              authentication with a certificate.

       --pem-passphrase=_pass_
              Pass phrase for the PEM-encoded key.

       --use-syslog
              Log to syslog instead of the terminal.

       --trusted-cert=_digest_
              Trust a given gateway. If classical SSL certificate validation
              fails, the gateway certificate will be matched against this
              value. _digest_ is the X509 certificate's sha256 sum. The
              certificate has to be encoded in DER form. This option can be
              used multiple times to trust several certificates.
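The digest comparison described for --trusted-cert, as an added Python example that is not openfortivpn's own code: it strips the PEM armour, base64-decodes to the DER bytes the manual says the hash covers, and consults the trusted list only when ordinary chain validation has failed. The certificate is a constructed stand-in whose base64 body decodes to the three bytes `abc`, not a real X.509 certificate, and the function names (`pem_to_der`, `gateway_trusted`) are this example's own. One caveat worth knowing: the `openssl dgst -sha256 server-cert.crt` command shown in the configuration example on this page produces the expected value only when `server-cert.crt` is the DER encoding; hashing a PEM file gives a different digest, and the option will silently never match.

```python
import base64
import hashlib
import re

# Constructed stand-in for a gateway certificate. It is NOT a real X.509
# certificate: the base64 body decodes to the three bytes b"abc", which is
# enough to exercise the PEM -> DER -> sha256 path end to end.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)

_PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = _PEM_BODY.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop newlines and whitespace
    return base64.b64decode(body, validate=True)


def cert_digest(der):
    """The value --trusted-cert expects: sha256 over the DER bytes, as hex."""
    return hashlib.sha256(der).hexdigest()


def normalize_digest(text):
    """Accept 'AB:CD:..' (openssl -fingerprint style) or bare hex; lowercase."""
    return text.replace(":", "").strip().lower()


def gateway_trusted(der, classic_validation_ok, trusted_digests):
    """Mirror the rule the manual states: the digest list is consulted only
    after classical certificate validation has failed."""
    if classic_validation_ok:
        return True
    wanted = cert_digest(der)
    return any(normalize_digest(d) == wanted for d in trusted_digests)
```

With a real certificate file, `pem_to_der(open("gateway.pem").read())` followed by `cert_digest(...)` gives the string to put after `trusted-cert =`; keeping the comparison case-insensitive and colon-tolerant avoids the most common reason a pinned digest "does not work".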

       --insecure-ssl
              Do not disable insecure SSL protocols/ciphers. If your server
              requires a specific cipher, consider using --cipher-list in-

       --cipher-list=_ciphers_
              OpenSSL ciphers to use. If the default does not work, you can
              try alternatives such as HIGH:!MD5:!RC4 or the one suggested by
              the Cipher: line in the output of openssl(1) (e.g.
              AES256-GCM-SHA384):

              $ openssl s_client -connect _host:port_

              (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)

              Applies to TLS v1.2 or lower only, not to be used with TLS v1.3.

       --min-tls=_version_
              Use the given minimum TLS version instead of the system default.
              Valid values are 1.0, 1.1, 1.2, 1.3.

       --seclevel-1
              If --cipher-list is not specified, add @SECLEVEL=1 to the list
              of ciphers. This lowers the limits on the DH key.

              Applies to TLS v1.2 or lower only.

       --pppd-use-peerdns=_bool_, --pppd-no-peerdns
              Whether to ask the peer ppp server for DNS server addresses and
              let pppd rewrite /etc/resolv.conf. There is no mechanism to
              tell the dns-suffix to pppd. If the DNS server addresses are
              requested, --set-dns=1 may also race with the mechanisms in
              pppd.

              --pppd-no-peerdns is the same as --pppd-use-peerdns=0.

       --pppd-log=_file_
              Set pppd in debug mode and save its logs into _file_.

       --pppd-plugin=_file_
              Use the specified pppd plugin instead of configuring the
              resolver and routes directly.

       --pppd-ipparam=_string_
              Provides an extra parameter to the ip-up, ip-pre-up and ip-down
              scripts. See pppd(8) for further details.

       --pppd-ifname=_string_
              Set the ppp interface name. Only if supported by pppd. Patched
              versions of pppd implement this option but may not be available
              on your platform.

       --pppd-call=_name_
              Drop the usual arguments from the pppd command line and add
              `call <name>' instead. This can be useful on Debian and Ubuntu,
              where unprivileged users in group `dip' can invoke `pppd call
              <name>' to make pppd read and apply options from
              /etc/ppp/peers/<name> (including privileged ones).

       --ppp-system=_string_
              Only available if compiled for the ppp user space client (e.g.
              on FreeBSD). Connect to the specified system as defined in
       --persistent=_interval_
              Run the VPN persistently in an endless loop and try to
              reconnect forever. The reconnect interval may be specified in
              seconds, where 0 means no reconnect is done (this is the
              default).

       -v     Increase verbosity. Can be used multiple times to	be  even  more

       -q     Decrease	verbosity.  Can	be used	multiple times to be even less

ENVIRONMENT and proxy support
       openfortivpn can be run behind an HTTP proxy that supports the HTTP
       connect command. It checks if one of the environment variables
       https_proxy HTTPS_PROXY all_proxy ALL_PROXY is set, which are supposed
       to contain a string of the format
       where [host] is the ip or the fully qualified host name of the proxy
       server and [port] is the TCP port number where the proxy is listening
       for incoming connections. If one of these variables is defined,
       openfortivpn tries to first establish a TCP connection to this proxy
       (plain HTTP, not encrypted), and then makes a request to connect to
       the VPN host as given on the command line or in the configuration
       file. The proxy is supposed to forward any subsequent packets
       transparently to the VPN host, so that the TLS layer of the connection
       effectively is established between the client and the VPN host, and
       the proxy just acts as a forwarding instance on the lower level of the
       TCP connection.
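The proxy exchange described above as an added Python example; it is not openfortivpn's own code. The exact value format of the proxy variables is not reproduced on this page, so the example assumes `host:port` with an optional `http://` prefix, and the order in which it consults the four variables is the example's own choice; `connect_request`, `parse_connect_response` and `tunnel_established` are its own names. The important detail it shows is on the receiving side: anything after the proxy's header block already belongs to the TLS session with the gateway and must be handed on, not dropped.

```python
import os

# Variables the manual lists; the order they are consulted in is this
# example's choice, not something the page documents.
PROXY_VARS = ("https_proxy", "HTTPS_PROXY", "all_proxy", "ALL_PROXY")


def proxy_from_env(env=None):
    """Return (host, port) of the HTTP proxy, or None when no variable is set.

    ASSUMED value format: 'host:port', optionally prefixed with 'http://'.
    Only a plain-HTTP proxy makes sense here, since the CONNECT request is
    sent in the clear before TLS to the gateway begins."""
    env = os.environ if env is None else env
    for name in PROXY_VARS:
        value = (env.get(name) or "").strip()
        if not value:
            continue
        if "://" in value:
            scheme, _, value = value.partition("://")
            if scheme.lower() != "http":
                raise ValueError(f"{name}: unsupported proxy scheme {scheme!r}")
        value = value.rstrip("/")
        host, sep, port = value.rpartition(":")   # rpartition keeps [v6] hosts intact
        if not sep or not host or not port.isdigit():
            raise ValueError(f"{name}: expected host:port, got {value!r}")
        return host, int(port)
    return None


def connect_request(vpn_host, vpn_port):
    """The request sent to the proxy: ask it to open a raw TCP tunnel to the
    gateway given on the command line or in the configuration file."""
    target = f"{vpn_host}:{vpn_port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def parse_connect_response(data):
    """Return (status_code, leftover_bytes).

    Only a 2xx status means the tunnel is open. Bytes after the header block
    already belong to the TLS session with the gateway, so they are returned
    to the caller instead of being discarded."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1]), rest


def tunnel_established(response):
    """Check performed before handing the socket to the TLS layer."""
    code, _ = parse_connect_response(response)
    return 200 <= code < 300
```

A proxy that accepts the tunnel answers with a line such as `HTTP/1.1 200 Connection established` followed by an empty line; a `407` means it wants credentials first, and since the hop to the proxy is unencrypted, any such credentials travel in the clear on that segment.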

       The following environment variables are set by openfortivpn, and
       pppd(8) or its scripts can obtain information this way:
       VPN_GATEWAY the ip of the gateway host
       and for each route three variables are set up, where an integer number
       is appended to the variable names, denoting the number of the current
       VPN_ROUTE_DEST_... the destination network of the route
       VPN_ROUTE_MASK_... the network mask for this route
       VPN_ROUTE_GATEWAY_... the gateway for the current route entry
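An added example, not openfortivpn's code, of how an ip-up style script might consume the variables listed above. The page does not say at which integer the numbering starts, so the example assumes 0 and walks upward until `VPN_ROUTE_DEST_<n>` is absent; the environment it reads is constructed, and the route(8) command lines it builds use FreeBSD syntax and are returned as strings rather than executed. Validating each value with the `ipaddress` module before it reaches a shell command is the point of the exercise: the values come from the VPN peer, so a script should treat them as untrusted input.

```python
import ipaddress
import os

# Constructed environment, standing in for what openfortivpn exports to
# pppd(8) and its scripts. Numbering from 0 is an ASSUMPTION of this example.
SAMPLE_ENV = {
    "VPN_GATEWAY": "192.0.2.1",
    "VPN_ROUTE_DEST_0": "10.0.0.0",
    "VPN_ROUTE_MASK_0": "255.0.0.0",
    "VPN_ROUTE_GATEWAY_0": "192.0.2.1",
    "VPN_ROUTE_DEST_1": "172.16.5.0",
    "VPN_ROUTE_MASK_1": "255.255.255.0",
    "VPN_ROUTE_GATEWAY_1": "192.0.2.1",
}


def collect_vpn_routes(env=None):
    """Return a list of (network, gateway) pairs validated with ipaddress.

    Walks VPN_ROUTE_DEST_<n> from n = 0 upward and stops at the first missing
    index. A DEST without its MASK or GATEWAY raises KeyError rather than
    being guessed, and a value that is not an address raises ValueError, so
    nothing unparsed can reach a shell command."""
    env = os.environ if env is None else env
    routes = []
    n = 0
    while f"VPN_ROUTE_DEST_{n}" in env:
        dest = env[f"VPN_ROUTE_DEST_{n}"]
        mask = env[f"VPN_ROUTE_MASK_{n}"]
        gateway = ipaddress.ip_address(env[f"VPN_ROUTE_GATEWAY_{n}"])
        # strict=False normalises a destination with host bits set instead
        # of rejecting it, which is what route(8) would do as well.
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((network, gateway))
        n += 1
    return routes


def route_commands(routes):
    """FreeBSD route(8) invocations an ip-up script could run, one per entry.
    Returned as strings; nothing is executed here."""
    return [f"route add -net {net.with_prefixlen} {gw}" for net, gw in routes]
```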

       If not compiled for pppd, the pppd options and features that rely on
       them are not available. On FreeBSD --ppp-system is available instead.

       Options can be taken from a configuration file. Options passed on the
       command line will override those from the configuration file, though.
       The default configuration file is /usr/local/etc/openfortivpn/config,
       but this can be set using the -c option. An empty template for the
       configuration file is installed to /usr/local/share/openfortivpn/con-

       A configuration file looks like:
              # this is a comment
              host = vpn-gateway
              port = 443
              username = foo
              # Password in plain text.
              # For a secure alternative, use pinentry or let openfortivpn
              # prompt for the password.
              # password = bar
              # The pinentry program to use. Allows supplying the password in
              # a secure manner.
              # pinentry = pinentry-mac
              # realm = some-realm
              # useful for a gui that passes a configuration file to open-
              # otp = 123456
              # otp-delay = 0
              # otp-prompt = Please
              # This would disable FTM push notification support, and use OTP
              # no-ftm-push = 1
              user-cert = /usr/local/etc/openfortivpn/user-cert.pem
              # user-cert = pkcs11: # use smartcard as client certificate
              user-key = /usr/local/etc/openfortivpn/user-key.pem
              pem-passphrase = baz
              # the sha256 digest of the trusted host certs obtained by
              # openssl dgst -sha256 server-cert.crt:
              trusted-cert = certificatedigest4daa8c5fe6c...
              trusted-cert = othercertificatedigest6631bf...
              # This would specify a ca bundle instead of system-wide store
              # ca-file = /usr/local/etc/openfortivpn/ca-bundle.pem
              set-dns = 0
              use-resolvconf = 1
              set-routes = 1
              half-internet-routes = 0
              pppd-use-peerdns = 1
              # alternatively, use a specific pppd plugin instead
              # pppd-plugin = /usr/lib/pppd/default/
              # for debugging pppd write logs here
              # pppd-log = /var/log/pppd.log
              # pass ppp interface name to pppd (if supported by a patched
              # pppd-ifname = ppp1
              # pass an ipparam string to pppd, e.g. the device name (a
              # similar use case)
              # pppd-ipparam = 'device=$DEVICE'
              # instruct pppd to call a script instead of passing arguments
              # (if pppd supports it)
              # pppd-call = script
              # use-syslog = 0
              insecure-ssl = 0
              cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
              persistent = 0
              seclevel-1 = 0
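An added example, not openfortivpn's own parser, showing the two rules stated above in Python: a `key = value` file in which `#` starts a comment and `trusted-cert` may appear several times, and command-line options applied on top so that they override the file and, for repeated or contradictory flags such as `--set-routes=1 --no-routes`, the last one wins. The sample configuration is constructed, values are kept as strings (the quoting used for `pppd-ipparam` is left to the caller), and only the option forms that appear in the SYNOPSIS on this page are handled.

```python
# Constructed configuration in the file format shown above.
CONFIG_TEXT = """\
# constructed sample, not a real deployment
host = vpn-gateway
port = 443
username = foo
set-routes = 1
set-dns = 0
trusted-cert = certificatedigest4daa8c5fe6c
trusted-cert = othercertificatedigest6631bf
"""

MULTI = {"trusted-cert"}           # may be given several times (see --trusted-cert)
NEGATED = {                        # bare flags the manual defines as <key>=0
    "--no-routes": "set-routes",
    "--no-dns": "set-dns",
    "--pppd-no-peerdns": "pppd-use-peerdns",
}
SHORT = {"-u": "username", "-p": "password", "-c": "config", "-o": "otp"}


def parse_config(text):
    """Parse 'key = value' lines; '#' starts a comment, blank lines are
    ignored. Values stay strings; quoting (as in pppd-ipparam) is left to
    the caller."""
    options = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = key.strip(), value.strip()
        if key in MULTI:
            options.setdefault(key, []).append(value)
        else:
            options[key] = value
    return options


def apply_command_line(options, argv):
    """Return a new mapping with command-line options layered over the file.

    Arguments are applied in order, so a later one overrides an earlier one
    and '--set-routes=1 --no-routes' ends with set-routes = 0; multi-valued
    keys accumulate. The input mapping is not modified."""
    merged = {k: (list(v) if isinstance(v, list) else v)
              for k, v in options.items()}
    args = list(argv)
    while args:
        arg = args.pop(0)
        if arg in NEGATED:
            merged[NEGATED[arg]] = "0"
        elif arg in SHORT:
            if not args:
                raise ValueError(f"{arg} requires a value")
            merged[SHORT[arg]] = args.pop(0)
        elif arg in ("-v", "-q"):
            merged["verbosity"] = merged.get("verbosity", 0) + (1 if arg == "-v" else -1)
        elif arg.startswith("--"):
            key, sep, value = arg[2:].partition("=")
            if not sep:
                value = "1"              # bare flag such as --use-syslog
            if key in MULTI:
                merged.setdefault(key, []).append(value)
            else:
                merged[key] = value
        elif not arg.startswith("-"):
            host, sep, port = arg.rpartition(":")   # positional host[:port]
            if sep and port.isdigit():
                merged["host"], merged["port"] = host, port
            else:
                merged["host"] = arg
        else:
            raise ValueError(f"unknown option {arg!r}")
    return merged
```

`apply_command_line(parse_config(CONFIG_TEXT), ["--no-routes", "--set-routes=1"])` therefore ends with `set-routes` equal to `"1"`, while reversing the two flags ends with `"0"`, which is the "last one takes priority" rule the --set-routes description states.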

       The openfortivpn home page ( fortivpn) provides a short introduction
       in the README file and additional information under the Wiki tab.

				  May 4, 2020		       OPENFORTIVPN(1)

