openfortivpn man page

openfortivpn — Client for PPP+SSL VPN tunnel services

Synopsis

openfortivpn [<host>:<port>] [-u <user>] [-p <pass>] [--realm=<realm>] [--no-routes] [--no-dns] [--ca-file=<file>] [--user-cert=<file>] [--user-key=<file>] [--use-syslog] [--trusted-cert=<digest>] [--insecure-ssl] [--cipher-list=<ciphers>] [--pppd-no-peerdns] [--pppd-log=<file>] [--pppd-plugin=<file>] [-c <file>] [-v|-q]
openfortivpn --help
openfortivpn --version

Description

openfortivpn connects to a VPN by setting up a tunnel to the gateway at <host>:<port>.

Options

-h, --help

Show this help message and exit.

--version

Show version and exit.

-c <file>, --config=<file>

Specify a custom config file (default: /etc/openfortivpn/config).

-u <user>, --username=<user>

VPN account username.

-p <pass>, --password=<pass>

VPN account password.

--realm=<realm>

Connect to the specified authentication realm. Defaults to empty, which is usually what you want.

--no-routes

Do not try to configure IP routes through the VPN when the tunnel is up.

--no-dns

Do not add VPN nameservers to /etc/resolv.conf when the tunnel is up.

--ca-file=<file>

Use the specified PEM-encoded certificate bundle instead of the system-wide store to verify the gateway certificate.

--user-cert=<file>

Use the specified PEM-encoded certificate if the server requires authentication with a certificate.

--user-key=<file>

Use the specified PEM-encoded key if the server requires authentication with a certificate.

--use-syslog

Log to syslog instead of the terminal.

--trusted-cert=<digest>

Trust a given gateway. If classical SSL certificate validation fails, the gateway certificate is matched against this value. <digest> is the sha256 sum of the X509 certificate. This option can be used multiple times to trust several certificates.

--insecure-ssl

Do not disable insecure SSL protocols/ciphers. If your server requires a specific cipher, consider using --cipher-list instead.

--cipher-list=<ciphers>

OpenSSL cipher list to use. If the default does not work, you can try alternatives such as HIGH:!MD5:!RC4, or the cipher suggested by the Cipher: line in the output of openssl(1) (e.g. AES256-GCM-SHA384):

$ openssl s_client -connect <host:port>

(default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)

--pppd-no-peerdns

Do not ask the peer ppp server for DNS addresses and do not make pppd rewrite /etc/resolv.conf.

--pppd-log=<file>

Set pppd in debug mode and save its logs into <file>.

--pppd-plugin=<file>

Use the specified pppd plugin instead of configuring the resolver and routes directly.

-v, --verbose

Increase verbosity. Can be used multiple times to be even more verbose.

-q, --quiet

Decrease verbosity. Can be used multiple times to be even less verbose.

Config File

Options can be taken from a configuration file. Options passed on the command line override those from the config file. The default config file is /etc/openfortivpn/config, but this can be changed with the -c option.

A config file looks like:

# this is a comment
host = vpn-gateway
port = 8443
username = foo
password = bar
user-cert = /etc/openfortivpn/user-cert.pem
user-key = /etc/openfortivpn/user-key.pem
trusted-cert = certificatedigest4daa8c5fe6c...
trusted-cert = othercertificatedigest6631bf...
# This would specify a ca bundle instead of system-wide store
# ca-file = /etc/openfortivpn/ca-bundle.pem
set-dns = 1
set-routes = 1
pppd-use-peerdns = 1
insecure-ssl = 0
cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
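The following script is an added example, not part of openfortivpn or this man page. It produces the value the --trusted-cert option and the trusted-cert config line above expect, and checks whether a gateway's certificate digest is already present in a config file. It assumes (the man page only says "sha256 sum") that the digest is the lowercase hex SHA-256 of the DER-encoded X509 certificate, and that the config file uses the `key = value` lines shown above with `#` starting a comment. The sample certificate and config embedded in it are constructed for the offline demonstration; the base64 body of the sample is not a real certificate.

```python
"""Added example (not openfortivpn's own code): compute the --trusted-cert digest
of a gateway certificate and check it against an openfortivpn-style config file.

Assumptions: the digest is the lowercase hex SHA-256 of the DER-encoded X509
certificate, and the config file uses 'key = value' lines with '#' comments.
"""
import hashlib
import ssl
import sys

# Constructed sample "certificate": the base64 body decodes to b"abc", so it is
# not a real certificate, but it exercises the same PEM-to-DER-to-sha256 path.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)

# Constructed config in the man page's format. The first trusted-cert value is
# sha256(b"abc"); the second is an obvious placeholder digest, not a real one.
SAMPLE_CONFIG = """\
# constructed example config
host = vpn-gateway
port = 8443
trusted-cert = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
trusted-cert = 0000000000000000000000000000000000000000000000000000000000000000
insecure-ssl = 0
"""


def pem_to_trusted_cert_digest(pem: str) -> str:
    """Hex SHA-256 over the DER encoding of one PEM certificate (assumed digest format)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def trusted_certs_from_config(config_text: str) -> list:
    """Return every 'trusted-cert = <digest>' value from an openfortivpn-style config."""
    digests = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "trusted-cert":
            digests.append(value.lower())
    return digests


def gateway_is_trusted(pem: str, config_text: str) -> bool:
    """True when the certificate's digest is among the config's trusted-cert entries."""
    return pem_to_trusted_cert_digest(pem) in trusted_certs_from_config(config_text)


def fetch_gateway_pem(host: str, port: int) -> str:
    """Fetch the gateway's leaf certificate as PEM. Nothing is validated here: the
    result is only for fingerprinting, so confirm the digest with whoever operates
    the gateway before adding it as a trusted-cert line."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <host>:<port> <config-file>
        host, _, port = sys.argv[1].partition(":")
        pem = fetch_gateway_pem(host, int(port or 443))
        with open(sys.argv[2]) as fh:
            config = fh.read()
    else:  # offline demonstration with the constructed sample data
        pem, config = SAMPLE_PEM, SAMPLE_CONFIG
    digest = pem_to_trusted_cert_digest(pem)
    print(f"trusted-cert = {digest}")
    if digest in trusted_certs_from_config(config):
        print("digest already present in config")
    else:
        print("digest NOT in config; verify it out of band before adding the line above")
```

Run without arguments it works on the embedded sample; with `<host>:<port> <config-file>` it fetches the live gateway certificate and reports whether the config already pins it. Pinning the digest this way narrows the window in which a changed gateway certificate goes unnoticed, but it is only as good as the out-of-band check of the first digest you record.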


November 10, 2016