openfortivpn man page

openfortivpn — Client for PPP+SSL VPN tunnel services

Synopsis

openfortivpn [<host>:<port>] [-u <user>] [-p <pass>] [--realm=<realm>] [--no-routes] [--no-dns] [--ca-file=<file>] [--user-cert=<file>] [--user-key=<file>] [--use-syslog] [--trusted-cert=<digest>] [--insecure-ssl] [--cipher-list=<ciphers>] [--pppd-no-peerdns] [--pppd-log=<file>] [--pppd-plugin=<file>] [-c <file>] [-v|-q]
openfortivpn --help
openfortivpn --version

Description

openfortivpn connects to a VPN by setting up a tunnel to the gateway at <host>:<port>.

Options

--help

Show this help message and exit.

--version

Show version and exit.

-c <file>, --config=<file>

Specify a custom config file (default: /etc/openfortivpn/config).

-u <user>, --username=<user>

VPN account username.

-p <pass>, --password=<pass>

VPN account password.

--realm=<realm>

Connect to the specified authentication realm. Defaults to empty, which is usually what you want.

--no-routes

Do not try to configure IP routes through the VPN when tunnel is up.

--no-dns

Do not add VPN nameservers in /etc/resolv.conf when tunnel is up.

--ca-file=<file>

Use specified PEM-encoded certificate bundle instead of system-wide store to verify the gateway certificate.

--user-cert=<file>

Use specified PEM-encoded certificate if the server requires authentication with a certificate.

--user-key=<file>

Use specified PEM-encoded key if the server requires authentication with a certificate.

--use-syslog

Log to syslog instead of terminal.

--trusted-cert=<digest>

Trust a given gateway certificate. If standard SSL certificate validation fails, the gateway certificate is matched against this value. <digest> is the sha256 sum of the X509 certificate, written in hexadecimal. This option can be used multiple times to trust several certificates. Note that this pins one exact certificate: the value should be obtained out of band (from the gateway administrator) rather than copied from a connection you cannot yet verify, and it must be updated whenever the gateway certificate is renewed.

--insecure-ssl

Leave insecure SSL protocols and ciphers enabled, which weakens the transport security of the tunnel. If your server merely requires a specific cipher, use --cipher-list instead.

--cipher-list=<ciphers>

OpenSSL cipher list to use. If the default does not work, try an alternative such as HIGH:!MD5:!RC4, or the cipher named on the Cipher: line of the output of openssl(1) (e.g. AES256-GCM-SHA384):

$ openssl s_client -connect <host:port>

(default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)

--pppd-no-peerdns

Do not ask peer ppp server for DNS addresses and do not make pppd rewrite /etc/resolv.conf.

--pppd-log=<file>

Run pppd in debug mode and save its log to <file>.

--pppd-plugin=<file>

Use specified pppd plugin instead of configuring the resolver and routes directly.

-v

Increase verbosity. Can be used multiple times to be even more verbose.

-q

Decrease verbosity. Can be used multiple times to be even less verbose.

Config File

Options can be taken from a configuration file. Options passed on the command line override those from the config file. The default config file is /etc/openfortivpn/config, but another can be set using the -c option. Because the file may contain the account password and the private key path, it should be readable only by the user running openfortivpn (normally root).

A config file looks like:

# this is a comment
host = vpn-gateway
port = 8443
username = foo
password = bar
user-cert = /etc/openfortivpn/user-cert.pem
user-key = /etc/openfortivpn/user-key.pem
trusted-cert = certificatedigest4daa8c5fe6c...
trusted-cert = othercertificatedigest6631bf...
# This would specify a ca bundle instead of system-wide store
# ca-file = /etc/openfortivpn/ca-bundle.pem
set-dns = 1
set-routes = 1
pppd-use-peerdns = 1
insecure-ssl = 0
cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
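The following Python helpers, added here as an example and not part of openfortivpn itself, tie together the trusted-cert option and the config file above: they compute the digest to pin from a PEM certificate, normalise the colon-separated form that openssl prints, apply the same "accept only if the digest is pinned" check that the option describes, and write a config file created with mode 0600 so a stored password is never world-readable. It assumes that the digest openfortivpn compares is the SHA-256 of the certificate's DER encoding (the value `openssl x509 -noout -fingerprint -sha256` reports, lower-cased and without colons), not a hash of the PEM text; the embedded certificate is a constructed placeholder, not a real gateway certificate.

```python
"""Helpers for openfortivpn's trusted-cert digest and a locked-down config file.

Added example for this page, not openfortivpn's own code. Assumption: the
digest matched by --trusted-cert is the SHA-256 of the certificate's DER
encoding, i.e. what `openssl x509 -noout -fingerprint -sha256` prints once
the colons are removed and the hex is lower-cased.
"""
import base64
import hashlib
import os
import re
import stat

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_digest(der):
    """SHA-256 of DER bytes as 64 lowercase hex characters (trusted-cert form)."""
    return hashlib.sha256(der).hexdigest()


def trusted_cert_digest(pem):
    """Digest in the form the trusted-cert option expects, from a PEM cert."""
    return der_digest(pem_to_der(pem))


def normalize_fingerprint(text):
    """Accept an `openssl x509 -fingerprint -sha256` line, a colon-separated
    fingerprint, or a bare hex string, and return the trusted-cert form."""
    value = text.split("=", 1)[1] if "=" in text else text
    digest = value.strip().replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ValueError("not a SHA-256 digest: %r" % text)
    return digest


def cert_is_trusted(pem, trusted_digests):
    """The fallback check the option describes: accept the presented
    certificate only if its digest equals one of the pinned values."""
    pinned = {normalize_fingerprint(d) for d in trusted_digests}
    return trusted_cert_digest(pem) in pinned


def write_config(path, host, port, username, trusted_digests, password=None):
    """Write an openfortivpn config file readable only by its owner.

    The file is created with mode 0600 before any secret is written, and
    fchmod() tightens an existing file that may have had a looser mode."""
    lines = ["host = %s" % host, "port = %d" % port, "username = %s" % username]
    if password is not None:
        lines.append("password = %s" % password)
    lines += ["trusted-cert = %s" % normalize_fingerprint(d) for d in trusted_digests]
    lines += ["set-dns = 1", "set-routes = 1", "pppd-use-peerdns = 1", "insecure-ssl = 0"]
    text = "\n".join(lines) + "\n"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, 0o600)
        f.write(text)
    return text


def config_mode(path):
    """Permission bits of a file, for checking the config really is 0600."""
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed placeholder, NOT a real gateway certificate: 96 arbitrary bytes
# wrapped in PEM armour so the helpers above can be exercised offline.
FAKE_DER = bytes(range(96))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(FAKE_DER).decode()
              + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    digest = trusted_cert_digest(SAMPLE_PEM)
    print("trusted-cert =", digest)
    path = "/tmp/openfortivpn-example.conf"
    print(write_config(path, "vpn-gateway", 8443, "foo", [digest]))
    print("mode: %o" % config_mode(path))
```

To pin a real gateway, capture its certificate with `openssl s_client -connect <host:port> -showcerts` over a connection you trust (or obtain the PEM from the administrator), feed it to `trusted_cert_digest`, and put the result on a trusted-cert line; if the value ever stops matching, treat it as a renewed certificate to verify out of band, not as a reason to add --insecure-ssl.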

Info

November 10, 2016