Provided by: openfortivpn_1.20.5-1_amd64 bug

NAME

       openfortivpn - Client for PPP+SSL VPN tunnel services

SYNOPSIS

       openfortivpn    [<host>[:<port>]]    [-u    <user>]    [-p   <pass>]   [--cookie=<cookie>]
       [--cookie-on-stdin]     [--pinentry=<name>]     [--otp=<otp>]      [--otp-prompt=<prompt>]
       [--otp-delay=<delay>]     [--no-ftm-push]     [--realm=<realm>]     [--ifname=<interface>]
       [--set-routes=<bool>]         [--no-routes]         [--set-dns=<bool>]          [--no-dns]
       [--half-internet-routes=<bool>]     [--ca-file=<file>]    [--user-cert=<file>]    [--user-
       cert=pkcs11:]      [--user-key=<file>]      [--use-syslog]       [--trusted-cert=<digest>]
       [--insecure-ssl]     [--cipher-list=<ciphers>]     [--min-tls=<version>]    [--seclevel-1]
       [--pppd-use-peerdns=<bool>] [--pppd-no-peerdns] [--pppd-log=<file>] [--pppd-plugin=<file>]
       [--pppd-ipparam=<string>]           [--pppd-ifname=<string>]          [--pppd-call=<name>]
       [--ppp-system=<string>] [--use-resolvconf=<bool>]  [--persistent=<interval>]  [-c  <file>]
       [-v|-q]
       openfortivpn --help
       openfortivpn --version

DESCRIPTION

       openfortivpn connects to a VPN by setting up a tunnel to the gateway at <host>:<port>.

OPTIONS

       --help Show the help message and exit.

       --version
              Show version and exit.

       -c <file>, --config=<file>
              Specify a custom configuration file (default: /etc/openfortivpn/config).

       -u <user>, --username=<user>
              VPN account username.

       -p <pass>, --password=<pass>
              VPN  account password in plain text.  For a secure alternative, use pinentry or let
              openfortivpn prompt for the password.

       --cookie=<cookie>
              A valid cookie (SVPNCOOKIE) to use in place of username and password.

       --cookie-on-stdin
              Read the cookie (SVPNCOOKIE) from standard input.

       --pinentry=<name>
              The pinentry program to use. Allows supplying the password in a secure manner.  For
              example: pinentry-gnome3 on Linux, or pinentry-mac on macOS.

       -o <otp>, --otp=<otp>
              One-Time-Password.

       --otp-prompt=<prompt>
              Search for the OTP password prompt starting with the string <prompt>.

       --otp-delay=<delay>
              Set  the  amount  of  time to wait before sending the One-Time-Password.  The delay
              time must be specified in seconds, where 0 means no wait (this is the default).

       --no-ftm-push
              Do not use FTM push  if  the  server  provides  the  option.   The  server  may  be
              configured  to  allow  two factor authentication through a push notification to the
              mobile application. If this option is provided, authentication based on OTP will be
              used instead.

       --realm=<realm>
              Connect  to the specified authentication realm. Defaults to empty, which is usually
              what you want.

       --ifname=<interface>
              Bind the connection to the specified network interface.

       --set-routes=<bool>, --no-routes
              Set if openfortivpn should try to configure IP routes through the VPN  when  tunnel
              is up. If used multiple times, the last one takes priority.

              --no-routes is the same as --set-routes=0.

       --half-internet-routes=<bool>
              Set  if  openfortivpn  should  add two 0.0.0.0/1 and 128.0.0.0/1 routes with higher
              priority instead of replacing the default route.

       --set-dns=<bool>, --no-dns
              Set if openfortivpn should add DNS name servers in /etc/resolv.conf when tunnel  is
              up.  Also  a dns-suffix may be received from the peer and added to /etc/resolv.conf
              in the turn of adding the name servers.  resolvconf is instructed to do the  update
              of  the  resolv.conf  file  if  it  is installed and --use-resolvconf is activated,
              otherwise openfortivpn  prepends  its  changes  to  the  existing  content  of  the
              resolv.conf   file.    Note   that   there   may  be  other  mechanisms  to  update
              /etc/resolv.conf, e.g., --pppd-use-peerdns in  conjunction  with  an  ip-up-script,
              which  may require that openfortivpn is called with --no-dns.  --no-dns is the same
              as --set-dns=0.

       --use-resolvconf=<bool>
              Set  if  openfortivpn  should  use  resolvconf  to  add   DNS   name   servers   in
              /etc/resolv.conf.  If  it  is  set to false, the builtin fallback mechanism is used
              even if resolvconf is available.

       --ca-file=<file>
              Use specified PEM-encoded certificate bundle instead of system-wide store to verify
              the gateway certificate.

       --user-cert=<file>
              Use  specified PEM-encoded certificate if the server requires authentication with a
              certificate.

       --user-cert=pkcs11:
              Use at least the string pkcs11: for using a smartcard.  It  takes  the  full  or  a
              partial PKCS11-URI (p11tool --list-token-urls)

                --user-cert = pkcs11:

                --user-cert = pkcs11:token=someuser

                --user-cert                                                                     =
              pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser

              This feature requires the OpenSSL PKCS engine!

       --user-key=<file>
              Use  specified  PEM-encoded  key  if  the  server  requires  authentication  with a
              certificate.

       --pem-passphrase=<pass>
              Pass phrase for the PEM-encoded key.

       --use-syslog
              Log to syslog instead of terminal.

       --trusted-cert=<digest>
              Trust a given gateway. If classical SSL certificate validation fails,  the  gateway
              certificate  will be matched against this value. <digest> is the X509 certificate's
              sha256 sum. The certificate has to be encoded in DER form.  This option can be used
              multiple times to trust several certificates.

       --insecure-ssl
              Do  not disable insecure SSL protocols/ciphers.  If your server requires a specific
              cipher, consider using --cipher-list instead.

       --cipher-list=<ciphers>
              OpenSSL ciphers to use. If default does not work, you can try alternatives such  as
              HIGH:!MD5:!RC4  or  as  suggested  by  the Cipher: line in the output of openssl(1)
              (e.g. AES256-GCM-SHA384):

              $ openssl s_client -connect <host:port>

              (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)

              Applies to TLS v1.2 or lower only, not to be used with TLS v1.3 ciphers.

       --min-tls=<version>
              Use minimum TLS version instead of system default. Valid values are 1.0, 1.1,  1.2,
              1.3.

       --seclevel-1
              If  --cipher-list  is  not  specified, add @SECLEVEL=1 to the list of ciphers. This
              lowers limits on dh key.

              Applies to TLS v1.2 or lower only.

       --pppd-use-peerdns=<bool>, --pppd-no-peerdns
              Whether to ask peer ppp server for  DNS  server  addresses  and  let  pppd  rewrite
              /etc/resolv.conf.  There is no mechanism to tell the dns-suffix to pppd. If the DNS
              server addresses are requested, also --set-dns=1 may race with  the  mechanisms  in
              pppd.

              --pppd-no-peerdns is the same as --pppd-use-peerdns=0.

       --pppd-log=<file>
              Set pppd in debug mode and save its logs into <file>.

       --pppd-plugin=<file>
              Use specified pppd plugin instead of configuring the resolver and routes directly.

       --pppd-ipparam=<string>
              Provides  an  extra  parameter to the ip-up, ip-pre-up and ip-down scripts. See man
              pppd(8) for further details

       --pppd-ifname=<string>
              Set the ppp interface name. Only if supported by pppd.  Patched  versions  of  pppd
              implement this option but may not be available on your platform.

       --pppd-call=<name>
              Drop  usual  arguments  from pppd command line and add `call <name>' instead.  This
              can be useful on Debian and Ubuntu, where unprivileged users  in  group  `dip'  can
              invoke   `pppd   call   <name>'   to   make   pppd  read  and  apply  options  from
              /etc/ppp/peers/<name> (including privileged ones).

       --ppp-system=<string>
              Only available if compiled for ppp user space client (e.g. on FreeBSD).  Connect to
              the specified system as defined in /etc/ppp/ppp.conf

       --persistent=<interval>
              Run  the  VPN  persistently  in  an endless loop and try to reconnect forever.  The
              reconnect interval may be specified in seconds, where 0 means no reconnect is  done
              (this is the default).

       -v     Increase verbosity. Can be used multiple times to be even more verbose.

       -q     Decrease verbosity. Can be used multiple times to be even less verbose.

ENVIRONMENT and proxy support

       openfortivpn  can  be run behind an HTTP proxy that supports the HTTP connect command.  It
       checks if one of the environment variables https_proxy HTTPS_PROXY all_proxy ALL_PROXY  is
       set which are supposed to contain a string of the format
       http://[host]:[port]
       where  [host] is the ip or the fully qualified host name of the proxy server [port] is the
       TCP port number where the proxy is listening for incoming connections.  If  one  of  these
       variables is defined, openfortivpn tries to first establish a TCP connection to this proxy
       (plain HTTP, not encrypted), and then makes a request to connect to the VPN host as  given
       on  the  command  line  or in the configuration file. The proxy is supposed to forward any
       subsequent packets transparently to the VPN host, so that the TLS layer of the  connection
       effectively is established between the client and the VPN host, and the proxy just acts as
       a forwarding instance on the lower level of the TCP connection.

       The following environment variables are set by openfortivpn and pppd(8) or its scripts can
       obtain information this way:
       VPN_GATEWAY the ip of the gateway host
       and  for each route three variables are set up, where an integer number is appended to the
       variable names, denoting the number of the current route:
       VPN_ROUTE_DEST_... the destination network of the route
       VPN_ROUTE_MASK_... the network mask for this route
       VPN_ROUTE_GATEWAY_... the gateway for the current route entry

       If not compiled for pppd the  pppd  options  and  features  that  rely  on  them  are  not
       available. On FreeBSD --ppp-system is available instead.

CONFIGURATION

       Options  can  be  taken from a configuration file. Options passed in the command line will
       override those from the configuration file, though.  The  default  configuration  file  is
       /etc/openfortivpn/config,  but this can be set using the -c option.  An empty template for
       the configuration file is installed to /usr/share/openfortivpn/config.template

       A configuration file looks like:
              # this is a comment
              host = vpn-gateway
              port = 443
              username = foo
              # Password in plain text.
              # For a secure alternative,  use  pinentry  or  let  openfortivpn  prompt  for  the
              password.
              # password = bar
              # The pinentry program to use. Allows supplying the password in a secure manner.
              # pinentry = pinentry-mac
              # realm = some-realm
              # useful for a gui that passes a configuration file to openfortivpn
              # otp = 123456
              # otp-delay = 0
              # otp-prompt = Please
              # This would disable FTM push notification support, and use OTP instead
              # no-ftm-push = 1
              user-cert = /etc/openfortivpn/user-cert.pem
              # user-cert = pkcs1: # use smartcard as client certificate
              user-key = /etc/openfortivpn/user-key.pem
              pem-passphrase = baz
              # the sha256 digest of the trusted host certs obtained by
              # openssl dgst -sha256 server-cert.crt:
              trusted-cert = certificatedigest4daa8c5fe6c...
              trusted-cert = othercertificatedigest6631bf...
              # This would specify a ca bundle instead of system-wide store
              # ca-file = /etc/openfortivpn/ca-bundle.pem
              set-dns = 0
              use-resolvconf = 1
              set-routes = 1
              half-internet-routes = 0
              pppd-use-peerdns = 1
              # alternatively, use a specific pppd plugin instead
              # pppd-plugin = /usr/lib/pppd/default/some-plugin.so
              # for debugging pppd write logs here
              # pppd-log = /var/log/pppd.log
              # pass ppp interface name to pppd (if supported by a patched pppd)
              # pppd-ifname = ppp1
              # pass an ipparam string to pppd, e.g. the device name (a similar use case)
              # pppd-ipparam = 'device=$DEVICE'
              # instruct pppd to call a script instead of passing arguments (if pppd supports it)
              # pppd-call = script
              # use-syslog = 0
              insecure-ssl = 0
              cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
              persistent = 0
              seclevel-1 = 0

SEE ALSO

       The  openfortivpn home page (https://github.com/adrienverge/openfortivpn) provides a short
       introduction in the README file and additional information under the Wiki tab.

                                           May 4, 2020                            OPENFORTIVPN(1)