Provided by: openfortivpn_1.12.0-1_amd64

NAME

       openfortivpn - Client for PPP+SSL VPN tunnel services

SYNOPSIS

       openfortivpn     [<host>[:<port>]]     [-u     <user>]     [-p    <pass>]    [--otp=<otp>]
       [--otp-prompt=<prompt>]  [--otp-delay=<delay>]   [--realm=<realm>]   [--set-routes=<bool>]
       [--no-routes]      [--set-dns=<bool>]      [--no-dns]      [--half-internet-routes=<bool>]
       [--ca-file=<file>]    [--user-cert=<file>]    [--user-cert=pkcs11:]    [--user-key=<file>]
       [--use-syslog]    [--trusted-cert=<digest>]   [--insecure-ssl]   [--cipher-list=<ciphers>]
       [--pppd-use-peerdns=<bool>] [--pppd-no-peerdns] [--pppd-log=<file>] [--pppd-plugin=<file>]
       [--pppd-ipparam=<string>]           [--pppd-ifname=<string>]          [--pppd-call=<name>]
       [--ppp-system=<string>] [--persistent=<interval>] [-c <file>] [-v|-q]
       openfortivpn --help
       openfortivpn --version

DESCRIPTION

       openfortivpn connects to a VPN by setting up a tunnel to the gateway at <host>:<port>.

OPTIONS

       --help Show the help message and exit.

       --version
              Show version and exit.

       -c <file>, --config=<file>
              Specify a custom config file (default: /etc/openfortivpn/config).

       -u <user>, --username=<user>
              VPN account username.

       -p <pass>, --password=<pass>
              VPN account password.

       -o <otp>, --otp=<otp>
              One-Time-Password.

       --otp-prompt=<prompt>
              Search for the OTP password prompt starting with the string <prompt>.

       --otp-delay=<delay>
              Set the amount of time to wait before sending  the  One-Time-Password.   The  delay
              time must be specified in seconds, where 0 means no wait (this is the default).

       --realm=<realm>
              Connect  to the specified authentication realm. Defaults to empty, which is usually
              what you want.

       --set-routes=<bool>, --no-routes
              Set if openfortivpn should try to configure IP routes through the VPN  when  tunnel
              is up. If used multiple times, the last one takes priority.

              --no-routes is the same as --set-routes=0.

       --half-internet-routes=<bool>
              Set  if  openfortivpn  should  add two 0.0.0.0/1 and 128.0.0.0/1 routes with higher
              priority instead of replacing the default route.

       --set-dns=<bool>, --no-dns
              Set if openfortivpn should add DNS name servers to /etc/resolv.conf when the tunnel
              is up. A dns-suffix may also be received from the peer and added to /etc/resolv.conf
              together with the name servers. resolvconf is instructed to do the update of the
              resolv.conf file if it is installed, otherwise openfortivpn prepends its changes to
              the existing content of the resolv.conf file. Note that there may be other
              mechanisms to update /etc/resolv.conf, e.g., --pppd-use-peerdns in conjunction with
              an ip-up script, which may require that openfortivpn is called with --no-dns.

              --no-dns is the same as --set-dns=0.

       --ca-file=<file>
              Use specified PEM-encoded certificate bundle instead of system-wide store to verify
              the gateway certificate.

       --user-cert=<file>
              Use specified PEM-encoded certificate if the server requires authentication with  a
              certificate.

       --user-cert=pkcs11:
              Use at least the string pkcs11: for using a smartcard. It takes the full or a
              partial PKCS11-URI (see p11tool --list-token-urls), for example:

                --user-cert = pkcs11:

                --user-cert = pkcs11:token=someuser

                --user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser

              This feature requires OpenSSL PKCS engine!

       --user-key=<file>
              Use specified  PEM-encoded  key  if  the  server  requires  authentication  with  a
              certificate.

       --use-syslog
              Log to syslog instead of terminal.

       --trusted-cert=<digest>
              Trust  a  given gateway. If classical SSL certificate validation fails, the gateway
              certificate will be matched against this value. <digest> is the X509  certificate's
              sha256 sum. The certificate has to be encoded in DER form.  This option can be used
              multiple times to trust several certificates.
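The <digest> expected by --trusted-cert is the SHA-256 of the certificate's DER bytes, not of its PEM text. The following is an added example (not openfortivpn's own code) that produces that value from a PEM certificate and matches a presented digest against a list of trusted ones; the certificate material is a constructed placeholder, not a real X.509 certificate, and the fetch helper is an assumption about how one would obtain the gateway's certificate.

```python
import base64
import hashlib
import hmac
import ssl
from typing import Iterable

# Constructed stand-in for a gateway certificate: 48 arbitrary bytes wrapped in
# PEM armour. It is NOT a real X.509 certificate; only the byte-for-byte hashing
# of the DER body matters for this demonstration.
CONSTRUCTED_DER = bytes(range(48))
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END lines and base64-decode the body, which yields the
    same bytes as `openssl x509 -outform DER` would write."""
    return ssl.PEM_cert_to_DER_cert(pem)


def cert_digest_from_der(der: bytes) -> str:
    """The <digest> value: lowercase hex SHA-256 over the DER encoding."""
    return hashlib.sha256(der).hexdigest()


def cert_digest_from_pem(pem: str) -> str:
    """Convenience wrapper for a certificate stored as PEM (the usual case)."""
    return cert_digest_from_der(pem_to_der(pem))


def is_trusted(digest: str, trusted: Iterable[str]) -> bool:
    """Match a presented certificate's digest against the --trusted-cert list.

    Digests are compared case-insensitively and in constant time; the option
    may be given several times, hence the list."""
    want = digest.strip().lower()
    return any(hmac.compare_digest(want, t.strip().lower()) for t in trusted)


def fetch_gateway_digest(host: str, port: int = 443) -> str:
    """Fetch the gateway's leaf certificate over TLS and return its digest.

    ssl.get_server_certificate does not validate the chain, which is exactly
    the situation --trusted-cert exists for; confirm the value with the
    gateway administrator before putting it in the config. Not called by the
    offline demonstration below."""
    return cert_digest_from_pem(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    digest = cert_digest_from_pem(CONSTRUCTED_PEM)
    print("trusted-cert =", digest)
    # Hashing the PEM text instead of the DER bytes gives a different value,
    # which is the mistake the "DER form" requirement guards against.
    print("PEM-text hash differs:", digest != cert_digest_from_der(CONSTRUCTED_PEM.encode()))
```

Because the digest pins a single certificate, it has to be refreshed whenever the gateway's certificate is renewed; keeping several trusted-cert lines during a rollover is what the "can be used multiple times" wording is for.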

       --insecure-ssl
              Do not disable insecure SSL protocols/ciphers.  If your server requires a  specific
              cipher, consider using --cipher-list instead.

       --cipher-list=<ciphers>
              OpenSSL  ciphers to use. If default does not work, you can try alternatives such as
              HIGH:!MD5:!RC4 or as suggested by the Cipher: line  in  the  output  of  openssl(1)
              (e.g. AES256-GCM-SHA384):

              $ openssl s_client -connect <host:port>

              (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)

       --pppd-use-peerdns=<bool>, --pppd-no-peerdns
              Whether to ask the peer ppp server for DNS server addresses and let pppd rewrite
              /etc/resolv.conf. There is no mechanism to tell the dns-suffix to pppd. If the DNS
              server addresses are requested, --set-dns=1 may also race with the mechanisms in
              pppd.

              --pppd-no-peerdns is the same as --pppd-use-peerdns=0.

       --pppd-log=<file>
              Set pppd in debug mode and save its logs into <file>.

       --pppd-plugin=<file>
              Use specified pppd plugin instead of configuring the resolver and routes directly.

       --pppd-ipparam=<string>
              Provides an extra parameter to the ip-up, ip-pre-up and ip-down  scripts.  See  man
              pppd(8) for further details

       --pppd-ifname=<string>
              Set  the  ppp  interface  name. Only if supported by pppd. Patched versions of pppd
              implement this option but may not be available on your platform.

       --pppd-call=<name>
              Drop usual arguments from pppd command line and add `call  <name>'  instead.   This
              can  be  useful  on  Debian and Ubuntu, where unprivileged users in group `dip' can
              invoke  `pppd  call  <name>'  to  make   pppd   read   and   apply   options   from
              /etc/ppp/peers/<name> (including privileged ones).

       --ppp-system=<string>
              Only available if compiled for ppp user space client (e.g. on FreeBSD).  Connect to
              the specified system as defined in /etc/ppp/ppp.conf

       --persistent=<interval>
              Run the VPN persistently in an endless loop and  try  to  reconnect  forever.   The
              reconnect  interval may be specified in seconds, where 0 means no reconnect is done
              (this is the default).

       -v     Increase verbosity. Can be used multiple times to be even more verbose.

       -q     Decrease verbosity. Can be used multiple times to be even less verbose.

ENVIRONMENT and proxy support

       openfortivpn can be run behind an HTTP proxy that supports the HTTP CONNECT command. It
       checks whether one of the environment variables https_proxy, HTTPS_PROXY, all_proxy or
       ALL_PROXY is set; these are expected to contain a string of the format
       http://[host]:[port]
       where [host] is the IP address or the fully qualified host name of the proxy server and
       [port] is the TCP port number on which the proxy listens for incoming connections. If one
       of these variables is defined, openfortivpn first establishes a TCP connection to this
       proxy (plain HTTP, not encrypted) and then requests a connection to the VPN host given on
       the command line or in the config file. The proxy is expected to forward all subsequent
       packets transparently to the VPN host, so that the TLS session is effectively established
       between the client and the VPN host, with the proxy acting only as a forwarder at the TCP
       level.
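The proxy exchange described above, as an added example that is not part of openfortivpn: it reads the proxy address from the environment variables named in this section, builds the plaintext CONNECT request, and checks the proxy's answer before the socket would be handed to TLS. The lookup order of the four variables, the example host names and the replayed proxy replies are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Lookup order is an assumption; the man page only lists the four names.
PROXY_ENV_VARS = ("https_proxy", "HTTPS_PROXY", "all_proxy", "ALL_PROXY")


def proxy_from_env(env):
    """Return (host, port) of the proxy or None when no variable is set.

    The value must have the http://[host]:[port] form; a missing port is an
    error rather than a guessed default."""
    for name in PROXY_ENV_VARS:
        value = env.get(name)
        if not value:
            continue
        parts = urlsplit(value)
        if parts.scheme.lower() != "http" or not parts.hostname or parts.port is None:
            raise ValueError(f"{name}={value!r} is not of the form http://[host]:[port]")
        return parts.hostname, parts.port
    return None


def build_connect_request(vpn_host, vpn_port):
    """Plaintext CONNECT request sent to the proxy. Only after a 2xx answer does
    the TLS handshake with the gateway begin, on the same socket."""
    authority = f"{vpn_host}:{vpn_port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")


def parse_connect_response(raw):
    """Parse the proxy's reply head and return (status, reason)."""
    head, sep, _rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    fields = head.split(b"\r\n", 1)[0].decode("iso-8859-1").split(" ", 2)
    if len(fields) < 2 or not fields[0].startswith("HTTP/") or not fields[1].isdigit():
        raise ValueError(f"malformed status line: {fields!r}")
    return int(fields[1]), (fields[2] if len(fields) == 3 else "")


def open_tunnel(sock, vpn_host, vpn_port, max_header=16384):
    """Send CONNECT on a socket already connected to the proxy and consume the
    reply. Returns any bytes received past the header so they are not lost
    when the socket is handed to the TLS layer; raises if the proxy refuses."""
    sock.sendall(build_connect_request(vpn_host, vpn_port))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
        if len(buf) > max_header:
            raise ValueError("proxy response header too large")
    status, reason = parse_connect_response(buf)
    if not 200 <= status < 300:
        raise ConnectionError(f"proxy refused CONNECT: {status} {reason}")
    return buf.partition(b"\r\n\r\n")[2]


class FakeProxySocket:
    """Minimal socket stand-in replaying a constructed proxy reply."""

    def __init__(self, reply):
        self.reply, self.sent = reply, b""

    def sendall(self, data):
        self.sent += data

    def recv(self, n):
        chunk, self.reply = self.reply[:n], self.reply[n:]
        return chunk


# Constructed proxy replies for the demonstration.
PROXY_OK = b"HTTP/1.1 200 Connection established\r\nProxy-Agent: example\r\n\r\n"
PROXY_DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    env = {"https_proxy": "http://proxy.example:3128"}  # constructed
    print("proxy:", proxy_from_env(env))
    leftover = open_tunnel(FakeProxySocket(PROXY_OK), "vpn-gateway", 443)
    print("tunnel up, leftover bytes:", leftover)
```

The CONNECT request and the proxy's status line travel in the clear, so the proxy (and anyone on that hop) learns which VPN host is being reached; the TLS session itself is negotiated with the gateway, which is why certificate checks such as --trusted-cert still apply unchanged behind a proxy.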

       The following environment variables are set by openfortivpn, so that pppd(8) or its
       scripts can obtain information this way:

              VPN_GATEWAY            the IP of the gateway host

       For each route, three variables are set up, where an integer number is appended to the
       variable names, denoting the number of the current route:

              VPN_ROUTE_DEST_...     the destination network of the route
              VPN_ROUTE_MASK_...     the network mask for this route
              VPN_ROUTE_GATEWAY_...  the gateway for the current route entry

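A script run by pppd would consume those variables as shown in the following added example (not openfortivpn's own code). The environment is constructed; since the man page does not state the first route number, the route keys are discovered by pattern instead of being counted from 0 or 1, and an incomplete route (DEST without MASK or GATEWAY) is reported rather than skipped.

```python
import ipaddress
import re

ROUTE_DEST = re.compile(r"^VPN_ROUTE_DEST_(\d+)$")

# Constructed environment as an ip-up script would see it once the tunnel is up.
CONSTRUCTED_ENV = {
    "VPN_GATEWAY": "192.0.2.1",
    "VPN_ROUTE_DEST_0": "10.0.0.0",
    "VPN_ROUTE_MASK_0": "255.0.0.0",
    "VPN_ROUTE_GATEWAY_0": "192.0.2.1",
    "VPN_ROUTE_DEST_1": "198.51.100.0",
    "VPN_ROUTE_MASK_1": "255.255.255.0",
    "VPN_ROUTE_GATEWAY_1": "192.0.2.1",
}


def routes_from_env(env):
    """Return [(network, gateway), ...] ordered by route number.

    A DEST without its MASK or GATEWAY sibling raises, because applying half
    of a route table is worse than applying none of it."""
    found = []
    for key, dest in env.items():
        match = ROUTE_DEST.match(key)
        if not match:
            continue
        number = match.group(1)
        try:
            mask = env[f"VPN_ROUTE_MASK_{number}"]
            gateway = env[f"VPN_ROUTE_GATEWAY_{number}"]
        except KeyError as missing:
            raise ValueError(f"route {number} is missing {missing.args[0]}") from None
        # strict=False tolerates host bits in DEST; the mask decides the prefix.
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        found.append((int(number), network, ipaddress.ip_address(gateway)))
    found.sort(key=lambda item: item[0])
    return [(network, gateway) for _, network, gateway in found]


def gateway_from_env(env):
    """VPN_GATEWAY as an address object, so a malformed value fails early."""
    return ipaddress.ip_address(env["VPN_GATEWAY"])


def ip_route_commands(env):
    """Render the routes as `ip route replace` command strings (not executed)."""
    return [f"ip route replace {network} via {gateway}"
            for network, gateway in routes_from_env(env)]


if __name__ == "__main__":
    print("gateway:", gateway_from_env(CONSTRUCTED_ENV))
    for command in ip_route_commands(CONSTRUCTED_ENV):
        print(command)
```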
       If  not  compiled  for  pppd  the  pppd  options  and  features  that rely on them are not
       available. On FreeBSD --ppp-system is available instead.

CONFIG FILE

       Options can be taken from a configuration file; options passed on the command line
       override those from the config file. The default config file is /etc/openfortivpn/config,
       but this can be set using the -c option. An empty template for the config file is
       installed to /usr/share/openfortivpn/config.template

       A config file looks like:
              # this is a comment
              host = vpn-gateway
              port = 443
              username = foo
              password = bar
              # realm = some-realm
              # useful for a gui that passes a config file to openfortivpn
              # otp = 123456
              # otp-delay = 0
              # otp-prompt = Please
              # pinentry = pinentry program
              user-cert = /etc/openfortivpn/user-cert.pem
              # user-cert = pkcs11: # use smartcard as client certificate
              user-key = /etc/openfortivpn/user-key.pem
              # the sha256 digest of the trusted host certs obtained by
              # openssl dgst -sha256 server-cert.crt:
              trusted-cert = certificatedigest4daa8c5fe6c...
              trusted-cert = othercertificatedigest6631bf...
              # This would specify a ca bundle instead of system-wide store
              # ca-file = /etc/openfortivpn/ca-bundle.pem
              set-dns = 0
              set-routes = 1
              half-internet-routes = 0
              pppd-use-peerdns = 1
              # alternatively, use a specific pppd plugin instead
              # pppd-plugin = /usr/lib/pppd/default/some-plugin.so
              # for debugging pppd write logs here
              # pppd-log = /var/log/pppd.log
              # pass ppp interface name to pppd (if supported by a patched pppd)
              # pppd-ifname = ppp1
              # pass an ipparam string to pppd, e.g. the device name (a similar use case)
              # pppd-ipparam = 'device=$DEVICE'
              # instruct pppd to call a script instead of passing arguments (if pppd supports it)
              # pppd-call = script
              # use-syslog = 0
              insecure-ssl = 0
              cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
              persistent = 0
              seclevel-1 = 0
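The following added example (not openfortivpn's own parser) reads a file in the format shown above and applies the precedence rules this section and the OPTIONS section state: `key = value` lines with `#` comments, command-line options overriding the file, the last occurrence of a repeated option winning, and trusted-cert accumulating because it may be given several times. The sample config text and digests are constructed placeholders; treating trusted-cert from both sources as additive, and accepting only 0/1 for <bool> options, are assumptions of the example. Because the file can hold password and otp in clear text, the loader also refuses a file readable by other local users.

```python
import os
import stat

# Options that may legitimately be repeated; everything else is last-wins.
MULTI_VALUED = {"trusted-cert"}

# Constructed config text; the digests are placeholders, not real values.
CONSTRUCTED_CONFIG = """\
# this is a comment
host = vpn-gateway
port = 443
username = foo
password = bar
set-routes = 0
set-routes = 1
trusted-cert = PLACEHOLDER_DIGEST_ONE
trusted-cert = PLACEHOLDER_DIGEST_TWO
"""


def parse_config(text):
    """Return {option: value}; trusted-cert is collected into a list."""
    options = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        if key in MULTI_VALUED:
            options.setdefault(key, []).append(value)
        else:
            options[key] = value  # "if used multiple times, the last one takes priority"
    return options


def merge_options(config, cli):
    """Apply command-line options (long names, already parsed) on top of the
    config file. For trusted-cert the two sources are concatenated, which is an
    assumption of this example rather than a rule the man page states."""
    merged = dict(config)
    for key, value in cli.items():
        if key in MULTI_VALUED:
            merged[key] = list(config.get(key, [])) + list(value)
        else:
            merged[key] = value
    return merged


def as_bool(value):
    """<bool> options are written as 0 or 1 in the config example; anything
    else is rejected here (assumption: no other spellings are accepted)."""
    if value not in ("0", "1"):
        raise ValueError(f"expected 0 or 1, got {value!r}")
    return value == "1"


def config_is_private(mode):
    """True when the permission bits grant nothing to group or others. The
    file may hold password and otp, so 0600 is the only sensible mode."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def load_config_file(path):
    """Read and parse a config file from disk, refusing one that other local
    users can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not config_is_private(mode):
        raise PermissionError(f"{path}: mode {mode:04o} exposes credentials; use 0600")
    with open(path, encoding="utf-8") as fh:
        return parse_config(fh.read())


if __name__ == "__main__":
    cfg = parse_config(CONSTRUCTED_CONFIG)
    final = merge_options(cfg, {"username": "bar", "set-routes": "0"})
    print("set-routes:", as_bool(final["set-routes"]), "trusted:", final["trusted-cert"])
```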

                                        December 11, 2019                         OPENFORTIVPN(1)