Provided by: openconnect_9.01-1_amd64

NAME
       openconnect - Multi-protocol VPN client, for Cisco AnyConnect VPNs and others

SYNOPSIS
       openconnect [--config configfile] [-b,--background] [--pid-file pidfile]
                   [-c,--certificate cert] [-e,--cert-expire-warning days] [-k,--sslkey key]
                   [-C,--cookie cookie] [--cookie-on-stdin] [--compression MODE] [-d,--deflate]
                   [-D,--no-deflate] [--force-dpd interval] [--force-trojan interval]
                   [-F,--form-entry form:opt=value] [-g,--usergroup group] [-h,--help]
                   [--http-auth methods] [-i,--interface ifname] [-l,--syslog] [--timestamp]
                   [--passtos] [-U,--setuid user] [--csd-user user] [-m,--mtu mtu]
                   [--base-mtu mtu] [-p,--key-password pass] [-P,--proxy proxyurl]
                   [--proxy-auth methods] [--no-proxy] [--libproxy] [--key-password-from-fsid]
                   [-q,--quiet] [-Q,--queue-len len] [-s,--script vpnc-script] [-S,--script-tun]
                   [-u,--user name] [-V,--version] [-v,--verbose] [-x,--xmlconfig config]
                   [--authgroup group] [--authenticate] [--cookieonly] [--printcookie]
                   [--cafile file] [--disable-ipv6] [--dtls-ciphers list] [--dtls12-ciphers list]
                   [--dtls-local-port port] [--dump-http-traffic] [--no-system-trust] [--pfs]
                   [--no-dtls] [--no-http-keepalive] [--no-passwd] [--no-xmlpost] [--non-inter]
                   [--passwd-on-stdin] [--protocol proto] [--token-mode mode]
                   [--token-secret {secret[,counter]|@file}] [--reconnect-timeout seconds]
                   [--resolve host:ip] [--servercert sha1] [--useragent string]
                   [--version-string string] [--local-hostname string] [--os string] [--server]

DESCRIPTION
       The program openconnect connects to VPN servers which use standard TLS/SSL, DTLS, and  ESP
       protocols for data transport.

       It was originally written to support Cisco "AnyConnect" VPN servers, and has since been
       extended with experimental support for Juniper Network Connect (--protocol=nc), Junos
       Pulse VPN servers (--protocol=pulse), PAN GlobalProtect VPN servers (--protocol=gp), F5
       Big-IP VPN servers (--protocol=f5), Fortinet Fortigate VPN servers (--protocol=fortinet)
       and Array Networks SSL VPN servers (--protocol=array).

       The  connection happens in two phases. First there is a simple HTTPS connection over which
       the user authenticates somehow - by using a certificate,  or  password  or  SecurID,  etc.
       Having authenticated, the user is rewarded with an authentication cookie which can be used
       to make the real VPN connection.

       The second phase uses that cookie to connect to a tunnel via HTTPS, and data  packets  can
       be  passed  over the resulting connection. When possible, a UDP tunnel is also configured:
       AnyConnect uses DTLS, while Juniper and GlobalProtect use UDP-encapsulated  ESP.  The  UDP
       tunnel  may  be  disabled with --no-dtls, but is preferred when correctly supported by the
       server and network for performance reasons. (TCP performs poorly and unreliably over  TCP-
       based tunnels; see

OPTIONS
       --config=CONFIGFILE
              Read  further options from CONFIGFILE before continuing to process options from the
              command line. The file should contain long-format options as would be  accepted  on
              the  command  line,  but  without  the two leading -- dashes. Empty lines, or lines
              where the first non-space character is a # character, are ignored.

              Any option except the config option may be specified in the file.

       -b,--background
              Continue in background after startup

       --pid-file=PIDFILE
              Save the pid to PIDFILE when backgrounding

       -c,--certificate=CERT [,--mca-certificate=CERT]
              Use SSL client certificate CERT which may be either a file name or, if  OpenConnect
              has been built with an appropriate version of GnuTLS, a PKCS#11 URL.

              The  --mca-certificate  option sets the secondary certificate for multi-certificate
              authentication (according to Cisco's terminology, the  SSL  client  certificate  is
              called  the  "machine" certificate, and the second certificate is called the "user"

       -e,--cert-expire-warning=DAYS
              Give a warning when SSL client certificate has DAYS left before expiry

       -k,--sslkey=KEY [,--mca-key=KEY]
              Use SSL private key KEY which may be either a file name or, if OpenConnect has been
              built with an appropriate version of GnuTLS, a PKCS#11 URL.

              The  --mca-key  option  sets  the  private  key  for the secondary certificate (see
              --mca-certificate ).

       -C,--cookie=COOKIE
              Use authentication cookie COOKIE.

       --cookie-on-stdin
              Read cookie from standard input.

       -d,--deflate
              Enable all compression,  including  stateful  modes.  By  default,  only  stateless
              compression algorithms are enabled.

       -D,--no-deflate
              Disable all compression.

       --compression=MODE
              Set compression mode, where MODE is one of stateless, none, or all.

              By  default, only stateless compression algorithms which do not maintain state from
              one packet to the next (and which can be used on UDP transports)  are  enabled.  By
              setting  the  mode  to all stateful algorithms (currently only zlib deflate) can be
              enabled. Or all compression can be disabled by setting the mode to none.

       --force-dpd=INTERVAL
              Use INTERVAL as Dead Peer Detection interval (in  seconds).  This  will  cause  the
              client to use DPD at the specified interval even if the server hasn't requested it,
              or at a different interval from the one requested by the server.

              DPD mechanisms vary by protocol and by transport (TLS or  DTLS/ESP),  but  are  all
              functionally  similar:  they  enable  either  the  VPN  client or the VPN server to
              transmit a signal to the peer, requesting an immediate reply which can be  used  to
              confirm that the link between the two peers is still working.

       -g,--usergroup=GROUP
              Use GROUP as login UserGroup

       -F,--form-entry=FORM:OPTION=VALUE
              Provide  authentication  form input, where FORM and OPTION are the identifiers from
              the form and the specific input field, and VALUE is the  string  to  be  filled  in
              automatically. For example, the standard username field (also handled by the --user
              option)  could   also   be   provided   with   this   option   thus:   --form-entry

              This  option  should  not  be used to enter passwords.  --passwd-on-stdin should be
              used for that purpose. Not only will this option expose the password value via  the
              OpenConnect  process's  command line, but unlike --passwd-on-stdin this option will
              not recognize the case of an incorrect password, and stop  trying  to  re-enter  it

       -h,--help
              Display help text

       --http-auth=METHODS
              Use  only  the  specified methods for HTTP authentication to a server.  By default,
              only Negotiate, NTLM and Digest authentication are enabled. Basic authentication is
              also  supported  but  because  it  is  insecure  it must be explicitly enabled. The
              argument is a comma-separated list of methods to be enabled. Note  that  the  order
              does   not   matter:  OpenConnect  will  use  Negotiate,  NTLM,  Digest  and  Basic
              authentication in that order, if each is enabled, regardless of the order specified
              in the METHODS string.

       -i,--interface=IFNAME
              Use IFNAME for tunnel interface

       -l,--syslog
              After tunnel is brought up, use syslog for further progress messages

       --timestamp
              Prepend a timestamp to each progress message

       --passtos
              Copy  TOS  / TCLASS of payload packet into DTLS and ESP packets. This is not set by
              default because it  may  leak  information  about  the  payload  (for  example,  by
              differentiating voice/video traffic).

       -U,--setuid=USER
              Drop privileges after connecting, to become user USER

       --csd-user=USER
              Drop privileges during execution of trojan binary or script (CSD, TNCC, or HIP).

       --csd-wrapper=SCRIPT
              Run SCRIPT instead of the trojan binary or script.

       --force-trojan=INTERVAL
              Use  INTERVAL  as  interval  (in  seconds) for repeat execution of Trojan binary or
              script, overriding default and/or server-set interval.

       -m,--mtu=MTU
              Request MTU from server as the MTU of the tunnel.

       --base-mtu=MTU
              Indicate MTU as the path MTU between client and server on the unencrypted  network.
              Newer  servers  will  automatically calculate the MTU to be used on the tunnel from
              this value.

       -p,--key-password=PASS [,--mca-key-password=PASS]
              Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM

              --mca-key-password provides the  passphrase  for  the  secondary  certificate  (see
              --mca-certificate ).

       -P,--proxy=PROXYURL
              Use  HTTP or SOCKS proxy for connection. A username and password can be provided in
              the given URL, and will be used for authentication. If authentication  is  required
              but  no  credentials  are  given,  GSSAPI  and  automatic NTLM authentication using
              Samba's ntlm_auth helper tool may be attempted.

       --proxy-auth=METHODS
              Use only the specified methods for HTTP authentication to  a  proxy.   By  default,
              only Negotiate, NTLM and Digest authentication are enabled. Basic authentication is
              also supported but because it is  insecure  it  must  be  explicitly  enabled.  The
              argument  is  a  comma-separated list of methods to be enabled. Note that the order
              does  not  matter:  OpenConnect  will  use  Negotiate,  NTLM,  Digest   and   Basic
              authentication in that order, if each is enabled, regardless of the order specified
              in the METHODS string.

       --no-proxy
              Disable use of proxy

       --libproxy
              Use libproxy to configure proxy automatically (when built with libproxy support)

       --key-password-from-fsid
              Passphrase for certificate file is automatically generated from  the  fsid  of  the
              file  system  on  which  it  is stored. The fsid is obtained from the statvfs(2) or
              statfs(2) system call, depending on the operating system. On  a  Linux  or  similar
              system  with  GNU  coreutils,  the  fsid used by this option should be equal to the
              output of the command:
               stat --file-system --printf='%i\n' "$CERTIFICATE"
              It is not the same as the 128-bit UUID of the file system.

       -q,--quiet
              Less output

       -Q,--queue-len=LEN
              Set packet queue limit to LEN packets. The default is 10. A high  value  may  allow
              better  overall  bandwidth  but  at  a cost of latency. If you run Voice over IP or
              other interactive traffic over the VPN, you don't want those packets to  be  queued
              behind thousands of other large packets which are part of a bulk transfer.

              This option sets the maximum inbound and outbound packet queue sizes in OpenConnect
              itself, which control how many packets will be sent and received in a single batch,
              as well as affecting other buffering such as the socket send buffer (SO_SNDBUF) for
              network connections and the OS tunnel device.

              Ultimately, the right size for a queue is "just enough packets that it never  quite
              gets  empty  before  more  are  pushed  to  it".  Any  higher  than  that is simply
              introducing bufferbloat and additional latency with no benefit. With the default of
              10,  we  are able to saturate a single Gigabit Ethernet from modest hardware, which
              is more than enough for most VPN users.

              If OpenConnect is built with vhost-net support, it will only be used if  the  queue
              length is set to 16 or more. This is because vhost-net introduces a small amount of
              additional latency, but improves  total  bandwidth  quite  considerably  for  those
              operating  at  high  traffic rates. Thus it makes sense to use it when the user has
              indicated a preference for bandwidth over latency, by increasing the queue size.

       -s,--script=SCRIPT
              Invoke SCRIPT to configure the network after connection. Without this, routing  and
              name  service  are  unlikely  to  work  correctly.  The  script  is  expected to be
               compatible with the vpnc-script which is shipped with the "vpnc" VPN client. See
               for more information. This version of OpenConnect is configured to use

              On Windows, a relative directory for the default script will be handled as starting
              from the directory that the openconnect executable is running from, rather than the
              current  directory.  The  script will be invoked with the command-based script host

       -S,--script-tun
              Pass traffic to 'script' program over a UNIX socket, instead of to a kernel tun/tap
              device.  This  allows  the  VPN IP traffic to be handled entirely in userspace, for
              example by a program which uses lwIP to provide SOCKS access into the VPN.

       --server=SERVER
              Define the VPN server as a simple HOST  or  as  an  URL  containing  the  HOST  and
              optionally the PORT number and the login GROUP or realm.

              As an alternative, define the VPN server as non-option command line argument.

       -u,--user=NAME
              Set login username to NAME

       -V,--version
              Report version number

       -v,--verbose
              More output (may be specified multiple times for additional output)

       -x,--xmlconfig=CONFIG
              XML config file

       --authgroup=GROUP
              Choose authentication login selection

       --authenticate
              Authenticate  to the VPN, output the information needed to make the connection in a
              form which can be used to set shell environment variables, and then exit.

              When invoked with this  option,  OpenConnect  will  not  actually  create  the  VPN
              connection  or configure a tunnel interface, but if successful will print something
              like the following to stdout:
              Thus, you can invoke openconnect as a  non-privileged  user  (with  access  to  the
              user's  PKCS#11  tokens,  etc.)   for  authentication,  and then invoke openconnect
              separately to make the actual connection as root:
               eval `openconnect --authenticate`;
               [ -n "$COOKIE" ] && echo "$COOKIE" |
                 sudo openconnect --cookie-on-stdin "$CONNECT_URL" --servercert "$FINGERPRINT" --resolve "$RESOLVE"

              Earlier versions of OpenConnect produced only the  HOST  variable  (containing  the
              numeric   server   address),   and   not  the  CONNECT_URL  or  RESOLVE  variables.
              Subsequently, we discovered that servers behind proxies may not  respond  correctly
              unless  the  correct  DNS  name  is  present  in the connection phase, and we added
              support for VPN protocols where the server URL's path component may be  significant
              in the connection phase, prompting the addition of CONNECT_URL and RESOLVE, and the
              recommendation to use them as described above.  If you are not certain that you are
              invoking  a  newer  version  of  OpenConnect which outputs these variables, use the
              following command-line (compatible with most Bourne shell derivatives)  which  will
              work with either a newer or older version:
               sudo openconnect --cookie-on-stdin "${CONNECT_URL:-$HOST}" --servercert "$FINGERPRINT" ${RESOLVE:+--resolve="$RESOLVE"}
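The two-stage flow above, as an added example that is not part of the man page or of OpenConnect's own code: it parses the NAME=value lines from --authenticate without `eval`, then builds the privileged connection command so the cookie travels over stdin (--cookie-on-stdin) rather than the command line, with the CONNECT_URL/HOST and RESOLVE fallbacks recommended above. It assumes the output lines are shell-style `NAME='value'` or `NAME=value`; the sample output is constructed.

```python
import shlex
import subprocess

# Constructed sample of what `openconnect --authenticate` prints (format is
# assumed: one shell-style NAME='value' line per variable; values invented).
SAMPLE_OUTPUT = """COOKIE='webvpn=EXAMPLE-COOKIE-VALUE; webvpnc=EXAMPLE'
HOST='192.0.2.10'
CONNECT_URL='https://vpn.example.com/'
FINGERPRINT='pin-sha256:EXAMPLEPINVALUE='
RESOLVE='vpn.example.com:192.0.2.10'
"""


def parse_authenticate_output(text: str) -> dict:
    """Parse NAME=value lines into a dict instead of handing them to eval.
    Values are unquoted with shlex so a quoted cookie containing ';' or
    spaces survives as one string; anything that is not NAME=value is ignored."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if not sep or not name.isidentifier():
            continue
        parts = shlex.split(value)
        env[name] = " ".join(parts)
    return env


def build_connect_argv(env: dict) -> list:
    """Build the root-stage argv. Newer openconnect prints CONNECT_URL and
    RESOLVE, older versions only HOST, so fall back the way the man page does.
    The cookie is deliberately NOT placed in argv."""
    target = env.get("CONNECT_URL") or env.get("HOST")
    fingerprint = env.get("FINGERPRINT")
    if not env.get("COOKIE") or not target or not fingerprint:
        raise ValueError("need COOKIE, HOST or CONNECT_URL, and FINGERPRINT")
    argv = ["openconnect", "--cookie-on-stdin", target, "--servercert", fingerprint]
    if env.get("RESOLVE"):
        argv += ["--resolve", env["RESOLVE"]]
    return argv


def connect(env: dict, runner=subprocess.run):
    """Run the privileged stage, feeding the cookie over stdin so it never
    shows up in the process list. `runner` is injectable for testing."""
    argv = ["sudo"] + build_connect_argv(env)
    return runner(argv, input=env["COOKIE"] + "\n", text=True, check=True)


if __name__ == "__main__":
    # Real use: output = subprocess.run(["openconnect", "--authenticate", ...],
    # capture_output=True, text=True, check=True).stdout, then connect(parse_...).
    print(build_connect_argv(parse_authenticate_output(SAMPLE_OUTPUT)))
```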

       --cookieonly
              Fetch  and  print  cookie  only;  don't  connect  (this  is essentially a subset of

       --printcookie
              Print cookie to stdout before connecting (see --authenticate  for  the  meaning  of
              this cookie)

       --cafile=FILE
              Additional  CA  file  for  server  verification.  By  default,  this  simply causes
              OpenConnect to trust additional root CA certificate(s) in addition to those trusted
              by  the  system.  Use  --no-system-trust  to  prevent OpenConnect from trusting the
              system default certificate authorities.

       --no-system-trust
              Do not trust the system default certificate authorities. If this option  is  given,
              only  certificate  authorities  given  with  the  --cafile  option, if any, will be
              trusted automatically.

       --disable-ipv6
              Do not advertise IPv6 capability to server

       --dtls-ciphers=LIST
              Set OpenSSL ciphers to support for DTLS

       --dtls12-ciphers=LIST
              Set OpenSSL ciphers for Cisco's DTLS v1.2

       --dtls-local-port=PORT
              Use PORT as the local port for DTLS and UDP datagrams

       --dump-http-traffic
              Enable verbose output of all HTTP requests and the bodies of all responses received
              from the server.

       --pfs  Enforces Perfect Forward Secrecy (PFS). That ensures that if the server's long-term
              key is compromised, any session keys established  before  the  compromise  will  be
              unaffected.  If  this option is provided and the server does not support PFS in the
              TLS channel the connection will fail.

              PFS is available in Cisco ASA releases 9.1(2) and higher; a suitable  cipher  suite
              may  need  to  be  manually  enabled  by the administrator using the ssl encryption

       --no-dtls
              Disable DTLS and ESP

       --no-http-keepalive
              Version of the Cisco ASA software has  a  bug  where  it  will  forget  the
              client's  SSL  certificate  when  HTTP  connections  are being re-used for multiple
              requests. So far, this has only been seen on  the  initial  connection,  where  the
              server  gives an HTTP/1.0 redirect response with an explicit Connection: Keep-Alive
              directive. OpenConnect as of v2.22 has an unconditional workaround for this,  which
              is never to obey that directive after an HTTP/1.0 response.

              However,  Cisco's support team has failed to give any competent response to the bug
              report and we don't know under what other circumstances their  bug  might  manifest
              itself.  So  this  option exists to disable ALL re-use of HTTP sessions and cause a
              new connection to be made for  each  request.  If  your  server  seems  not  to  be
              recognizing  your  certificate,  try  this option. If it makes a difference, please
              report this information to the mailing list.

       --no-passwd
              Never attempt password (or SecurID) authentication.

       --no-xmlpost
              Do not attempt to post an XML authentication/configuration request to  the  server;
              use the old style GET method which was used by older clients and servers instead.

              This  option  is  a  temporary  safety  net, to work around potential compatibility
              issues with the code which falls back to the old method  automatically.  It  causes
              OpenConnect  to  behave  more like older versions (4.08 and below) did. If you find
              that you need to use this option, then you have found a bug in OpenConnect.  Please
              see   and   report  this  to  the

       --allow-insecure-crypto
              The ancient, broken 3DES and RC4 ciphers are insecure; we explicitly  disable  them
              by default. However, some still-in-use VPN servers can't do any better.

              This  option  enables use of these insecure ciphers, as well as the use of SHA1 for
              server certificate validation.

       --non-inter
              Do not expect user input; exit if it is required.

       --passwd-on-stdin
              Read password from standard input

       --protocol=PROTO
              Select VPN protocol PROTO to be used for the connection.  Supported  protocols  are
              anyconnect  for  Cisco  AnyConnect  (the  default), nc for experimental support for
              Juniper Network Connect (also supported by most Junos  Pulse  servers),  pulse  for
              experimental  support  for  Junos  Pulse,  gp  for  experimental  support  for  PAN
              GlobalProtect, f5 for experimental support for F5 Big-IP, fortinet for experimental
              support  for  Fortinet  Fortigate,  and  array  for  experimental support for Array
              Networks SSL VPN.

              See for  details  on  features
              and deficiencies of the individual protocols.

              OpenConnect  does  not yet support all of the authentication options used by Pulse,
              nor does it support Host Checker/TNCC with Pulse. If your Junos Pulse  VPN  is  not
              yet  supported  with  --protocol=pulse, then --protocol=nc may be a useful fallback

       --token-mode=MODE
              Enable one-time password generation using  the  MODE  algorithm.   --token-mode=rsa
              will  call  libstoken  to generate an RSA SecurID tokencode, --token-mode=totp will
              call liboath to generate an RFC 6238  time-based  password,  and  --token-mode=hotp
              will call liboath to generate an RFC 4226 HMAC-based password. Yubikey tokens which
              generate  OATH  codes  in  hardware  are  supported   with   --token-mode=yubioath.
              --token-mode=oidc  will  use the provided OpenIDConnect token as an RFC 6750 bearer

       --token-secret={ SECRET[,COUNTER] | @FILENAME }
              The secret to use when  generating  one-time  passwords/verification  codes.   Base
              32-encoded  TOTP/HOTP  secrets can be used by specifying "base32:" at the beginning
              of the secret, and for HOTP secrets the token counter can be specified following  a

              RSA  SecurID secrets can be specified as an Android/iPhone URI or a raw numeric CTF
              string (with or without dashes).

              For Yubikey OATH the token secret specifies the name of the credential to be  used.
              If not provided, the first OATH credential found on the device will be used.

              For OIDC the secret is the bearer token to be used.

              FILENAME, if specified, can contain any of the above strings.  Or, it can contain a
              SecurID XML (SDTID) seed.

              If this option is omitted, and --token-mode is "rsa", libstoken will try to use the
              software token seed saved in ~/.stokenrc by the "stoken import" command.
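An added example (not OpenConnect's, libstoken's or liboath's code) of what --token-mode=hotp and --token-mode=totp compute from a --token-secret argument: it parses the SECRET[,COUNTER] and @FILENAME forms with the "base32:" prefix described above, then generates RFC 4226 HOTP and RFC 6238 TOTP codes with HMAC-SHA1. It assumes a secret without the "base32:" prefix is hex-encoded and that codes are 6 digits with a 30-second TOTP step; the sample secret is the RFC 4226 test key.

```python
import base64
import hashlib
import hmac
import struct
import time


def parse_token_secret(arg: str):
    """Return (key_bytes, counter) for SECRET[,COUNTER] or @FILENAME."""
    if arg.startswith("@"):
        # @FILENAME: the file holds one of the same string forms.
        with open(arg[1:], encoding="utf-8") as fh:
            arg = fh.read().strip()
    secret, _, counter = arg.partition(",")
    if secret.startswith("base32:"):
        b32 = secret[len("base32:"):].upper().replace(" ", "")
        b32 += "=" * (-len(b32) % 8)      # restore padding users usually drop
        key = base64.b32decode(b32)
    else:
        key = bytes.fromhex(secret)       # assumption: un-prefixed secrets are hex
    return key, int(counter) if counter else 0


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction to `digits` decimals."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    now = int(time.time()) if now is None else now
    return hotp(key, now // step, digits)


def hotp_from_arg(arg: str):
    """Return (code, next_counter) for a --token-secret argument in HOTP mode.
    The caller must persist next_counter: a reused or rewound counter yields
    codes the gateway has already consumed and will reject."""
    key, counter = parse_token_secret(arg)
    return hotp(key, counter), counter + 1


if __name__ == "__main__":
    # Constructed input: RFC 4226 test secret "12345678901234567890", hex-encoded.
    print(hotp_from_arg("3132333435363738393031323334353637383930,0"))
```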

       --reconnect-timeout=SECONDS
              After  disconnection  or Dead Peer Detection, keep trying to reconnect for SECONDS.
              The default is 300  seconds,  which  means  that  openconnect  can  recover  a  VPN
              connection after a temporary network outage lasting up to 300 seconds.

       --resolve=HOST:IP
              Automatically  resolve the hostname HOST to IP instead of using the normal resolver
              to look it up.

       --servercert=HASH
              Accept server's SSL certificate only if it matches the provided fingerprint.   This
              option  implies  --no-system-trust, and may be specified multiple times in order to
              accept multiple possible fingerprints.

              The  allowed  fingerprint  types  are  SHA1,  SHA256,  and  PIN-SHA256.   They  are
              distinguished  by  the 'sha1:', 'sha256:' and 'pin-sha256:' prefixes to the encoded
              hash. The first two are custom identifiers providing hex  encoding  of  the  peer's
              public  key,  while  'pin-sha256:'  is  the  RFC7469 key PIN, which utilizes base64
              encoding. To ease certain testing use-cases, a partial match of the hash will  also
              be accepted, if it is at least 4 characters past the prefix.

       --useragent=STRING
              Use  STRING  as 'User-Agent:' field value in HTTP header.  (e.g. --useragent 'Cisco
              AnyConnect VPN Agent for Windows 2.2.0133')

       --version-string=STRING
              Use  STRING  as  the  software  version  reported   to   the   head   end.    (e.g.
              --version-string '2.2.0133')

       --local-hostname=STRING
              Use   STRING  as  'X-CSTP-Hostname:'  field  value  in  HTTP  header.  For  example
              --local-hostname 'mypc', will advertise the value 'mypc' as the suggested  hostname
              to point to the provided IP address.

       --os=STRING
              OS  type  to  report  to  gateway.   Recognized  values  are: linux, linux-64, win,
              mac-intel, android, apple-ios.  Reporting  a  different  OS  type  may  affect  the
              dynamic  access  policy  (DAP) applied to the VPN session.  If the gateway requires
              CSD, it will also cause the corresponding CSD trojan binary to  be  downloaded,  so
              you  may  need  to  use  --csd-wrapper  if this code is not executable on the local

SIGNALS
       In the data phase of the connection, the following signals are handled:

       SIGINT/SIGTERM
              performs a clean shutdown by  logging  the  session  off,  disconnecting  from  the
              gateway, and running the vpnc-script to restore the network configuration.

       SIGHUP disconnects from the gateway and runs the vpnc-script, but does not log the session
              off; this allows for reconnection later using --cookie.

       SIGUSR1
              writes progress message with detailed connection information and statistics.

       SIGUSR2
              forces an immediate disconnection and reconnection; this can  be  used  to  quickly
              recover from LAN IP address changes.

LIMITATIONS
              Note  that  although  IPv6 has been tested on all platforms on which openconnect is
              known to run, it depends on a suitable vpnc-script to configure  the  network.  The
              standard  vpnc-script  shipped  with  vpnc  0.5.3 is not capable of setting up IPv6
              routes; the one from will be required.

AUTHORS
       David Woodhouse <>