openfortivpn is a client for PPP+TLS VPN tunnel services. It spawns a pppd process and operates the communication between the gateway and this process.
It is compatible with Fortinet VPNs.
man openfortivpnSimply connect to a VPN:
openfortivpn vpn-gateway:8443 --username=fooConnect to a VPN using an authentication realm:
openfortivpn vpn-gateway:8443 --username=foo --realm=barStore password securely with a pinentry program:
openfortivpn vpn-gateway:8443 --username=foo --pinentry=pinentry-macConnect with a user certificate and no password:
openfortivpn vpn-gateway:8443 --username= --password= --user-cert=cert.pem --user-key=key.pemDon't set IP routes and don't add VPN nameservers to /etc/resolv.conf:
openfortivpn vpn-gateway:8443 -u foo --no-routes --no-dns --pppd-no-peerdnsUsing a configuration file:
openfortivpn -c /etc/openfortivpn/my-configWith /etc/openfortivpn/my-config containing:
host = vpn-gateway
port = 8443
username = foo
set-dns = 0
pppd-use-peerdns = 0
# X509 certificate sha256 sum, trust only this one!
trusted-cert = e46d4aff08ba6914e64daa85bc6112a422fa7ce16631bff0b592a28556f993dbFor the full list of config options, see the CONFIGURATION section of
man openfortivpnSmartcard support needs openssl pkcs engine and opensc to be installed.
The pkcs11-engine from libp11 needs to be compiled with p11-kit-devel installed.
Check #464 for a discussion
of known issues in this area.
To make use of your smartcard put at least pkcs11: to the user-cert config or commandline
option. It takes the full or a partial PKCS#11 token URI.
user-cert = pkcs11:
user-cert = pkcs11:token=someuser
user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser
username =
password =In most cases user-cert = pkcs11: will do it, but if needed you can get the token-URI
with p11tool --list-token-urls.
Multiple readers are currently not supported.
Smartcard support has been tested with Yubikey under Linux, but other PIV enabled smartcards may work too. On Mac OS X Mojave it is known that the pkcs engine-by-id is not found.
Some Linux distributions provide openfortivpn packages:
On macOS both Homebrew and
MacPorts
provide an openfortivpn package.
Either install Homebrew then install openfortivpn:
# Install 'Homebrew'
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
# Install 'openfortivpn'
brew install openfortivpnor install MacPorts then install openfortivpn:
# Install 'openfortivpn'
sudo port install openfortivpnA more complete overview can be obtained from repology.
For other distros, you'll need to build and install from source:
Install build dependencies.
gcc automake autoconf openssl-devel make pkg-configgcc automake autoconf libssl-dev make pkg-configgcc automake autoconf openssl pkg-confignet-dialup/ppp pkg-configgcc automake autoconf libopenssl-devel pkg-configautomake autoconf openssl@1.1 pkg-configautomake autoconf libressl pkgconfOn Linux, if you manage your kernel yourself, ensure to compile those modules:
CONFIG_PPP=m
CONFIG_PPP_ASYNC=mOn macOS, install 'Homebrew' to install the build dependencies:
# Install 'Homebrew'
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
# Install Dependencies
brew install automake autoconf openssl@1.1 pkg-config
# You may need to make this openssl available to compilers and pkg-config
export LDFLAGS="-L/usr/local/opt/openssl/lib $LDFLAGS"
export CPPFLAGS="-I/usr/local/opt/openssl/include $CPPFLAGS"
export PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig:$PKG_CONFIG_PATH"Build and install.
./autogen.sh
./configure --prefix=/usr/local --sysconfdir=/etc
make
sudo make installIf targeting platforms with pppd < 2.5.0 such as current version of macOS, we suggest you configure with option --enable-legacy-pppd:
./autogen.sh
./configure --prefix=/usr/local --sysconfdir=/etc --enable-legacy-pppd
make
sudo make installIf you need to specify the openssl location you can set the $PKG_CONFIG_PATH
environment variable. For fine-tuning check the available configure arguments
with ./configure --help especially when you are cross compiling.
Finally, install runtime dependency ppp or pppd.
openfortivpn needs elevated privileges at three steps during tunnel set up:
/usr/sbin/pppd process;/etc/resolv.conf (when the tunnel is up).For these reasons, you need to use sudo openfortivpn.
If you need it to be usable by non-sudoer users, you might consider adding an
entry in /etc/sudoers or a file under /etc/sudoers.d.
For example:
visudo -f /etc/sudoers.d/openfortivpnCmnd_Alias OPENFORTIVPN = /usr/bin/openfortivpn
%adm ALL = (ALL) OPENFORTIVPNAdapt the above example by changing the openfortivpn path or choosing
a group different from adm - such as a dedicated openfortivpn group.
Warning: Make sure only trusted users can run openfortivpn as root!
As described in #54,
a malicious user could use --pppd-plugin and --pppd-log options to divert
the program's behaviour.
In some cases, the server may require the VPN client to load and interact with a web page containing JavaScript. Depending on the complexity of the web page, interpreting the web page might be beyond the reach of a command line program such as openfortivpn.
In such cases, you may use an external program spawning a full-fledged
web browser such as
openfortivpn-webview
to authenticate and retrieve a session cookie. This cookie can be fed
to openfortivpn using option --cookie-on-stdin. Obviously, such a
solution requires a graphic session.
Feel free to make pull requests!
C coding style should follow the Linux kernel coding style.