LinuxCommandLibrary

openfortivpn

Connect to Fortinet VPN servers

TLDR

Connect to a VPN with a username and password
$ openfortivpn [[-u|--username]] [username] [[-p|--password]] [password]

Connect to a VPN using a specific configuration file (defaults to /etc/openfortivpn/config)
$ sudo openfortivpn [[-c|--config]] [path/to/config]

Connect to a VPN by specifying the host and port
$ openfortivpn [host]:[port]

Trust a given gateway by passing in its certificate's sha256 sum
$ openfortivpn --trusted-cert [sha256_sum]

SYNOPSIS

openfortivpn [options] host[:port]

PARAMETERS

--config=
    Specify an alternative configuration file.

--username=
    Specify the VPN username.

--password=
    Specify the VPN password (not recommended on the command line: arguments are visible to other users in the process list and may be kept in shell history; prefer the interactive prompt or the configuration file).

--otp=
    Provide a One-Time Password (TOTP or FortiToken).

--trusted-cert=
    Specify the SHA256 hash of the server certificate to trust for authentication.

--ca-cert=
    Path to a CA certificate file for validating the server's certificate.

--client-cert=
    Path to a client certificate file for certificate-based authentication.

--client-key=
    Path to the private key file for the client certificate.

--port=
    Override the default SSL port (443). Can also be specified in host:port.

--persistent
    Stay connected and re-establish the connection if it drops.

--set-routes=<0|1>
    Control automatic routing table modifications (1=enable, 0=disable).

--set-dns=<0|1>
    Control automatic DNS resolver modifications (1=enable, 0=disable).

--no-pppd
    Do not use pppd for IP configuration and routing setup.

--verbose
    Enable verbose output for debugging and informational messages.

--proxy=:
    Connect to the VPN server through an HTTP or SOCKS proxy.

--insecure-ssl
    Bypass server certificate validation (highly insecure, not recommended for production!).

--device=
    Specify the name of the TUN device to create (e.g., tun0).

--version
    Display version information and exit.

--help
    Display a help message and exit.

DESCRIPTION

openfortivpn is an open-source client implementation for the Fortinet FortiGate SSL VPN protocol. It allows Linux and other Unix-like systems to establish a secure VPN connection to a FortiGate firewall, providing access to internal network resources. The client creates a virtual network interface (typically a TUN device) through which all VPN traffic is routed. It supports various authentication methods, including username and password, client certificates, and two-factor authentication (e.g., FortiToken, TOTP).

Beyond establishing the encrypted tunnel, openfortivpn also handles network configuration aspects like assigning an IP address to the virtual interface, setting up routing tables to direct traffic through the VPN, and managing DNS resolver settings to ensure proper name resolution within the VPN context. It aims to be a lightweight and robust alternative to the official FortiClient, offering compatibility with a wide range of FortiGate firmware versions.

CAVEATS

  • Requires root privileges to set up the TUN device, configure IP addresses, and manipulate routing tables.
  • The effectiveness of DNS resolution management depends on the system's DNS setup (e.g., resolvconf, systemd-resolved).
  • Using --insecure-ssl compromises security by disabling server certificate validation, making the connection vulnerable to Man-in-the-Middle attacks.
  • Compatibility with specific FortiGate firmware versions may vary; regular updates are recommended.

CONFIGURATION FILE

Many command-line options can be specified in a configuration file, typically found at /etc/openfortivpn/config or ~/.openfortivpn/config. This makes invocation simpler and avoids exposing sensitive information on the command line.
The format is option = value. For example:
host = vpn.example.com
port = 10443
username = myuser
trusted-cert = abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
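A small shell helper, added here as an example and not part of openfortivpn or this page, that writes a configuration file in the option = value form shown above with owner-only permissions, and lints an existing file for the weak settings this page warns about (insecure-ssl, a stored password, a missing or malformed trusted-cert, and a file readable by other users). The host, port, username and 64-digit hex digest are constructed sample values. The gateway_cert_sha256 function is an assumption that the trusted-cert value is the SHA-256 of the DER-encoded server certificate; it needs openssl and network access, so the self-contained run at the bottom does not call it.

```shell
#!/bin/sh
# Added example (not from the openfortivpn project): build a pinned, locked-down
# openfortivpn config file and lint one for weak settings.
# Assumptions: the "key = value" format and the keys host/port/username/
# trusted-cert/insecure-ssl/password are those shown on this page; every value
# used below is a constructed sample.

# True only for a 64-digit hexadecimal SHA-256 digest.
valid_sha256() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'
}

# gateway_cert_sha256 HOST:PORT
# Prints the digest to pin. ASSUMPTION: openfortivpn's trusted-cert is the
# SHA-256 of the DER-encoded gateway certificate. Needs openssl and network
# access, so it is not exercised by the demo at the bottom.
gateway_cert_sha256() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -outform der | sha256sum | cut -d' ' -f1
}

# write_vpn_config FILE HOST PORT USER SHA256
# Writes FILE with mode 0600. The password is deliberately not stored; the
# client prompts for it at connect time.
write_vpn_config() {
    cfg_file=$1 cfg_host=$2 cfg_port=$3 cfg_user=$4 cfg_sum=$5
    if ! valid_sha256 "$cfg_sum"; then
        echo "refusing to write $cfg_file: '$cfg_sum' is not a SHA-256 hex digest" >&2
        return 1
    fi
    # umask in a subshell so the file is never created world-readable,
    # without changing the caller's umask.
    ( umask 077
      printf 'host = %s\nport = %s\nusername = %s\ntrusted-cert = %s\n' \
          "$cfg_host" "$cfg_port" "$cfg_user" "$cfg_sum" > "$cfg_file" ) \
    && chmod 0600 "$cfg_file"
}

# lint_vpn_config FILE
# Prints one WARN line per weak setting; returns 1 if any were found.
lint_vpn_config() {
    lint_file=$1 lint_found=0
    [ -f "$lint_file" ] || { echo "WARN: $lint_file does not exist"; return 1; }
    # Drop comment and blank lines once so every check sees only real settings.
    lint_settings=$(grep -Ev '^[[:space:]]*(#|$)' "$lint_file")
    if printf '%s\n' "$lint_settings" | grep -Eq '^[[:space:]]*insecure-ssl[[:space:]]*=[[:space:]]*1'; then
        echo "WARN: insecure-ssl = 1 disables gateway certificate validation (MITM risk)"
        lint_found=1
    fi
    if printf '%s\n' "$lint_settings" | grep -Eq '^[[:space:]]*password[[:space:]]*='; then
        echo "WARN: password is stored in $lint_file; let openfortivpn prompt for it instead"
        lint_found=1
    fi
    if ! printf '%s\n' "$lint_settings" | grep -Eq '^[[:space:]]*trusted-cert[[:space:]]*=[[:space:]]*[0-9a-fA-F]{64}[[:space:]]*$'; then
        echo "WARN: no valid 64-hex trusted-cert pin; the gateway is verified by CA validation alone"
        lint_found=1
    fi
    # Columns 5-10 of the ls -l mode string are the group and other permission
    # bits; any r/w/x there means the file (and a stored password) leaks.
    case $(ls -ld "$lint_file" | cut -c5-10) in
        *[rwx]*) echo "WARN: $lint_file is readable by group or others; chmod 0600 it"
                 lint_found=1 ;;
    esac
    return $lint_found
}

# Self-contained demonstration with constructed values (no network needed).
demo_dir=$(mktemp -d)
write_vpn_config "$demo_dir/config" vpn.example.com 10443 myuser \
    abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234
if lint_vpn_config "$demo_dir/config"; then
    echo "config OK: $demo_dir/config"
fi
```

After copying the generated file to /etc/openfortivpn/config, start the client with sudo openfortivpn -c /etc/openfortivpn/config; it then prompts for the password, and the pinned digest means a gateway presenting a different certificate is rejected without ever needing --insecure-ssl.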

ROOT PRIVILEGES

Due to its network configuration tasks (creating a TUN device, setting IP addresses, and modifying routing tables), openfortivpn generally requires root privileges. It is commonly executed using sudo or configured to run as a system service.

DNS HANDLING

By default, openfortivpn attempts to update the system's DNS resolver configuration (often /etc/resolv.conf) to use DNS servers provided by the VPN. On systems using resolvconf or systemd-resolved, it tries to integrate seamlessly. If automatic DNS modification is undesirable or problematic, it can be disabled using --set-dns=0, requiring manual DNS configuration.

HISTORY

openfortivpn emerged as an open-source alternative to the proprietary FortiClient for Linux, which was often less flexible or not consistently updated across various distributions. Initial development aimed to provide a robust and user-friendly client for FortiGate SSL VPNs, focusing on broad compatibility with different FortiGate firmware versions and support for a wide range of authentication methods. It has since become a popular choice for Linux users needing to connect to FortiGate environments, with active community contributions continuously improving and maintaining the project.

SEE ALSO

ip(8), route(8), resolvconf(8), nmcli(1), nmtui(1)
