openforticli is a client for PPP+SSL VPN tunnel services. It spawns a pppd process and operates the communication between the gateway and this process.
It is compatible with Fortinet VPNs.
man openforticli
-
Simply connect to a VPN:
openforticli vpn-gateway:8443 --username=foo
-
Connect to a VPN using an authentication realm:
openforticli vpn-gateway:8443 --username=foo --realm=bar
-
Store password securely with a pinentry program:
openforticli vpn-gateway:8443 --username=foo --pinentry=pinentry-mac
-
Connect with a user certificate and no password:
openforticli vpn-gateway:8443 --username= --password= --user-cert=cert.pem --user-key=key.pem
-
Don't set IP routes and don't add VPN nameservers to
/etc/resolv.conf
:openforticli vpn-gateway:8443 -u foo --no-routes --no-dns --pppd-no-peerdns
-
Using a configuration file:
openforticli -c /etc/openforticli/my-config
With
/etc/openforticli/my-config
containing:host = vpn-gateway port = 8443 username = foo set-dns = 0 pppd-use-peerdns = 0 # X509 certificate sha256 sum, trust only this one! trusted-cert = e46d4aff08ba6914e64daa85bc6112a422fa7ce16631bff0b592a28556f993db
-
For the full list of config options, see the
CONFIGURATION
section ofman openforticli
Smartcard support needs openssl pkcs engine
and opensc
to be installed.
The pkcs11-engine from libp11 needs to be compiled with p11-kit-devel installed.
Check #464 for a discussion
of known issues in this area.
To make use of your smartcard put at least pkcs11:
to the user-cert config or commandline
option. It takes the full or a partial PKCS#11 token URI.
user-cert = pkcs11:
user-cert = pkcs11:token=someuser
user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser
username =
password =
In most cases user-cert = pkcs11:
will do it, but if needed you can get the token-URI
with p11tool --list-token-urls
.
Multiple readers are currently not supported.
Smartcard support has been tested with Yubikey under Linux, but other PIV enabled smartcards may work too. On Mac OS X Mojave it is known that the pkcs engine-by-id is not found.
Some Linux distributions provide openforticli
packages:
On macOS both Homebrew and
MacPorts
provide an openforticli
package.
Either install Homebrew then install openforticli:
# Install 'Homebrew'
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
# Install 'openforticli'
brew install openforticli
or install MacPorts then install openforticli:
# Install 'openforticli'
sudo port install openforticli
A more complete overview can be obtained from repology.
For other distros, you'll need to build and install from source:
-
Install build dependencies.
- RHEL/CentOS/Fedora:
gcc
automake
autoconf
openssl-devel
make
pkg-config
- Debian/Ubuntu:
gcc
automake
autoconf
libssl-dev
make
pkg-config
- Arch Linux:
gcc
automake
autoconf
openssl
pkg-config
- Gentoo Linux:
net-dialup/ppp
pkg-config
- openSUSE:
gcc
automake
autoconf
libopenssl-devel
pkg-config
- macOS (Homebrew):
automake
autoconf
openssl@1.1
pkg-config
- FreeBSD:
automake
autoconf
libressl
pkgconf
On Linux, if you manage your kernel yourself, ensure to compile those modules:
CONFIG_PPP=m CONFIG_PPP_ASYNC=m
On macOS, install 'Homebrew' to install the build dependencies:
# Install 'Homebrew' /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" # Install Dependencies brew install automake autoconf openssl@1.1 pkg-config # You may need to make this openssl available to compilers and pkg-config export LDFLAGS="-L/usr/local/opt/openssl/lib $LDFLAGS" export CPPFLAGS="-I/usr/local/opt/openssl/include $CPPFLAGS" export PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig:$PKG_CONFIG_PATH"
- RHEL/CentOS/Fedora:
-
Build and install.
./autogen.sh ./configure --prefix=/usr/local --sysconfdir=/etc make sudo make install
If you need to specify the openssl location you can set the
$PKG_CONFIG_PATH
environment variable. For fine-tuning check the available configure arguments with./configure --help
especially when you are cross compiling.Finally, install runtime dependency
ppp
orpppd
.
openforticli needs elevated privileges at three steps during tunnel set up:
- when spawning a
/usr/sbin/pppd
process; - when setting IP routes through VPN (when the tunnel is up);
- when adding nameservers to
/etc/resolv.conf
(when the tunnel is up).
For these reasons, you need to use sudo openforticli
.
If you need it to be usable by non-sudoer users, you might consider adding an
entry in /etc/sudoers
or a file under /etc/sudoers.d
.
For example:
visudo -f /etc/sudoers.d/openforticli
Cmnd_Alias Openforticli = /usr/bin/openforticli
%adm ALL = (ALL) Openforticli
Adapt the above example by changing the openforticli
path or choosing
a group different from adm
- such as a dedicated openforticli
group.
Warning: Make sure only trusted users can run openforticli as root!
As described in #54,
a malicious user could use --pppd-plugin
and --pppd-log
options to divert
the program's behaviour.
Feel free to make pull requests!
C coding style should follow the Linux kernel Documentation/CodingStyle.