OPENCONNECT - Manpage

From Wiki.IT-Arts.net


For Fortigate :

openconnect --protocol=fortinet fortigate.example.com


Manpage

openconnect --help
Usage:  openconnect [options] <server>
Open client for multiple VPN protocols, version v9.01-3

Using GnuTLS 3.7.9. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
      --config=CONFIGFILE         Read options from config file
  -V, --version                   Report version number
  -h, --help                      Display help text

Set VPN protocol:
      --protocol=anyconnect       Compatible with Cisco AnyConnect SSL VPN, as well as ocserv (default)
      --protocol=nc               Compatible with Juniper Network Connect
      --protocol=gp               Compatible with Palo Alto Networks (PAN) GlobalProtect SSL VPN
      --protocol=pulse            Compatible with Pulse Connect Secure SSL VPN
      --protocol=f5               Compatible with F5 BIG-IP SSL VPN
      --protocol=fortinet         Compatible with FortiGate SSL VPN
      --protocol=array            Compatible with Array Networks SSL VPN

Authentication:
  -u, --user=NAME                 Set login username
      --no-passwd                 Disable password/SecurID authentication
      --non-inter                 Do not expect user input; exit if it is required
      --passwd-on-stdin           Read password from standard input
      --authgroup=GROUP           Choose authentication login selection
  -F, --form-entry=FORM:OPT=VALUE Provide authentication form responses
  -c, --certificate=CERT          Use SSL client certificate CERT
  -k, --sslkey=KEY                Use SSL private key file KEY
  -e, --cert-expire-warning=DAYS  Warn when certificate lifetime < DAYS
  -g, --usergroup=GROUP           Set login usergroup
  -p, --key-password=PASS         Set key passphrase or TPM SRK PIN
      --external-browser=BROWSER  Set external browser executable
      --key-password-from-fsid    Key passphrase is fsid of file system
      --token-mode=MODE           Software token type: rsa, totp, hotp or oidc
      --token-secret=STRING       Software token secret or oidc token

Server validation:
      --servercert=FINGERPRINT    Accept only server certificate with this fingerprint
      --no-system-trust           Disable default system certificate authorities
      --cafile=FILE               Cert file for server verification

Internet connectivity:
      --server=SERVER             Set VPN server
  -P, --proxy=URL                 Set proxy server
      --proxy-auth=METHODS        Set proxy authentication methods
      --no-proxy                  Disable proxy
      --libproxy                  Use libproxy to automatically configure proxy
      --reconnect-timeout=SECONDS Reconnection retry timeout (default is 300 seconds)
      --resolve=HOST:IP           Use IP when connecting to HOST
      --passtos                   Copy TOS / TCLASS field into DTLS and ESP packets
      --dtls-local-port=PORT      Set local port for DTLS and ESP datagrams

Authentication (two-phase):
  -C, --cookie=COOKIE             Use authentication cookie COOKIE
      --cookie-on-stdin           Read cookie from standard input
      --authenticate              Authenticate only and print login info
      --cookieonly                Fetch and print cookie only; don't connect
      --printcookie               Print cookie before connecting

Process control:
  -b, --background                Continue in background after startup
      --pid-file=PIDFILE          Write the daemon's PID to this file
  -U, --setuid=USER               Drop privileges after connecting

Logging (two-phase):
  -l, --syslog                    Use syslog for progress messages
  -v, --verbose                   More output
  -q, --quiet                     Less output
      --dump-http-traffic         Dump HTTP authentication traffic (implies --verbose)
      --timestamp                 Prepend timestamp to progress messages

VPN configuration script:
  -i, --interface=IFNAME          Use IFNAME for tunnel interface
  -s, --script=SCRIPT             Shell command line for using a vpnc-compatible config script
                                  default: "/usr/share/vpnc-scripts/vpnc-script"
  -S, --script-tun                Pass traffic to 'script' program, not tun

Tunnel control:
      --disable-ipv6              Do not ask for IPv6 connectivity
  -x, --xmlconfig=CONFIG          XML config file
  -m, --mtu=MTU                   Request MTU from server (legacy servers only)
      --base-mtu=MTU              Indicate path MTU to/from server
  -d, --deflate                   Enable stateful compression (default is stateless only)
  -D, --no-deflate                Disable all compression
      --force-dpd=INTERVAL        Set Dead Peer Detection interval (in seconds)
      --pfs                       Require perfect forward secrecy
      --no-dtls                   Disable DTLS and ESP
      --dtls-ciphers=LIST         OpenSSL ciphers to support for DTLS
  -Q, --queue-len=LEN             Set packet queue limit to LEN pkts

Local system information:
      --useragent=STRING          HTTP header User-Agent: field
      --local-hostname=STRING     Local hostname to advertise to server
      --os=STRING                 OS type to report. Allowed values are the following:
                                  linux, linux-64, win, mac-intel, android, apple-ios
      --version-string=STRING     reported version string during authentication
                                  (default: v9.01-3)

Trojan binary (CSD) execution:
      --csd-user=USER             Drop privileges during trojan execution
      --csd-wrapper=SCRIPT        Run SCRIPT instead of trojan binary
      --force-trojan=INTERVAL     Set minimum interval between trojan runs (in seconds)

Server bugs:
      --no-http-keepalive         Disable HTTP connection re-use
      --no-xmlpost                Do not attempt XML POST authentication
      --allow-insecure-crypto     Allow use of the ancient, insecure 3DES and RC4 ciphers

Multiple certificate authentication (MCA):
      --mca-certificate=MCACERT   Use MCA certificate MCACERT
      --mca-key=MCAKEY            Use MCA key MCAKEY
      --mca-key-password=MCAPASS  Passphrase MCAPASS for MCACERT/MCAKEY


Usefull Links

For assistance with OpenConnect, please see the web page at :