OPENCONNECT - Manpage
From Wiki.IT-Arts.net
For FortiGate:
openconnect --protocol=fortinet fortigate.example.com
openconnect --help

Usage:  openconnect [options] <server>
Open client for multiple VPN protocols, version v9.01-3

Using GnuTLS 3.7.9. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
      --config=CONFIGFILE         Read options from config file
  -V, --version                   Report version number
  -h, --help                      Display help text

Set VPN protocol:
      --protocol=anyconnect       Compatible with Cisco AnyConnect SSL VPN, as well as ocserv (default)
      --protocol=nc               Compatible with Juniper Network Connect
      --protocol=gp               Compatible with Palo Alto Networks (PAN) GlobalProtect SSL VPN
      --protocol=pulse            Compatible with Pulse Connect Secure SSL VPN
      --protocol=f5               Compatible with F5 BIG-IP SSL VPN
      --protocol=fortinet         Compatible with FortiGate SSL VPN
      --protocol=array            Compatible with Array Networks SSL VPN

Authentication:
  -u, --user=NAME                 Set login username
      --no-passwd                 Disable password/SecurID authentication
      --non-inter                 Do not expect user input; exit if it is required
      --passwd-on-stdin           Read password from standard input
      --authgroup=GROUP           Choose authentication login selection
  -F, --form-entry=FORM:OPT=VALUE Provide authentication form responses
  -c, --certificate=CERT          Use SSL client certificate CERT
  -k, --sslkey=KEY                Use SSL private key file KEY
  -e, --cert-expire-warning=DAYS  Warn when certificate lifetime < DAYS
  -g, --usergroup=GROUP           Set login usergroup
  -p, --key-password=PASS         Set key passphrase or TPM SRK PIN
      --external-browser=BROWSER  Set external browser executable
      --key-password-from-fsid    Key passphrase is fsid of file system
      --token-mode=MODE           Software token type: rsa, totp, hotp or oidc
      --token-secret=STRING       Software token secret or oidc token

Server validation:
      --servercert=FINGERPRINT    Accept only server certificate with this fingerprint
      --no-system-trust           Disable default system certificate authorities
      --cafile=FILE               Cert file for server verification

Internet connectivity:
      --server=SERVER             Set VPN server
  -P, --proxy=URL                 Set proxy server
      --proxy-auth=METHODS        Set proxy authentication methods
      --no-proxy                  Disable proxy
      --libproxy                  Use libproxy to automatically configure proxy
      --reconnect-timeout=SECONDS Reconnection retry timeout (default is 300 seconds)
      --resolve=HOST:IP           Use IP when connecting to HOST
      --passtos                   Copy TOS / TCLASS field into DTLS and ESP packets
      --dtls-local-port=PORT      Set local port for DTLS and ESP datagrams

Authentication (two-phase):
  -C, --cookie=COOKIE             Use authentication cookie COOKIE
      --cookie-on-stdin           Read cookie from standard input
      --authenticate              Authenticate only and print login info
      --cookieonly                Fetch and print cookie only; don't connect
      --printcookie               Print cookie before connecting

Process control:
  -b, --background                Continue in background after startup
      --pid-file=PIDFILE          Write the daemon's PID to this file
  -U, --setuid=USER               Drop privileges after connecting

Logging (two-phase):
  -l, --syslog                    Use syslog for progress messages
  -v, --verbose                   More output
  -q, --quiet                     Less output
      --dump-http-traffic         Dump HTTP authentication traffic (implies --verbose)
      --timestamp                 Prepend timestamp to progress messages

VPN configuration script:
  -i, --interface=IFNAME          Use IFNAME for tunnel interface
  -s, --script=SCRIPT             Shell command line for using a vpnc-compatible config script
                                  default: "/usr/share/vpnc-scripts/vpnc-script"
  -S, --script-tun                Pass traffic to 'script' program, not tun

Tunnel control:
      --disable-ipv6              Do not ask for IPv6 connectivity
  -x, --xmlconfig=CONFIG          XML config file
  -m, --mtu=MTU                   Request MTU from server (legacy servers only)
      --base-mtu=MTU              Indicate path MTU to/from server
  -d, --deflate                   Enable stateful compression (default is stateless only)
  -D, --no-deflate                Disable all compression
      --force-dpd=INTERVAL        Set Dead Peer Detection interval (in seconds)
      --pfs                       Require perfect forward secrecy
      --no-dtls                   Disable DTLS and ESP
      --dtls-ciphers=LIST         OpenSSL ciphers to support for DTLS
  -Q, --queue-len=LEN             Set packet queue limit to LEN pkts

Local system information:
      --useragent=STRING          HTTP header User-Agent: field
      --local-hostname=STRING     Local hostname to advertise to server
      --os=STRING                 OS type to report. Allowed values are the following:
                                  linux, linux-64, win, mac-intel, android, apple-ios
      --version-string=STRING     reported version string during authentication
                                  (default: v9.01-3)

Trojan binary (CSD) execution:
      --csd-user=USER             Drop privileges during trojan execution
      --csd-wrapper=SCRIPT        Run SCRIPT instead of trojan binary
      --force-trojan=INTERVAL     Set minimum interval between trojan runs (in seconds)

Server bugs:
      --no-http-keepalive         Disable HTTP connection re-use
      --no-xmlpost                Do not attempt XML POST authentication
      --allow-insecure-crypto     Allow use of the ancient, insecure 3DES and RC4 ciphers

Multiple certificate authentication (MCA):
      --mca-certificate=MCACERT   Use MCA certificate MCACERT
      --mca-key=MCAKEY            Use MCA key MCAKEY
      --mca-key-password=MCAPASS  Passphrase MCAPASS for MCACERT/MCAKEY
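An added example, not part of the original page or of the OpenConnect project: a small POSIX shell check that flags options from the help text above which weaken the connection or place secrets on the command line, run on constructed command lines. The function name, the finding labels and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an openconnect argument list for risky options.
# Prints one finding per line and returns 1 if anything was flagged.
# Only the long forms and the separate-word short forms (-p PASS, -C COOKIE)
# are recognised; bundled short options are out of scope here.
audit_openconnect_args() {
    local arg prev="" rc=0
    for arg in "$@"; do
        # Short options whose secret is passed as the following word.
        case "$prev" in
            -p|-C)
                echo "SECRET-IN-ARGV: value after $prev is visible in the process list"
                rc=1 ;;
        esac
        case "$arg" in
            --allow-insecure-crypto)
                echo "WEAK-CRYPTO: $arg permits 3DES and RC4"
                rc=1 ;;
            --key-password=*|--mca-key-password=*|--token-secret=*|--cookie=*)
                # Report the option name only; never echo the secret itself.
                echo "SECRET-IN-ARGV: ${arg%%=*} value is visible in the process list"
                rc=1 ;;
            --dump-http-traffic)
                echo "AUTH-LOGGING: $arg writes HTTP authentication traffic to the log"
                rc=1 ;;
        esac
        prev=$arg
    done
    return "$rc"
}

# Constructed sample command lines (host, user and secret values are placeholders).
audit_openconnect_args --protocol=fortinet --allow-insecure-crypto \
    --key-password=EXAMPLE -C EXAMPLECOOKIE fortigate.example.com \
    || echo "first command line: findings listed above"

# Same connection with the password read from standard input instead.
audit_openconnect_args --protocol=fortinet --user=alice --passwd-on-stdin \
    fortigate.example.com \
    && echo "second command line: no findings"
```
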
Useful Links
For assistance with OpenConnect, please see the web page at :