From 70ddecde60669915703a4b938abd22282921bf89 Mon Sep 17 00:00:00 2001
From: Dimitri Papadopoulos
<3234522+DimitriPapadopoulos@users.noreply.github.com>
Date: Mon, 4 Mar 2024 11:13:52 +0100
Subject: [PATCH] Partially revert 'Revert "Address integer overflows reported
by a code analyser"'
This partially reverts commit dec663cba0ffb8508bdc3cd3bcb93afeec79efa7.
Something went very wrong while reverting, for some reason the doc file
got changed into an HTML file!
---
doc/openfortivpn.1.in | 616 +++++++++++++++++++++++++++---------------
1 file changed, 400 insertions(+), 216 deletions(-)
diff --git a/doc/openfortivpn.1.in b/doc/openfortivpn.1.in
index 7a23f516..62e2ad1d 100644
--- a/doc/openfortivpn.1.in
+++ b/doc/openfortivpn.1.in
@@ -1,216 +1,400 @@
-
NAME
-openfortivpn - Client for PPP+TLS VPN tunnel services
-SYNOPSIS
-openfortivpn [<host>[:<port>]] [-u <user>] [-p <pass>] [--cookie=<cookie>] [--cookie-on-stdin] [--pinentry=<name>] [--otp=<otp>] [--otp-prompt=<prompt>] [--otp-delay=<delay>] [--no-ftm-push] [--realm=<realm>] [--ifname=<interface>] [--set-routes=<bool>] [--no-routes] [--set-dns=<bool>] [--no-dns] [--half-internet-routes=<bool>] [--ca-file=<file>] [--user-cert=<file>] [--user-cert=pkcs11:] [--user-key=<file>] [--use-syslog] [--trusted-cert=<digest>] [--insecure-ssl] [--cipher-list=<ciphers>] [--min-tls=<version>] [--seclevel-1] [--pppd-use-peerdns=<bool>] [--pppd-no-peerdns] [--pppd-log=<file>] [--pppd-plugin=<file>] [--pppd-ipparam=<string>] [--pppd-ifname=<string>] [--pppd-call=<name>] [--pppd-accept-remote=<bool>] [--ppp-system=<string>] [--use-resolvconf=<bool>] [--persistent=<interval>] [-c <file>] [-v|-q]
-openfortivpn --help
-openfortivpn --version
-DESCRIPTION
-openfortivpn connects to a VPN by setting up a tunnel to the gateway at <host>:<port>.
-OPTIONS
-
-- --help
-Show the help message and exit.
-
-- --version
-Show version and exit.
-
-- -c <file>, --config=<file>
-Specify a custom configuration file (default: /volatile/local/openfortivpn/etc/openfortivpn/config).
-
-- -u <user>, --username=<user>
-VPN account username.
-
-- -p <pass>, --password=<pass>
-VPN account password in plain text. For a secure alternative, use pinentry or let openfortivpn prompt for the password.
-
-- --cookie=<cookie>
-A valid cookie (SVPNCOOKIE) to use in place of username and password.
-
-- --cookie-on-stdin
-Read the cookie (SVPNCOOKIE) from standard input.
-
-- --pinentry=<name>
-The pinentry program to use. Allows supplying the password in a secure manner. For example: pinentry-gnome3 on Linux, or pinentry-mac on macOS.
-
-- -o <otp>, --otp=<otp>
-One-Time-Password.
-
-- --otp-prompt=<prompt>
-Search for the OTP password prompt starting with the string <prompt>.
-
-- --otp-delay=<delay>
-Set the amount of time to wait before sending the One-Time-Password. The delay time must be specified in seconds, where 0 means no wait (this is the default).
-
-- --no-ftm-push
-Do not use FTM push if the server provides the option. The server may be configured to allow two factor authentication through a push notification to the mobile application. If this option is provided, authentication based on OTP will be used instead.
-
-- --realm=<realm>
-Connect to the specified authentication realm. Defaults to empty, which is usually what you want.
-
-- --ifname=<interface>
-Bind the connection to the specified network interface.
-
-- --set-routes=<bool>, --no-routes
-Set if openfortivpn should try to configure IP routes through the VPN when tunnel is up. If used multiple times, the last one takes priority.
-
-
---no-routes is the same as --set-routes=0.
-
-- --half-internet-routes=<bool>
-Set if openfortivpn should add two 0.0.0.0/1 and 128.0.0.0/1 routes with higher priority instead of replacing the default route.
-
-- --set-dns=<bool>, --no-dns
-Set if openfortivpn should add DNS name servers in /etc/resolv.conf when tunnel is up. Also a dns-suffix may be received from the peer and added to /etc/resolv.conf in the turn of adding the name servers. resolvconf is instructed to do the update of the resolv.conf file if it is installed and --use-resolvconf is activated, otherwise openfortivpn prepends its changes to the existing content of the resolv.conf file. Note that there may be other mechanisms to update /etc/resolv.conf, e.g., --pppd-use-peerdns in conjunction with an ip-up-script, which may require that openfortivpn is called with --no-dns. --no-dns is the same as --set-dns=0.
-
-- --use-resolvconf=<bool>
-Set if openfortivpn should use resolvconf to add DNS name servers in /etc/resolv.conf. If it is set to false, the builtin fallback mechanism is used even if resolvconf is available.
-
-- --ca-file=<file>
-Use specified PEM-encoded certificate bundle instead of system-wide store to verify the gateway certificate.
-
-- --user-cert=<file>
-Use specified PEM-encoded certificate if the server requires authentication with a certificate.
-
-- --user-cert=pkcs11:
-Use at least the string pkcs11: for using a smartcard. It takes the full or a partial PKCS11-URI (p11tool --list-token-urls)
-
-
---user-cert = pkcs11:
---user-cert = pkcs11:token=someuser
---user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser
-This feature requires the OpenSSL PKCS engine!
-
-- --user-key=<file>
-Use specified PEM-encoded key if the server requires authentication with a certificate.
-
-- --pem-passphrase=<pass>
-Pass phrase for the PEM-encoded key.
-
-- --use-syslog
-Log to syslog instead of terminal.
-
-- --trusted-cert=<digest>
-Trust a given gateway. If classical TLS certificate validation fails, the gateway certificate will be matched against this value. <digest> is the X509 certificate's sha256 sum. The certificate has to be encoded in DER form. This option can be used multiple times to trust several certificates.
-
-- --insecure-ssl
-Do not disable insecure TLS protocols/ciphers. If your server requires a specific cipher, consider using --cipher-list instead.
-
-- --cipher-list=<ciphers>
-OpenSSL ciphers to use. If default does not work, you can try alternatives such as HIGH:!MD5:!RC4 or as suggested by the Cipher: line in the output of openssl(1) (e.g. AES256-GCM-SHA384):
-
-
-$ openssl s_client -connect <host:port>
-(default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)
-Applies to TLS v1.2 or lower only, not to be used with TLS v1.3 ciphers.
-
-- --min-tls=<version>
-Use minimum TLS version instead of system default. Valid values are 1.0, 1.1, 1.2, 1.3.
-
-- --seclevel-1
-If --cipher-list is not specified, add @SECLEVEL=1 to the list of ciphers. This lowers limits on dh key.
-
-
-Applies to TLS v1.2 or lower only.
-
-- --pppd-use-peerdns=<bool>, --pppd-no-peerdns
-Whether to ask peer ppp server for DNS server addresses and let pppd rewrite /etc/resolv.conf. There is no mechanism to tell the dns-suffix to pppd. If the DNS server addresses are requested, also --set-dns=1 may race with the mechanisms in pppd.
-
-
---pppd-no-peerdns is the same as --pppd-use-peerdns=0.
-
-- --pppd-log=<file>
-Set pppd in debug mode and save its logs into <file>.
-
-- --pppd-plugin=<file>
-Use specified pppd plugin instead of configuring the resolver and routes directly.
-
-- --pppd-ipparam=<string>
-Provides an extra parameter to the ip-up, ip-pre-up and ip-down scripts. See man pppd(8) for further details
-
-- --pppd-ifname=<string>
-Set the ppp interface name. Only if supported by pppd. Patched versions of pppd implement this option but may not be available on your platform.
-
-- --pppd-call=<name>
-Drop usual arguments from pppd command line and add `call <name>' instead. This can be useful on Debian and Ubuntu, where unprivileged users in group `dip' can invoke `pppd call <name>' to make pppd read and apply options from /etc/ppp/peers/<name> (including privileged ones).
-
-- --pppd-accept-remote=<bool>
-Whether to invoke pppd with `ipcp-accept-remote'. Enabling this option breaks pppd < 2.5.0 but is required by newer pppd versions.
-
-- --ppp-system=<string>
-Only available if compiled for ppp user space client (e.g. on FreeBSD). Connect to the specified system as defined in /etc/ppp/ppp.conf
-
-- --persistent=<interval>
-Run the VPN persistently in an endless loop and try to reconnect forever. The reconnect interval may be specified in seconds, where 0 means no reconnect is done (this is the default).
-
-- -v
-Increase verbosity. Can be used multiple times to be even more verbose.
-
-- -q
-Decrease verbosity. Can be used multiple times to be even less verbose.
-
-
-ENVIRONMENT and proxy support
-openfortivpn can be run behind an HTTP proxy that supports the HTTP connect command. It checks if one of the environment variables https_proxy HTTPS_PROXY all_proxy ALL_PROXY is set which are supposed to contain a string of the format
-http://[host]:[port]
-where [host] is the ip or the fully qualified host name of the proxy server [port] is the TCP port number where the proxy is listening for incoming connections. If one of these variables is defined, openfortivpn tries to first establish a TCP connection to this proxy (plain HTTP, not encrypted), and then makes a request to connect to the VPN host as given on the command line or in the configuration file. The proxy is supposed to forward any subsequent packets transparently to the VPN host, so that the TLS layer of the connection effectively is established between the client and the VPN host, and the proxy just acts as a forwarding instance on the lower level of the TCP connection.
-The following environment variables are set by openfortivpn and pppd(8) or its scripts can obtain information this way:
-VPN_GATEWAY the ip of the gateway host
-and for each route three variables are set up, where an integer number is appended to the variable names, denoting the number of the current route:
-VPN_ROUTE_DEST_... the destination network of the route
-VPN_ROUTE_MASK_... the network mask for this route
-VPN_ROUTE_GATEWAY_... the gateway for the current route entry
-If not compiled for pppd the pppd options and features that rely on them are not available. On FreeBSD --ppp-system is available instead.
-CONFIGURATION
-Options can be taken from a configuration file. Options passed in the command line will override those from the configuration file, though. The default configuration file is /volatile/local/openfortivpn/etc/openfortivpn/config, but this can be set using the -c option. An empty template for the configuration file is installed to /volatile/local/openfortivpn/share/openfortivpn/config.template
-
-- A configuration file looks like:
-# this is a comment
-host = vpn-gateway
-port = 443
-username = foo
-# Password in plain text.
-# For a secure alternative, use pinentry or let openfortivpn prompt for the password.
-# password = bar
-# The pinentry program to use. Allows supplying the password in a secure manner.
-# pinentry = pinentry-mac
-# realm = some-realm
-# useful for a gui that passes a configuration file to openfortivpn
-# otp = 123456
-# otp-delay = 0
-# otp-prompt = Please
-# This would disable FTM push notification support, and use OTP instead
-# no-ftm-push = 1
-user-cert = /volatile/local/openfortivpn/etc/openfortivpn/user-cert.pem
-# user-cert = pkcs1: # use smartcard as client certificate
-user-key = /volatile/local/openfortivpn/etc/openfortivpn/user-key.pem
-pem-passphrase = baz
-# the sha256 digest of the trusted host certs obtained by
-# openssl dgst -sha256 server-cert.crt:
-trusted-cert = certificatedigest4daa8c5fe6c...
-trusted-cert = othercertificatedigest6631bf...
-# This would specify a ca bundle instead of system-wide store
-# ca-file = /volatile/local/openfortivpn/etc/openfortivpn/ca-bundle.pem
-set-dns = 0
-use-resolvconf = 1
-set-routes = 1
-half-internet-routes = 0
-pppd-use-peerdns = 1
-# alternatively, use a specific pppd plugin instead
-# pppd-plugin = /usr/lib/pppd/default/some-plugin.so
-# for debugging pppd write logs here
-# pppd-log = /var/log/pppd.log
-# pass ppp interface name to pppd (if supported by a patched pppd)
-# pppd-ifname = ppp1
-# pass an ipparam string to pppd, e.g. the device name (a similar use case)
-# pppd-ipparam = 'device=$DEVICE'
-# instruct pppd to call a script instead of passing arguments (if pppd supports it)
-# pppd-call = script
-# use-syslog = 0
-insecure-ssl = 0
-cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
-persistent = 0
-seclevel-1 = 0
-
-
-SEE ALSO
-The openfortivpn home page (https://github.com/adrienverge/openfortivpn) provides a short introduction in the README file and additional information under the Wiki tab.
+.TH OPENFORTIVPN 1 "May 4, 2020" ""
+
+.SH NAME
+openfortivpn \- Client for PPP+TLS VPN tunnel services
+
+.SH SYNOPSIS
+.B openfortivpn
+[\fI\fR[:\fI\fR]]
+[\fB\-u\fR \fI\fR]
+[\fB\-p\fR \fI\fR]
+[\fB\-\-cookie=\fI\fR]
+[\fB\-\-cookie\-on\-stdin\fR]
+[\fB\-\-pinentry=\fI\fR]
+[\fB\-\-otp=\fI\fR]
+[\fB\-\-otp\-prompt=\fI\fR]
+[\fB\-\-otp\-delay=\fI\fR]
+[\fB\-\-no\-ftm\-push\fR]
+[\fB\-\-realm=\fI\fR]
+[\fB\-\-ifname=\fI\fR]
+[\fB\-\-set\-routes=\fI\fR]
+[\fB\-\-no\-routes\fR]
+[\fB\-\-set\-dns=\fI\fR]
+[\fB\-\-no\-dns\fR]
+[\fB\-\-half\-internet\-routes=\fI\fR]
+[\fB\-\-ca\-file=\fI\fR]
+[\fB\-\-user\-cert=\fI\fR]
+[\fB\-\-user-cert=\fIpkcs11:\fR]
+[\fB\-\-user\-key=\fI\fR]
+[\fB\-\-use\-syslog\fR]
+[\fB\-\-trusted\-cert=\fI\fR]
+[\fB\-\-insecure\-ssl\fR]
+[\fB\-\-cipher\-list=\fI\fR]
+[\fB\-\-min\-tls=\fI\fR]
+[\fB\-\-seclevel\-1\fR]
+[\fB\-\-pppd\-use\-peerdns=\fI\fR]
+[\fB\-\-pppd\-no\-peerdns\fR]
+[\fB\-\-pppd\-log=\fI\fR]
+[\fB\-\-pppd\-plugin=\fI\fR]
+[\fB\-\-pppd\-ipparam=\fI\fR]
+[\fB\-\-pppd\-ifname=\fI\fR]
+[\fB\-\-pppd\-call=\fI\fR]
+[\fB\-\-pppd\-accept\-remote=\fI\fR]
+[\fB\-\-ppp\-system=\fI\fR]
+[\fB\-\-use\-resolvconf=\fI\fR]
+[\fB\-\-persistent=\fI\fR]
+[\fB\-c\fR \fI\fR]
+[\fB\-v|\-q\fR]
+.br
+.B openfortivpn
+\-\-help
+.br
+.B openfortivpn
+\-\-version
+
+.SH DESCRIPTION
+.B openfortivpn
+connects to a VPN by setting up a tunnel to the gateway at
+\fI\fR:\fI\fR.
+
+.SH OPTIONS
+.TP
+\fB\-\-help\fR
+Show the help message and exit.
+.TP
+\fB\-\-version\fR
+Show version and exit.
+.TP
+\fB\-c \fI\fR, \fB\-\-config=\fI\fR
+Specify a custom configuration file (default: @SYSCONFDIR@/openfortivpn/config).
+.TP
+\fB\-u \fI\fR, \fB\-\-username=\fI\fR
+VPN account username.
+.TP
+\fB\-p \fI\fR, \fB\-\-password=\fI\fR
+VPN account password in plain text.
+For a secure alternative, use pinentry or let openfortivpn prompt for the password.
+.TP
+\fB\-\-cookie=\fI\fR
+A valid cookie (SVPNCOOKIE) to use in place of username and password.
+.TP
+\fB\-\-cookie\-on\-stdin\fR
+Read the cookie (SVPNCOOKIE) from standard input.
+.TP
+\fB\-\-pinentry=\fI\fR
+The pinentry program to use. Allows supplying the password in a secure manner.
+For example: pinentry-gnome3 on Linux, or pinentry-mac on macOS.
+.TP
+\fB\-o \fI\fR, \fB\-\-otp=\fI\fR
+One-Time-Password.
+.TP
+\fB\-\-otp\-prompt=\fI\fR
+Search for the OTP password prompt starting with the string \fI\fR.
+.TP
+\fB\-\-otp\-delay\=\fI\fR
+Set the amount of time to wait before sending the One-Time-Password.
+The delay time must be specified in seconds, where 0 means
+no wait (this is the default).
+.TP
+\fB\-\-no\-ftm\-push\fR
+Do not use FTM push if the server provides the option.
+The server may be configured to allow two factor authentication through a
+push notification to the mobile application. If this option is provided,
+authentication based on OTP will be used instead.
+.TP
+\fB\-\-realm=\fI\fR
+Connect to the specified authentication realm. Defaults to empty, which
+is usually what you want.
+.TP
+\fB\-\-ifname=\fI\fR
+Bind the connection to the specified network interface.
+.TP
+\fB\-\-set\-routes=\fI\fR, \fB\-\-no-routes\fR
+Set if openfortivpn should try to configure IP routes through the VPN when
+tunnel is up. If used multiple times, the last one takes priority.
+
+\fB\-\-no\-routes\fR is the same as \fB\-\-set-routes=\fI0\fR.
+.TP
+\fB\-\-half\-internet\-routes=\fI\fR
+Set if openfortivpn should add two 0.0.0.0/1 and 128.0.0.0/1 routes with
+higher priority instead of replacing the default route.
+.TP
+\fB\-\-set\-dns=\fI\fR, \fB\-\-no\-dns\fR
+Set if openfortivpn should add DNS name servers in /etc/resolv.conf when
+tunnel is up. Also a dns\-suffix may be received from the peer and added
+to /etc/resolv.conf in the turn of adding the name servers.
+resolvconf is instructed to do the update of the resolv.conf file
+if it is installed and \-\-use\-resolvconf is activated, otherwise openfortivpn
+prepends its changes to the existing content of the resolv.conf file.
+Note that there may be other mechanisms to update /etc/resolv.conf,
+e.g., \fB\-\-pppd\-use\-peerdns\fR in conjunction with an ip-up-script,
+which may require that openfortivpn is called with \fB\-\-no\-dns\fR.
+\fB\-\-no\-dns\fR is the same as \fB\-\-set\-dns=\fI0\fR.
+.TP
+\fB\-\-use\-resolvconf=\fI\fR
+Set if openfortivpn should use resolvconf to add DNS name servers
+in /etc/resolv.conf. If it is set to false, the builtin fallback
+mechanism is used even if resolvconf is available.
+.TP
+\fB\-\-ca\-file=\fI\fR
+Use specified PEM-encoded certificate bundle instead of system-wide store to
+verify the gateway certificate.
+.TP
+\fB\-\-user\-cert=\fI\fR
+Use specified PEM-encoded certificate if the server requires authentication
+with a certificate.
+.TP
+\fB\-\-user-cert=\fIpkcs11:\fR
+Use at least the string pkcs11: for using a smartcard. It takes the full
+or a partial PKCS11-URI (p11tool --list-token-urls)
+
+ --user-cert = pkcs11:
+
+ --user-cert = pkcs11:token=someuser
+
+ --user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser
+
+\fBThis feature requires the OpenSSL PKCS engine!
+.TP
+\fB\-\-user\-key=\fI\fR
+Use specified PEM-encoded key if the server requires authentication with
+a certificate.
+.TP
+\fB\-\-pem-passphrase=\fI\fR
+Pass phrase for the PEM-encoded key.
+.TP
+\fB\-\-use\-syslog\fR
+Log to syslog instead of terminal.
+.TP
+\fB\-\-trusted\-cert=\fI\fR
+Trust a given gateway. If classical TLS certificate validation fails, the
+gateway certificate will be matched against this value. \fI\fR is the
+X509 certificate's sha256 sum. The certificate has to be encoded in DER form.
+This option can be used multiple times to trust several certificates.
+.TP
+\fB\-\-insecure\-ssl\fR
+Do not disable insecure TLS protocols/ciphers.
+If your server requires a specific cipher, consider using \fB\-\-cipher\-list\fR
+instead.
+.TP
+\fB\-\-cipher\-list=\fI\fR
+OpenSSL ciphers to use. If default does not work, you can try alternatives
+such as HIGH:!MD5:!RC4 or as suggested by the Cipher: line in the output of
+\fBopenssl\fP(1) (e.g. AES256-GCM-SHA384):
+
+$ openssl s_client -connect \fI\fR
+
+(default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)
+
+\fBApplies to TLS v1.2 or lower only, not to be used with TLS v1.3 ciphers.\fR
+.TP
+\fB\-\-min\-tls=\fI\fR
+Use minimum TLS version instead of system default. Valid values are 1.0,
+1.1, 1.2, 1.3.
+.TP
+\fB\-\-seclevel\-1\fR
+If \fB\-\-cipher-list\fR is not specified, add @SECLEVEL=1 to the list of
+ciphers. This lowers limits on dh key.
+
+\fBApplies to TLS v1.2 or lower only.\fR
+.TP
+\fB\-\-pppd\-use\-peerdns=\fI\fR, \fB\-\-pppd\-no\-peerdns\fR
+Whether to ask peer ppp server for DNS server addresses and let pppd
+rewrite /etc/resolv.conf. There is no mechanism to tell the dns\-suffix
+to pppd. If the DNS server addresses are requested,
+also \fB\-\-set\-dns=\fI1\fR may race with the mechanisms in pppd.
+
+\fB\-\-pppd\-no\-peerdns\fR is the same as \fB\-\-pppd\-use\-peerdns=\fI0\fR.
+.TP
+\fB\-\-pppd\-log=\fI\fR
+Set pppd in debug mode and save its logs into \fI\fR.
+.TP
+\fB\-\-pppd\-plugin=\fI\fR
+Use specified pppd plugin instead of configuring the resolver and routes
+directly.
+.TP
+\fB\-\-pppd\-ipparam=\fI\fR
+Provides an extra parameter to the ip\-up, ip\-pre\-up and ip\-down scripts. See man
+.BR pppd(8)
+for further details
+.TP
+\fB\-\-pppd\-ifname=\fI\fR
+Set the ppp interface name. Only if supported by pppd. Patched versions of pppd
+implement this option but may not be available on your platform.
+.TP
+\fB\-\-pppd\-call=\fI\fR
+Drop usual arguments from pppd command line and add `call ' instead.
+This can be useful on Debian and Ubuntu, where unprivileged users in
+group `dip' can invoke `pppd call ' to make pppd read and apply
+options from /etc/ppp/peers/ (including privileged ones).
+.TP
+\fB\-\-pppd\-accept\-remote=\fI\fR
+Whether to invoke pppd with `ipcp-accept-remote'. Enabling this option breaks
+pppd < 2.5.0 but is required by newer pppd versions.
+.TP
+\fB\-\-ppp\-system=\fI\fR
+Only available if compiled for ppp user space client (e.g. on FreeBSD).
+Connect to the specified system as defined in /etc/ppp/ppp.conf
+.TP
+\fB\-\-persistent\=\fI\fR
+Run the VPN persistently in an endless loop and try to reconnect forever.
+The reconnect interval may be specified in seconds, where 0 means
+no reconnect is done (this is the default).
+.TP
+\fB\-v\fR
+Increase verbosity. Can be used multiple times to be even more verbose.
+.TP
+\fB\-q\fR
+Decrease verbosity. Can be used multiple times to be even less verbose.
+
+.SH ENVIRONMENT and proxy support
+.B openfortivpn
+can be run behind an HTTP proxy that supports the HTTP connect command.
+It checks if one of the environment variables
+.B https_proxy HTTPS_PROXY all_proxy ALL_PROXY
+is set which are supposed to contain a string of the format
+.br
+.B http://[host]:[port]
+.br
+where
+.B [host]
+is the ip or the fully qualified host name of the proxy server
+.B [port]
+is the TCP port number where the proxy is listening for
+incoming connections. If one of these variables is defined,
+.B openfortivpn
+tries to first establish a TCP connection to this proxy (plain HTTP, not encrypted),
+and then makes a request to connect to the VPN host as given on the command line
+or in the configuration file. The proxy is supposed to forward any subsequent packets
+transparently to the VPN host, so that the TLS layer of the connection effectively
+is established between the client and the VPN host, and the proxy just acts as a
+forwarding instance on the lower level of the TCP connection.
+
+The following environment variables are set by
+.B openfortivpn
+and
+.BR pppd(8)
+or its scripts can obtain information this way:
+.br
+VPN_GATEWAY the ip of the gateway host
+.br
+and for each route three variables are set up, where an integer number
+is appended to the variable names, denoting the number of the current route:
+.br
+VPN_ROUTE_DEST_... the destination network of the route
+.br
+VPN_ROUTE_MASK_... the network mask for this route
+.br
+VPN_ROUTE_GATEWAY_... the gateway for the current route entry
+
+If not compiled for pppd the pppd options and features that rely on them are not
+available. On FreeBSD \fB\-\-ppp\-system\fR is available instead.
+
+.SH CONFIGURATION
+Options can be taken from a configuration file. Options passed in the command
+line will override those from the configuration file, though. The default
+configuration file is @SYSCONFDIR@/openfortivpn/config, but this can be set
+using the \fB\-c\fR option.
+An empty template for the configuration file is installed to
+@DATADIR@/config.template
+
+.TP
+A configuration file looks like:
+# this is a comment
+.br
+host = vpn\-gateway
+.br
+port = 443
+.br
+username = foo
+.br
+# Password in plain text.
+.br
+# For a secure alternative, use pinentry or let openfortivpn prompt for the password.
+.br
+# password = bar
+.br
+# The pinentry program to use. Allows supplying the password in a secure manner.
+.br
+# pinentry = pinentry-mac
+.br
+# realm = some-realm
+.br
+# useful for a gui that passes a configuration file to openfortivpn
+.br
+# otp = 123456
+.br
+# otp\-delay = 0
+.br
+# otp\-prompt = Please
+.br
+# This would disable FTM push notification support, and use OTP instead
+.br
+# no\-ftm\-push = 1
+.br
+user\-cert = @SYSCONFDIR@/openfortivpn/user\-cert.pem
+.br
+# user\-cert = pkcs1: # use smartcard as client certificate
+.br
+user\-key = @SYSCONFDIR@/openfortivpn/user\-key.pem
+.br
+pem\-passphrase = baz
+.br
+# the sha256 digest of the trusted host certs obtained by
+.br
+# openssl dgst -sha256 server\-cert.crt:
+.br
+trusted\-cert = certificatedigest4daa8c5fe6c...
+.br
+trusted\-cert = othercertificatedigest6631bf...
+.br
+# This would specify a ca bundle instead of system-wide store
+.br
+# ca\-file = @SYSCONFDIR@/openfortivpn/ca\-bundle.pem
+.br
+set\-dns = 0
+.br
+use\-resolvconf = 1
+.br
+set\-routes = 1
+.br
+half\-internet\-routes = 0
+.br
+pppd\-use\-peerdns = 1
+.br
+# alternatively, use a specific pppd plugin instead
+.br
+# pppd\-plugin = /usr/lib/pppd/default/some\-plugin.so
+.br
+# for debugging pppd write logs here
+.br
+# pppd\-log = /var/log/pppd.log
+.br
+# pass ppp interface name to pppd (if supported by a patched pppd)
+.br
+# pppd\-ifname = ppp1
+.br
+# pass an ipparam string to pppd, e.g. the device name (a similar use case)
+.br
+# pppd\-ipparam = 'device=$DEVICE'
+.br
+# instruct pppd to call a script instead of passing arguments (if pppd supports it)
+.br
+# pppd\-call = script
+.br
+# use\-syslog = 0
+.br
+insecure\-ssl = 0
+.br
+cipher\-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
+.br
+persistent = 0
+.br
+seclevel-1 = 0
+
+.SH SEE ALSO
+
+The \fBopenfortivpn\fR home page
+(\fIhttps://github.com/adrienverge/openfortivpn\fR)
+provides a short introduction in the \fBREADME\fR file and additional
+information under the \fBWiki\fR tab.