openconnect.8.in

.TH OPENCONNECT 8
.SH NAME
openconnect \- Multi-protocol VPN client, for Cisco AnyConnect VPNs and others
.SH SYNOPSIS
.SY openconnect
.OP \-\-config configfile
.OP \-b,\-\-background
.OP \-\-pid\-file pidfile
.OP \-c,\-\-certificate cert
.OP \-e,\-\-cert\-expire\-warning days
.OP \-k,\-\-sslkey key
.OP \-C,\-\-cookie cookie
.OP \-\-cookie\-on\-stdin
.OP \-\-compression MODE
.OP \-d,\-\-deflate
.OP \-D,\-\-no\-deflate
.OP \-\-force\-dpd interval
.OP \-\-force\-trojan interval
.OP \-F,\-\-form\-entry form:opt=value
.OP \-g,\-\-usergroup group
.OP \-h,\-\-help
.OP \-\-http\-auth methods
.OP \-i,\-\-interface ifname
.OP \-l,\-\-syslog
.OP \-\-timestamp
.OP \-\-passtos
.OP \-U,\-\-setuid user
.OP \-\-csd\-user user
.OP \-m,\-\-mtu mtu
.OP \-\-base\-mtu mtu
.OP \-p,\-\-key\-password pass
.OP \-P,\-\-proxy proxyurl
.OP \-\-proxy\-auth methods
.OP \-\-no\-proxy
.OP \-\-libproxy
.OP \-\-key\-password\-from\-fsid
.OP \-q,\-\-quiet
.OP \-Q,\-\-queue\-len len
.OP \-s,\-\-script vpnc\-script
.OP \-S,\-\-script\-tun
.OP \-u,\-\-user name
.OP \-V,\-\-version
.OP \-v,\-\-verbose
.OP \-x,\-\-xmlconfig config
.OP \-\-authgroup group
.OP \-\-authenticate
.OP \-\-cookieonly
.OP \-\-printcookie
.OP \-\-cafile file
.OP \-\-disable\-ipv6
.OP \-\-dtls\-ciphers list
.OP \-\-dtls12\-ciphers list
.OP \-\-dtls\-local\-port port
.OP \-\-dump\-http\-traffic
.OP \-\-no\-system\-trust
.OP \-\-pfs
.OP \-\-no\-dtls
.OP \-\-no\-http\-keepalive
.OP \-\-no\-passwd
.OP \-\-no\-xmlpost
.OP \-\-non\-inter
.OP \-\-passwd\-on\-stdin
.OP \-\-protocol proto
.OP \-\-token\-mode mode
.OP \-\-token\-secret {secret\fR[\fI,counter\fR]|@\fIfile\fR}
.OP \-\-reconnect\-timeout
.OP \-\-resolve host:ip
.OP \-\-servercert sha1
.OP \-\-useragent string
.OP \-\-version\-string string
.OP \-\-local-hostname string
.OP \-\-os string
.B [\-\-server] [https://]\fIhost\fB[:\fIport\fB][/\fIgroup\fB]
.YS

.SH DESCRIPTION
The program
.B openconnect
connects to VPN servers which use standard TLS/SSL, DTLS, and ESP
protocols for data transport.

It was originally written to support Cisco "AnyConnect" VPN servers,
and has since been extended with experimental support for Juniper
Network Connect
.RB ( \-\-protocol=nc )
Junos Pulse VPN servers,
.RB ( \-\-protocol=pulse )
PAN GlobalProtect VPN servers,
.RB ( \-\-protocol=gp )
F5 Big-IP VPN servers,
.RB ( \-\-protocol=f5 )
Fortinet Fortigate VPN servers,
.RB ( \-\-protocol=fortinet )
and Array Networks SSL VPN servers,
.RB ( \-\-protocol=array )
.

The connection happens in two phases. First there is a simple HTTPS
connection over which the user authenticates somehow \- by using a
certificate, or password or SecurID, etc.  Having authenticated, the
user is rewarded with an authentication cookie which can be used to make the
real VPN connection.

The second phase uses that cookie to connect to a tunnel via HTTPS,
and data packets can be passed over the resulting connection. When
possible, a UDP tunnel is also configured: AnyConnect uses DTLS, while
Juniper and GlobalProtect use UDP-encapsulated ESP. The UDP tunnel
may be disabled with
.BR \-\-no\-dtls ,
but is preferred when correctly supported by the server and network
for performance reasons. (TCP performs poorly and unreliably over
TCP-based tunnels; see
.IR http://sites.inka.de/~W1011/devel/tcp-tcp.html .)

.SH OPTIONS
.TP
.B \-\-config=CONFIGFILE
Read further options from
.I CONFIGFILE
before continuing to process options from the command line. The file
should contain long-format options as would be accepted on the command line,
but without the two leading \-\- dashes. Empty lines, or lines where the
first non-space character is a # character, are ignored.

Any option except the
.B config
option may be specified in the file.
.TP
.B \-b,\-\-background
Continue in background after startup
.TP
.B \-\-pid\-file=PIDFILE
Save the pid to
.I PIDFILE
when backgrounding
.TP
.B \-c,\-\-certificate=CERT
Use SSL client certificate
.I CERT
which may be either a file name or, if OpenConnect has been built with an appropriate
version of GnuTLS, a PKCS#11 URL.
.TP
.B \-e,\-\-cert\-expire\-warning=DAYS
Give a warning when SSL client certificate has
.I DAYS
left before expiry
.TP
.B \-k,\-\-sslkey=KEY
Use SSL private key
.I KEY
which may be either a file name or, if OpenConnect has been built with an appropriate
version of GnuTLS, a PKCS#11 URL.
.TP
.B \-C,\-\-cookie=COOKIE
Use authentication cookie
.IR COOKIE .
.TP
.B \-\-cookie\-on\-stdin
Read cookie from standard input.
.TP
.B \-d,\-\-deflate
Enable all compression, including stateful modes. By default, only stateless
compression algorithms are enabled.
.TP
.B \-D,\-\-no\-deflate
Disable all compression.
.TP
.B \-\-compression=MODE
Set compression mode, where
.I MODE
is one of
.IR "stateless" ,
.IR "none" ,
or
.IR "all" .

By default, only stateless compression algorithms which do not maintain state
from one packet to the next (and which can be used on UDP transports) are
enabled. By setting the mode to
.I "all"
stateful algorithms (currently only zlib deflate) can be enabled. Or all
compression can be disabled by setting the mode to
.IR "none" .
.TP
.B \-\-force\-dpd=INTERVAL
Use
.I INTERVAL
as minimum Dead Peer Detection interval (in seconds) for CSTP and DTLS, forcing use of DPD even when the server doesn't request it.
.TP
.B \-g,\-\-usergroup=GROUP
Use
.I GROUP
as login UserGroup
.TP
.B \-F,\-\-form\-entry=FORM:OPTION=VALUE
Provide authentication form input, where
.I FORM
and
.I OPTION
are the identifiers from the form and the specific input field, and
.I VALUE
is the string to be filled in automatically. For example, the standard username field
.I (also handled by the \-\-user option)
could also be provided with this option thus:
.I \-\-form\-entry
.IR main:username=joebloggs .

This option should
.I not
be used to enter passwords.
.I \-\-passwd\-on\-stdin
should be used for that purpose. Not only will this option expose the password value
via the OpenConnect process's command line, but unlike
.I \-\-passwd\-on\-stdin
this option will not recognize the case of an incorrect password, and stop trying
to re-enter it repeatedly.
.TP
.B \-h,\-\-help
Display help text
.TP
.B \-\-http\-auth=METHODS
Use only the specified methods for HTTP authentication to a server.  By default,
only Negotiate, NTLM and Digest authentication are enabled. Basic authentication
is also supported but because it is insecure it must be explicitly enabled. The
argument is a comma-separated list of methods to be enabled. Note that the order
does not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic
authentication in that order, if each is enabled, regardless of the order
specified in the METHODS string.
.TP
.B \-i,\-\-interface=IFNAME
Use
.I IFNAME
for tunnel interface
.TP
.B \-l,\-\-syslog
After tunnel is brought up, use syslog for further progress messages
.TP
.B \-\-timestamp
Prepend a timestamp to each progress message
.TP
.B \-\-passtos
Copy TOS / TCLASS of payload packet into DTLS and ESP packets. This is
not set by default because it may leak information about the payload
(for example, by differentiating voice/video traffic).
.TP
.B \-U,\-\-setuid=USER
Drop privileges after connecting, to become user
.I USER
.TP
.B \-\-csd\-user=USER
Drop privileges during execution of trojan binary or script (CSD, TNCC, or HIP).
.TP
.B \-\-csd\-wrapper=SCRIPT
Run
.I SCRIPT
instead of the trojan binary or script.
.TP
.B \-\-force-trojan=INTERVAL
Use
.I INTERVAL
as interval (in seconds) for repeat execution of Trojan binary or script, overriding default and/or
server-set interval.
.TP
.B \-m,\-\-mtu=MTU
Request
.I MTU
from server as the MTU of the tunnel.
.TP
.B \-\-base\-mtu=MTU
Indicate
.I MTU
as the path MTU between client and server on the unencrypted network. Newer
servers will automatically calculate the MTU to be used on the tunnel from
this value.
.TP
.B \-p,\-\-key\-password=PASS
Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
.TP
.B \-P,\-\-proxy=PROXYURL
Use HTTP or SOCKS proxy for connection. A username and password can be provided
in the given URL, and will be used for authentication. If authentication is
required but no credentials are given, GSSAPI and automatic NTLM authentication
using Samba's ntlm_auth helper tool may be attempted.
.TP
.B \-\-proxy\-auth=METHODS
Use only the specified methods for HTTP authentication to a proxy.  By default,
only Negotiate, NTLM and Digest authentication are enabled. Basic authentication
is also supported but because it is insecure it must be explicitly enabled. The
argument is a comma-separated list of methods to be enabled. Note that the order
does not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic
authentication in that order, if each is enabled, regardless of the order
specified in the METHODS string.
.TP
.B \-\-no\-proxy
Disable use of proxy
.TP
.B \-\-libproxy
Use libproxy to configure proxy automatically (when built with libproxy support)
.TP
.B \-\-key\-password\-from\-fsid
Passphrase for certificate file is automatically generated from the
.I fsid
of the file system on which it is stored. The
.I fsid
is obtained from the
.BR statvfs (2)
or
.BR statfs (2)
system call, depending on the operating system. On a Linux or similar system
with GNU coreutils, the
.I fsid
used by this option should be equal to the output of the command:
.EX
stat \-\-file\-system \-\-printf=%i\e\en $CERTIFICATE
.EE
It is not the same as the 128\-bit UUID of the file system.
.TP
.B \-q,\-\-quiet
Less output
.TP
.B \-Q,\-\-queue\-len=LEN
Set packet queue limit to
.I LEN
packets. The default is 10. A high value may allow better overall bandwidth
but at a cost of latency. If you run Voice over IP or other interactive
traffic over the VPN, you don't want those packets to be queued behind
thousands of other large packets which are part of a bulk transfer.

This option sets the maximum inbound and outbound packet queue sizes
in OpenConnect itself, which control how many packets will be sent and
received in a single batch, as well as affecting other buffering such
as the socket send buffer (SO_SNDBUF) for network connections and the
OS tunnel device.

Ultimately, the right size for a queue is "just enough packets that it
never quite gets empty before more are pushed to it". Any higher than
that is simply introducing bufferbloat and additional latency with no
benefit. With the default of 10, we are able to saturate a single
Gigabit Ethernet from modest hardware, which is more than enough for
most VPN users.

If OpenConnect is built with vhost-net support, it will only be used
if the queue length is set to 16 or more. This is because vhost-net
introduces a small amount of additional latency, but improves total
bandwidth quite considerably for those operating at high traffic
rates. Thus it makes sense to use it when the user has indicated a
preference for bandwidth over latency, by increasing the queue size.

.TP
.B \-s,\-\-script=SCRIPT
Invoke
.I SCRIPT
to configure the network after connection. Without this, routing and name
service are unlikely to work correctly. The script is expected to be
compatible with the
.B vpnc\-script
which is shipped with the "vpnc" VPN client. See
.I https://www.infradead.org/openconnect/vpnc-script.html
for more information. This version of OpenConnect is configured to
use \fB@DEFAULT_VPNCSCRIPT@\fR by default.

On Windows, a relative directory for the default script will be handled as
starting from the directory that the openconnect executable is running from,
rather than the current directory. The script will be invoked with the
command-based script host \fBcscript.exe\fR.
.TP
.B \-S,\-\-script\-tun
Pass traffic to 'script' program over a UNIX socket, instead of to a kernel
tun/tap device. This allows the VPN IP traffic to be handled entirely in
userspace, for example by a program which uses lwIP to provide SOCKS access
into the VPN.
.TP
.B \-\-server=[https://]\fIHOST\fB[:\fIPORT\fB][/\fIGROUP\fB]
Define the VPN server as a simple
.I HOST
or as an URL containing the
. I HOST
and optionally the
.I PORT
number and the login 
.I GROUP
or realm.

As an alternative, define the VPN server as non-option command line argument.
.TP
.B \-u,\-\-user=NAME
Set login username to
.I NAME
.TP
.B \-V,\-\-version
Report version number
.TP
.B \-v,\-\-verbose
More output (may be specified multiple times for additional output)
.TP
.B \-x,\-\-xmlconfig=CONFIG
XML config file
.TP
.B \-\-authgroup=GROUP
Choose authentication login selection
.TP
.B \-\-authenticate
Authenticate to the VPN, output the information needed to make the connection in
a form which can be used to set shell environment variables, and then exit.

When invoked with this option, OpenConnect will not actually create the VPN connection
or configure a tunnel interface, but if successful will print something like the
following to stdout:
.nf
.B COOKIE='3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...'
.B HOST='10.0.0.1'
.B CONNECT_URL='https://vpnserver.example.com'
.B FINGERPRINT='469bb424ec8835944d30bc77c77e8fc1d8e23a42'
.B RESOLVE='vpnserver.example.com:10.0.0.1'
.fi
Thus, you can invoke openconnect as a non-privileged user
.I (with access to the user's PKCS#11 tokens, etc.)
for authentication, and then invoke openconnect separately to make the actual
connection as root:
.nf
.B eval `openconnect --authenticate https://vpnserver.example.com`;
.B [ -n "$COOKIE" ] && echo "$COOKIE" |
.B \ \ sudo openconnect --cookie-on-stdin $CONNECT_URL --servercert $FINGERPRINT --resolve $RESOLVE
.fi

Earlier versions of OpenConnect produced only the
.B HOST
variable (containing the numeric server address), and not the
.B CONNECT_URL
or
.B RESOLVE
variables. Subsequently, we discovered that servers behind proxies may not respond
correctly unless the correct DNS name is present in the connection phase, and we
added support for VPN protocols where the server URL's
.I path
component may be significant in the connection phase, prompting the addition of
.B CONNECT_URL
and
.BR RESOLVE ,
and the recommendation to use them as described above.
If you are not certain that you are invoking a newer version of OpenConnect which outputs
these variables, use the following command-line (compatible with most Bourne shell derivatives)
which will work with either a newer or older version:
.nf
.B sudo openconnect --cookie-on-stdin ${CONNECT_URL:-$HOST} --servercert $FINGERPRINT ${RESOLVE:+--resolve=$RESOLVE}
.fi
.TP
.B \-\-cookieonly
Fetch and print cookie only; don't connect (this is essentially a subset of
.BR \-\-authenticate ).
.TP
.B \-\-printcookie
Print cookie to stdout before connecting (see
.B \-\-authenticate
for the meaning of this cookie)
.TP
.B \-\-cafile=FILE
Additional CA file for server verification. By default, this simply
causes OpenConnect to trust additional root CA certificate(s) in
addition to those trusted by the system. Use
.B \-\-no\-system\-trust
to prevent OpenConnect from trusting the system default certificate
authorities.
.TP
.B \-\-no\-system\-trust
Do not trust the system default certificate authorities. If this option is
given, only certificate authorities given with the
.B \-\-cafile
option, if any, will be trusted automatically.
.TP
.B \-\-disable\-ipv6
Do not advertise IPv6 capability to server
.TP
.B \-\-dtls\-ciphers=LIST
Set OpenSSL ciphers to support for DTLS
.TP
.B \-\-dtls12\-ciphers=LIST
Set OpenSSL ciphers for Cisco's DTLS v1.2
.TP
.B \-\-dtls\-local\-port=PORT
Use
.I PORT
as the local port for DTLS and UDP datagrams
.TP
.B \-\-dump\-http\-traffic
Enable verbose output of all HTTP requests and the bodies of all responses
received from the server.

.TP
.B \-\-pfs
Enforces Perfect Forward Secrecy (PFS). That ensures that if the server's
long-term key is compromised, any session keys established before the compromise
will be unaffected. If this option is provided and the server does not support PFS
in the TLS channel the connection will fail.

PFS is available in Cisco ASA releases 9.1(2) and higher; a suitable cipher
suite may need to be manually enabled by the administrator using the
.B ssl encryption
setting.

.TP
.B \-\-no\-dtls
Disable DTLS and ESP
.TP
.B \-\-no\-http\-keepalive
Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
the client's SSL certificate when HTTP connections are being re\-used for
multiple requests. So far, this has only been seen on the initial connection,
where the server gives an HTTP/1.0 redirect response with an explicit
.B Connection: Keep\-Alive
directive. OpenConnect as of v2.22 has an unconditional workaround for this,
which is never to obey that directive after an HTTP/1.0 response.

However, Cisco's support team has failed to give any competent
response to the bug report and we don't know under what other
circumstances their bug might manifest itself. So this option exists
to disable ALL re\-use of HTTP sessions and cause a new connection to be
made for each request. If your server seems not to be recognizing your
certificate, try this option. If it makes a difference, please report
this information to the
.B openconnect\-devel@lists.infradead.org
mailing list.
.TP
.B \-\-no\-passwd
Never attempt password (or SecurID) authentication.
.TP
.B \-\-no\-xmlpost
Do not attempt to post an XML authentication/configuration request to the
server; use the old style GET method which was used by older clients and
servers instead.

This option is a temporary safety net, to work around potential
compatibility issues with the code which falls back to the old method
automatically. It causes OpenConnect to behave more like older
versions (4.08 and below) did. If you find that you need to use this
option, then you have found a bug in OpenConnect. Please see
https://www.infradead.org/openconnect/mail.html and report this to the
developers.
.TP
.B \-\-allow\-insecure\-crypto
The ancient, broken 3DES and RC4 ciphers are insecure; we explicitly
disable them by default. However, some still-in-use VPN servers can't do
any better.

This option enables use of these insecure ciphers, as well as the use
of SHA1 for server certificate validation.
.TP
.B \-\-non\-inter
Do not expect user input; exit if it is required.
.TP
.B \-\-passwd\-on\-stdin
Read password from standard input
.TP
.B \-\-protocol=PROTO
Select VPN protocol
.I PROTO
to be used for the connection. Supported protocols are
.I anyconnect
for Cisco AnyConnect (the default),
.I nc
for experimental support for Juniper Network Connect (also supported
by most Junos Pulse servers),
.I pulse
for experimental support for Junos Pulse,
.I gp
for experimental support for PAN GlobalProtect,
.I f5
for experimental support for F5 Big-IP,
.I fortinet
for experimental support for Fortinet Fortigate, and
.I array
for experimental support for Array Networks SSL VPN.

See
.I https://www.infradead.org/openconnect/protocols.html
for details on features and deficiencies of the individual
protocols.

OpenConnect does not yet support all of the authentication options used
by Pulse, nor does it support Host Checker/TNCC with Pulse. If your
Junos Pulse VPN is not yet supported with
.BR \-\-protocol=pulse ,
then
.B \-\-protocol=nc
may be a useful fallback option.
.TP
.B \-\-token\-mode=MODE
Enable one-time password generation using the
.I MODE
algorithm.
.B \-\-token\-mode=rsa
will call libstoken to generate an RSA SecurID tokencode,
.B \-\-token\-mode=totp
will call liboath to generate an RFC 6238 time-based password, and
.B \-\-token\-mode=hotp
will call liboath to generate an RFC 4226 HMAC-based password. Yubikey
tokens which generate OATH codes in hardware are supported with
.B \-\-token\-mode=yubioath. \-\-token\-mode=oidc will use the provided
OpenIDConnect token as an RFC 6750 bearer token.
.TP
.B \-\-token\-secret={ SECRET[,COUNTER] | @FILENAME }
The secret to use when generating one-time passwords/verification codes.
Base 32-encoded TOTP/HOTP secrets can be used by specifying "base32:" at the
beginning of the secret, and for HOTP secrets the token counter can be
specified following a comma.

RSA SecurID secrets can be specified as an Android/iPhone URI or a raw numeric
CTF string (with or without dashes).

For Yubikey OATH the token secret specifies the name of the credential to be
used. If not provided, the first OATH credential found on the device will be
used.

For OIDC the secret is the bearer token to be used.

.IR FILENAME ,
if specified, can contain any of the above strings.  Or, it can contain a
SecurID XML (SDTID) seed.

If this option is omitted, and \-\-token\-mode is
"rsa", libstoken will try to use the software token seed saved in
.B ~/.stokenrc
by the "stoken import" command.
.TP
.B \-\-reconnect\-timeout
Keep reconnect attempts until so much seconds are elapsed. The default
timeout is 300 seconds, which means that openconnect can recover
VPN connection after a temporary network down time of 300 seconds.
.TP
.B \-\-resolve=HOST:IP
Automatically resolve the hostname
.IR HOST
to
.IR IP
instead of using the normal resolver to look it up.
.TP
.B \-\-servercert=HASH
Accept server's SSL certificate only if it matches the provided fingerprint.
This option implies \-\-no\-system\-trust, and may be specified multiple
times in order to accept multiple possible fingerprints.

The allowed fingerprint types are
.IR SHA1 ,
.IR SHA256 ,
and
.IR PIN-SHA256 .
They are distinguished by the 'sha1:', 'sha256:' and 'pin-sha256:' prefixes to the
encoded hash. The first two are custom identifiers providing hex
encoding of the peer's public key, while 'pin-sha256:' is the RFC7469 key
PIN, which utilizes base64 encoding. To ease certain
testing use-cases, a partial match of the hash will also
be accepted, if it is at least 4 characters past the prefix.
.TP
.B \-\-useragent=STRING
Use
.I STRING
as 'User\-Agent:' field value in HTTP header.
(e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
.TP
.B \-\-version\-string=STRING
Use
.I STRING
as the software version reported to the head end.
(e.g. \-\-version\-string '2.2.0133')
.TP
.B \-\-local-hostname=STRING
Use
.I STRING
as 'X\-CSTP\-Hostname:' field value in HTTP header. For example \-\-local\-hostname 'mypc',
will advertise the value 'mypc' as the suggested hostname to point to the provided IP address.
.TP
.B \-\-os=STRING
OS type to report to gateway.  Recognized values are:
.BR linux ,
.BR linux\-64 ,
.BR win ,
.BR mac\-intel ,
.BR android ,
.BR apple\-ios .
Reporting a different OS type may affect the dynamic access policy (DAP)
applied to the VPN session.  If the gateway requires CSD, it will also cause
the corresponding CSD trojan binary to be downloaded, so you may need to use
.B \-\-csd\-wrapper
if this code is not executable on the local machine.
.SH SIGNALS
In the data phase of the connection, the following signals are handled:
.TP
.B SIGINT / SIGTERM
performs a clean shutdown by logging the session off, disconnecting from the
gateway, and running the vpnc\-script to restore the network configuration.
.TP
.B SIGHUP
disconnects from the gateway and runs the vpnc\-script, but does not log the
session off; this allows for reconnection later using
.BR \-\-cookie .
.TP
.B SIGUSR1
writes progress message with detailed connection information and statistics.
.TP
.B SIGUSR2
forces an immediate disconnection and reconnection; this can be used to
quickly recover from LAN IP address changes.
.TP
.SH LIMITATIONS
Note that although IPv6 has been tested on all platforms on which
.B openconnect
is known to run, it depends on a suitable
.B vpnc\-script
to configure the network. The standard
.B vpnc\-script
shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
.B https://gitlab.com/openconnect/vpnc\-scripts
will be required.
.SH SEE ALSO
.BR ocserv (8)

.SH AUTHORS
David Woodhouse <dwmw2@infradead.org>