OPENCONNECT(8)		    System Manager's Manual		OPENCONNECT(8)

NAME
       openconnect  - Multi-protocol VPN client, for Cisco AnyConnect VPNs and
       others

SYNOPSIS
       openconnect [--config configfile] [-b,--background]
		   [--pid-file pidfile]	[-c,--certificate cert]
		   [-e,--cert-expire-warning days] [-k,--sslkey	key]
		   [-C,--cookie	cookie]	[--cookie-on-stdin]
		   [--compression MODE]	[-d,--deflate] [-D,--no-deflate]
		   [--force-dpd	interval] [--force-trojan interval]
		   [-F,--form-entry form:opt=value] [-g,--usergroup group]
		   [-h,--help] [--http-auth methods]
		   [--external-browser browser]	[-i,--interface	ifname]
		   [-l,--syslog] [--timestamp] [--passtos] [-U,--setuid	user]
		   [--csd-user user] [-m,--mtu mtu] [--base-mtu	mtu]
		   [-p,--key-password pass] [-P,--proxy	proxyurl]
		   [--proxy-auth methods] [--no-proxy] [--libproxy]
		   [--key-password-from-fsid] [-q,--quiet]
		   [-Q,--queue-len len]	[-s,--script vpnc-script]
		   [-S,--script-tun] [-u,--user	name] [-V,--version]
		   [-v,--verbose] [-x,--xmlconfig config] [--authgroup group]
		   [--authenticate] [--cookieonly] [--printcookie]
		   [--cafile file] [--disable-ipv6] [--dtls-ciphers list]
		   [--dtls12-ciphers list] [--dtls-local-port port]
		   [--dump-http-traffic] [--no-system-trust] [--pfs]
		   [--no-dtls] [--no-http-keepalive] [--no-passwd]
		   [--no-xmlpost] [--non-inter]	[--passwd-on-stdin]
		   [--protocol proto] [--token-mode mode]
		   [--token-secret {secret[,counter]|@file}]
		   [--reconnect-timeout	seconds] [--resolve host:ip]
		   [--sni host]	[--servercert sha1] [--useragent string]
		   [--version-string string] [--local-hostname string]
		   [--os string] [--server] [https://]host[:port][/group]

DESCRIPTION
       The program openconnect connects	to  VPN	 servers  which	 use  standard
       TLS/SSL,	DTLS, and ESP protocols	for data transport.

       It was originally written to support Cisco "AnyConnect" VPN servers,
       and has since been extended with experimental support for Juniper
       Network Connect (--protocol=nc), Junos/Ivanti Pulse VPN servers
       (--protocol=pulse), PAN GlobalProtect VPN servers (--protocol=gp),
       F5 Big-IP VPN servers (--protocol=f5), Fortinet Fortigate VPN servers
       (--protocol=fortinet), and Array Networks SSL VPN servers
       (--protocol=array).

       The connection happens in two phases. First there is a simple HTTPS
       connection over which the user authenticates somehow - by using a
       certificate, a password, SecurID, etc. Having authenticated, the user
       is rewarded with an authentication cookie which can be used to make
       the real VPN connection.

       The second phase uses that cookie to connect to a tunnel via HTTPS,
       and data packets can be passed over the resulting connection. When
       possible, a UDP tunnel is also configured: AnyConnect uses DTLS,
       while Juniper and GlobalProtect use UDP-encapsulated ESP. The UDP
       tunnel may be disabled with --no-dtls, but is preferred when
       correctly supported by the server and network for performance
       reasons. (TCP performs poorly and unreliably over TCP-based tunnels;
       see http://sites.inka.de/~W1011/devel/tcp-tcp.html.)

OPTIONS
       --config=CONFIGFILE
	      Read  further  options  from  CONFIGFILE	before	continuing  to
	      process  options	from the command line. The file	should contain
	      long-format options as would be accepted on  the	command	 line,
	      but  without  the	 two  leading -- dashes. Empty lines, or lines
	      where the	first non-space	character is a #  character,  are  ig-
	      nored.

	      Any  option  except  the	config	option may be specified	in the
	      file.

       -b,--background
	      Continue in background after startup

       --pid-file=PIDFILE
	      Save the pid to PIDFILE when backgrounding

       -c,--certificate=CERT [,--mca-certificate=CERT]
	      Use SSL client certificate CERT which may	be either a file  name
	      or, if OpenConnect has been built	with an	appropriate version of
	      GnuTLS, a	PKCS#11	URL.

	      The  --mca-certificate option sets the secondary certificate for
	      multi-certificate	authentication (according to Cisco's terminol-
	      ogy, the SSL client certificate is called	the "machine" certifi-
	      cate, and	the second certificate is called the  "user"  certifi-
	      cate).

       -e,--cert-expire-warning=DAYS
	      Give  a warning when SSL client certificate has DAYS left	before
	      expiry

       -k,--sslkey=KEY [,--mca-key=KEY]
	      Use SSL private key KEY which may	be either a file name  or,  if
	      OpenConnect  has	been  built  with  an  appropriate  version of
	      GnuTLS, a	PKCS#11	URL.

	      The --mca-key option sets	the private key	for the	secondary cer-
	      tificate (see --mca-certificate).

       -C,--cookie=COOKIE
	      Use authentication cookie	COOKIE.

       --cookie-on-stdin
	      Read cookie from standard	input.

       -d,--deflate
	      Enable all compression, including	stateful  modes.  By  default,
	      only stateless compression algorithms are	enabled.

       -D,--no-deflate
	      Disable all compression.

       --compression=MODE
	      Set  compression	mode, where MODE is one	of stateless, none, or
	      all.

	      By default, only stateless compression algorithms	which  do  not
	      maintain	state  from  one  packet to the	next (and which	can be
	      used on UDP transports) are enabled. By setting the mode to  all
	      stateful	algorithms  (currently	only  zlib deflate) can	be en-
	      abled. Or	all compression	can be disabled	by setting the mode to
	      none.

       --force-dpd=INTERVAL
	      Use INTERVAL as Dead Peer	Detection interval (in seconds).  This
	      will  cause the client to	use DPD	at the specified interval even
	      if the server hasn't requested it, or at	a  different  interval
	      from the one requested by	the server.

	      DPD  mechanisms  vary  by	 protocol  and	by  transport  (TLS or
	      DTLS/ESP), but are all functionally similar: they	enable	either
	      the  VPN	client	or  the	VPN server to transmit a signal	to the
	      peer, requesting an immediate reply which	can be used to confirm
	      that the link between the	two peers is still working.

       -g,--usergroup=GROUP
	      Set the URL path of the initial HTTPS connection to the server.

	      With some	protocols, this	path may function as a login group  or
	      realm, hence the naming of this option. For example, the follow-
	      ing invocations of OpenConnect are equivalent:
	      openconnect --usergroup=loginPath	vpn.server.com
	      openconnect https://vpn.server.com/loginPath

       -F,--form-entry=FORM:OPTION[=VALUE]
	      Provide authentication form input, where FORM and	OPTION are the
	      identifiers  from	 the  form  and	 the specific input field, and
	      VALUE is the string to be	filled in automatically. For  example,
	      the  standard username field (also handled by the	--user option)
	      could also be  provided  with  this  option  thus:  --form-entry
	      main:username=joebloggs.

	      If  VALUE	is not specified, this option will cause a hidden form
	      field to be treated as a standard	text-input field.

              This option should not be used to enter passwords;
              --passwd-on-stdin should be used for that purpose. Not only
              will this option expose the password value via the
              OpenConnect process's command line, but unlike
              --passwd-on-stdin this option will not detect an incorrect
              password and stop, but will keep re-entering it repeatedly.

       -h,--help
	      Display help text

       --http-auth=METHODS
	      Use  only	 the  specified	 methods  for HTTP authentication to a
	      server.  By default, only	Negotiate, NTLM	and Digest authentica-
	      tion are enabled.	 Basic authentication is  also	supported  but
	      because  it is insecure it must be explicitly enabled. The argu-
	      ment is a	comma-separated	list of	methods	to  be	enabled.  Note
	      that  the	order does not matter: OpenConnect will	use Negotiate,
	      NTLM, Digest and Basic authentication in that order, if each  is
	      enabled,	regardless  of	the  order  specified  in  the METHODS
	      string.

       --external-browser=BROWSER
	      Set BROWSER as the executable used by OpenConnect	to handle  the
	      authentication  process  with  gateways that support the single-
	      sign-on-external-browser authentication method.

       -i,--interface=IFNAME
	      Use IFNAME for tunnel interface

       -l,--syslog
	      After tunnel is brought up, use syslog for further progress mes-
	      sages

       --timestamp
	      Prepend a	timestamp to each progress message

       --passtos
	      Copy TOS / TCLASS	of payload packet into DTLS and	 ESP  packets.
	      This is not set by default because it may	leak information about
	      the  payload  (for example, by differentiating voice/video traf-
	      fic).

       -U,--setuid=USER
	      Drop privileges after connecting,	to become user USER

       --csd-user=USER
	      Drop privileges during execution	of  trojan  binary  or	script
	      (CSD, TNCC, or HIP).

       --csd-wrapper=SCRIPT
	      Run SCRIPT instead of the	trojan binary or script.

       --force-trojan=INTERVAL
	      Use  INTERVAL  as	 interval (in seconds) for repeat execution of
	      Trojan binary or script, overriding  default  and/or  server-set
	      interval.

       -m,--mtu=MTU
	      Request MTU from server as the MTU of the	tunnel.

       --base-mtu=MTU
	      Indicate	MTU  as	 the path MTU between client and server	on the
	      unencrypted network. Newer servers will automatically  calculate
	      the MTU to be used on the	tunnel from this value.

       -p,--key-password=PASS [,--mca-key-password=PASS]
	      Provide  passphrase  for	certificate  file, or SRK (System Root
	      Key) PIN for TPM

	      --mca-key-password provides the  passphrase  for	the  secondary
	      certificate (see --mca-certificate).

       -P,--proxy=PROXYURL
	      Use  HTTP	or SOCKS proxy for connection. A username and password
	      can be provided in the given URL,	and will be used for authenti-
	      cation. If authentication	is required  but  no  credentials  are
	      given,  GSSAPI  and  automatic NTLM authentication using Samba's
	      ntlm_auth	helper tool may	be attempted.

       --proxy-auth=METHODS
	      Use only the specified methods  for  HTTP	 authentication	 to  a
	      proxy.   By default, only	Negotiate, NTLM	and Digest authentica-
	      tion are enabled.	Basic authentication is	also supported but be-
	      cause it is insecure it must be explicitly enabled. The argument
	      is a comma-separated list	of methods to be  enabled.  Note  that
	      the order	does not matter: OpenConnect will use Negotiate, NTLM,
	      Digest  and  Basic  authentication in that order,	if each	is en-
	      abled, regardless	of the order specified in the METHODS string.

       --no-proxy
	      Disable use of proxy

       --libproxy
	      Use libproxy to configure	proxy automatically (when  built  with
	      libproxy support)

       --key-password-from-fsid
	      Passphrase  for certificate file is automatically	generated from
	      the fsid of the file system on which it is stored. The  fsid  is
	      obtained from the	statvfs(2) or statfs(2)	system call, depending
	      on  the  operating system. On a Linux or similar system with GNU
	      coreutils, the fsid used by this option should be	equal  to  the
	      output of	the command:
              stat --file-system --printf=%i\n $CERTIFICATE
	      It is not	the same as the	128-bit	UUID of	the file system.

       -q,--quiet
	      Less output

       -Q,--queue-len=LEN
	      Set packet queue limit to	LEN packets. The default is 32.	A high
	      value  may  allow	 better	overall	bandwidth but at a cost	of la-
	      tency. If	you run	Voice over IP  or  other  interactive  traffic
	      over  the	 VPN, you don't	want those packets to be queued	behind
	      thousands	of other large packets which are part of a bulk	trans-
	      fer.

	      This option sets the maximum inbound and outbound	 packet	 queue
	      sizes in OpenConnect itself, which control how many packets will
	      be  sent	and  received  in a single batch, as well as affecting
	      other buffering such as the socket send buffer  (SO_SNDBUF)  for
	      network connections and the OS tunnel device.

	      Ultimately,  the	right size for a queue is "just	enough packets
	      that it never quite gets empty before more are  pushed  to  it".
	      Any higher than that is simply introducing bufferbloat and addi-
	      tional  latency  with no benefit.	With the default of 32,	we are
	      able to saturate a single	Gigabit	Ethernet from modest hardware,
	      which is more than enough	for most VPN users.

	      If OpenConnect is	built with vhost-net support, it will only  be
	      used  if	the queue length is set	to 16 or more. This is because
	      vhost-net	introduces a small amount of additional	 latency,  but
	      improves	total bandwidth	quite considerably for those operating
	      at high traffic rates. Thus it makes sense to use	 it  when  the
	      user  has	 indicated a preference	for bandwidth over latency, by
	      increasing the queue size.

       -s,--script=SCRIPT
              Invoke SCRIPT to configure the network after connection.
              Without this, routing and name service are unlikely to work
              correctly. The script is expected to be compatible with the
              vpnc-script which is shipped with the "vpnc" VPN client. See
              https://www.infradead.org/openconnect/vpnc-script.html for
              more information. This version of OpenConnect is configured
              to use /usr/local/sbin/vpnc-script by default.

	      On Windows, a relative directory for the default script will  be
	      handled as starting from the directory that the openconnect exe-
	      cutable  is running from,	rather than the	current	directory. The
	      script will  be  invoked	with  the  command-based  script  host
	      cscript.exe.

       -S,--script-tun
	      Pass  traffic to 'script'	program	over a UNIX socket, instead of
	      to a kernel tun/tap device. This allows the VPN IP traffic to be
	      handled entirely in userspace, for example by  a	program	 which
	      uses lwIP	to provide SOCKS access	into the VPN.

       --server=[https://]HOST[:PORT][/PATH]
	      Define  the  VPN server as a simple HOST or as an	URL containing
	      the HOST and optionally the PORT number and the PATH; with  some
	      protocols,  the path may function	as a login group or realm, and
	      it may equivalently be specified with --usergroup.

	      As an alternative, define	the VPN	server as  non-option  command
	      line argument.

       -u,--user=NAME
	      Set login	username to NAME

       -V,--version
	      Report version number

       -v,--verbose
	      More output (may be specified multiple times for additional out-
	      put)

       -x,--xmlconfig=CONFIG
	      XML config file

       --authgroup=GROUP
	      Select GROUP from	authentication dropdown	or list	entry.

	      Many VPNs	require	a selection from a dropdown or list during the
	      authentication process. This selection may be known as authgroup
	      (on  Cisco VPNs),	realm (Juniper,	Pulse, Fortinet), domain (F5),
	      and gateway (GlobalProtect).  This option	attempts to  automati-
	      cally  fill the appropriate protocol-specific field with the de-
	      sired value.

       --authenticate
	      Authenticate to the VPN, output the information needed  to  make
	      the connection in	a form which can be used to set	shell environ-
	      ment variables, and then exit.

	      When  invoked  with  this	 option, OpenConnect will not actually
	      create the VPN connection	or configure a tunnel  interface,  but
	      if successful will print something like the following to stdout:
	      COOKIE='3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...'
	      HOST='10.0.0.1'
	      CONNECT_URL='https://vpnserver.example.com'
	      FINGERPRINT='469bb424ec8835944d30bc77c77e8fc1d8e23a42'
	      RESOLVE='vpnserver.example.com:10.0.0.1'
	      Thus,  you can invoke openconnect	as a non-privileged user (with
	      access to	the user's PKCS#11 tokens, etc.)  for  authentication,
	      and  then	 invoke	openconnect separately to make the actual con-
	      nection as root:
              eval `openconnect --authenticate https://vpnserver.example.com`;
              [ -n "$COOKIE" ] && echo "$COOKIE" |
                sudo openconnect --cookie-on-stdin $CONNECT_URL --servercert $FINGERPRINT --resolve $RESOLVE

	      Earlier versions of OpenConnect produced only the	HOST  variable
	      (containing the numeric server address), and not the CONNECT_URL
	      or  RESOLVE  variables. Subsequently, we discovered that servers
	      behind proxies may not respond correctly unless the correct  DNS
	      name  is	present	 in the	connection phase, and we added support
	      for VPN protocols	where the server URL's path component  may  be
	      significant  in  the connection phase, prompting the addition of
	      CONNECT_URL and RESOLVE, and the recommendation to use  them  as
	      described	above.	If you are not certain that you	are invoking a
	      newer  version of	OpenConnect which outputs these	variables, use
	      the following command-line (compatible with  most	 Bourne	 shell
	      derivatives)  which  will	work with either a newer or older ver-
	      sion:
	      sudo openconnect --cookie-on-stdin ${CONNECT_URL:-$HOST} --servercert $FINGERPRINT ${RESOLVE:+--resolve=$RESOLVE}
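              A small Python wrapper, added here as an example and not part
              of OpenConnect, that parses the --authenticate output without
              eval and builds the second-phase command line with the same
              CONNECT_URL-or-HOST fallback as the portable shell line
              above. The sample output strings are constructed from the man
              page's illustrative values; the cookie is meant to be fed to
              the child process on stdin, never placed in argv.

```python
import shlex
from typing import Dict, List

# Constructed samples of --authenticate output, using the man page's own
# illustrative values (not a live session).
SAMPLE_AUTH_OUTPUT = """\
COOKIE='3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...'
HOST='10.0.0.1'
CONNECT_URL='https://vpnserver.example.com'
FINGERPRINT='469bb424ec8835944d30bc77c77e8fc1d8e23a42'
RESOLVE='vpnserver.example.com:10.0.0.1'
"""

# What an older OpenConnect prints: HOST only, no CONNECT_URL or RESOLVE.
SAMPLE_OLD_AUTH_OUTPUT = """\
COOKIE='3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...'
HOST='10.0.0.1'
FINGERPRINT='469bb424ec8835944d30bc77c77e8fc1d8e23a42'
"""


def parse_authenticate_output(text: str) -> Dict[str, str]:
    """Parse KEY='value' lines with shell quoting rules instead of eval, so a
    line that is not exactly one quoted word is rejected rather than executed."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, quoted = line.partition("=")
        if not sep or not key.isidentifier() or key != key.upper():
            raise ValueError(f"unexpected line in --authenticate output: {line!r}")
        words = shlex.split(quoted)
        if len(words) != 1:
            raise ValueError(f"value of {key} is not a single quoted word: {quoted!r}")
        env[key] = words[0]
    return env


def build_connect_args(env: Dict[str, str]) -> List[str]:
    """Second-phase argv equivalent to the portable shell line:
    ${CONNECT_URL:-$HOST} --servercert $FINGERPRINT ${RESOLVE:+--resolve=$RESOLVE}.
    The cookie is deliberately not part of argv; it goes to stdin."""
    if not env.get("COOKIE"):
        raise ValueError("authentication produced no COOKIE")
    if not env.get("FINGERPRINT"):
        raise ValueError("no FINGERPRINT: refusing to connect without a pinned server certificate")
    target = env.get("CONNECT_URL") or env.get("HOST")
    if not target:
        raise ValueError("neither CONNECT_URL nor HOST present")
    args = ["openconnect", "--cookie-on-stdin", target, "--servercert", env["FINGERPRINT"]]
    if env.get("RESOLVE"):
        args.append(f"--resolve={env['RESOLVE']}")
    return args


if __name__ == "__main__":
    env = parse_authenticate_output(SAMPLE_AUTH_OUTPUT)
    argv = build_connect_args(env)
    # A real wrapper would now run, as root:
    #   subprocess.run(["sudo", *argv], input=env["COOKIE"] + "\n", text=True)
    print(" ".join(shlex.quote(a) for a in argv))
```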

       --cookieonly
	      Fetch and	print cookie only; don't connect (this is  essentially
	      a	subset of --authenticate).

       --printcookie
	      Print cookie to stdout before connecting (see --authenticate for
	      the meaning of this cookie)

       --cafile=FILE
	      Additional  CA  file  for	 server	verification. By default, this
	      simply causes OpenConnect	to trust additional root  CA  certifi-
	      cate(s)  in  addition  to	 those	trusted	 by  the  system.  Use
	      --no-system-trust	to prevent OpenConnect from trusting the  sys-
	      tem default certificate authorities.

       --no-system-trust
	      Do not trust the system default certificate authorities. If this
	      option  is  given,  only	certificate authorities	given with the
	      --cafile option, if any, will be trusted automatically.

       --disable-ipv6
	      Do not advertise IPv6 capability to server

       --dtls-ciphers=LIST
	      Set OpenSSL ciphers to support for DTLS

       --dtls12-ciphers=LIST
	      Set OpenSSL ciphers for Cisco's DTLS v1.2

       --dtls-local-port=PORT
	      Use PORT as the local port for DTLS and UDP datagrams

       --dump-http-traffic
	      Enable verbose output of all HTTP	requests and the bodies	of all
	      responses	received from the server.

       --pfs  Enforces Perfect Forward Secrecy (PFS). That ensures that	if the
	      server's long-term key is	compromised, any session  keys	estab-
	      lished  before the compromise will be unaffected.	If this	option
	      is provided and the server does not support PFS in the TLS chan-
	      nel the connection will fail.

	      PFS is available in Cisco	ASA  releases  9.1(2)  and  higher;  a
	      suitable cipher suite may	need to	be manually enabled by the ad-
	      ministrator using	the ssl	encryption setting.

       --no-dtls
	      Disable DTLS and ESP

       --no-http-keepalive
	      Version  8.2.2.5	of  the	 Cisco ASA software has	a bug where it
	      will forget the client's SSL certificate when  HTTP  connections
	      are  being  re-used for multiple requests. So far, this has only
	      been seen	on the initial connection, where the server  gives  an
	      HTTP/1.0	 redirect   response   with  an	 explicit  Connection:
	      Keep-Alive directive. OpenConnect	as of v2.22  has  an  uncondi-
	      tional  workaround  for this, which is never to obey that	direc-
	      tive after an HTTP/1.0 response.

              However, Cisco's support team has failed to give any competent
              response to the bug report and we don't know under what other
              circumstances their bug might manifest itself. So this option
              exists to disable ALL re-use of HTTP sessions and cause a new
              connection to be made for each request. If your server seems
              not to be recognizing your certificate, try this option. If
              it makes a difference, please report this information to the
              openconnect-devel@lists.infradead.org mailing list.

       --no-passwd
	      Never attempt password (or SecurID) authentication.

       --no-external-auth
	      Prevent  OpenConnect from	advertising to the server that it sup-
	      ports any	kind of	authentication mode that requires an  external
	      browser.

	      Some servers will	force the client to use	such an	authentication
	      mode  if	the  client  advertises	 it,  but  fallback  to	a more
	      "scriptable" authentication mode if the client doesn't appear to
	      support it.

       --no-xmlpost
	      Do not attempt to	post an	XML  authentication/configuration  re-
	      quest to the server; use the old style GET method	which was used
	      by older clients and servers instead.

	      This  option is a	temporary safety net, to work around potential
	      compatibility issues with	the code which falls back to  the  old
	      method  automatically. It	causes OpenConnect to behave more like
	      older versions (4.08 and below) did. If you find that  you  need
	      to  use  this  option, then you have found a bug in OpenConnect.
	      Please see  https://www.infradead.org/openconnect/mail.html  and
	      report this to the developers.

       --allow-insecure-crypto
	      The  ancient,  broken  3DES and RC4 ciphers are insecure;	we ex-
	      plicitly disable them by default.	However, some still-in-use VPN
	      servers can't do any better.

	      This option enables use of these insecure	ciphers,  as  well  as
	      the use of SHA1 for server certificate validation.

       --non-inter
	      Do not expect user input;	exit if	it is required.

       --passwd-on-stdin
	      Read password from standard input

       --protocol=PROTO
	      Select  VPN  protocol  PROTO to be used for the connection. Sup-
	      ported protocols are anyconnect for Cisco	 AnyConnect  (the  de-
	      fault),  nc for experimental support for Juniper Network Connect
	      (also supported by most Junos/Ivanti Pulse servers),  pulse  for
	      experimental support for Junos/Ivanti Pulse, gp for experimental
	      support  for  PAN	GlobalProtect, f5 for experimental support for
	      F5 Big-IP, fortinet for experimental support for Fortinet	Forti-
	      gate, and	array for experimental support for Array Networks  SSL
	      VPN.

	      See https://www.infradead.org/openconnect/protocols.html for de-
	      tails on features	and deficiencies of the	individual protocols.

	      OpenConnect  does	 not yet support all of	the authentication op-
	      tions used by Pulse, nor does it support Host Checker/TNCC  with
	      Pulse.  If your Junos/Ivanti Pulse VPN is	not yet	supported with
	      --protocol=pulse,	then --protocol=nc may be  a  useful  fallback
	      option.

       --token-mode=MODE
              Enable one-time password generation using the MODE algorithm.
              --token-mode=rsa will call libstoken to generate an RSA
              SecurID tokencode, --token-mode=totp will generate an RFC 6238
              time-based password, and --token-mode=hotp will generate an
              RFC 4226 HMAC-based password. Yubikey tokens which generate
              OATH codes in hardware are supported with
              --token-mode=yubioath. --token-mode=oidc will use the provided
              OpenID Connect token as an RFC 6750 bearer token.

       --token-secret={	SECRET[,COUNTER] | @FILENAME }
	      The  secret  to use when generating one-time passwords/verifica-
	      tion codes.  Base	32-encoded TOTP/HOTP secrets can  be  used  by
	      specifying  "base32:"  at	 the  beginning	of the secret, and for
	      HOTP secrets the token counter  can  be  specified  following  a
	      comma.

	      RSA SecurID secrets can be specified as an Android/iPhone	URI or
	      a	raw numeric CTF	string (with or	without	dashes).

	      For Yubikey OATH the token secret	specifies the name of the cre-
	      dential  to  be used. If not provided, the first OATH credential
	      found on the device will be used.

	      For OIDC the secret is the bearer	token to be used.

	      FILENAME,	if specified, can contain any of  the  above  strings.
	      Or, it can contain a SecurID XML (SDTID) seed.

	      If  this option is omitted, and --token-mode is "rsa", libstoken
	      will try to use the software token seed saved in ~/.stokenrc  by
	      the "stoken import" command.
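              As an added illustration (not OpenConnect's or libstoken's
              own code), the following Python computes the codes that
              --token-mode=hotp and --token-mode=totp produce from a
              --token-secret value, handling the 'base32:' prefix and the
              ',COUNTER' suffix described above. The @FILENAME form and the
              rsa, yubioath and oidc modes are out of scope here; generate()
              is a helper name chosen for this example, and the sample
              secret is the RFC 4226/6238 test-vector key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# RFC 4226 / RFC 6238 test-vector secret, used here as the constructed sample
SAMPLE_SECRET = "12345678901234567890"
SAMPLE_SECRET_B32 = "base32:GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def parse_token_secret(arg: str) -> Tuple[bytes, Optional[int]]:
    """Parse the SECRET[,COUNTER] form of --token-secret for TOTP/HOTP.
    'base32:' selects Base32 decoding; otherwise the secret is the raw string."""
    counter = None
    if "," in arg:
        arg, counter_str = arg.rsplit(",", 1)
        counter = int(counter_str)
    if arg.startswith("base32:"):
        b32 = arg[len("base32:"):].replace(" ", "")
        b32 += "=" * (-len(b32) % 8)  # re-add any padding the user dropped
        secret = base64.b32decode(b32, casefold=True)
    else:
        secret = arg.encode("utf-8")
    return secret, counter


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced to the requested digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def generate(token_secret: str, mode: str, at: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Produce one code for --token-mode=totp or --token-mode=hotp from a
    --token-secret string (hypothetical helper). For hotp the caller must
    persist the returned next counter, or the server will see a replayed value."""
    secret, counter = parse_token_secret(token_secret)
    if mode == "totp":
        return totp(secret, at), None
    if mode == "hotp":
        counter = 0 if counter is None else counter
        return hotp(secret, counter), counter + 1
    raise ValueError(f"mode {mode!r} is not handled by this example")


if __name__ == "__main__":
    print(generate(SAMPLE_SECRET, "totp", at=59))        # ('287082', None)
    print(generate(SAMPLE_SECRET_B32 + ",5", "hotp"))   # ('254676', 6)
```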

       --reconnect-timeout=SECONDS
	      After  disconnection  or Dead Peer Detection, keep trying	to re-
	      connect for SECONDS.  The	default	is 300	seconds,  which	 means
	      that  openconnect	can recover a VPN connection after a temporary
	      network outage lasting up	to 300 seconds.

       --resolve=HOST:IP
	      Automatically resolve the	hostname HOST to IP instead  of	 using
	      the normal resolver to look it up.

       --sni=HOST
	      When  creating  new TLS connections, always present the hostname
	      HOST as the SNI (Server Name Indication) in place	of the correct
	      hostname,	which will still be sent in the	HTTP  'Host:'  header,
	      and  expect  the peer's certificate to match the SNI rather than
	      the correct hostname.  This may be useful	for  Domain  Fronting,
	      by  which	 some filtered or censored Internet connections	can be
	      bypassed.

	      Note that	sending	different  values  for	the  SNI  and  'Host:'
	      header  violates	HTTP  standards	and is prevented by many cloud
	      hosting providers.

       --servercert=HASH
	      Accept server's SSL certificate only if it matches the  provided
	      fingerprint.   This option implies --no-system-trust, and	may be
	      specified	multiple times in order	to  accept  multiple  possible
	      fingerprints.

              The allowed fingerprint types are SHA1, SHA256, and PIN-SHA256.
              They are distinguished by the 'sha1:', 'sha256:' and
              'pin-sha256:' prefixes to the encoded hash. The first two are
              custom identifiers providing hex encoding of the peer's public
              key, while 'pin-sha256:' is the RFC7469 key PIN, which
              utilizes base64 encoding. To ease certain testing use-cases, a
              partial match of the hash will also be accepted, if it is at
              least 4 characters past the prefix.
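              An added Python example (not OpenConnect's own implementation)
              of the --servercert matching rule described above: it derives
              the three encodings from the DER bytes the fingerprint is
              taken over and accepts a case-insensitive prefix match of at
              least 4 characters after the type prefix. SAMPLE_DER is
              constructed bytes rather than a real key, and the exact
              prefix-match semantics are an assumption drawn from the
              wording "at least 4 characters past the prefix".

```python
import base64
import hashlib
from typing import Dict, List

# Constructed stand-in for the DER bytes the fingerprint is computed over
# (not a real SubjectPublicKeyInfo or certificate).
SAMPLE_DER = b"\x30\x82\x01\x22" + bytes(range(256)) + b"constructed-openconnect-example"

# Prefix on the --servercert value -> which encoding it carries
PREFIXES = {"sha1:": "sha1", "sha256:": "sha256", "pin-sha256:": "pin-sha256"}
MIN_PARTIAL = 4  # partial matches shorter than this (after the prefix) are refused


def fingerprints(der: bytes) -> Dict[str, str]:
    """Encode the hash of DER in each form --servercert accepts:
    sha1/sha256 as hex, pin-sha256 as RFC 7469 base64 of the SHA-256 digest."""
    sha256 = hashlib.sha256(der).digest()
    return {
        "sha1": hashlib.sha1(der).hexdigest(),
        "sha256": sha256.hex(),
        "pin-sha256": base64.b64encode(sha256).decode("ascii"),
    }


def servercert_value(der: bytes, kind: str = "pin-sha256") -> str:
    """Produce a complete --servercert argument for DER, as one would pin a known server."""
    return f"{kind}:{fingerprints(der)[kind]}"


def servercert_matches(arg: str, der: bytes) -> bool:
    """Decide whether one --servercert argument accepts DER (assumed semantics:
    known prefix, then a case-insensitive prefix match of the encoded hash
    that is at least MIN_PARTIAL characters long)."""
    lowered = arg.lower()
    for prefix, kind in PREFIXES.items():
        if lowered.startswith(prefix):
            given = lowered[len(prefix):]
            break
    else:
        return False  # unknown or missing prefix: not accepted in this example
    if len(given) < MIN_PARTIAL:
        return False
    return fingerprints(der)[kind].lower().startswith(given)


def any_servercert_matches(args: List[str], der: bytes) -> bool:
    """--servercert may be repeated; the peer is accepted if any value matches."""
    return any(servercert_matches(a, der) for a in args)
```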

       --useragent=STRING
	      Use STRING as 'User-Agent:' field	value in HTTP header.

              Some VPN servers may require specific values matching those
              sent by proprietary VPN clients in order to successfully
              authenticate or connect. For example, when connecting to a
              Cisco VPN server, --useragent 'AnyConnect Windows 4.10.06079'
              or --useragent 'Cisco AnyConnect VPN Agent for Windows
              2.2.0133', or when connecting to a Pulse server, --useragent
              'Pulse-Secure/9.1.11.6725'.

       --version-string=STRING
	      Use STRING as the	software version reported  to  the  head  end.
	      (e.g. --version-string '2.2.0133')

       --local-hostname=STRING
	      Use STRING as 'X-CSTP-Hostname:' field value in HTTP header. For
	      example --local-hostname 'mypc', will advertise the value	'mypc'
	      as the suggested hostname	to point to the	provided IP address.

       --os=STRING
	      OS  type	to  report  to gateway.	 Recognized values are:	linux,
	      linux-64,	win, mac-intel,	android, apple-ios.  Reporting a  dif-
	      ferent  OS  type	may affect the dynamic access policy (DAP) ap-
	      plied to the VPN session.	 If the	gateway	requires CSD, it  will
	      also cause the corresponding CSD trojan binary to	be downloaded,
	      so  you  may  need to use	--csd-wrapper if this code is not exe-
	      cutable on the local machine.

SIGNALS
       In the data phase of the	connection, the	following signals are handled:

       SIGINT /	SIGTERM
	      performs a clean shutdown	by logging the	session	 off,  discon-
	      necting from the gateway,	and running the	vpnc-script to restore
	      the network configuration.

       SIGHUP disconnects  from	the gateway and	runs the vpnc-script, but does
	      not log the session off; this allows for reconnection later  us-
	      ing --cookie.

       SIGUSR1
	      writes progress message with detailed connection information and
	      statistics.

       SIGUSR2
	      forces  an immediate disconnection and reconnection; this	can be
	      used to quickly recover from LAN IP address changes.

LIMITATIONS
       See https://www.infradead.org/openconnect/contribute.html for various
       features that we wish OpenConnect had, and
       https://www.infradead.org/openconnect/protocols.html for information
       on the quirks and limitations of the individual VPN protocols.

SEE ALSO
       ocserv(8)

AUTHORS
       David Woodhouse <dwmw2@infradead.org>
