Add new tun option to man page
DimitriPapadopoulos committed Mar 4, 2024
1 parent dd0dfe8 commit f40efac
Showing 1 changed file with 76 additions and 8 deletions.
84 changes: 76 additions & 8 deletions doc/openfortivpn.1.in
@@ -1,7 +1,7 @@
<h1>NAME</h1>
<p>openfortivpn - Client for PPP+TLS VPN tunnel services</p>
<h1>SYNOPSIS</h1>
<p><strong>openfortivpn</strong> [<em>&lt;host&gt;</em>[:<em>&lt;port&gt;</em>]] [<strong>-u</strong> <em>&lt;user&gt;</em>] [<strong>-p</strong> <em>&lt;pass&gt;</em>] [<strong>--cookie=</strong><em>&lt;cookie&gt;</em>] [<strong>--cookie-on-stdin</strong>] [<strong>--pinentry=</strong><em>&lt;name&gt;</em>] [<strong>--otp=</strong><em>&lt;otp&gt;</em>] [<strong>--otp-prompt=</strong><em>&lt;prompt&gt;</em>] [<strong>--otp-delay=</strong><em>&lt;delay&gt;</em>] [<strong>--no-ftm-push</strong>] [<strong>--realm=</strong><em>&lt;realm&gt;</em>] [<strong>--ifname=</strong><em>&lt;interface&gt;</em>] [<strong>--set-routes=</strong><em>&lt;bool&gt;</em>] [<strong>--no-routes</strong>] [<strong>--set-dns=</strong><em>&lt;bool&gt;</em>] [<strong>--no-dns</strong>] [<strong>--half-internet-routes=</strong><em>&lt;bool&gt;</em>] [<strong>--ca-file=</strong><em>&lt;file&gt;</em>] [<strong>--user-cert=</strong><em>&lt;file&gt;</em>] [<strong>--user-cert=</strong><em>pkcs11:</em>] [<strong>--user-key=</strong><em>&lt;file&gt;</em>] [<strong>--use-syslog</strong>] [<strong>--trusted-cert=</strong><em>&lt;digest&gt;</em>] [<strong>--insecure-ssl</strong>] [<strong>--cipher-list=</strong><em>&lt;ciphers&gt;</em>] [<strong>--min-tls=</strong><em>&lt;version&gt;</em>] [<strong>--seclevel-1</strong>] [<strong>--pppd-use-peerdns=</strong><em>&lt;bool&gt;</em>] [<strong>--pppd-no-peerdns</strong>] [<strong>--pppd-log=</strong><em>&lt;file&gt;</em>] [<strong>--pppd-plugin=</strong><em>&lt;file&gt;</em>] [<strong>--pppd-ipparam=</strong><em>&lt;string&gt;</em>] [<strong>--pppd-ifname=</strong><em>&lt;string&gt;</em>] [<strong>--pppd-call=</strong><em>&lt;name&gt;</em>] [<strong>--pppd-accept-remote=</strong><em>&lt;bool&gt;</em>] [<strong>--ppp-system=</strong><em>&lt;string&gt;</em>] [<strong>--use-resolvconf=</strong><em>&lt;bool&gt;</em>] [<strong>--persistent=</strong><em>&lt;interval&gt;</em>] [<strong>-c</strong> <em>&lt;file&gt;</em>] [<strong>-v|-q</strong>]<br />
<p><strong>openfortivpn</strong> [<em>&lt;host&gt;</em>[:<em>&lt;port&gt;</em>]] [<strong>-u</strong> <em>&lt;user&gt;</em>] [<strong>-p</strong> <em>&lt;pass&gt;</em>] [<strong>--cookie=</strong><em>&lt;cookie&gt;</em>] [<strong>--cookie-on-stdin</strong>] [<strong>--pinentry=</strong><em>&lt;name&gt;</em>] [<strong>--otp=</strong><em>&lt;otp&gt;</em>] [<strong>--otp-prompt=</strong><em>&lt;prompt&gt;</em>] [<strong>--otp-delay=</strong><em>&lt;delay&gt;</em>] [<strong>--no-ftm-push</strong>] [<strong>--realm=</strong><em>&lt;realm&gt;</em>] [<strong>--tun=</strong><em>&lt;bool&gt;</em>] [<strong>--ifname=</strong><em>&lt;interface&gt;</em>] [<strong>--set-routes=</strong><em>&lt;bool&gt;</em>] [<strong>--no-routes</strong>] [<strong>--set-dns=</strong><em>&lt;bool&gt;</em>] [<strong>--no-dns</strong>] [<strong>--half-internet-routes=</strong><em>&lt;bool&gt;</em>] [<strong>--ca-file=</strong><em>&lt;file&gt;</em>] [<strong>--user-cert=</strong><em>&lt;file&gt;</em>] [<strong>--user-cert=</strong><em>pkcs11:</em>] [<strong>--user-key=</strong><em>&lt;file&gt;</em>] [<strong>--use-syslog</strong>] [<strong>--trusted-cert=</strong><em>&lt;digest&gt;</em>] [<strong>--insecure-ssl</strong>] [<strong>--cipher-list=</strong><em>&lt;ciphers&gt;</em>] [<strong>--min-tls=</strong><em>&lt;version&gt;</em>] [<strong>--seclevel-1</strong>] [<strong>--pppd-use-peerdns=</strong><em>&lt;bool&gt;</em>] [<strong>--pppd-no-peerdns</strong>] [<strong>--pppd-log=</strong><em>&lt;file&gt;</em>] [<strong>--pppd-plugin=</strong><em>&lt;file&gt;</em>] [<strong>--pppd-ipparam=</strong><em>&lt;string&gt;</em>] [<strong>--pppd-ifname=</strong><em>&lt;string&gt;</em>] [<strong>--pppd-call=</strong><em>&lt;name&gt;</em>] [<strong>--pppd-accept-remote=</strong><em>&lt;bool&gt;</em>] [<strong>--ppp-system=</strong><em>&lt;string&gt;</em>] [<strong>--use-resolvconf=</strong><em>&lt;bool&gt;</em>] [<strong>--persistent=</strong><em>&lt;interval&gt;</em>] [<strong>-c</strong> 
<em>&lt;file&gt;</em>] [<strong>-v|-q</strong>]<br />
<strong>openfortivpn</strong> --help<br />
<strong>openfortivpn</strong> --version</p>
<h1>DESCRIPTION</h1>
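Review bot: the rewritten SYNOPSIS line (the one that adds `--tun=<bool>`) still omits `--pem-passphrase=<pass>`, which the DESCRIPTION in this same file documents right after `--user-key`, and the `-o <otp>` short form that the DESCRIPTION lists together with `--otp`; since this change already touches the synopsis, add `[<strong>--pem-passphrase=</strong><em>&lt;pass&gt;</em>]` after the `--user-key` entry and the `-o` form next to `--otp`. Also, the new synopsis appears here split across two lines at `[<strong>-c</strong>` / `<em>&lt;file&gt;</em>]`, whereas the removed line was a single line; check that no hard line break was introduced into the source, since a break inside the synopsis renders as a stray newline in the man page.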
@@ -11,144 +11,212 @@
<dt><strong>--help</strong></dt>
<dd><p>Show the help message and exit.</p>
</dd>
</dl>
<dl>
<dt><strong>--version</strong></dt>
<dd><p>Show version and exit.</p>
</dd>
</dl>
<dl>
<dt><strong>-c </strong><em>&lt;file&gt;</em>, <strong>--config=</strong><em>&lt;file&gt;</em></dt>
<dd><p>Specify a custom configuration file (default: /volatile/local/openfortivpn/etc/openfortivpn/config).</p>
</dd>
</dl>
<dl>
<dt><strong>-u </strong><em>&lt;user&gt;</em>, <strong>--username=</strong><em>&lt;user&gt;</em></dt>
<dd><p>VPN account username.</p>
</dd>
</dl>
<dl>
<dt><strong>-p </strong><em>&lt;pass&gt;</em>, <strong>--password=</strong><em>&lt;pass&gt;</em></dt>
<dd><p>VPN account password in plain text. For a secure alternative, use pinentry or let openfortivpn prompt for the password.</p>
</dd>
</dl>
<dl>
<dt><strong>--cookie=</strong><em>&lt;cookie&gt;</em></dt>
<dd><p>A valid cookie (SVPNCOOKIE) to use in place of username and password.</p>
</dd>
</dl>
<dl>
<dt><strong>--cookie-on-stdin</strong></dt>
<dd><p>Read the cookie (SVPNCOOKIE) from standard input.</p>
</dd>
</dl>
<dl>
<dt><strong>--pinentry=</strong><em>&lt;name&gt;</em></dt>
<dd><p>The pinentry program to use. Allows supplying the password in a secure manner. For example: pinentry-gnome3 on Linux, or pinentry-mac on macOS.</p>
</dd>
</dl>
<dl>
<dt><strong>-o </strong><em>&lt;otp&gt;</em>, <strong>--otp=</strong><em>&lt;otp&gt;</em></dt>
<dd><p>One-Time-Password.</p>
</dd>
</dl>
<dl>
<dt><strong>--otp-prompt=</strong><em>&lt;prompt&gt;</em></dt>
<dd><p>Search for the OTP password prompt starting with the string <em>&lt;prompt&gt;</em>.</p>
</dd>
</dl>
<dl>
<dt><strong>--otp-delay=</strong><em>&lt;delay&gt;</em></dt>
<dd><p>Set the amount of time to wait before sending the One-Time-Password. The delay time must be specified in seconds, where 0 means no wait (this is the default).</p>
</dd>
</dl>
<dl>
<dt><strong>--no-ftm-push</strong></dt>
<dd><p>Do not use FTM push if the server provides the option. The server may be configured to allow two factor authentication through a push notification to the mobile application. If this option is provided, authentication based on OTP will be used instead.</p>
</dd>
</dl>
<dl>
<dt><strong>--realm=</strong><em>&lt;realm&gt;</em></dt>
<dd><p>Connect to the specified authentication realm. Defaults to empty, which is usually what you want.</p>
</dd>
</dl>
<dl>
<dt><strong>--tun=</strong><em>&lt;bool&gt;</em></dt>
<dd><p>Set to create a TUN device and use internal PPP code (experimental).</p>
</dd>
</dl>
<dl>
<dt><strong>--ifname=</strong><em>&lt;interface&gt;</em></dt>
<dd><p>Bind the connection to the specified network interface.</p>
</dd>
<dt><strong>--set-routes=</strong><em>&lt;bool&gt;</em>, <strong>--no-routes</strong></dt>
<dd><p>Set if openfortivpn should try to configure IP routes through the VPN when tunnel is up. If used multiple times, the last one takes priority.</p>
<p><strong>--no-routes</strong> is the same as <strong>--set-routes=</strong><em>0</em>.</p>
</dd>
</dl>
<p><strong>--no-routes</strong> is the same as <strong>--set-routes=</strong><em>0</em>.</p>
<dl>
<dt><strong>--half-internet-routes=</strong><em>&lt;bool&gt;</em></dt>
<dd><p>Set if openfortivpn should add two 0.0.0.0/1 and 128.0.0.0/1 routes with higher priority instead of replacing the default route.</p>
</dd>
</dl>
<dl>
<dt><strong>--set-dns=</strong><em>&lt;bool&gt;</em>, <strong>--no-dns</strong></dt>
<dd><p>Set if openfortivpn should add DNS name servers in /etc/resolv.conf when tunnel is up. Also a dns-suffix may be received from the peer and added to /etc/resolv.conf in the turn of adding the name servers. resolvconf is instructed to do the update of the resolv.conf file if it is installed and --use-resolvconf is activated, otherwise openfortivpn prepends its changes to the existing content of the resolv.conf file. Note that there may be other mechanisms to update /etc/resolv.conf, e.g., <strong>--pppd-use-peerdns</strong> in conjunction with an ip-up-script, which may require that openfortivpn is called with <strong>--no-dns</strong>. <strong>--no-dns</strong> is the same as <strong>--set-dns=</strong><em>0</em>.</p>
</dd>
</dl>
<dl>
<dt><strong>--use-resolvconf=</strong><em>&lt;bool&gt;</em></dt>
<dd><p>Set if openfortivpn should use resolvconf to add DNS name servers in /etc/resolv.conf. If it is set to false, the builtin fallback mechanism is used even if resolvconf is available.</p>
</dd>
<dt><strong>--ca-file=</strong><em>&lt;file&gt;</em></dt>
<dd><p>Use specified PEM-encoded certificate bundle instead of system-wide store to verify the gateway certificate.</p>
</dd>
</dl>
<dl>
<dt><strong>--user-cert=</strong><em>&lt;file&gt;</em></dt>
<dd><p>Use specified PEM-encoded certificate if the server requires authentication with a certificate.</p>
</dd>
</dl>
<dl>
<dt><strong>--user-cert=</strong><em>pkcs11:</em></dt>
<dd><p>Use at least the string pkcs11: for using a smartcard. It takes the full or a partial PKCS11-URI (p11tool --list-token-urls)</p>
</dd>
</dl>
<p>--user-cert = pkcs11:</p>
<p>--user-cert = pkcs11:token=someuser</p>
<p>--user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser</p>
<p><strong>This feature requires the OpenSSL PKCS engine!</strong></p>
</dd>
</dl>
<dl>
<dt><strong>--user-key=</strong><em>&lt;file&gt;</em></dt>
<dd><p>Use specified PEM-encoded key if the server requires authentication with a certificate.</p>
</dd>
</dl>
<dl>
<dt><strong>--pem-passphrase=</strong><em>&lt;pass&gt;</em></dt>
<dd><p>Pass phrase for the PEM-encoded key.</p>
</dd>
</dl>
<dl>
<dt><strong>--use-syslog</strong></dt>
<dd><p>Log to syslog instead of terminal.</p>
</dd>
</dl>
<dl>
<dt><strong>--trusted-cert=</strong><em>&lt;digest&gt;</em></dt>
<dd><p>Trust a given gateway. If classical TLS certificate validation fails, the gateway certificate will be matched against this value. <em>&lt;digest&gt;</em> is the X509 certificate's sha256 sum. The certificate has to be encoded in DER form. This option can be used multiple times to trust several certificates.</p>
</dd>
</dl>
<dl>
<dt><strong>--insecure-ssl</strong></dt>
<dd><p>Do not disable insecure TLS protocols/ciphers. If your server requires a specific cipher, consider using <strong>--cipher-list</strong> instead.</p>
</dd>
</dl>
<dl>
<dt><strong>--cipher-list=</strong><em>&lt;ciphers&gt;</em></dt>
<dd><p>OpenSSL ciphers to use. If default does not work, you can try alternatives such as HIGH:!MD5:!RC4 or as suggested by the Cipher: line in the output of <strong>openssl</strong>(1) (e.g. AES256-GCM-SHA384):</p>
</dd>
</dl>
<p>$ openssl s_client -connect <em>&lt;host:port&gt;</em></p>
<p>(default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)</p>
<p><strong>Applies to TLS v1.2 or lower only, not to be used with TLS v1.3 ciphers.</strong></p>
</dd>
</dl>
<dl>
<dt><strong>--min-tls=</strong><em>&lt;version&gt;</em></dt>
<dd><p>Use minimum TLS version instead of system default. Valid values are 1.0, 1.1, 1.2, 1.3.</p>
</dd>
</dl>
<dl>
<dt><strong>--seclevel-1</strong></dt>
<dd><p>If <strong>--cipher-list</strong> is not specified, add @SECLEVEL=1 to the list of ciphers. This lowers limits on dh key.</p>
<p><strong>Applies to TLS v1.2 or lower only.</strong></p>
</dd>
</dl>
<p><strong>Applies to TLS v1.2 or lower only.</strong></p>
<dl>
<dt><strong>--pppd-use-peerdns=</strong><em>&lt;bool&gt;</em>, <strong>--pppd-no-peerdns</strong></dt>
<dd><p>Whether to ask peer ppp server for DNS server addresses and let pppd rewrite /etc/resolv.conf. There is no mechanism to tell the dns-suffix to pppd. If the DNS server addresses are requested, also <strong>--set-dns=</strong><em>1</em> may race with the mechanisms in pppd.</p>
</dd>
</dl>
<p><strong>--pppd-no-peerdns</strong> is the same as <strong>--pppd-use-peerdns=</strong><em>0</em>.</p>
</dl>
<dl>
<dt><strong>--pppd-log=</strong><em>&lt;file&gt;</em></dt>
<dd><p>Set pppd in debug mode and save its logs into <em>&lt;file&gt;</em>.</p>
</dd>
</dl>
<dl>
<dt><strong>--pppd-plugin=</strong><em>&lt;file&gt;</em></dt>
<dd><p>Use specified pppd plugin instead of configuring the resolver and routes directly.</p>
</dd>
</dl>
<dl>
<dt><strong>--pppd-ipparam=</strong><em>&lt;string&gt;</em></dt>
<dd><p>Provides an extra parameter to the ip-up, ip-pre-up and ip-down scripts. See man <strong>pppd(8)</strong> for further details</p>
</dd>
</dl>
<dl>
<dt><strong>--pppd-ifname=</strong><em>&lt;string&gt;</em></dt>
<dd><p>Set the ppp interface name. Only if supported by pppd. Patched versions of pppd implement this option but may not be available on your platform.</p>
</dd>
<dt><strong>--pppd-call=</strong><em>&lt;name&gt;</em></dt>
<dd><p>Drop usual arguments from pppd command line and add `call &lt;name&gt;' instead. This can be useful on Debian and Ubuntu, where unprivileged users in group `dip' can invoke `pppd call &lt;name&gt;' to make pppd read and apply options from /etc/ppp/peers/&lt;name&gt; (including privileged ones).</p>
</dd>
</dl>
<dl>
<dt><strong>--pppd-accept-remote=</strong><em>&lt;bool&gt;</em></dt>
<dd><p>Whether to invoke pppd with `ipcp-accept-remote'. Enabling this option breaks pppd &lt; 2.5.0 but is required by newer pppd versions.</p>
</dd>
</dl>
<dl>
<dt><strong>--ppp-system=</strong><em>&lt;string&gt;</em></dt>
<dd><p>Only available if compiled for ppp user space client (e.g. on FreeBSD). Connect to the specified system as defined in /etc/ppp/ppp.conf</p>
</dd>
</dl>
<dl>
<dt><strong>--persistent=</strong><em>&lt;interval&gt;</em></dt>
<dd><p>Run the VPN persistently in an endless loop and try to reconnect forever. The reconnect interval may be specified in seconds, where 0 means no reconnect is done (this is the default).</p>
</dd>
</dl>
<dl>
<dt><strong>-v</strong></dt>
<dd><p>Increase verbosity. Can be used multiple times to be even more verbose.</p>
</dd>
</dl>
<dl>
<dt><strong>-q</strong></dt>
<dd><p>Decrease verbosity. Can be used multiple times to be even less verbose.</p>
</dd>
</dl>
<dl>
<h1>ENVIRONMENT and proxy support</h1>
<p><strong>openfortivpn</strong> can be run behind an HTTP proxy that supports the HTTP connect command. It checks if one of the environment variables <strong>https_proxy HTTPS_PROXY all_proxy ALL_PROXY</strong> is set which are supposed to contain a string of the format<br />
<strong>http://[host]:[port]</strong><br />
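Review bot: the new `--tun=<bool>` entry ("Set to create a TUN device and use internal PPP code (experimental)") states neither its default value nor how it interacts with the pppd-related options; because the text says the internal PPP code is used instead of pppd, say which value is the default and whether `--pppd-log`, `--pppd-plugin`, `--pppd-ipparam`, `--pppd-ifname`, `--pppd-call`, `--pppd-accept-remote` and `--pppd-use-peerdns` are ignored when `--tun=1`, as the other `<bool>` entries (`--set-routes`, `--set-dns`) spell out their semantics in that detail. The surrounding entries also show the `--no-routes` equivalence and the "Applies to TLS v1.2 or lower only" sentence both inside the `<dd>` and as a loose `<p>` after the closing `</dl>`, and a `</dl>` directly following another `</dl>` after the `--pppd-no-peerdns` note; if those are not just the old/new interleaving of the diff view, the generated HTML has unbalanced `<dl>`/`<dd>` tags and should be checked in the rendered page.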