.OP \-b,\-\-background

.OP \-\-pid\-file pidfile

.OP \-c,\-\-certificate cert

.OP \-e,\-\-cert\-expire\-warning days

.OP \-k,\-\-sslkey key

.OP \-C,\-\-cookie cookie

.OP \-\-cookie\-on\-stdin

.OP \-d,\-\-deflate

.OP \-D,\-\-no\-deflate

.OP \-\-force\-dpd interval

.OP \-g,\-\-usergroup group

.OP \-h,\-\-help

.OP \-i,\-\-interface ifname

.OP \-l,\-\-syslog

.OP \-U,\-\-setuid user

.OP \-\-csd\-user user

.OP \-m,\-\-mtu mtu

.OP \-p,\-\-key\-password pass

.OP \-P,\-\-proxy proxyurl

.OP \-\-no\-proxy

.OP \-\-libproxy

.OP \-\-key\-password\-from\-fsid

.OP \-q,\-\-quiet

.OP \-Q,\-\-queue\-len len

.OP \-s,\-\-script vpnc\-script

.OP \-S,\-\-script\-tun

.OP \-u,\-\-user name

.OP \-V,\-\-version

.OP \-v,\-\-verbose

.OP \-x,\-\-xmlconfig config

.OP \-\-authgroup group

.OP \-\-cookieonly

.OP \-\-printcookie

.OP \-\-cafile file

.OP \-\-disable\-ipv6

.OP \-\-dtls\-ciphers list

.OP \-\-no\-dtls

.OP \-\-no\-http\-keepalive

.OP \-\-no\-passwd

.OP \-\-non\-inter

.OP \-\-passwd\-on\-stdin

.OP \-\-token\-mode mode

.OP \-\-token\-secret {secret\fR[\fI,counter\fR]|@\fIfile\fR}

.OP \-\-servercert sha1

.OP \-\-useragent string

.B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB]

.YS

.SH DESCRIPTION

The program

.B openconnect

connects to VPN servers which use standard TLS/SSL, DTLS, and ESP

protocols for data transport.

It was originally written to support Cisco "AnyConnect" VPN servers,

and has since been extended with experimental support for Juniper

Network Connect and Junos Pulse VPN servers

.RB ( \-\-protocol=nc )

and PAN GlobalProtect VPN servers

.RB ( \-\-protocol=gp ).

The connection happens in two phases. First there is a simple HTTPS

connection over which the user authenticates somehow \- by using a

certificate, or password or SecurID, etc. Having authenticated, the

real VPN connection.

The second phase uses that cookie to connect to a tunnel via HTTPS,

and data packets can be passed over the resulting connection. When

possible, a UDP tunnel is also configured: AnyConnect uses DTLS, while

Juniper and GlobalProtect use UDP-encapsulated ESP. The UDP tunnel

may be disabled with

.BR \-\-no\-dtls ,

but is preferred when correctly supported by the server and network

for performance reasons. (TCP performs poorly and unreliably over

TCP-based tunnels; see

.IR http://sites.inka.de/~W1011/devel/tcp-tcp.html .)

.SH OPTIONS

.TP

.B \-\-config=CONFIGFILE

Read further options from

.I CONFIGFILE

before continuing to process options from the command line. The file

should contain long-format options as would be accepted on the command line,

but without the two leading \-\- dashes. Empty lines, or lines where the

first non-space character is a # character, are ignored.

Any option except the

.B config

option may be specified in the file.

.TP

Continue in background after startup

.TP

Save the pid to

.I PIDFILE

when backgrounding

.TP

Use SSL client certificate

.I CERT

which may be either a file name or, if OpenConnect has been built with an appropriate

version of GnuTLS, a PKCS#11 URL.

Give a warning when SSL client certificate has

.I DAYS

left before expiry

.TP

which may be either a file name or, if OpenConnect has been built with an appropriate

version of GnuTLS, a PKCS#11 URL.

Use authentication cookie

.IR COOKIE .

Enable all compression, including stateful modes. By default, only stateless

compression algorithms are enabled.

.B \-\-compression=MODE

Set compression mode, where

.I MODE

is one of

.IR "stateless" ,

.IR "none" ,

or

.IR "all" .

By default, only stateless compression algorithms which do not maintain state

from one packet to the next (and which can be used on UDP transports) are

enabled. By setting the mode to

.I "all"

stateful algorithms (currently only zlib deflate) can be enabled. Or all

compression can be disabled by setting the mode to

Use

.I INTERVAL

as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn't request it.

.TP

Use

.I GROUP

as login UserGroup

.TP

.B \-F,\-\-form\-entry=FORM:OPTION=VALUE

Provide authentication form input, where

.I FORM

and

.I OPTION

are the identifiers from the form and the specific input field, and

.I VALUE

is the string to be filled in automatically. For example, the standard username field

.I (also handled by the \-\-user option)

could also be provided with this option thus:

.I \-\-form\-entry

.IR main:username=joebloggs .

.TP

Display help text

.TP

.B \-\-http\-auth=METHODS

Use only the specified methods for HTTP authentication to a server. By default,

only Negotiate, NTLM and Digest authentication are enabled. Basic authentication

is also supported but because it is insecure it must be explicitly enabled. The

argument is a comma-separated list of methods to be enabled. Note that the order

does not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic

authentication in that order, if each is enabled, regardless of the order

specified in the METHODS string.

.TP

Use

.I IFNAME

for tunnel interface

.TP

Use syslog for progress messages

.TP

.B \-\-timestamp

Prepend a timestamp to each progress message

.TP

.B \-\-passtos

Copy TOS / TCLASS of payload packet into DTLS packets.

.TP

Drop privileges after connecting, to become user

.I USER

.TP

Run

.I SCRIPT

Request

.I MTU

from server as the MTU of the tunnel.

.TP

Indicate

.I MTU

as the path MTU between client and server on the unencrypted network. Newer

servers will automatically calculate the MTU to be used on the tunnel from

this value.

Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM

.TP

Use HTTP or SOCKS proxy for connection. A username and password can be provided

in the given URL, and will be used for authentication. If authentication is

required but no credentials are given, GSSAPI and automatic NTLM authentication

using Samba's ntlm_auth helper tool may be attempted.

Use only the specified methods for HTTP authentication to a proxy. By default,

only Negotiate, NTLM and Digest authentication are enabled. Basic authentication

is also supported but because it is insecure it must be explicitly enabled. The

argument is a comma-separated list of methods to be enabled. Note that the order

does not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic

authentication in that order, if each is enabled, regardless of the order

specified in the METHODS string.

Use libproxy to configure proxy automatically (when built with libproxy support)

.TP

Passphrase for certificate file is automatically generated from the

.I fsid

of the file system on which it is stored. The

.I fsid

.BR statvfs (2)

or

.BR statfs (2)

system call, depending on the operating system. On a Linux or similar system

with GNU coreutils, the

.I fsid

used by this option should be equal to the output of the command:

.EX

stat \-\-file\-system \-\-printf=%i\e\en $CERTIFICATE

.EE

It is not the same as the 128\-bit UUID of the file system.

Less output

.TP

.I LEN

pkts

.TP

.B \-s,\-\-script=SCRIPT

Invoke

.I SCRIPT

to configure the network after connection. Without this, routing and name

service are unlikely to work correctly. The script is expected to be

compatible with the

.B vpnc\-script

which is shipped with the "vpnc" VPN client. See

.I http://www.infradead.org/openconnect/vpnc-script.html

for more information. This version of OpenConnect is configured to

use \fB@DEFAULT_VPNCSCRIPT@\fR by default.

On Windows, a relative directory for the default script will be handled as

starting from the directory that the openconnect executable is running from,

rather than the current directory. The script will be invoked with the

command-based script host \fBcscript.exe\fR.

.TP

.B \-S,\-\-script\-tun

Pass traffic to 'script' program over a UNIX socket, instead of to a kernel

tun/tap device. This allows the VPN IP traffic to be handled entirely in

userspace, for example by a program which uses lwIP to provide SOCKS access

into the VPN.

Set login username to

.I NAME

.TP

Report version number

.TP

XML config file

.TP

Choose authentication login selection

.TP

Authenticate only, and output the information needed to make the connection

a form which can be used to set shell environment variables. When invoked with

this option, openconnect will not make the connection, but if successful will

output something like the following to stdout:

.nf

.B COOKIE=3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...

.B HOST=10.0.0.1

.B FINGERPRINT=469bb424ec8835944d30bc77c77e8fc1d8e23a42

.fi

Thus, you can invoke openconnect as a non-privileged user

.I (with access to the user's PKCS#11 tokens, etc.)

for authentication, and then invoke openconnect separately to make the actual

connection as root:

.nf

.B eval `openconnect --authenticate https://vpnserver.example.com`;

.B [ -n "$COOKIE" ] && echo "$COOKIE" |

.B \ \ sudo openconnect --cookie-on-stdin $HOST --servercert $FINGERPRINT

.fi

.TP

Cert file for server verification

.TP

Do not advertise IPv6 capability to server

.TP

.B \-\-dtls12\-ciphers=LIST

Set OpenSSL ciphers for Cisco's DTLS v1.2

.TP

.B \-\-dtls\-local\-port=PORT

Use

.I PORT

.TP

.B \-\-dump\-http\-traffic

Enable verbose output of all HTTP requests and the bodies of all responses

received from the server.

.TP

.B \-\-no\-system\-trust

Do not trust the system default certificate authorities. If this option is

given, only certificate authorities given with the

.B \-\-cafile

option, if any, will be trusted automatically.

.TP

.B \-\-pfs

Enforces Perfect Forward Secrecy (PFS). That ensures that if the server's

long-term key is compromised, any session keys established before the compromise

will be unaffected. If this option is provided and the server does not support PFS

in the TLS channel the connection will fail.

PFS is available in Cisco ASA releases 9.1(2) and higher; a suitable cipher

suite may need to be manually enabled by the administrator using the

.B ssl encryption

setting.

multiple requests. So far, this has only been seen on the initial connection,

where the server gives an HTTP/1.0 redirect response with an explicit

directive. OpenConnect as of v2.22 has an unconditional workaround for this,

which is never to obey that directive after an HTTP/1.0 response.

However, Cisco's support team has failed to give any competent

response to the bug report and we don't know under what other

circumstances their bug might manifest itself. So this option exists

made for each request. If your server seems not to be recognising your

certificate, try this option. If it makes a difference, please report

this information to the

mailing list.

.TP

Never attempt password (or SecurID) authentication.

.TP

.B \-\-no\-xmlpost

Do not attempt to post an XML authentication/configuration request to the

server; use the old style GET method which was used by older clients and

servers instead.

This option is a temporary safety net, to work around potential

compatibility issues with the code which falls back to the old method

automatically. It causes OpenConnect to behave more like older

versions (4.08 and below) did. If you find that you need to use this

option, then you have found a bug in OpenConnect. Please see

http://www.infradead.org/openconnect/mail.html and report this to the

developers.

.TP

.TP

.B \-\-protocol=PROTO

Select VPN protocol

.I PROTO

to be used for the connection. Supported protocols are

.I anyconnect

.I nc

for experimental support for Juniper Network Connect (also supported

by Junos Pulse servers), and

.I gp

for experimental support for PAN GlobalProtect.

.B \-\-token\-mode=MODE

Enable one-time password generation using the

.I MODE

algorithm.

.B \-\-token\-mode=rsa

will call liboath to generate an RFC 6238 time-based password, and

.B \-\-token\-mode=hotp

will call liboath to generate an RFC 4226 HMAC-based password. Yubikey

tokens which generate OATH codes in hardware are supported with

.B \-\-token\-mode=yubioath

Base 32-encoded TOTP/HOTP secrets can be used by specifying "base32:" at the

beginning of the secret, and for HOTP secrets the token counter can be

specified following a comma.

RSA SecurID secrets can be specified as an Android/iPhone URI or a raw numeric

CTF string (with or without dashes).

For Yubikey OATH the token secret specifies the name of the credential to be

used. If not provided, the first OATH credential found on the device will be

used.

.IR FILENAME ,

if specified, can contain any of the above strings. Or, it can contain a

SecurID XML (SDTID) seed.

"rsa", libstoken will try to use the software token seed saved in

.B ~/.stokenrc

by the "stoken import" command.

Keep reconnect attempts until so much seconds are elapsed. The default

timeout is 300 seconds, which means that openconnect can recover

VPN connection after a temporary network down time of 300 seconds.

.B \-\-resolve=HOST:IP

Automatically resolve the hostname

.IR HOST

to

.IR IP

instead of using the normal resolver to look it up.

.TP

.B \-\-servercert=HASH

Accept server's SSL certificate only if the provided fingerprint matches.

The allowed fingerprint types are

.IR SHA1 ,

.IR PIN-SHA256 .

They are distinguished by the 'sha1:', 'sha256:' and 'pin-sha256:' prefixes to the

encoded hash. The first two are custom identifiers providing hex

encoding of the peer's public key, while 'pin-sha256:' is the RFC7469 key

PIN, which utilizes base64 encoding. To ease certain

testing use-cases, a partial match of the hash will also

be accepted, if it is at least 4 characters past the prefix.

.B \-\-useragent=STRING

Use

.I STRING

as 'User\-Agent:' field value in HTTP header.

(e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')

.B \-\-version\-string=STRING

Use

.I STRING

as the software version reported to the head end.

(e.g. \-\-version\-string '2.2.0133')

.TP

.B \-\-local-hostname=STRING

Use

.I STRING

as 'X\-CSTP\-Hostname:' field value in HTTP header. For example \-\-local\-hostname 'mypc',

will advertise the value 'mypc' as the suggested hostname to point to the provided IP address.

.TP

OS type to report to gateway. Recognized values are:

.BR linux ,

.BR linux\-64 ,

.BR win ,

.BR mac\-intel ,

.BR android ,

.BR apple\-ios .

Reporting a different OS type may affect the dynamic access policy (DAP)

applied to the VPN session. If the gateway requires CSD, it will also cause

the corresponding CSD trojan binary to be downloaded, so you may need to use

.B \-\-csd\-wrapper

if this code is not executable on the local machine.

.SH SIGNALS

In the data phase of the connection, the following signals are handled:

.TP

performs a clean shutdown by logging the session off, disconnecting from the

gateway, and running the vpnc\-script to restore the network configuration.

.TP

.B SIGHUP

disconnects from the gateway and runs the vpnc\-script, but does not log the

session off; this allows for reconnection later using

.BR \-\-cookie .

.TP

.B SIGUSR2

forces an immediate disconnection and reconnection; this can be used to

quickly recover from LAN IP address changes.

.TP