Client for PPP+SSL VPN tunnel services
C Shell M4 C++ Other
Clone or download
martinetd and DimitriPapadopoulos gcc 8: fix -Wstring-truncation warnings
New warnings introduced with recent of version of GCC need ignoring
or fixing.
This is an attempt to fix them.
Latest commit e6d1917 Jun 1, 2018


openfortivpn is a client for PPP+SSL VPN tunnel services.
It spawns a pppd process and operates the communication between the gateway and this process.

It is compatible with Fortinet VPNs.


  • Simply connect to a VPN:

    openfortivpn vpn-gateway:8443 --username=foo
  • Connect to a VPN using an authentication realm:

    openfortivpn vpn-gateway:8443 --username=foo --realm=bar
  • Don't set IP routes and don't add VPN nameservers to /etc/resolv.conf:

    openfortivpn vpn-gateway:8443 -u foo -p bar --no-routes --no-dns
  • Using a config file:

    openfortivpn -c /etc/openfortivpn/my-config

    With /etc/openfortivpn/my-config containing:

    host = vpn-gateway
    port = 8443
    username = foo
    password = bar
    set-routes = 0
    set-dns = 0
    # X509 certificate sha256 sum, trust only this one!
    trusted-cert = e46d4aff08ba6914e64daa85bc6112a422fa7ce16631bff0b592a28556f993db


Installing existing packages

Some Linux distibutions provide openfortivpn packages:

On macOS both Homebrew and MacPorts provide an openfortivpn package. Either install Homebrew then install openfortivpn:

# Install 'Homebrew'
/usr/bin/ruby -e "$(curl -fsSL"

# Install 'openfortivpn'
brew install openfortivpn

or install MacPorts then install openfortivpn:

# Install 'openfortivpn'
sudo port install openfortivpn

Building and installing from source

For other distros, you'll need to build and install from source:

  1. Install build dependencies.

    • RHEL/CentOS/Fedora: gcc automake autoconf openssl-devel pkg-config
    • Debian/Ubuntu: gcc automake autoconf libssl-dev pkg-config
    • Arch Linux: gcc automake autoconf openssl pkg-config
    • Gentoo Linux: net-dialup/ppp pkg-config
    • openSUSE: gcc automake autoconf libopenssl-devel pkg-config
    • macOS(Homebrew): automake autoconf openssl@1.0 pkg-config

    On Linux, if you manage your kernel yourself, ensure to compile those modules:


    On macOS, install 'Homebrew' to install the build dependencies:

    # Install 'Homebrew'
    /usr/bin/ruby -e "$(curl -fsSL"
    # Install Dependencies
    brew install automake autoconf openssl@1.0 pkg-config
    # You may need to make this openssl available to compilers
    export LDFLAGS="-L/usr/local/opt/openssl/lib $LDFLAGS"
    export CPPFLAGS="-I/usr/local/opt/openssl/include $CPPFLAGS"
  2. Build and install.

    ./configure --prefix=/usr/local --sysconfdir=/etc
    sudo make install

    If you need to specify the openssl location you can set the $PKG_CONFIG_PATH environment variable.

Running as root?

openfortivpn needs elevated privileges at three steps during tunnel set up:

  • when spawning a /usr/sbin/pppd process;
  • when setting IP routes through VPN (when the tunnel is up);
  • when adding nameservers to /etc/resolv.conf (when the tunnel is up).

For these reasons, you may need to use sudo openfortivpn.
If you need it to be usable by non-sudoer users, you might consider adding an entry in /etc/sudoers.

For example: visudo -f /etc/sudoers.d/openfortivpn

Cmnd_Alias  OPENFORTIVPN = /usr/bin/openfortivpn


Warning: Make sure only trusted users can run openfortivpn as root!
As described in #54, a malicious user could use --pppd-plugin and --pppd-log options to divert the program's behaviour.


Feel free to make pull requests!

C coding style should follow the Linux kernel Documentation/CodingStyle.