openfortivpn is used to establish VPN tunnels on linux and compatible with Fortinet VPNs.


openfortivpn is included in notable linux distributions and can be installed via packet manager:


root@fedora:~# dnf install openfortivpn


root@ubuntu:~# apt install openfortivpn


root@debian:~# apt install openfortivpn


When starting openfortivpn the following config file is used and should look something like this for the standard vpn tunnel:

#### config file for openfortivpn, see man openfortivpn(1) 
# host = destination adress VPN-Gateway
# port = destination port 
# realm = realm / name of the vpn tunnel
# username = username (CIT-Account)
# password = password 
# ca-file = certificate chain 
host = 
port = 443 
realm = pub-all 
username = <CIT-Account> 
password = <PASSWORD> 
ca-file = /etc/openfortivpn/chain.txt

Note: realm = pub-all is used for the standard vpn tunnel and is used in most cases but it may differ when using a different tunnel.

The ca-file includes the certificate chain of DFN-Verein Global Issuing CA (pem file) and can be downloaded via:


Config files for additional tunnels may be created with freely selected names in the same place.  (warning) NOTE: Depending on the Linux distribution the config files may differ from /etc/openfortivpn or may be created manually.

Establish the connection

start the tunnel via

[root@pc ]# openfortivpn

Root privileges (respectively sudo) are needed because a (ppp)-interface is created  (see here section Running as root?). When using different tunnels via configuration files the following parameter is used:

[root@pc ]# openfortivpn -c /etc/openfortivpn/<my_tunnel_configfile>

Additional parameters and explanatary notes may be found via the MAN-pages.


Openfortivpn can also be used via NetworkManager. The following packets are required and need to be installed:


root@fedora:~# dnf install networkmanager-fortisslvpn plasma-nm-fortisslvpn [KDE] network-manager-fortisslvpn-gnome [Gnome]


root@ubuntu:~# apt install network-manager-fortisslvpn network-manager-fortisslvpn-gnome


root@debian:~# apt install network-manager-fortisslvpn network-manager-fortisslvpn-gnome

Afterwards a new NetworkManager-profile (type fortisslvpn) can be created.

The configuration should look something like this:

OptionValueDescription address.
User name
Your CIT-Account
Your Cit-Account Password
CA Certificate

path to the CA Certificate you already downloaded earlier in this guide.

see CA Certificate

click on "Advanced" to enter the "Realm":

In most cases the realm is pub-all but it may differ when using a different tunnel. Note: Option "Use only for resources on this connection" from IPv4 → Routes must be disabled.

Afterwards the connection can be established when you click on the corresponding entry in the NetworkManager menu.