Description
IMPORTANT NOTE
Bugs about OpenVPN Access Server, OpenVPN Connect or any other product by OpenVPN Inc. should be directly reported to OpenVPN Inc. at https://support.openvpn.net
Describe the bug
Either a config file parsing bug or a documentation issue.
Edit: Looks like this is related to (at least) these lines of the code:

Lines 2813 to 2848 in 88f8edb

```c
    if (pull)
    {
        const int sum =
            ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
            + ((options->priv_key_file != NULL)
               || (options->management_flags & MF_EXTERNAL_KEY));

        if (sum == 0)
        {
            if (!options->auth_user_pass_file)
            {
                msg(M_USAGE, "No client-side authentication method is "
                    "specified. You must use either "
                    "--cert/--key, --pkcs12, or "
                    "--auth-user-pass");
            }
        }
        else if (sum != 2)
        {
            msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
        }
    }
    else
    {
        if (!(options->management_flags & MF_EXTERNAL_CERT))
        {
            notnull(options->cert_file,
                    "certificate file (--cert) or PKCS#12 file (--pkcs12)");
        }
        if (!(options->management_flags & MF_EXTERNAL_KEY))
        {
            notnull(options->priv_key_file,
                    "private key file (--key) or PKCS#12 file (--pkcs12)");
        }
    }
}
```
To Reproduce
- Setup a small example deployment with one server and client, fitting the below client config.
- Try to connect to the server (should work without additional properties, except filling in ca and tls-auth).
- Now replace `client` with `tls-client` and `pull`. Docs say this is all that `client` does (Link).
- Now add `pull-filter ignore ""` (Config should still work and connect properly). Docs don't mention that anything is exempt from getting filtered, neither at --pull nor --pull-filter args.
- Next try to remove the `pull` entirely as the `pull-filter ignore ""` should render it entirely useless anyway. The docs for --pull even state:

  > so you should not use --pull or --client in situations where you don't trust the server to have control over the client's routing table

  But once these two lines are removed parsing the configuration file fails for undocumented reasons with:

  ```
  Options error: You must define certificate file (--cert) or PKCS#12 file (--pkcs12)
  Use --help for more information.
  ```

  Then one may think "just point it towards the CA file or /dev/null". When `--cert /dev/null` is added a similar message but with --key instead of --cert is shown. Trying to set that one to /dev/null as well results in another error message without any documentation (setting `--pkcs12 /dev/null` instead behaves exactly like `--cert /dev/null --key /dev/null` in this regard):

  ```
  Options error: --auth-user-pass requires --pull
  Use --help for more information.
  ```

  --auth-user-pass within the docs doesn't mention anything about this requirement.
  Also, even if this is intended for whatever reason, the fact that it doesn't work when `pull` is missing but does with `pull-filter ignore ""` definitely needs further elaboration. Same for why cert/key or pkcs12 suddenly becomes required when a client doesn't pull options from the server (esp. when looking at what options get logged as having been sent by the server. See below).
- Out of desperation try to add all of the options the server (supposedly, according to the logs) sent directly into the config file => Same parsing error as above.
Working client config before above steps to start with:

```
client
dev tun
proto udp
remote example.invalid 1194
auth-user-pass
link-mtu 1500
mtu-test
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
</ca>
remote-cert-tls server
<tls-auth>
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
(...)
-----END OpenVPN Static key V1-----
</tls-auth>
data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC
verb 5
```
Even though the mentioned error occurs while parsing the client configuration, before any connection is attempted, here are the options the server would be pushing (as logged by the pull-filter option):

```
# What the server would push:
#route 10.0.0.0 255.255.0.0
#route 192.168.0.0 255.255.255.0
#dhcp-option DNS 10.0.0.11
#dhcp-option DNS 10.0.0.12
#route-gateway 172.16.0.1
#topology subnet
#ping 10
#ping-restart 120
#ifconfig 172.16.0.20 255.255.255.0
#peer-id 4
#cipher AES-256-CBC
```
Expected behavior
Either documentation stating what side effects or hidden configuration options get set/unset when comparing:
a) `pull` being omitted with `pull` and `pull-filter ignore ""` (what is different, why, and where to find it in the logs?)
b) The configuration with all of the pulled (and logged) options being included in the config (instead of using `pull`) with one that only contains `pull`

The expected behaviour would be consistent behaviour: both in a) should behave exactly the same, as should the two in b).
And/or documentation needs to be expanded to state what's different and why.
Also, in case there is some technical reason for why `pull` is demanded here, a less intrusive option should be provided that only gets the minimal required properties (or add the `pull-filter ignore ""` trick to the docs as the "official" solution for these situations, together with an explanation of what it modifies).
Version information (please complete the following information):
- OS: macOS 15.6.1
- OpenVPN version: OpenVPN 2.6.14 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD]
- library versions: OpenSSL 3.0.16 11 Feb 2025, LZO 2.10
Additional context
I'm connecting to an openvpn server of a 3rd party company to access some specific systems only. I do not want them to fuck up my network configuration or be considered authoritative or trusted for pushing ANY configuration, including e.g. DNS or full-tunnel (esp. because some of the routes they push overlap with other networks I need to access). I'll manually configure the routes I want to have, and everything else is undesired here too.
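The following is an added, simplified Python model of the option check quoted from options.c above, walked through the reproduction steps of this report; it is not OpenVPN's code and was not written by the reporter. It reads the same fields the C excerpt reads (`cert_file`, `priv_key_file`, `auth_user_pass_file`, `management_flags`, and the `pull` flag), and makes three labelled assumptions: the `MF_EXTERNAL_*` bit values are constructed, `--pkcs12` is treated as satisfying both the cert and key conditions (matching what the report observes), and the "--auth-user-pass requires --pull" message, which is not in the quoted excerpt, is modelled as a later check because the report shows it firing once cert and key are both set. The names `parse_config`, `verify_client_auth` and `run_reproduction` are hypothetical.

```python
# Added model of the client-side auth check quoted above (not OpenVPN's code).
MF_EXTERNAL_CERT = 1 << 0   # management-interface flags; bit values are constructed
MF_EXTERNAL_KEY = 1 << 1


def parse_config(text):
    """Reduce an OpenVPN client config to the fields the quoted check reads.
    Inline <ca>/<tls-auth> blocks are skipped; unrelated options are ignored."""
    opts = {"pull": False, "cert_file": None, "priv_key_file": None,
            "auth_user_pass_file": None, "management_flags": 0}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):          # end of an inline file block
            in_block = False
            continue
        if line.startswith("<"):           # start of an inline file block
            in_block = True
            continue
        if in_block:
            continue
        name, *args = line.split()
        if name in ("client", "pull"):     # docs: --client implies --tls-client --pull
            opts["pull"] = True
        elif name == "cert":
            opts["cert_file"] = args[0]
        elif name == "key":
            opts["priv_key_file"] = args[0]
        elif name == "pkcs12":             # assumption: counts as both cert and key,
            opts["cert_file"] = args[0]    # matching what the report observes
            opts["priv_key_file"] = args[0]
        elif name == "auth-user-pass":
            opts["auth_user_pass_file"] = args[0] if args else "<stdin>"
        # 'pull-filter' deliberately falls through: it filters pushed options
        # but does not set the pull flag, which is the behaviour at issue.
    return opts


def verify_client_auth(opts):
    """Return None when the config passes, otherwise the 'Options error' text."""
    flags = opts["management_flags"]
    if opts["pull"]:
        have_cert = opts["cert_file"] is not None or bool(flags & MF_EXTERNAL_CERT)
        have_key = opts["priv_key_file"] is not None or bool(flags & MF_EXTERNAL_KEY)
        total = int(have_cert) + int(have_key)       # 'sum' in the C excerpt
        if total == 0:
            if not opts["auth_user_pass_file"]:
                return ("No client-side authentication method is specified. "
                        "You must use either --cert/--key, --pkcs12, or --auth-user-pass")
        elif total != 2:
            return "If you use one of --cert or --key, you must use them both"
        return None
    # Without --pull the excerpt demands both files (notnull -> "You must define ...").
    if not (flags & MF_EXTERNAL_CERT) and opts["cert_file"] is None:
        return "You must define certificate file (--cert) or PKCS#12 file (--pkcs12)"
    if not (flags & MF_EXTERNAL_KEY) and opts["priv_key_file"] is None:
        return "You must define private key file (--key) or PKCS#12 file (--pkcs12)"
    # Not in the quoted excerpt: the report shows this message once cert/key are
    # satisfied without --pull, so it is modelled here as a later check (assumption).
    if opts["auth_user_pass_file"]:
        return "--auth-user-pass requires --pull"
    return None


# Constructed configs following the reproduction steps (cert material omitted).
STEPS = {
    "client":              "client\nauth-user-pass\nremote example.invalid 1194\n",
    "tls-client+pull":     "tls-client\npull\nauth-user-pass\n",
    "+pull-filter":        'tls-client\npull\npull-filter ignore ""\nauth-user-pass\n',
    "pull removed":        'tls-client\npull-filter ignore ""\nauth-user-pass\n',
    "+cert /dev/null":     'tls-client\npull-filter ignore ""\nauth-user-pass\ncert /dev/null\n',
    "+cert+key /dev/null": 'tls-client\npull-filter ignore ""\nauth-user-pass\n'
                           'cert /dev/null\nkey /dev/null\n',
}


def run_reproduction():
    """Map each step name to the error it produces (None = config accepted)."""
    return {name: verify_client_auth(parse_config(cfg)) for name, cfg in STEPS.items()}


if __name__ == "__main__":
    for name, err in run_reproduction().items():
        print(f"{name:20s} -> {'OK' if err is None else 'Options error: ' + err}")
```

Running it reproduces the sequence the report describes: the first three steps pass, dropping `pull` trips the certificate check, adding `--cert /dev/null` moves the failure to the key check, and satisfying both exposes the `--auth-user-pass requires --pull` message. The model also makes the underlying reason visible: `pull-filter` never touches the `pull` flag, so the parser takes the no-pull branch, in which a certificate and key are unconditionally required and user/password authentication is not accepted on its own.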