Options error option auth user pass is not expected to be inline

<auth-user-pass>
test-username-123
testpassword
</auth-user-pass>

Options error: option 'auth-user-pass' is not expected to be inline (monolitic-test.ovpn:12)
Use --help for more information.

--auth-user-pass [up] : Authenticate with server using username/password.
                  up is a file containing the username on the first line,
                  and a password on the second. If either the password or both
                  the username and the password are omitted OpenVPN will prompt
                  for them from console.

If you are using the GUI, the way to use auth-user-pass is by letting the GUI handle it. Credentials in a file is not required.

Do this: Use auth-user-pass with no arguments. That will cause the GUI to prompt for username and password. In the dialog, select the check-mark to save the password. The next time on, the saved password will be used without the need for further user input.

The password dialog will still show each time a connection is started, but it will be auto-submitted after a short delay giving the user an opportunity to change the username or password. Provides a better UX, and no need to expose the password in cleartext.

Hi, @selvanair , thanks for quick and prompt reply.
The main goal here was to unify the setup and simplify it as much as possible for users that run different OS.
However upon checking the enter of login/password once seems to be relatively easy and simple task, previously I just shared the auth.cfg with login and password inside, which is simpler but way less secure.

Checked the option with no arguments on Android OpenVPN app — worked in the very same manner as on Windows, it prompted me to enter username and password on setup, and did not query later. The proc in UX here is that on Android case credentials are hardcoded in <auth-user-pass> all user has to do it do import the file, and click connect.

Anyway, that auth-user-pass option with no arguments seems to be sufficient for me so far — may I ask if documentation provided via —help is editable via some PRs, or it should be filed as a separate ticket here?

If possible please submit a PR. If its something minor, filing an issue would suffice.

Hi,

On Mon, Aug 30, 2021 at 12:59:38AM -0700, kadabusha wrote:
«`
<auth-user-pass>
test-username-123
testpassword
</auth-user-pass>
«`

We once had a patch to add that functionality to OpenVPN 2.x (by andj)
but it went stale after too many other patches touched this code part
(the general «prompt for something» functions), and andj had no more
time to work on this, alas.

I’m not exactly sure why this is a good idea for the general case,
though — either the server wants a user+password for security reasons
(and then it should not be stored in a plain text file), or it does not
care — then it should just not ask for passwords, and rely on the cert/key
in the .ovpn file…

(OTOH, being able to specify just the username, and prompting for
the password, was one of the more interesting aspects :-))

gert

…

(OTOH, being able to specify just the username, and prompting for
the password, was one of the more interesting aspects :-))

Is this still required as we can and do save username in the GUI? Much easier on the user too instead of having to edit a file to use a different username.

We should probably document the behaviour and usage of auth-user-pass with the GUI better.

When running from command line, username in file, password from console/systemd is still supported.

@kadabusha , what is your use case ?

it is common to embed SSL certificate into ovpn. if you enroll both server and clients (like public vpn server), for example , you can easily provide embedded configs using ssl cert

Hi,

On Mon, Aug 30, 2021 at 11:03:02AM -0700, Selva Nair wrote:
> (OTOH, being able to specify just the username, and prompting for
the password, was one of the more interesting aspects :-))

Is this still required as we can and do save username in the GUI? Much easier on the user too instead of having to edit a file to use a different username.

Well, it would be an admin-generated config file, already having the
right username…

We should probably document the behaviour and usage of auth-user-pass with the GUI better.

Yeah

gert

…

That could be handled by some meta tags like

USERNAME = foo

If we can standardize such tags, it could work across UI’s. We could also get other UI-specific info like profile display-name embedded in configs. I know AS uses similar tags, probably OpenVPN for Android does too.

Unfortunately, configs with all info embedded doesn’t work for any of the setups I use as we need scripts for mapping drives.

On Mon, Aug 30, 2021 at 11:24:25AM -0700, Selva Nair wrote:
Unfortunately, configs with all info embedded doesn’t work for any of the setups I use as we need scripts for mapping drives.

<up>
#!cmd.exe
net use …
</up>

anyone?

(Not sure this is a good idea, though)

gert
—
«If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor.»
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering — Munich, Germany ***@***.***

@chipitsine the case for monolitic ovpn file with all configs is very simple — generate some set of config for the client, send it to them and do not support different clients and UI caveats on why the config does not work on iOS if .ca,.crt,*.key files are in the same folder as ovpn (works on Android and Windows though)
Case for hardcoding the username+password in the file — just for simplicity and less user efforts to setup the tunnel.
This way they do not care about any username/password, if something has to be changed, I’ll just send another *.ovpn file via reliable source, ofc packing into some encrypted archive just for the case.
Unification along different clients/OS is also required, it’s easier to have the *.ovpn file that works on popular systems rather then such that works on just some of those.

@selvanair actually, my question was — where the file with the doc could be found so I can file a PR? cloned this repo, did grep -r for the auth-user-pass and found nothing.

@kadabusha , what is your use case ?

it is common to embed SSL certificate into ovpn. if you enroll both server and clients (like public vpn server), for example , you can easily provide embedded configs using ssl cert

OpenVPN-GUI is only a UI for OpenVPN daemon. Config file is parsed by the daemon which then communicates with the GUI via the management interface. So you should be looking in OpenVPN repo and its man page.

Especially the use of —auth-user-pass with —management-query-passwords. The latter option is required for openpvn daemon to contact the GUI for passwords, and its added by default by the GUI. Adding it to the config can’t hurt though. However, it wont add —auth-user-pass by default as not every setup uses username/password. You have to include it in the config.

Also see https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI-New#gui-userpass

Thanks again for spending that much time for such minor question, guys.
Checked the repo of OpenVPN, if there is no separate doc for openVPN-GUI, then existing documentation is sufficient:

--auth-user-pass [up] : Authenticate with server using username/password.
                  up is a file containing the username on the first line,
                  and a password on the second. If either the password or both
                  the username and the password are omitted OpenVPN will prompt
                  for them from console.

the only minor thing is that can not be used with openVPN-GUI, but I could not find the place in doc where it was suggested, thus nothing to improve.

In my world specifying auth-user-pass with no arguments resulted in password request at first connect with passwordless connect after that, without setting in *.ovpn the management-query-passwords. Test on Android resulted in the same, so should be ok for the time being I think.

the only minor thing is that can not be used with openVPN-GUI, but I could not find the place in doc where it was suggested, thus nothing to improve.

As indicated in the man page, [up] is optional. Using the GUI does work with or without the [up] file, but when [up] is included, username and password are read from that file, not prompted by the GUI. Letting the GUI prompt for credentials provides better UX in most cases. Hence the suggestion not to use a file for credentials (i.e., leave out [up]).

In my world specifying auth-user-pass with no arguments resulted in password request at first connect with passwordless connect after that, without setting in *.ovpn the management-query-passwords.

management-query-passwords is always set by the GUI, no need for you to add it to the config.

Code: Select all

Wed Apr 04 15:56:35 2018 WARNING: cannot stat file 'C:Program FilesOpenVPNconfigpass.txt': No such file or directory (errno=2)
Options error: --auth-user-pass fails with 'C:Program FilesOpenVPNconfigpass.txt'
Options error: Please correct these errors.
Use --help for more information.
Press any key to continue...

Code: Select all

auth-user-pass "C:Program FilesOpenVPNconfigpass.txt"

Code: Select all

auth-user-pass "C:\Program Files\OpenVPN\config\pass.txt"

wrong ovpn