Error using --push on the commandline

Post by Nik777 » Fri Oct 12, 2018 3:58 pm

Hi All,

Despite the documentation saying it is supported, and having invested over 6 hours of trial-and-error on various combinations, I have been unable to get a --push directive on the commandline to work.

I am using OpenVPN 2.4.6 on CentOS 7.

The error I get is:

Code:

openvpn --config /etc/cluster/cluster.conf --server 10.20.0.0 255.255.255.0 --lport 1194  --push "route 10.10.0.0 255.255.255.0 10.20.0.1" --daemon cluster-service
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: push (2.4.6)

I have tried almost innumerable variations, all of which result in the same error:

Code:

--server 10.20.0.0 255.255.255.0 --lport 1194  --push ""route 10.10.0.0 255.255.255.0"" --daemon cluster-service
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: push (2.4.6)

--server 10.20.0.0 255.255.255.0 --lport 1194  --push \"route 10.10.0.0 255.255.255.0\" --daemon cluster-service
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: push (2.4.6)

--server 10.20.0.0 255.255.255.0 --lport 1194  --push "\"route 10.10.0.0 255.255.255.0\"" --daemon cluster-service
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: push (2.4.6)

--server 10.20.0.0 255.255.255.0 --lport 1194  --push \"--route 10.10.0.0 255.255.255.0\" --daemon cluster-service
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: push (2.4.6)

--server 10.20.0.0 255.255.255.0 --lport 1194  --push "--route 10.10.0.0 255.255.255.0" --daemon cluster-service
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: push (2.4.6)

The documentation says that it is supported:

OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file.

And the documentation does not call out --push as being an exception:

Push a config file option back to the client for remote execution. Note that option must be enclosed in double quotes (""). The client must specify --pull in its config file. The set of options which can be pushed is limited by both feasibility and security. Some options such as those which would execute scripts are banned, since they would effectively allow a compromised server to execute arbitrary code on the client. Other options such as TLS or MTU parameters cannot be pushed because the client needs to know them before the connection to the server can be initiated.

This is a partial list of options which can currently be pushed: --route, --route-gateway, --route-delay, --redirect-gateway, --ip-win32, --dhcp-option, --inactive, --ping, --ping-exit, --ping-restart, --setenv, --auth-token, --persist-key, --persist-tun, --echo, --comp-lzo, --socket-flags, --sndbuf, --rcvbuf

I suspect the OpenVPN code strips enclosing quotes from all commandline tokens, and the parser for --push requires the quotes to be there - catch-22.

My current workaround is to dynamically append 'push' directives to the config file in a startup script.

Code:

for route in $SIBLING_SUBNETS; do
    # routes="$routes --push \"--route $( echo $route | tr '/' ' ' )\""
    echo "push \"route $( echo "$route" | tr '/' ' ' )\"" >> /etc/cluster/cluster-service.conf
done

But this is kind of clunky, requires write-access to what should be a read-only directory, and may cause problems if the script ever gets re-run...
So I would much prefer to use the commandline, if possible.

Can someone please confirm whether --push can actually be used on the commandline, and if so how?
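
An added example, not part of the original posts: if a startup script assembles the options in a shell variable, as the commented-out `routes=` line in the workaround above does, the embedded quotes do not group words when the variable is expanded unquoted. The sketch uses a hypothetical stand-in function, `push_arg_counts`, in place of openvpn and a constructed `SIBLING_SUBNETS` value to show how many parameters each `--push` receives under both constructions; it assumes the options are built by such a script, which the thread does not confirm.

```shell
#!/bin/sh
# Constructed sample input, in the "network/netmask" form the startup script uses.
SIBLING_SUBNETS="10.10.0.0/255.255.255.0 10.30.0.0/255.255.255.0"

# Hypothetical stand-in for openvpn: for each --push in its argv, report how
# many separate words follow it before the next "--" option.
push_arg_counts() {
    counts=""
    n=-1                                  # -1 means "not inside a --push"
    for arg in "$@"; do
        case $arg in
            --*)
                if [ "$n" -ge 0 ]; then counts="$counts $n"; fi
                if [ "$arg" = "--push" ]; then n=0; else n=-1; fi
                ;;
            *)
                if [ "$n" -ge 0 ]; then n=$((n + 1)); fi
                ;;
        esac
    done
    if [ "$n" -ge 0 ]; then counts="$counts $n"; fi
    echo "${counts# }"
}

# Options collected in a string with embedded quotes, then expanded unquoted.
# The quote characters are plain data at expansion time, so the shell splits
# on every space and each --push is followed by three words.
string_built_counts() {
    routes=""
    for route in $SIBLING_SUBNETS; do
        routes="$routes --push \"route $(echo "$route" | tr '/' ' ')\""
    done
    push_arg_counts --server 10.20.0.0 255.255.255.0 $routes --daemon cluster-service
}

# Options collected in the positional parameters: each quoted value stays one
# word, so each --push is followed by exactly one parameter.
argv_built_counts() {
    set -- --server 10.20.0.0 255.255.255.0
    for route in $SIBLING_SUBNETS; do
        set -- "$@" --push "route $(echo "$route" | tr '/' ' ')"
    done
    push_arg_counts "$@" --daemon cluster-service
}

echo "string-built: parameters per --push = $(string_built_counts)"
echo "argv-built:   parameters per --push = $(argv_built_counts)"
```

In a real startup script, the last line of `argv_built_counts` would call openvpn with `"$@"` instead of the stand-in, which also avoids writing to the configuration directory.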


Re: Error using --push on the commandline

Post by TinCanTech » Fri Oct 12, 2018 7:45 pm

It is interesting that the command line appears not to do what the config file does.

Possibly worth reporting this as a bug.
