OpenVPN connection resetting every 2 minutes
This is often the sign that more than one client is using the same key/certificate pair:
- (1) authenticates
- (2) authenticates; the server sees the same certificate, so it thinks the connection was just replaced, and (1) will not receive keepalive pings anymore
- (1) misses some pings, decides the connection died and reconnects; now (2) won't receive pings
- (2) misses some pings, decides the connection died and reconnects; now (1) won't receive pings
You see what's going on, and it is also clear how the inactivity timeout set by ping-restart is involved here.
To prevent this, you have to carefully manage your VPN CA. In particular:
- Keep track of where your keys are installed and who is in charge of the device where each key is installed. Have a way to contact anyone who has active VPN keys (e.g. record their phone number, email, etc.; you may set up OpenSSL so it asks for that data during certificate issuance and records it directly into the certificates and the CA index).
- Never use the same key/cert more than once; never put a key/cert into templates; if you clone some system, clear the keys there. Keys must always be generated and certificates issued anew each time the system is deployed.
- If some user asks for (another) key/cert while they have an active one, they must explain why. They may have lost the old data because the OS was reinstalled and they forgot to save the VPN configuration, or they may simply need to have VPN on an additional computer. Or whatever. Evaluating their explanation, you either revoke the old key before issuing another one, or issue a key with another CN to avoid a clash.
- Educate your users to always notify you when their key/cert is not used anymore (it is lost, or the reason for its issuance is gone) so you can revoke it. And you then have to revoke it.
- Very important: educate users to urgently notify you if they suspect a key/cert was stolen, in which case you must immediately revoke it.
These are parts of a process called "network security". A VPN couldn't be secure without a certain discipline, no matter how perfect its software and the state-of-the-art cryptography it uses.
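The flap described in the answer, as an added illustration (not code from the original answer or from OpenVPN). The first half is a deliberately simplified model of the keepalive behaviour: the server keeps one session per certificate CN and silently replaces it when the same CN connects again, and a client that has received nothing for `ping_restart` seconds restarts its connection. The timing values mirror a `keepalive 10 120` setting, which is an assumption. The second half is a small detector over constructed server log lines that flags a CN whose sessions are initiated from more than one real address within a short window, which is the log-level symptom of a copied key; the log line shape is an approximation of OpenVPN's "Peer Connection Initiated" message and the addresses are constructed RFC 5737 test addresses.

```python
"""Model of the keepalive flap caused by a shared client certificate,
plus a log-based detector for the symptom. Added example; assumptions:
one session per CN on the server, `keepalive 10 120` style timings,
and an approximated server log line format."""
import re
from collections import defaultdict
from datetime import datetime


class Client:
    def __init__(self, name, cn, connect_at):
        self.name = name
        self.cn = cn                 # CN of the certificate this client presents
        self.connect_at = connect_at  # second at which it first connects
        self.connected = False
        self.last_seen = None        # last second at which the server sent us anything


def simulate(clients, horizon=600, ping_interval=10, ping_restart=120):
    """Return [(second, client_name)] for every ping-restart reconnect."""
    active = {}      # cn -> the single client the server currently serves
    reconnects = []

    def connect(c, t):
        active[c.cn] = c        # same CN: the previous session is replaced
        c.connected = True
        c.last_seen = t         # handshake traffic counts as liveness

    for t in range(horizon + 1):
        for c in clients:
            if c.connect_at == t:
                connect(c, t)
        if t % ping_interval == 0:
            for c in active.values():   # only the active session gets pings
                c.last_seen = t
        for c in clients:
            if c.connected and t - c.last_seen >= ping_restart:
                reconnects.append((t, c.name))   # client gives up and restarts
                connect(c, t)                    # ...stealing the session back
    return reconnects


# Approximation of an OpenVPN server log line (assumed format).
PEER_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
    r"(?P<addr>[\d.]+):\d+ \[(?P<cn>[^\]]+)\] Peer Connection Initiated")


def shared_cn_candidates(log_lines, window_seconds=300):
    """CNs whose sessions were initiated from more than one real address
    within `window_seconds` of each other; returns {cn: [addresses]}."""
    events = defaultdict(list)   # cn -> [(timestamp, real address)]
    for line in log_lines:
        m = PEER_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        events[m["cn"]].append((ts, m["addr"]))
    suspects = {}
    for cn, evs in events.items():
        evs.sort()
        for (t1, a1), (t2, a2) in zip(evs, evs[1:]):
            if a1 != a2 and (t2 - t1).total_seconds() <= window_seconds:
                suspects.setdefault(cn, set()).update({a1, a2})
    return {cn: sorted(addrs) for cn, addrs in suspects.items()}


# Constructed sample log: "alice" is shared between two hosts, "bob" is not.
SAMPLE_LOG = """\
Fri Mar 15 10:00:00 2024 203.0.113.10:51234 [alice] Peer Connection Initiated with [AF_INET]203.0.113.10:51234
Fri Mar 15 10:00:05 2024 198.51.100.7:40210 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:40210
Fri Mar 15 10:01:00 2024 192.0.2.33:60001 [bob] Peer Connection Initiated with [AF_INET]192.0.2.33:60001
Fri Mar 15 10:02:00 2024 203.0.113.10:51240 [alice] Peer Connection Initiated with [AF_INET]203.0.113.10:51240
Fri Mar 15 10:04:00 2024 198.51.100.7:40222 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:40222
""".splitlines()

if __name__ == "__main__":
    two = [Client("A", "shared", 0), Client("B", "shared", 5)]
    for t, who in simulate(two):
        print(f"t={t:4d}s  {who} reconnects")   # alternates A/B every 120 s
    print(shared_cn_candidates(SAMPLE_LOG))
```

With two clients on one CN the reconnects land at 120, 240, 360 seconds and so on, alternating between the two hosts, which is the "every 2 minutes" cadence of the question; with a single client per CN the list is empty. The detector gives the server operator a way to find which CN is shared before going through the CA records the answer asks you to keep.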