OpenVPN connection resetting every 2 minutes

openvpn tunnelblick

This is often the sign that there are more that one client who are using this key/certificate pair:

  • (1) authneticates
  • (2) authenticates; server sees the same certificate, so it thinks it was just replaced connection, and (1) will not receive keepalive pings anymore
  • (1) misses some pings, decides the connection died and reconnects, now (2) won't receive pings
  • (2) misses some pings, decides the connection died and reconnects, now (1) won't receive pings

You see what's going and also it is clear how inactivity timeout set by ping-restart is involved here.

For this to not happen, you have to carefully manage your VPN CA. In particular:

  • Keep track where your keys are installed and who is in charge of the device where each key is installed. Have a way to contact anyone who has active VPN keys (e.g. record their phone number, email, etc., you may set up OpenSSL so it'll ask for that data during certificate issuance and record that data directly into certificates and CA index).
  • Never use the same key/cert more than once; never put key/cert into templates; if you clone some system, clear keys there. Keys must be always generated and certificated issued anew each time when the system is deployed.
  • If some user asks for (another) key/cert while they have an active one, they must explain why. They may have lost old data because OS was reinstalled and they forgot to save VPN configuration; or they simply may need to have VPN on additional computer. Or whatever. Evaluating their explanation, you either first revoke old key before issuing another one, or issue a key with another CN to avoid a clash.
  • Educate your users to always notify you their key/cert is not used anymore (it's lost or the reason for its issuance is lost) so you can revoke it. And you then have to revoke it.
  • Very important, educate users to ugently notify you if they suspect key/cert was stolen, in which case you must immediately revoke it.

These are parts of a process called "network security". VPN couldn't be secure without certain discipline, no matter how perfect its software and state-of-art cryptography it is using.

Related

Outlook 2013 rules do not work after migrating mailbox to Exchange 2013
Restrict relay with postfix to certain domain from single IP
How to check IP range in nginx location?
scp failing with vast.ai
Trying to install postgis on Centos 6.9 and missing dependency libgeotiff.so.2 [closed]
Best and safe way to move a big folder
What is the permission for a IAM user to create a ECR repository?
What is reducing the MSS by 42?
Compress directory for backup
Xubuntu runs well in recovery mode but freezes in normal mode
How to solve 'ERROR: An NVIDIA kernel module 'nvidia-uvm' appears to already be loaded in your kernel'?
Ubuntu 19.04 Freeze at loading DELL E6430 i5 - nomodeset didn't work well