Getting disconnected from OpenVPN server each hour

I am having a rather strange issue with my OpenVPN configuration. I am connecting from Windows 7 with the latest official OpenVPN client to my OpenVPN server (OpenVPN 2.1.4 i386-redhat-linux-gnu).

The problem is I am getting disconnected from my OpenVPN server exactly after 1 hour and I can't understand what directive/option is responsible for this. Maybe it's a client issue? I have tried different Windows systems and Windows VPN clients. The Linux clients are working as expected with no disconnections.

Could you please help me to troubleshoot this issue? I have tried reading books and googling, and some people advise playing with the keepalive and reneg-sec directives. But that does not seem to help.

OpenVPN server config

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 192.168.2.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
client-config-dir ccd
route 192.168.51.0 255.255.255.0
keepalive 60 600
reneg-sec 5000
hand-window 15
tls-auth ta.key 0
comp-lzo
max-clients 50
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
crl-verify crl.pem
management localhost 11111
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
push "dhcp-option DNS 192.168.2.1"
push "dhcp-option DOMAIN example.com"
push "dhcp-option SEARCH example.com"

Server log (isn't the problem in reinit_src=1?)

Oct  9 07:23:38 vpn openvpn[19495]: user/192.168.253.20:54568 TLS Error: TLS handshake failed
Oct  9 07:23:38 vpn openvpn[19495]: user/192.168.253.20:54568 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
Oct  9 07:24:53 vpn openvpn[19495]: user/192.168.253.20:54568 TLS Error: TLS handshake failed
Oct  9 07:26:08 vpn openvpn[19495]: user/192.168.253.20:54568 TLS Error: TLS key negotiation failed to occur within 15 seconds (check your network connectivity)
Oct  9 07:26:08 vpn openvpn[19495]: user/192.168.253.20:54568 TLS Error: TLS handshake failed
Oct  9 07:26:39 vpn openvpn[19495]: user/192.168.253.20:54568 [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct  9 07:26:39 vpn openvpn[19495]: user/192.168.253.20:54568 SIGUSR1[soft,ping-restart] received, client-instance restarting

Client log

RwrWRwRwRwRwTue Oct 09 07:26:39 2012 us=796000 TLS: soft reset sec=0 bytes=7405621/0 pkts=9459/0
Tue Oct 09 07:26:39 2012 us=600000 ERROR: could not read Auth username from stdin
Tue Oct 09 07:26:39 2012 us=600000 Exiting
Tue Oct 09 07:26:39 2012 us=600000 C:\WINDOWS\system32\route.exe DELETE 192.168.2.1 MASK 255.255.255.255 192.168.100.150
Tue Oct 09 07:26:39 2012 us=600000 Route deletion via IPAPI succeeded [adaptive]
Tue Oct 09 07:26:39 2012 us=600000 C:\WINDOWS\system32\route.exe DELETE 10.0.0.0 MASK 255.0.0.0 192.168.100.150
Tue Oct 09 07:26:39 2012 us=600000 Route deletion via IPAPI succeeded [adaptive]
Tue Oct 09 07:26:39 2012 us=600000 Closing TUN/TAP interface

Thank you very much.


The culprit seems to be your authentication configuration. You are using plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login which would require the client to supply a valid username/password combination to connect. Apparently, this is also required upon rekeying and your OpenVPN client seems unable to request the user name from stdin (ERROR: could not read Auth username from stdin).

As for the reason why raising reneg-sec in your server configuration does not help matters: the parameter has to be specified in both the server's and the client's config to be effectively raised above the default of 3600 seconds (which happens to cause the one-hour disconnect you are seeing).

So your options would be to

  • use an authentication method which does not require user input (certificates spring to mind)
  • troubleshoot why your client is unable to prompt for the user name / password combination after connection establishment
  • raise the rekeying period or disable rekeying entirely (which weakens your connection's security, so it surely is only an inferior workaround to your problem)
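
A small checker, added here as an example and not part of the answer above, that applies the two points it makes: OpenVPN rekeys when either side's reneg-sec timer fires (default 3600 s, 0 disables only that side's timer), so the smaller non-zero value decides, and an interactive auth plugin such as openvpn-auth-pam means the client is asked for credentials again at every rekey. The two config texts are constructed for illustration; treating auth-user-pass-verify like the PAM plugin is an assumption of the example.

```python
"""Work out the effective OpenVPN rekey interval from server and client configs."""
import re

DEFAULT_RENEG_SEC = 3600  # OpenVPN default when reneg-sec is not set

# Constructed sample configs (not the poster's files): server raised
# reneg-sec, client left at the default, so the 3600 s timer still fires.
SERVER_CONF = """\
port 1194
reneg-sec 5000
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
"""
CLIENT_CONF = """\
client
dev tun
"""


def reneg_sec(config_text):
    """Return the reneg-sec max value from a config body, or the default."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        m = re.match(r"reneg-sec\s+(\d+)", line)
        if m:
            return int(m.group(1))
    return DEFAULT_RENEG_SEC


def effective_rekey_interval(server_cfg, client_cfg):
    """Seconds until the first rekey; 0 only if both sides disabled their timer."""
    timers = [t for t in (reneg_sec(server_cfg), reneg_sec(client_cfg)) if t > 0]
    return min(timers) if timers else 0


def needs_credentials_on_rekey(server_cfg):
    """True when the server re-checks a username/password on every handshake.
    (openvpn-auth-pam is from the question; auth-user-pass-verify is assumed.)"""
    pattern = r"(plugin\s+\S*openvpn-auth-pam|auth-user-pass-verify)"
    return any(re.match(pattern, ln.strip()) for ln in server_cfg.splitlines())


def diagnose(server_cfg, client_cfg):
    """One-line verdict on whether the setup will prompt at each rekey."""
    interval = effective_rekey_interval(server_cfg, client_cfg)
    if interval and needs_credentials_on_rekey(server_cfg):
        return f"credentials requested every {interval}s; client must supply them"
    if interval:
        return f"rekey every {interval}s without user interaction"
    return "rekeying disabled on both sides; one data-channel key for the whole session"


if __name__ == "__main__":
    print(diagnose(SERVER_CONF, CLIENT_CONF))
```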

You can try reneg-sec 0 in your server.conf:

https://duo.com/docs/openvpn

https://tldrify.com/m80

It's quite simple really. Since OpenVPN tries to renegotiate a new TLS session every 3600 secs by default, you'd have to re-authenticate each time, using a new OTP. To avoid this kind of behaviour, it's just a matter of telling OpenVPN never to renegotiate a TLS session and to keep the existing one alive. If you combine the keepalive directive and reneg-sec 0, you're going to have a stable connection, with no renegotiation whatsoever.