Netgate Discussion Forum

    OpenVPN Connect Client with MFA - reconnect options?

      dlogan

      We're having some issues where a user on a hotspot or other unreliable connection is connected to the VPN. I also suspect these users are connecting and walking away from their computer, but that's more of a management issue. When the client detects it has lost connection, it automatically tries to reconnect. It doesn't ask the user, it doesn't ask for the user's password again, it just sends MFA (Duo push) - multiple times.
      We're getting users locked out of their Duo accounts because it happens more than 10 times.
      Is there a setting somewhere to prevent this behavior?

        itinfo @dlogan

        @dlogan

        What is your Authentication with DUO configuration?

        I use AD with DUO and so far am not having any issues.

        Here is my configuration document: https://d-b-s.com/documents

          dlogan @itinfo

          @itinfo
          AD LDAP auth using the Duo Auth Proxy on a couple of servers

            itinfo @dlogan

            @dlogan
            I had a similar problem. I set the force logoff after x amount of time of no activity.

            Here is a pretty good post on the matter.

            https://serverfault.com/questions/748890/openvpn-force-maximum-session-length

            Another option is to set a variable in the Config files on each workstation - sorry there is no Server setting for this one.

            I set my users as follows.

            reneg-sec 21600

            This equates to every 6 hours

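An added example, not part of the thread or any poster's setup: one way to spot the reconnect loop described in the first post before a user reaches the 10-attempt Duo lockout, by counting unanswered authentication attempts per user in a sliding window. The log layout, the `result=` values, and the `warn_at` and `window` defaults are assumptions, and the sample lines are constructed; adapt `LINE_RE` to your own OpenVPN or Duo Authentication Proxy logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout: "<ISO timestamp> <host> auth user=<name> result=<word>"
LINE_RE = re.compile(r"^(?P<ts>\S+) .*\bauth user=(?P<user>\S+) result=(?P<result>\w+)")
DUO_LOCKOUT = 10  # lockout count reported in the thread


def flag_push_loops(lines, warn_at=5, window=timedelta(minutes=15)):
    """Return {user: highest unanswered-attempt count within any window}.

    Only users reaching warn_at are returned. A successful auth clears the
    user's count (assumption: someone who approves a push is at the keyboard).
    """
    recent = defaultdict(deque)  # user -> timestamps of unanswered attempts
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth line
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["user"]]
        if m["result"] == "success":
            q.clear()
            continue
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= warn_at:
            flagged[m["user"]] = max(flagged.get(m["user"], 0), len(q))
    return flagged


def sample_lines():
    """Constructed log lines for three hypothetical users."""
    base = datetime(2025, 1, 6, 9, 0, 0)
    def line(minute, user, result):
        ts = (base + timedelta(minutes=minute)).isoformat()
        return f"{ts} vpn1 auth user={user} result={result}"
    rows = [line(i, "alice", "timeout") for i in range(7)]  # client looping, nobody answering
    rows += [line(0, "bob", "timeout"), line(1, "bob", "timeout"), line(2, "bob", "success")]
    rows += [line(h * 60, "carol", "timeout") for h in range(6)]  # hourly, never clusters
    return rows


if __name__ == "__main__":
    for user, count in flag_push_loops(sample_lines()).items():
        print(f"{user}: {count} unanswered pushes, lockout at {DUO_LOCKOUT}")
```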
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.