Netgate Discussion Forum
Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings

OpenVPN
  • philippe richard, Mar 20, 2025, 12:33 PM

    Hello, maybe someone could help me.
    We have an OpenVPN server with 2FA authentication; everything is configured correctly so that clients are not disconnected after one hour.
    The server has the option reneg-sec 0; and the clients have reneg-sec 36000.
    It works very well with Linux OpenVPN clients, however, Windows clients continue to disconnect after one hour of connection.

    Have you ever encountered this problem? Thank you in advance for your help.

    • viragomann @philippe richard, Mar 20, 2025, 1:32 PM

      @philippe-richard said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:

      The server has the option reneg-sec 0

      That's not recommended.

      Remove this option and state

      auth-gen-token 57600

      or a similar value.
      With this, the server generates a session token and sends it to the client during authentication. This token is used for the renegotiation later.
      The value specifies the validity time of the token.

      Also, you should remove the reneg option from the client config. Then the client renegotiates after one hour using the session token, which is still valid. This is more secure than disabling renegotiation totally.

      • mcury @philippe richard, Mar 20, 2025, 1:33 PM

        @philippe-richard I'm using reneg-sec 28800 on the server side only, nothing on the client.
        2FA Google auth with FreeRADIUS using this tutorial:

        https://www.netgate.com/blog/freeradius-on-pfsense-for-2fa

        https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-custom.html#renegotiation-time

        dead on arrival, nowhere to be found.

        • mcury @viragomann, Mar 20, 2025, 1:34 PM (edited Mar 20, 2025, 1:36 PM)

          @viragomann said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:

          auth-gen-token 57600

          Oh, we answered him almost at the same time.
          I didn't know about that option; let me read about it.

          Is this setting compatible with pfSense version 2.7.2?

          dead on arrival, nowhere to be found.

          • viragomann @mcury, Mar 20, 2025, 1:39 PM

            @mcury
            Works pretty well.

            Doesn't your Windows client renegotiate anyway without this?
            I didn't succeed with only setting a high reneg time on the server.

            Is this setting compatible with pfSense version 2.7.2?

            To be honest, I have set this on OPNsense with OpenVPN 2.6.13. So I guess it might work in pfSense 2.7.2 as well.

            • philippe richard, Mar 20, 2025, 1:41 PM

              Thank you all for your quick help. I'll try that right away and get back to you.

              • mcury @viragomann, Mar 20, 2025, 1:48 PM

                @viragomann said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:

                Doesn't your Windows client renegotiate anyway without this?

                I just configured OpenVPN, still in the implementation phase, so I wouldn't know about renegotiation; I'll be looking for that in the logs now.

                Also, there is no information about that auth-gen-token option in the Netgate documentation.

                I configured auth-gen-token; only, with no parameters, to test.

                dead on arrival, nowhere to be found.

                • viragomann @mcury, Mar 20, 2025, 2:11 PM

                  @mcury said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:

                  Also, no information about that auth-gen-token option in Netgate documentation.

                  The option is useful when using 2FA with TOTP. Maybe it's not mentioned in the docs because pfSense doesn't support OTP authentication natively.
                  Without this option the client uses the password for the renegotiation. However, the TOTP is considered a part of the password and is not valid anymore then. Hence you would have to enter a new OTP.

                  • mcury @viragomann, Mar 20, 2025, 2:21 PM

                    @viragomann said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:

                    Without this option the client uses the password for the renegotiation. However, the TOTP is considered a part of the password and is not valid anymore then. Hence you would have to enter a new OTP.

                    I removed reneg-sec and am now using auth-gen-token to test.
                    Currently using FreeRADIUS OTP (Google Authenticator) for OpenVPN clients using the tutorial mentioned above; I'll be watching closely for any complaints and will report back if I see something.

                    Really, thanks viragomann 👍
                    Learning something new every day =)

                    dead on arrival, nowhere to be found.

                    • philippe richard @viragomann, Mar 20, 2025, 3:26 PM

                      @viragomann

                      I'm back, thank you very much. The 'auth-gen-token 57600' command works perfectly. My Windows OpenVPN client is still connected after 1 hour and 30 minutes of connection.

                      • philippe richard @viragomann, Mar 21, 2025, 11:01 AM

                        @viragomann
                        Hello,
                        I'd like to know if this command is compatible with 'Client Specific Overrides' if I need to configure custom disconnection settings for individual clients.

                        Thank you.

                        • viragomann @philippe richard, Mar 21, 2025, 11:30 AM

                          @philippe-richard
                          I cannot think of any reason why this should not be compatible with CSO. It just changes the authentication renegotiation process to use an auth token instead of OTP+password.

                          • philippe richard @viragomann, Mar 21, 2025, 11:32 AM

                            @viragomann
                            Thank you for your help.

                            • phil80 @viragomann, Apr 6, 2025, 5:12 PM

                              @viragomann said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:

                              @philippe-richard
                              I cannot think of any reason why this should not be compatible with CSO. It just changes the authentication renegotiation process to use an auth token instead of OTP+password.

                              Thank you for the help.
                              By the way, at least on Android, you cannot currently set this option in the client; it gets ignored with an "out of context" error in the logs.
                              Also, I cannot get the OpenVPN Connect app to work properly with it. However, the OpenVPN for Android app does work.

                              This is discussed in this redmine issue:
                              https://redmine.pfsense.org/issues/12466#change-76474

                              And further discussion about reneg-sec is here:
                              https://redmine.pfsense.org/issues/13293#change-76475

                              • maverick_slo @phil80, 29 days ago

                                @phil80

                                It works; the syntax is wrong.
                                You have to specify the time that the token is valid for:
                                auth-gen-token 86400;
                                auth-gen-token 0;   (set to 0: never expires)

                                For me it works on both Android clients and on Windows.

                                We use Duo push MFA, and when we change networks we see in the log that the session token is used for reauth...

                                Also, if reneg-sec on the server is 36000 and this option is not set on the client, it will still renegotiate after 3600 seconds, because this is hard coded to 3600 if not set. And the SMALLER number is used, so if the server has 3600000 seconds set and the client has nothing specified, 3600 applies.

                                My settings:

                                reneg-sec 7200;
                                push "reneg-sec 7200";
                                auth-gen-token 86400;
                                status /var/log/openvpn-status.log;

                                Works like a charm for 400 OpenVPN clients.

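A worked check of the renegotiation rules described in viragomann's reply (auth-gen-token as a session token for renegotiation) and in maverick_slo's post (the smaller reneg-sec wins, with 3600 as the default), added here as an example; it is not code from the thread, from OpenVPN or from pfSense. It assumes the option semantics stated in those posts, that a pushed reneg-sec overrides the client's own value, and that the token covers renegotiations until its lifetime after the first authentication.

```python
# Added example, not code from the thread. Assumptions: the smaller non-zero
# reneg-sec of server/client wins (default 3600); a pushed "reneg-sec"
# overrides the client's own value; a token from auth-gen-token N covers
# renegotiations until N seconds after first auth (N = 0 or bare: never expires).
import re

DEFAULT_RENEG_SEC = 3600  # OpenVPN default when a side sets nothing

def parse_options(text):
    # Map option name -> list of args; ';' or newline separate directives
    # (so pfSense custom-option style "reneg-sec 7200;" is accepted).
    opts = {}
    for directive in re.split(r"[;\n]", text):
        directive = directive.strip()
        if not directive or directive.startswith("#"):
            continue
        parts = directive.split(None, 1)
        opts.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return opts

def pushed_options(server_opts):
    # push "reneg-sec 7200" -> {"reneg-sec": "7200"}
    pushed = {}
    for arg in server_opts.get("push", []):
        name, _, value = arg.strip().strip('"').partition(" ")
        pushed[name] = value.strip()
    return pushed

def effective_reneg_sec(server_cfg, client_cfg):
    # Seconds until the first renegotiation; 0 only if both sides disable it.
    server_opts = parse_options(server_cfg)
    client_opts = parse_options(client_cfg)
    server_val = int(server_opts.get("reneg-sec", [DEFAULT_RENEG_SEC])[0])
    client_val = int(pushed_options(server_opts).get("reneg-sec")
                     or client_opts.get("reneg-sec", [DEFAULT_RENEG_SEC])[0])
    timers = [v for v in (server_val, client_val) if v > 0]
    return min(timers) if timers else 0

def first_otp_reprompt(server_cfg, client_cfg, session_seconds):
    # Session second at which a renegotiation would need a fresh OTP, else None.
    interval = effective_reneg_sec(server_cfg, client_cfg)
    if interval == 0:
        return None
    token = parse_options(server_cfg).get("auth-gen-token")
    token_life = -1 if token is None else int(token[0] or 0)  # -1: no token
    for t in range(interval, session_seconds + 1, interval):
        if token_life < 0 or 0 < token_life < t:
            return t  # password+TOTP resent, but that TOTP expired long ago
    return None
```

Feeding it the original poster's configs (server reneg-sec 0, client 36000) gives a 36000-second interval, while a server-only reneg-sec 36000 with an unset client falls to 3600, as maverick_slo describes.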
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.