Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings

mcury

@viragomann said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:

auth-gen-token 57600

oh, we answered him almost at the same time.
I didn't know about that option, let me read about it.

Is this setting compatible with 2.7.2 pfSense version ?

viragomann

@mcury
Works pretty well.

Doesn't your Windows client renegotiation anyway without this?
I didn't succeed with only setting a high reneg time on the server.

Is this setting compatible with 2.7.2 pfSense version ?

To be honest, I have set this on OPNsense with OpenVPN 2.6.13. So I guess, it might work in pfSense 2.7.2 as well.

philippe richard

Thank you all for your quick help. I'll try that right away and get back to you.

mcury

@viragomann said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:

Doesn't your Windows client renegotiation anyway without this?

I just configured openVPN, still in the implementation phase, so I wouldn't know about renegotiation, I'll be looking for that in the logs now.

Also, no information about that auth-gen-token option in Netgate documentation.

I configured auth-gen-token; only, with no parameters to test.

viragomann

@mcury said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:

Also, no information about that auth-gen-token option in Netgate documentation.

The option useful, when using 2FA with TOTP. Maybe it's not mentioned in the docs, because pfsense doesn't support OTP authentication natively.
Without this option the client use the password for the renegotiation. However, the TOTP is considered a part of the password and is not valid anymore then. Hence you would have to enter a now OTP.

mcury

@viragomann said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:

Without this option the client use the password for the renegotiation. However, the TOTP is considered a part of the password and is not valid anymore then. Hence you would have to enter a now OTP.

I removed reneg-sec and now using auth-gen-token to test.
Currently using freeradius OTP googleauth for openvpn clients using the tutorial mentioned above, I'll be watching closely for any complaints and will report back if I see something.

Really thanks viargomann
Learning something new everyday =)

philippe richard

@viragomann

I'm back, thank you very much. The 'auth-gen-token 57600' command works perfectly. My Windows OpenVPN client is still connected after 1 hour and 30 minutes of connection.

philippe richard

@viragomann
Hello,
I'd like to know if this command is compatible with 'Client Specific Overrides' if I need to configure custom disconnection settings for individual clients.

Thank you.

viragomann

@philippe-richard
I cannot think of any reason, why this should not be compatible with CSO. It just changes the authentication renegotiation process to use an auth token instead of OTP+password.

philippe richard

@viragomann
Thank you for your help.

phil80

@viragomann said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:

@philippe-richard
I cannot think of any reason, why this should not be compatible with CSO. It just changes the authentication renegotiation process to use an auth token instead of OTP+password.

Thank you for the help
By the way, at least in Android, you cannot currently set this option in the client, it gets ignored with an out of context error in logs
Also, I cannot get OpenVPN Connect app to work properly with it. However, OpenVPN for Android app does work

This is discussed in this redmine issue:
https://redmine.pfsense.org/issues/12466#change-76474

And further dscussion about reneg-sec is here:
https://redmine.pfsense.org/issues/13293#change-76475

maverick_slo

@phil80

It works, syntax is wrong.
You have to specify time that token is valid for:
auth-gen-token 86400;
auth-gen-token 0; --->>Set to 0 never expires

For me it works on both Android clients and on windows also.

We use duo push mfa and when we change networks, we see in log that session token is used for reauth...

Also, if reneg-sec on server is 36000 and this option is not set on client it will still renegotiate after 3600 seconds because this is hard coded to 3600 if not set. And SMALLER number is used, so if server has 3600000 seconds set, and client has nothing specified, 3600 applies.

My settings:

reneg-sec 7200;
push "reneg-sec 7200";
auth-gen-token 86400;
status /var/log/openvpn-status.log;

Works like charm for 400 openvpn clients.