Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings
-
@mcury
Works pretty well.
Doesn't your Windows client renegotiate anyway without this?
I didn't succeed with only setting a high reneg time on the server.
Is this setting compatible with 2.7.2 pfSense version?
To be honest, I have set this on OPNsense with OpenVPN 2.6.13. So I guess, it might work in pfSense 2.7.2 as well.
-
Thank you all for your quick help. I'll try that right away and get back to you.
-
@viragomann said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:
Doesn't your Windows client renegotiate anyway without this?
I just configured openVPN, still in the implementation phase, so I wouldn't know about renegotiation, I'll be looking for that in the logs now.
Also, no information about that auth-gen-token option in Netgate documentation.
I configured auth-gen-token only, with no parameters, to test.
-
@mcury said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:
Also, no information about that auth-gen-token option in Netgate documentation.
The option is useful when using 2FA with TOTP. Maybe it's not mentioned in the docs because pfSense doesn't support OTP authentication natively.
Without this option the client uses the password for the renegotiation. However, the TOTP is considered a part of the password and is not valid anymore then. Hence you would have to enter a new OTP.
-
@viragomann said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:
Without this option the client uses the password for the renegotiation. However, the TOTP is considered a part of the password and is not valid anymore then. Hence you would have to enter a new OTP.
I removed reneg-sec and now using auth-gen-token to test.
Currently using freeradius OTP googleauth for openvpn clients using the tutorial mentioned above, I'll be watching closely for any complaints and will report back if I see something.
Really, thanks viragomann.
Learning something new every day =)
-
I'm back, thank you very much. The 'auth-gen-token 57600' command works perfectly. My Windows OpenVPN client is still connected after 1 hour and 30 minutes of connection.
-
@viragomann
Hello,
I'd like to know if this command is compatible with 'Client Specific Overrides' if I need to configure custom disconnection settings for individual clients.
Thank you.
-
@philippe-richard
I cannot think of any reason, why this should not be compatible with CSO. It just changes the authentication renegotiation process to use an auth token instead of OTP+password.
-
@viragomann
Thank you for your help.
-
@viragomann said in Windows OpenVPN Disconnects After 1 Hour Despite reneg-sec Settings:
@philippe-richard
I cannot think of any reason, why this should not be compatible with CSO. It just changes the authentication renegotiation process to use an auth token instead of OTP+password.
Thank you for the help
By the way, at least in Android, you cannot currently set this option in the client, it gets ignored with an out of context error in logs
Also, I cannot get OpenVPN Connect app to work properly with it. However, OpenVPN for Android app does work.
This is discussed in this redmine issue:
https://redmine.pfsense.org/issues/12466#change-76474
And further discussion about reneg-sec is here:
https://redmine.pfsense.org/issues/13293#change-76475