After one hour of use, OpenVPN asks me to sign in again for an unknown reason.
-
Hi to all,
I use OpenVPN with the latest release of pfSense.
The client side is Windows 10 with the OpenVPN client (latest version). After one hour of use, OpenVPN asks me to sign in again for an unknown reason.
Server log:
Aug 10 14:37:54 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX [XXXXXXXXXXXX] Inactivity timeout (--ping-restart), restarting
Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_VER=2.4.7
Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_PLAT=win
Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_PROTO=2
Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_NCP=2
Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_LZ4=1
Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_LZ4v2=1
Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_LZO=1
Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUB=1
Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUBv2=1
Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_TCPNL=1
Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_GUI_VER=OpenVPN_GUI_11
Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX [XXXXXXXXXXXX] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:XXXXXX
Aug 10 14:47:30 openvpn user 'XXXXXXXXXXXXXXX' authenticated
Aug 10 14:47:31 openvpn 70018 XXXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX MULTI_sva: pool returned IPv4=XX.XX.XX.XX, IPv6=(Not enabled)
Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_VER=2.4.7
Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_PLAT=win
Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_PROTO=2
Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_NCP=2
Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_LZ4=1
Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_LZ4v2=1
Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_LZO=1
Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUB=1
Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUBv2=1
Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_TCPNL=1
Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_GUI_VER=OpenVPN_GUI_11
Aug 10 14:51:36 openvpn user 'XXXXXXXXXXXX' authenticated
Client setup:
dev tun
persist-tun
persist-key
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
auth SHA512
tls-client
client
resolv-retry infinite
remote XXXXXXXXX XXXX udp
# added for security reason
auth-nocache
comp-lzo no
push "comp-lzo no"
verify-x509-name "XXXXXXXXXXXXXXXXX" name
auth-user-pass
pkcs12 XXXXXXXXXXXXXXXXXX.p12
tls-auth XXXXXXXXXXXXXXXXXXXXXX.key 1
remote-cert-tls server
# Log add
mute-replay-warnings
mute 20
verb 3
Does someone know how to fix it, please?
Please advise about my OpenVPN config file, if there is a way to improve it. Many thanks in advance for your help.
-
@Elrick75 said in After one hour of use, OpenVPN asks me to sign in again for an unknown reason.:
auth-nocache
Remove that from the client config.
-
@Pippin said in After one hour of use, OpenVPN asks me to sign in again for an unknown reason.:
@Elrick75 said in After one hour of use, OpenVPN asks me to sign in again for an unknown reason.:
auth-nocache
Remove that from the client config.
Which will also then show you this warning in red in the connection dialogue (which is probably why you added it...):
Sat Aug 10 10:17:33 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
-
OpenVPN renegotiates every hour by default.
Caching authorization on the client means you generally do not notice.
People tend to see problems when they employ multi-factor authentication.
Adding this to the client disables negotiation from the client side:
reneg-sec 0;
That can be added in the client exporter or usually directly on the client.
You can then control renegotiations on the server with something like:
reneg-sec 43200;
Every 12 hours.
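As an added example (my own code, not from this thread, from OpenVPN or from pfSense), here is a small Python lint that reasons about a client config the way the replies above do: it parses the directives, reads reneg-sec and auth-nocache, combines the client's interval with an assumed server-side reneg-sec (renegotiation fires when either side's timer expires, so the shorter non-zero value wins), and reports whether a credential prompt, an MFA failure or silently cached credentials is the expected outcome. The sample config, the hostname, the finding codes and the uses_mfa flag are constructed assumptions; the 3600-second default is OpenVPN's own reneg-sec default.

```python
import shlex

# OpenVPN's default TLS renegotiation interval in seconds (the "every hour" above).
DEFAULT_RENEG_SEC = 3600

# Constructed sample modelled on the client config posted in the thread.
# Hostname, port and certificate name are placeholders, not the poster's values.
SAMPLE_CLIENT_CONFIG = """\
dev tun
persist-tun
persist-key
cipher AES-256-GCM
auth SHA512
tls-client
client
resolv-retry infinite
remote vpn.example.invalid 1194 udp
# added for security reason
auth-nocache
verify-x509-name "server-cert-cn" name
auth-user-pass
remote-cert-tls server
verb 3
"""


def parse_config(text):
    """Map each directive to its argument list (last occurrence wins).

    Lines starting with '#' or ';' are comments, as in OpenVPN; quoted
    arguments such as verify-x509-name "..." name are kept intact.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def reneg_interval(directives):
    """Renegotiation interval this side will initiate; 0 means 'never'."""
    args = directives.get("reneg-sec")
    return int(args[0]) if args else DEFAULT_RENEG_SEC


def effective_reneg(client_sec, server_sec):
    """Renegotiation happens when either side's timer expires, so the
    effective interval is the smallest non-zero value; 0 only if both are 0."""
    active = [s for s in (client_sec, server_sec) if s > 0]
    return min(active) if active else 0


def lint(client_text, server_reneg_sec=DEFAULT_RENEG_SEC, uses_mfa=False):
    """Return (code, message) findings about re-authentication behaviour.

    uses_mfa is an assumed flag: the config alone does not reveal whether the
    server's auth backend expects a one-time code.
    """
    d = parse_config(client_text)
    reneg = effective_reneg(reneg_interval(d), server_reneg_sec)
    userpass = "auth-user-pass" in d
    nocache = "auth-nocache" in d
    findings = []
    if userpass and nocache and reneg:
        findings.append(("PROMPT_EVERY_RENEG",
                         f"auth-nocache set: expect a credential prompt every {reneg // 60} min"))
    if userpass and uses_mfa and reneg:
        findings.append(("MFA_RENEG_FAILS",
                         "a one-time code cannot be replayed at renegotiation; the session will drop"))
    if userpass and not nocache:
        findings.append(("CREDS_CACHED",
                         "credentials stay in client memory for silent re-auth (OpenVPN warns about this)"))
    if reneg == 0:
        findings.append(("RENEG_DISABLED",
                         "neither side renegotiates: one data-channel key for the whole session"))
    return findings


if __name__ == "__main__":
    # The poster's setup: auth-nocache plus default reneg-sec on both sides.
    for code, msg in lint(SAMPLE_CLIENT_CONFIG):
        print(code, ":", msg)
    # The advice in this thread: drop auth-nocache, client reneg-sec 0, server 43200.
    fixed = SAMPLE_CLIENT_CONFIG.replace("auth-nocache\n", "") + "reneg-sec 0\n"
    for code, msg in lint(fixed, server_reneg_sec=43200):
        print(code, ":", msg)
```

Running it on the sample reports PROMPT_EVERY_RENEG every 60 minutes, which matches the symptom in the first post; with auth-nocache removed, client reneg-sec 0 and server reneg-sec 43200 it reports only CREDS_CACHED, which is the trade-off the replies describe. Setting both sides to 0 additionally reports RENEG_DISABLED, since the data-channel key is then never refreshed.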
-
Hi,
Many thanks for your explanation.
From what I understand, OpenVPN needs to re-use my password every hour (default).
The auth-nocache instruction on the client side prevents OpenVPN from re-using my password after one hour; that's why it requests my password again (otherwise I lose my connection). I would be interested in using auth-nocache to avoid any hack from memory.
On the other side, I can change the renegotiation time. What do you think is the least bad solution for a good security level? What do you advise?
-
Do not use --auth-nocache if you don't want to enter the password periodically, and do not disable --reneg-sec.
If Eve has access to memory, you have more important things to worry about.
-
As I understand it, if you enable auth-nocache you will always be prompted for the password when you renegotiate. Otherwise it will enter it for you.
Most people only hit this problem when they use multi-factor authentication, because OpenVPN cannot renegotiate: it doesn't have access to the multi-factor.
I would leave it as the default (no auth-nocache) and leave the renegotiation at the default as well.