pfSense 2.4.5 with OpenVPN and an external Radius Server with 2FA TOTP
-
Hi,
Using pfSense 2.4.5 with OpenVPN and an external Radius Server with 2FA TOTP authentication. Everything runs fine for one hour, then the connection drops due to idle timeout. However, the timeouts configured are much longer than one hour (reneg-sec 0, inactive 120000). I am also wondering why the log refers to 1194 though this is my second OpenVPN server that is configured to run on port 1195 per server config. I am thankful for any suggestions.
Kind regards
Martin Maier

system log:
Apr 6 20:10:19 openvpn 49061 user/ip:1194 [user] Inactivity timeout (--ping-exit), exiting
Apr 6 20:10:19 openvpn 49061 user/ip:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]ip:1194 [1]

client config:
dev tun
persist-tun
persist-key
cipher AES-256-GCM
ncp-disable
auth SHA1
tls-client
client
resolv-retry infinite
remote IP-ADDRESS udp4
auth-user-pass
ca pfSense-UDP4-1195-ca.crt
remote-cert-tls server
<ca>
CA
</ca>

server config:
dev ovpns2
verb 6
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
ping 10
push "ping 10"
ping-restart 60
push "ping-restart 60"
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-GCM
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local IP-ADDRESS
tls-server
server 10.9.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server2
verify-client-cert none
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user asdf== false server2 1195
lport 1195
management /var/etc/openvpn/server2.sock unix
push "route 10.1.0.0 255.255.0.0"
push "dhcp-option DNS 10.1.1.2"
push "dhcp-option DNS 10.1.1.25"
push "register-dns"
client-to-client
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.2048
ncp-disable
compress
push "compress "
persist-remote-ip
float
topology subnet
sndbuf 1048576
rcvbuf 1048576
reneg-sec 0
mute-replay-warnings
ping 3
ping-exit 7
inactive 120000
verb 1
push "explicit-exit-notify"
push "ping 3"
push "ping-exit 7"
push "inactive 120000"
-
Your problem looks like the one "reneg-sec 0" solves. Is this option in the client's config too?
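A check for the renegotiation mismatch the reply points at, written as an added example for this thread; it is not code from the original posts, from pfSense or from OpenVPN. It parses OpenVPN client and server configs, applies OpenVPN's default of 3600 seconds when reneg-sec is absent, and reports when a TLS renegotiation would re-send the user/password while the client authenticates with auth-user-pass and the server does not use auth-gen-token (an OpenVPN 2.4+ option that substitutes a session token for the password on renegotiation). The sample configs are constructed, trimmed versions of the ones posted above, with a placeholder address and certificate body.

```python
"""Added example: find the TLS-renegotiation re-prompt that breaks TOTP logins."""
import re
import shlex

DEFAULT_RENEG_SEC = 3600  # OpenVPN's default when --reneg-sec is not set


def parse_openvpn_config(text):
    """Parse OpenVPN config text into (directive, args) tuples.

    Comments (# or ;) are dropped and the body of inline blocks such as
    <ca>...</ca> is skipped, leaving a single ('ca', ['<inline>']) entry.
    """
    directives = []
    open_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if open_block is not None:           # inside <tag> ... </tag>
            if line == f"</{open_block}>":
                open_block = None
            continue
        if not line or line[0] in "#;":
            continue
        match = re.fullmatch(r"<([a-z-]+)>", line)
        if match:
            open_block = match.group(1)
            directives.append((open_block, ["<inline>"]))
            continue
        parts = shlex.split(line)            # keeps quoted push payloads intact
        directives.append((parts[0], parts[1:]))
    return directives


def effective_reneg_sec(directives):
    """reneg-sec in effect for one peer; the last occurrence wins."""
    value = DEFAULT_RENEG_SEC
    for name, args in directives:
        if name == "reneg-sec" and args:
            value = int(args[0])
    return value


def renegotiation_interval(client_text, server_text):
    """Seconds until the first TLS renegotiation, or 0 if neither side will
    ever start one. Either peer may initiate, so the shortest armed timer wins."""
    timers = [effective_reneg_sec(parse_openvpn_config(t))
              for t in (client_text, server_text)]
    armed = [t for t in timers if t > 0]
    return min(armed) if armed else 0


def otp_reauth_finding(client_text, server_text):
    """Return a finding when renegotiation would re-send a password that a
    one-time code can no longer satisfy, else None."""
    client = parse_openvpn_config(client_text)
    server = parse_openvpn_config(server_text)
    uses_password = any(name == "auth-user-pass" for name, _ in client)
    server_issues_token = any(name == "auth-gen-token" for name, _ in server)
    interval = renegotiation_interval(client_text, server_text)
    if not uses_password or interval == 0 or server_issues_token:
        return None
    return (f"TLS renegotiation after {interval}s re-sends user/password; "
            "set 'reneg-sec 0' on both peers or 'auth-gen-token' on the server")


# Constructed sample configs, trimmed from the thread; 192.0.2.1 is a placeholder.
CLIENT_CONF = """\
dev tun
client
tls-client
cipher AES-256-GCM
auth SHA1
remote 192.0.2.1 1195 udp4
auth-user-pass
remote-cert-tls server
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""
CLIENT_CONF_FIXED = CLIENT_CONF + "reneg-sec 0\n"

SERVER_CONF = """\
dev ovpns2
proto udp4
tls-server
server 10.9.0.0 255.255.255.0
verify-client-cert none
username-as-common-name
lport 1195
push "route 10.1.0.0 255.255.0.0"
push "compress "
reneg-sec 0
inactive 120000
"""

if __name__ == "__main__":
    print(otp_reauth_finding(CLIENT_CONF, SERVER_CONF))        # finding at 3600s
    print(otp_reauth_finding(CLIENT_CONF_FIXED, SERVER_CONF))  # None
```

With the posted pair the server side is at 0 but the client falls back to the 3600-second default, so the client renegotiates after exactly one hour, which matches the symptom described; adding reneg-sec 0 to the client config removes the finding.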