Network Disconnection in Client Machine after 1 hour
-
Hi,
I'm using pfSense 2.3.1 with OpenVPN and MOTP. Our client machines have to reauthenticate every hour. The problem we face is that the laptop or desktop is totally disconnected from the local network once it is disconnected for authentication. If I exit the OpenVPN client, it starts working again. Any suggestions are appreciated.
Thanks & Regards
Muralidharan Sukumaran -
I am experiencing the same issue. I am using two-factor authentication on the back-end, so it is forcing me to authenticate every hour. I have looked up how to resolve this with OpenVPN and have tried adding "reneg-sec 0;" in the custom options of the web UI, but the setting does not seem to be honored even after restarting OpenVPN. I am running pfSense 2.4.2-R1 (latest). Hopefully someone can point me in the right direction here to either set it to never or extend it. I have tried both, and neither seems to be honored when set through the UI or even by editing the config on the file system.
-
Hi,
I sorted out this issue. It may be helpful for you.
Reason.
The firewall had settings such that it re-authenticates every 60 minutes. Also, the client-side settings were configured so that all traffic is sent through the firewall. After 60 minutes the firewall closes the connection from the client if we have not given the dual-factor authentication code, so the internet is automatically disconnected.
Solution.
I made changes (please check attachment) so that only the required clients use the tunnel network; other traffic goes directly. So the issue has been resolved. If any user requires the old settings, it can be achieved through the client config file.
Thanks & Regards
Muralidharan Sukumaran
-
@muralidharanks
I cannot see your attachment. Would it be possible for you to relay your solution in text? Thank you,
Sajan Sahu -
You must set
reneg-sec 0;
in the clients to disable them from initiating a renegotiation. Then you can set something like
reneg-sec 43200
in the server to set a 12-hour interval (or whatever works for you). The reneg-sec setting cannot, unfortunately, be pushed from the server to the client.
You can set
reneg-sec 0;
as a permanent option in the client exporter. -
There have been updates to this strategy. Since this was posted, OpenVPN has introduced the
--auth-gen-token
option. All that is necessary is to add
auth-gen-token;
to the server's custom options. No client reconfiguration is necessary. Here is the section from the OpenVPN documentation:
--auth-gen-token [lifetime]
After successful user/password authentication, the OpenVPN server will with this option generate a temporary authentication token and push that to the client. On the following renegotiations, the OpenVPN client will pass this token instead of the user's password. On the server side the server will do the token authentication internally and it will NOT do any additional authentications against configured external user/password authentication mechanisms. The lifetime argument defines how long the generated token is valid. The lifetime is defined in seconds. If lifetime is not set or it is set to 0, the token will never expire.
This feature is useful for environments which are configured to use One Time Passwords (OTP) as part of the user/password authentication and where that authentication mechanism does not implement any auth-token support.
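The two approaches from the replies above (client-side reneg-sec 0 plus a long server interval, and auth-gen-token on the server), combined into one server/client configuration pair as an added example that is not from any poster in this thread; the LAN network, token lifetime and the 12-hour interval are assumed values, and the split-tunnel route reflects the "only required traffic uses the tunnel" fix described earlier.

```conf
# ---- server side (pfSense: VPN > OpenVPN > Servers > Custom options) ----
# Added example, not from the thread. Network and lifetime values are assumed.

# Renegotiate the data channel every 12 hours (OpenVPN's default is 3600 s,
# which is the hourly re-authentication the original poster hit).
reneg-sec 43200

# OpenVPN 2.4+: after a successful user/password (OTP) login the server pushes a
# temporary token; later renegotiations present the token, so the external OTP
# backend is NOT asked again. Lifetime is in seconds; 0 or omitted = never expires.
# 43200 (12 h) is an assumed value matching the reneg-sec interval above.
auth-gen-token 43200

# Split tunnel: push only the LAN behind the firewall (assumed 192.168.1.0/24).
# Do NOT push "redirect-gateway def1" unless every packet must traverse the
# firewall; with full redirection, a client whose renegotiation fails loses all
# connectivity until the OpenVPN client is exited, the symptom reported above.
push "route 192.168.1.0 255.255.255.0"

# ---- client side (.ovpn; pfSense Client Export "Additional configuration options") ----
# Do not let the client start renegotiations itself, so the server's reneg-sec
# interval alone decides when re-authentication happens. This directive is not
# pushable from the server, so it must be present in each exported client profile.
reneg-sec 0
```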