After one hour of use, OpenVPN asks me to sign in again for an unknown reason.



  • Hi all,

    I use OpenVPN with the latest release of pfSense.
    The client side is Windows 10 with the OpenVPN client (latest version).

    After one hour of use, OpenVPN asks me to sign in again for an unknown reason.

    Server log:

    Aug 10 14:37:54 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX [XXXXXXXXXXXX] Inactivity timeout (--ping-restart), restarting
    Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_VER=2.4.7
    Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_PLAT=win
    Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_PROTO=2
    Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_NCP=2
    Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_LZ4=1
    Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_LZ4v2=1
    Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_LZO=1
    Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUB=1
    Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUBv2=1
    Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_TCPNL=1
    Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_GUI_VER=OpenVPN_GUI_11
    Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX [XXXXXXXXXXXX] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:XXXXXX
    Aug 10 14:47:30 openvpn user 'XXXXXXXXXXXXXXX' authenticated
    Aug 10 14:47:31 openvpn 70018 XXXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX MULTI_sva: pool returned IPv4=XX.XX.XX.XX, IPv6=(Not enabled)
    Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_VER=2.4.7
    Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_PLAT=win
    Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_PROTO=2
    Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_NCP=2
    Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_LZ4=1
    Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_LZ4v2=1
    Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_LZO=1
    Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUB=1
    Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUBv2=1
    Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_TCPNL=1
    Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_GUI_VER=OpenVPN_GUI_11
    Aug 10 14:51:36 openvpn user 'XXXXXXXXXXXX' authenticated


    Client setup:

    dev tun
    persist-tun
    persist-key
    cipher AES-256-GCM
    ncp-ciphers AES-256-GCM
    auth SHA512
    tls-client
    client
    resolv-retry infinite
    remote XXXXXXXXX XXXX udp

    # added for security reasons
    # auth-nocache: do not keep the auth-user-pass credentials in memory after use
    auth-nocache
    comp-lzo no
    # note: push is a server-mode directive and does not belong in a client config
    push "comp-lzo no"

    verify-x509-name "XXXXXXXXXXXXXXXXX" name
    auth-user-pass
    pkcs12 XXXXXXXXXXXXXXXXXX.p12
    # tls-auth key direction 1 on the client (0 on the server)
    tls-auth XXXXXXXXXXXXXXXXXXXXXX.key 1
    remote-cert-tls server

    # logging
    mute-replay-warnings
    mute 20
    verb 3


    Does someone know how to fix it, please?
    Please also advise on my OpenVPN config file, if there is a way to improve it.

    Many thanks in advance for your help.
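To see what the server log above actually records, here is a small parser, added as an example and not part of the original post or of pfSense. It reads pfSense-style OpenVPN server log lines (one event per line, as in the log above) and, for every `user '...' authenticated` event, reports how long it has been since that user's previous authentication and what led to it. It assumes the usual OpenVPN server log convention that a session prefix of the form `CN/IP:port` only appears once the session's certificate has been verified, so `peer info` lines carrying such a prefix belong to an already established session (a renegotiation), while lines with a bare `IP:port` prefix belong to a fresh connection. The sample log is constructed, modelled on the one above, with placeholder addresses, CN and user name.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the pfSense log in the post.
# 203.0.113.7, "client1", "alice" and 10.8.0.6 are placeholders, not real data.
SAMPLE_LOG = """\
Aug 10 13:47:02 openvpn 70018 203.0.113.7:51234 [client1] Peer Connection Initiated with [AF_INET]203.0.113.7:51234
Aug 10 13:47:02 openvpn 70018 user 'alice' authenticated
Aug 10 14:37:54 openvpn 70018 client1/203.0.113.7:51234 [client1] Inactivity timeout (--ping-restart), restarting
Aug 10 14:47:30 openvpn 70018 203.0.113.7:51240 peer info: IV_VER=2.4.7
Aug 10 14:47:30 openvpn 70018 203.0.113.7:51240 peer info: IV_PLAT=win
Aug 10 14:47:30 openvpn 70018 203.0.113.7:51240 [client1] Peer Connection Initiated with [AF_INET]203.0.113.7:51240
Aug 10 14:47:30 openvpn user 'alice' authenticated
Aug 10 14:47:31 openvpn 70018 client1/203.0.113.7:51240 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Aug 10 15:47:31 openvpn 70018 client1/203.0.113.7:51240 peer info: IV_VER=2.4.7
Aug 10 15:47:31 openvpn 70018 client1/203.0.113.7:51240 peer info: IV_PLAT=win
Aug 10 15:47:31 openvpn user 'alice' authenticated
"""

# "Mon DD HH:MM:SS openvpn [pid] message"; the pid is missing on some lines in the post.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) openvpn(?: \d+)? (?P<msg>.*)$")
AUTH_RE = re.compile(r"^user '(?P<user>[^']*)' authenticated$")
PEER_RE = re.compile(r"^(?P<prefix>\S+) peer info: ")
PING_RE = re.compile(r"Inactivity timeout \(--ping-restart\)")

DEFAULT_RENEG_SEC = 3600  # OpenVPN default --reneg-sec


def parse_ts(ts, year=2019):
    """syslog timestamps carry no year; the post is from August 2019 (assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyse(log_text):
    """One record per 'authenticated' line: user, time, seconds since that user's
    previous authentication, and how the authentication came about."""
    events = []
    last_auth = {}
    ping_restart_seen = False   # an inactivity timeout since the last auth
    last_peer_prefix = None     # prefix of the most recent 'peer info' block
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if PING_RE.search(msg):
            ping_restart_seen = True
            continue
        p = PEER_RE.match(msg)
        if p:
            last_peer_prefix = p["prefix"]
            continue
        a = AUTH_RE.match(msg)
        if not a:
            continue
        user = a["user"]
        gap = (ts - last_auth[user]).total_seconds() if user in last_auth else None
        if last_peer_prefix and "/" in last_peer_prefix:
            kind = "renegotiation"              # session already had a verified CN
        elif ping_restart_seen:
            kind = "reconnect-after-ping-restart"
        else:
            kind = "new-connection"
        events.append({"user": user, "time": ts, "gap_s": gap, "kind": kind})
        last_auth[user] = ts
        ping_restart_seen = False
        last_peer_prefix = None
    return events


def hourly_renegotiations(events, period=DEFAULT_RENEG_SEC, tolerance=120):
    """Count renegotiations that landed within `tolerance` seconds of `period`,
    i.e. the pattern a default reneg-sec timer produces."""
    return sum(
        1 for e in events
        if e["kind"] == "renegotiation" and e["gap_s"] is not None
        and abs(e["gap_s"] - period) <= tolerance
    )


if __name__ == "__main__":
    evs = analyse(SAMPLE_LOG)
    for e in evs:
        print(f"{e['time']:%H:%M:%S} {e['user']:<8} {e['kind']:<30} gap={e['gap_s']}")
    print("renegotiations at the default interval:", hourly_renegotiations(evs))
```

Run against the constructed sample, the second authentication is classified as a reconnect following the inactivity timeout and the third as a renegotiation of the existing session roughly one hour after the previous authentication. On a real pfSense box, feed it the OpenVPN log from Status > System Logs and check whether the prompts line up with the reneg-sec interval or with ping-restart events, which are two different problems.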



  • @Elrick75 said in After one hour of use, OpenVPN asks me to sign in again for an unknown reason.:

    auth-nocache

    Remove that from the client config.



  • @Pippin said in After one hour of use, OpenVPN asks me to sign in again for an unknown reason.:

    @Elrick75 said in After one hour of use, OpenVPN asks me to sign in again for an unknown reason.:

    auth-nocache

    Remove that from the client config.

    Which will also then show you this warning in red in the connection dialogue (which is probably why you added it...):

    Sat Aug 10 10:17:33 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    

  • LAYER 8 Netgate

    OpenVPN renegotiates every hour by default.

    Caching authorization on the client means you generally do not notice.

    People tend to see problems when they employ multi-factor authentication.

    Adding this to the client disables renegotiation from the client side:

    reneg-sec 0

    That can be added in the client exporter or usually directly on the client.

    You can then control renegotiations on the server with something like:

    reneg-sec 43200

    Every 12 hours.
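The interplay described in this reply (client-side `reneg-sec 0`, server-side `reneg-sec 43200`, and what `auth-nocache` does at each renegotiation) is easy to get wrong by hand, so here is a small config check, added as an example and not code from the thread, from pfSense or from OpenVPN itself. It parses an OpenVPN client config, works out the effective renegotiation interval given the server's `reneg-sec` (renegotiation fires when either side's timer expires, and 0 disables that side's timer only), and flags the combinations that will re-prompt the user. The two config fragments are constructed; the hostname and the `lint_client` / `effective_reneg_interval` names are mine.

```python
import re

DEFAULT_RENEG_SEC = 3600  # OpenVPN's default --reneg-sec, on both client and server

# Constructed client config fragments (hostname is a placeholder).
CLIENT_AS_POSTED = """\
client
dev tun
remote vpn.example.invalid 1194 udp
auth-user-pass
auth-nocache
push "comp-lzo no"
"""

CLIENT_FIXED = """\
client
dev tun
remote vpn.example.invalid 1194 udp
auth-user-pass
auth-nocache
reneg-sec 0
"""


def parse_directives(text):
    """Map directive name -> list of argument lists, skipping blank and comment lines
    ('#' and ';' comments, as OpenVPN accepts)."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        out.setdefault(name, []).append(args)
    return out


def reneg_sec(directives, default=DEFAULT_RENEG_SEC):
    """Effective reneg-sec for one side; the last occurrence wins. Only the leading
    digits are used, so a stray trailing ';' does not break the check."""
    vals = directives.get("reneg-sec")
    if not vals or not vals[-1]:
        return default
    m = re.match(r"\d+", vals[-1][0])
    return int(m.group()) if m else default


def effective_reneg_interval(client_sec, server_sec):
    """Renegotiation happens when either side's timer fires; 0 disables that side."""
    active = [s for s in (client_sec, server_sec) if s > 0]
    return min(active) if active else 0


def lint_client(text, server_reneg_sec=DEFAULT_RENEG_SEC):
    d = parse_directives(text)
    findings = []
    if "push" in d:
        findings.append("push is a server-mode directive and does not belong in a client config")
    client_sec = reneg_sec(d)
    interval = effective_reneg_interval(client_sec, server_reneg_sec)
    if "auth-user-pass" in d and "auth-nocache" in d and interval > 0:
        findings.append(
            f"auth-nocache discards the cached credentials, so with renegotiation "
            f"every {interval} s the user will be re-prompted (or MFA will fail)"
        )
    if client_sec == 0 and server_reneg_sec == 0:
        findings.append("renegotiation disabled on both sides: session keys never rotate")
    return {"client_reneg_sec": client_sec, "effective_interval": interval, "findings": findings}


if __name__ == "__main__":
    for label, cfg, srv in (
        ("as posted, server default", CLIENT_AS_POSTED, DEFAULT_RENEG_SEC),
        ("reneg-sec 0 on client, 43200 on server", CLIENT_FIXED, 43200),
    ):
        r = lint_client(cfg, server_reneg_sec=srv)
        print(f"{label}: renegotiation every {r['effective_interval']} s")
        for f in r["findings"]:
            print("  -", f)
```

The check makes the trade-off explicit: with `reneg-sec 0` on the client and `reneg-sec 43200` on the server, the prompt does not go away, it moves to every 12 hours, because `auth-nocache` still throws the password away after each use. Removing `auth-nocache` removes the prompt at the cost of keeping the credentials in the client's memory for the life of the session; disabling renegotiation on both sides removes it at the cost of never rotating the data-channel keys.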



  • Hi,

    Many thanks for your explanation.
    From what I understand, OpenVPN needs to re-use my password every hour (by default).
    The auth-nocache instruction on the client side prevents OpenVPN from re-using my password after one hour, which is why it asks for my password again (otherwise I lose my connection).

    I would be interested in using auth-nocache to avoid any attack from memory.
    On the other hand, I can change the renegotiation time.

    What do you think is the least bad solution for a good security level? What do you advise?



  • Do not use --auth-nocache if you don't want to enter the password periodically, and do not disable --reneg-sec.
    If Eve has access to memory, you have more important things to worry about.


  • LAYER 8 Netgate

    As I understand it, if you enable auth-nocache you will always be prompted for the password when you renegotiate. Otherwise it will enter it for you.

    Most people only hit this problem when they use multi-factor authentication, because OpenVPN cannot renegotiate: it doesn't have access to the multi-factor token.

    I would leave it at the default (no auth-nocache) and leave the renegotiation at the default as well.

