After one hour of use, OpenVPN request me again to sign in for unknow reason.

Elrick75

Hi to all,

I use OpenVPN with the lastest release of pfSense.
Client side is under Windows 10 with OpenVPN client (lastest version).

Server log :

IAug 10 14:37:54 
openvpn 
70018 
XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX [XXXXXXXXXXXX] Inactivity timeout (--ping-restart), restarting 
Aug 10 14:47:30 
openvpn 
70018 
XX.XX.XX.XX:XXXXXX peer info: IV_VER=2.4.7 
Aug 10 14:47:30 
openvpn 
70018 
XX.XX.XX.XX:XXXXXX peer info: IV_PLAT=win 
Aug 10 14:47:30 
openvpn 
70018 
XX.XX.XX.XX:XXXXXX peer info: IV_PROTO=2 
Aug 10 14:47:30 
openvpn 
70018 
XX.XX.XX.XX:XXXXXX peer info: IV_NCP=2 
Aug 10 14:47:30 
openvpn 
70018 
XX.XX.XX.XX:XXXXXX peer info: IV_LZ4=1 
Aug 10 14:47:30 
openvpn 
70018 
XX.XX.XX.XX:XXXXXX peer info: IV_LZ4v2=1 
Aug 10 14:47:30 
openvpn 
70018 
XX.XX.XX.XX:XXXXXX peer info: IV_LZO=1 
Aug 10 14:47:30 
openvpn 
70018 
XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUB=1 
Aug 10 14:47:30 
openvpn 
70018 
XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUBv2=1 
Aug 10 14:47:30 
openvpn 
70018 
XX.XX.XX.XX:XXXXXX peer info: IV_TCPNL=1 
Aug 10 14:47:30 
openvpn 
70018 
XX.XX.XX.XX:XXXXXX peer info: IV_GUI_VER=OpenVPN_GUI_11 
Aug 10 14:47:30 
openvpn 
70018 
XX.XX.XX.XX:XXXXXX [XXXXXXXXXXXX] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:XXXXXX 
Aug 10 14:47:30 
openvpn 

user 'XXXXXXXXXXXXXXX' authenticated 
Aug 10 14:47:31 
openvpn 
70018 
XXXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX MULTI_sva: pool returned IPv4=XX.XX.XX.XX, IPv6=(Not enabled) 
Aug 10 14:51:36 
openvpn 
70018 
XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_VER=2.4.7 
Aug 10 14:51:36 
openvpn 
70018 
XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_PLAT=win 
Aug 10 14:51:36 
openvpn 
70018 
XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_PROTO=2 
Aug 10 14:51:36 
openvpn 
70018 
XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_NCP=2 
Aug 10 14:51:36 
openvpn 
70018 
XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_LZ4=1 
Aug 10 14:51:36 
openvpn 
70018 
XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_LZ4v2=1 
Aug 10 14:51:36 
openvpn 
70018 
XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_LZO=1 
Aug 10 14:51:36 
openvpn 
70018 
XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUB=1 
Aug 10 14:51:36 
openvpn 
70018 
XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUBv2=1 
Aug 10 14:51:36 
openvpn 
70018 
XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_TCPNL=1 
Aug 10 14:51:36 
openvpn 
70018 
XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_GUI_VER=OpenVPN_GUI_11 
Aug 10 14:51:36 
openvpn 

user 'XXXXXXXXXXXX' authenticated

Client setup :

dev tun
persist-tun
persist-key
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
auth SHA512
tls-client
client
resolv-retry infinite
remote XXXXXXXXX XXXX udp

# added for security reason
auth-nocache
comp-lzo no
push "comp-lzo no"

verify-x509-name "XXXXXXXXXXXXXXXXX" name
auth-user-pass
pkcs12 XXXXXXXXXXXXXXXXXX.p12
tls-auth XXXXXXXXXXXXXXXXXXXXXX.key 1
remote-cert-tls server

# Log add 
mute-replay-warnings
mute 20
verb 3

Does someone know how to fix it please ?
Please advise about my openvpn config file, if there is a way to improve it.

Many thanks in advance for your help.

Pippin

@Elrick75 said in After one hour of use, OpenVPN request me again to sign in for unknow reason.:

auth-nocache

Remove that from the client config.

provels

@Pippin said in After one hour of use, OpenVPN request me again to sign in for unknow reason.:

@Elrick75 said in After one hour of use, OpenVPN request me again to sign in for unknow reason.:

auth-nocache

Remove that from the client config.

Which will also then show you this warning in red in the connection dialogue (which is probably why you added it...):

Sat Aug 10 10:17:33 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Derelict

OpenVPN renegotiates every hour by default.

Caching authorization on the client means you generally do not notice.

People tend to see problems when they employ multi-factor authentication.

Adding this to the client disables negotiation from the client side:

reneg-sec 0;

That can be added in the client exporter or usually directly on the client.

You can then control renegotiations on the server with something like:

reneg-sec 43200;

Every 12 hours.

Elrick75

Hi,

Many thanks for your explanation.
From what i understand, OpenVPN need to re-use my password every hour (default)
auth-nocache instruction on client side avoid OpenVPN to re-use my password after one hour, that's why it request my password again (else i loose my connexion).

I would be interested to use auth-nocache to avoid any hack from memory.
On the other side, i can change the renegociate time.

What do you think is the least worst solution for a good security level? what do you advise?

Pippin

Do not use --auth-nocache if you don't want to put password periodically and do not disable --reneg-sec.
If eve has access to memory you have more important things to worry about.

Derelict

As I understand it if you enable auth-nocache you will always be prompted for the password when you renegotiate. Else it will enter it for you.

Most people only hit this problem when they use multi-factor authentication because OpenVPN cannot renegotiate because it doesn't have access to the multi-factor.

I would leave it as the default (no auth-nocache) and leave the renegotiation at the default as well.