Netgate Discussion Forum

    After one hour of use, OpenVPN asks me to sign in again for an unknown reason.

    7 Posts 4 Posters 722 Views
    • Elrick75

      Hi to all,

      I use OpenVPN with the latest release of pfSense.
      Client side is under Windows 10 with the OpenVPN client (latest version).

      After one hour of use, OpenVPN asks me to sign in again for an unknown reason.

      Server log:

      Aug 10 14:37:54 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX [XXXXXXXXXXXX] Inactivity timeout (--ping-restart), restarting
      Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_VER=2.4.7
      Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_PLAT=win
      Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_PROTO=2
      Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_NCP=2
      Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_LZ4=1
      Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_LZ4v2=1
      Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_LZO=1
      Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUB=1
      Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUBv2=1
      Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_TCPNL=1
      Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX peer info: IV_GUI_VER=OpenVPN_GUI_11
      Aug 10 14:47:30 openvpn 70018 XX.XX.XX.XX:XXXXXX [XXXXXXXXXXXX] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:XXXXXX
      Aug 10 14:47:30 openvpn user 'XXXXXXXXXXXXXXX' authenticated
      Aug 10 14:47:31 openvpn 70018 XXXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX MULTI_sva: pool returned IPv4=XX.XX.XX.XX, IPv6=(Not enabled)
      Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_VER=2.4.7
      Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_PLAT=win
      Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_PROTO=2
      Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_NCP=2
      Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_LZ4=1
      Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_LZ4v2=1
      Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_LZO=1
      Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUB=1
      Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_COMP_STUBv2=1
      Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_TCPNL=1
      Aug 10 14:51:36 openvpn 70018 XXXXXXXXXXXX/XX.XX.XX.XX:XXXXXX peer info: IV_GUI_VER=OpenVPN_GUI_11
      Aug 10 14:51:36 openvpn user 'XXXXXXXXXXXX' authenticated
      

      Client setup:

      dev tun
      persist-tun
      persist-key
      cipher AES-256-GCM
      ncp-ciphers AES-256-GCM
      auth SHA512
      tls-client
      client
      resolv-retry infinite
      remote XXXXXXXXX XXXX udp
      
      # added for security reason
      auth-nocache
      comp-lzo no
      push "comp-lzo no"
      
      verify-x509-name "XXXXXXXXXXXXXXXXX" name
      auth-user-pass
      pkcs12 XXXXXXXXXXXXXXXXXX.p12
      tls-auth XXXXXXXXXXXXXXXXXXXXXX.key 1
      remote-cert-tls server
      
      # Log add 
      mute-replay-warnings
      mute 20
      verb 3
      

      Does someone know how to fix it, please?
      Please advise about my OpenVPN config file, if there is a way to improve it.

      Many thanks in advance for your help.

      • Pippin

        @Elrick75 said in After one hour of use, OpenVPN asks me to sign in again for an unknown reason.:

        auth-nocache

        Remove that from the client config.

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp

        • provels @Pippin

          @Pippin said in After one hour of use, OpenVPN asks me to sign in again for an unknown reason.:

          @Elrick75 said in After one hour of use, OpenVPN asks me to sign in again for an unknown reason.:

          auth-nocache

          Remove that from the client config.

          Which will also then show you this warning in red in the connection dialogue (which is probably why you added it...):

          Sat Aug 10 10:17:33 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
          

          Peder

          MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
          BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

          • Derelict LAYER 8 Netgate

            OpenVPN renegotiates every hour by default.

            Caching authorization on the client means you generally do not notice.

            People tend to see problems when they employ multi-factor authentication.

            Adding this to the client disables negotiation from the client side:

            reneg-sec 0;

            That can be added in the client exporter or usually directly on the client.

            You can then control renegotiations on the server with something like:

            reneg-sec 43200;

            Every 12 hours.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)
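            To make the interaction described above concrete, here is an added example (not code from the thread or from pfSense) that parses an OpenVPN client config like the one in the first post and works out the effective renegotiation interval and whether the user will be re-prompted. It assumes the OpenVPN 2.4 default of `reneg-sec 3600`, that each side re-keys on the shorter of the two timers, and that `0` disables that side's timer; `CLIENT_CONFIG` is a constructed copy of the poster's file with the masked values left as placeholders.

```python
"""Added example: model auth-nocache vs reneg-sec on an OpenVPN client."""

DEFAULT_RENEG_SEC = 3600  # OpenVPN 2.4 default (assumption stated in lead-in)

# Constructed sample: the client config from the first post, placeholders kept.
CLIENT_CONFIG = """
dev tun
persist-tun
persist-key
cipher AES-256-GCM
auth SHA512
tls-client
client
remote XXXXXXXXX XXXX udp
# added for security reason
auth-nocache
comp-lzo no
auth-user-pass
remote-cert-tls server
verb 3
"""


def parse_options(config_text):
    """Parse an OpenVPN config into {directive: [args]}, ignoring comments."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            opts[parts[0]] = parts[1:]
    return opts


def reneg_interval(client_opts, server_opts):
    """Seconds until the next timed re-key: the shorter of the two sides'
    reneg-sec timers; 0 means that side's timer is off, 0 overall = no re-key."""
    timers = []
    for opts in (client_opts, server_opts):
        val = int(opts.get("reneg-sec", [DEFAULT_RENEG_SEC])[0])
        if val > 0:
            timers.append(val)
    return min(timers) if timers else 0


def will_reprompt(client_opts, server_opts, mfa=False):
    """True if the user is asked for credentials again at the next re-key."""
    if "auth-user-pass" not in client_opts:
        return False  # certificate-only: nothing to re-enter
    if reneg_interval(client_opts, server_opts) == 0:
        return False  # no timed renegotiation on either side
    # Cached credentials are replayed silently; auth-nocache discards them
    # and a one-time MFA code cannot be replayed at all.
    return "auth-nocache" in client_opts or mfa
```

With the poster's config and a default server, `will_reprompt` is true after 3600 s; dropping `auth-nocache` makes it false, and `reneg-sec 0` on the client with `reneg-sec 43200` on the server moves the re-key to every 12 hours.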

            • Elrick75

              Hi,

              Many thanks for your explanation.
              From what I understand, OpenVPN needs to re-use my password every hour (default).
              The auth-nocache instruction on the client side prevents OpenVPN from re-using my password after one hour, that's why it requests my password again (else I lose my connection).

              I would be interested in using auth-nocache to avoid any hack from memory.
              On the other side, I can change the renegotiation time.

              What do you think is the least worst solution for a good security level? What do you advise?

              • Pippin

                Do not use --auth-nocache if you don't want to enter your password periodically, and do not disable --reneg-sec.
                If Eve has access to memory you have more important things to worry about.


                • Derelict LAYER 8 Netgate

                  As I understand it if you enable auth-nocache you will always be prompted for the password when you renegotiate. Else it will enter it for you.

                  Most people only hit this problem when they use multi-factor authentication because OpenVPN cannot renegotiate because it doesn't have access to the multi-factor.

                  I would leave it as the default (no auth-nocache) and leave the renegotiation at the default as well.


                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.