Netgate Discussion Forum

    User 'XXX' could not authenticate every 1 hour.

      bchan

      I have a number of users that recently need to work from home via OpenVPN to the office. However, they report that every hour they have to authenticate again. I am using the FreeRadius package with Google Authenticator.

      When I look at the OpenVPN log, almost every hour, there were:
      user 'XXXX' could not authenticate.
      XXXX/119.247.xxx.xxx:1194 TLS Error: local/remote TLS keys are out of sync
      XXXX/119.247.xxx.xxx:1194 [XXXX] Inactivity timeout (--ping-restart), restarting

      Then users have to re-authenticate again.

      I could not find any setting in OpenVPN that is related to this 3600 sec interval. In the user setting in FreeRadius, there was a SESSION TIMEOUT parameter that I have left blank.

      Where in pfSense can I get rid of this disturbing timeout?

        kiokoman

        @bchan said in User 'XXX' could not authenticate every 1 hour.:

        TLS Error: local/remote TLS keys are out of sync

        advanced configuration / custom option
        "reneg-sec 36000" in server
        "reneg-sec 0" in client

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

          bchan

          @kiokoman said in User 'XXX' could not authenticate every 1 hour.:

          "reneg-sec 36000"

          Thank you for your response.

          When I put "reneg-sec 36000" in the custom option for OpenVPN (server), the server cannot start with this error:

          Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/server2.conf:40: reneg-sec 36000 (2.4.6) ?

          Furthermore, I noticed that before the "XXXX could not authenticate", there was an entry in the system log saying:
          googleauth.py freeRADIUS: Google Authenticator - Authentication failed. User: XXXXX, Reason: wrong tokencode

          It seems that the problem lay in freeRADIUS, as it tried to call googleauth.py with an old OTP every 3600 sec.

            kiokoman

            without quotes
            reference
            https://forum.netgate.com/topic/113174/tls-error-local-remote-tls-keys-are-out-of-sync
            https://forum.pfsense.org/index.php?topic=127601.0

              bchan @kiokoman

              @kiokoman Oh my bad!
              I am trying this out....

                bchan @kiokoman

                @kiokoman It works. Thanks

                  callen

                  @kiokoman do you know if I need to export the client again and distribute it to my users after making this change?

                    kiokoman

                    yes, or you can manually edit every client config

                      callen

                      @kiokoman thanks. I assume my users on Windows can just run the installer again and OpenVPN will update?

                        kiokoman

                        Yes, but there is no need, actually; as I said, they just need to modify the configuration.

                          pfsenseuser2020 @kiokoman

                          @kiokoman
                          Hi,
                          I'm having the same problem. I didn't quite get it.
                          I see where to configure the reneg 0 under the custom VPN settings, but where do I set the 36000?

                            callen @pfsenseuser2020

                            @pfsenseuser2020 Edit your OpenVPN server and scroll down to the Advanced Configuration section. You add reneg-sec 36000 to the Custom Options field.

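
Added example (not from any poster in this thread, and not pfSense or OpenVPN code): a small Python check of the reneg-sec fix discussed above. It relies on OpenVPN's documented behaviour that an unset reneg-sec defaults to 3600 and that the side with the lower non-zero value triggers the renegotiation; the config snippets and function names are constructed for illustration.

```python
import re

DEFAULT_RENEG_SEC = 3600  # OpenVPN's default when reneg-sec is absent

def _directives(config_text):
    """Yield config lines with '#' / ';' comments and blank lines removed."""
    for raw in config_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            yield line

def reneg_sec(config_text):
    """reneg-sec set in one config, else the default (this sketch takes the last occurrence)."""
    value = DEFAULT_RENEG_SEC
    for line in _directives(config_text):
        # Optional second number is the "min" value accepted by newer OpenVPN releases.
        m = re.fullmatch(r"reneg-sec\s+(\d+)(?:\s+\d+)?", line)
        if m:
            value = int(m.group(1))
    return value

def quoted_directives(config_text):
    """Lines with the option wrapped in quotes, the form behind the 'Unrecognized option' error in this thread."""
    pattern = r"""["']reneg-sec\b.*["']"""
    return [line for line in _directives(config_text) if re.fullmatch(pattern, line)]

def effective_interval(server_cfg, client_cfg):
    """Seconds between renegotiations: the lower non-zero timer fires first; 0 means disabled."""
    timers = [t for t in (reneg_sec(server_cfg), reneg_sec(client_cfg)) if t > 0]
    return min(timers) if timers else 0

# Constructed sample configs (not taken from the posters' systems)
SERVER_BEFORE = "dev ovpns2\nproto udp4\n"
SERVER_QUOTED = SERVER_BEFORE + '"reneg-sec 36000"\n'
SERVER_FIXED = SERVER_BEFORE + "reneg-sec 36000\n"
CLIENT_BEFORE = "client\nauth-user-pass\n"
CLIENT_FIXED = CLIENT_BEFORE + "reneg-sec 0\n"

if __name__ == "__main__":
    print("quoted lines:", quoted_directives(SERVER_QUOTED))
    print("before fix:", effective_interval(SERVER_BEFORE, CLIENT_BEFORE))
    print("server only:", effective_interval(SERVER_FIXED, CLIENT_BEFORE))
    print("server + client:", effective_interval(SERVER_FIXED, CLIENT_FIXED))
```

With only the server changed, the client's default 3600-second timer still fires first, which is why the client configuration has to be re-exported or edited as well. A longer interval also means the data-channel keys are rotated less often.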