User 'XXX' could not authenticate every 1 hour.

bchan

I have a number of users that recently need to work from home via OpenVPN to the office. However, they report that every one hour they have to authenticate again. I am using FreeRadius package with Google Authenticator.

When I look at the OpenVPN log, almost every hour, there were:
user 'XXXX' could not authenticate.
XXXX/119.247.xxx.xxx:1194 TLS Error: local/remote TLS keys are out of sync
XXXX/119.247.xxx.xxx:1194 [XXXX] Inactivity timeout (--ping-restart), restarting

Then users have to re-authenticate again.

I could not find any setting in OpenVPN that are related to this 3600 sec interval. In the user setting in FreeRadius, there was a SESSION TIMEOUT parameter that I have left blank.

Where in pfSense can I get rid of this disturbing timeout?

kiokoman

@bchan said in User 'XXX' could not authenticate every 1 hour.:

TLS Error: local/remote TLS keys are out of sync

advanced configuration / custom option
"reneg-sec 36000" in server
"reneg-sec 0" in client

bchan

@kiokoman said in User 'XXX' could not authenticate every 1 hour.:

"reneg-sec 36000"

Thank you for your response.

When I put "reneg-sec 36000" in the custom option for OpenVPN (server), the server cannot start with this error:

Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/server2.conf:40: reneg-sec 36000 (2.4.6) ?

Furthermore, I noticed that before the "XXXX could not authenticate", there was an entry in the system log saying:
googleauth.py freeRADIUS: Google Authenticator - Authentication failed. User: XXXXX, Reason: wrong tokencode

It seems that the problem laid in the freeRADIUS as it tried to call the googleauth.py with old OTP every 3600 sec.

kiokoman

without quotes

reference
https://forum.netgate.com/topic/113174/tls-error-local-remote-tls-keys-are-out-of-sync
https://forum.pfsense.org/index.php?topic=127601.0

bchan

@kiokoman Oh my bad!
I am trying this out....

bchan

@kiokoman It works. Thanks

callen

@kiokoman do you know if I need to export the client again and distribute it to my users after making this change?

kiokoman

yes, or you can manually edit every client config

callen

@kiokoman thanks. I assume my users on Windows can just run the installer again and OpenVPN will update?

kiokoman

yes, but there is no need actually as i said they just need to modify the configuration

pfsenseuser2020

@kiokoman
hi
i'm having the same problem. i didn't quite get it
i see where to config the reneg 0 unser the custom vpn settings, but where to set the 36000?

callen

@pfsenseuser2020 Edit your OpenVPN server and scroll down to the Advanced Configuration section. You add reneg-sec 36000 to the Custom Options field.