User 'XXX' could not authenticate every 1 hour.
-
I have a number of users who recently need to work from home via OpenVPN to the office. However, they report that every hour they have to authenticate again. I am using the FreeRADIUS package with Google Authenticator.
When I look at the OpenVPN log, almost every hour, there were:
user 'XXXX' could not authenticate.
XXXX/119.247.xxx.xxx:1194 TLS Error: local/remote TLS keys are out of sync
XXXX/119.247.xxx.xxx:1194 [XXXX] Inactivity timeout (--ping-restart), restarting
Then users have to re-authenticate again.
I could not find any setting in OpenVPN that is related to this 3600 sec interval. In the user settings in FreeRADIUS, there was a SESSION TIMEOUT parameter that I have left blank.
Where in pfSense can I get rid of this disturbing timeout?
-
@bchan said in User 'XXX' could not authenticate every 1 hour.:
TLS Error: local/remote TLS keys are out of sync
advanced configuration / custom option
"reneg-sec 36000" in server
"reneg-sec 0" in client
-
@kiokoman said in User 'XXX' could not authenticate every 1 hour.:
"reneg-sec 36000"
Thank you for your response.
When I put "reneg-sec 36000" in the custom option for OpenVPN (server), the server cannot start with this error:
Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/server2.conf:40: reneg-sec 36000 (2.4.6) ?
Furthermore, I noticed that before the "XXXX could not authenticate", there was an entry in the system log saying:
googleauth.py freeRADIUS: Google Authenticator - Authentication failed. User: XXXXX, Reason: wrong tokencode
It seems that the problem lay in freeRADIUS, as it tried to call googleauth.py with the old OTP every 3600 sec.
-
without quotes
reference
https://forum.netgate.com/topic/113174/tls-error-local-remote-tls-keys-are-out-of-sync
https://forum.pfsense.org/index.php?topic=127601.0
-
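To confirm from the log (rather than by eye) that the re-authentication gaps really are the hourly TLS renegotiation, here is an added example that is not from this thread, pfSense or OpenVPN: it parses constructed OpenVPN log lines (the ISO timestamp prefix is an assumption; pfSense's syslog format differs) and reports the gap between successive "could not authenticate" events per user. Gaps clustering at 3600 s match OpenVPN's default reneg-sec.

```python
"""Measure how often each OpenVPN user is forced to re-authenticate.

Collects the "user 'X' could not authenticate" events per user from
syslog-style lines and reports the seconds between consecutive events.
A steady gap of ~3600 s is what the default one-hour TLS key
renegotiation (reneg-sec) produces when the stale OTP is replayed.
"""
import re
from datetime import datetime

# Constructed sample log, not from the thread; timestamp format is assumed.
SAMPLE_LOG = """\
2020-03-25 09:00:02 openvpn[123]: user 'alice' could not authenticate.
2020-03-25 09:00:02 openvpn[123]: alice/203.0.113.10:1194 TLS Error: local/remote TLS keys are out of sync
2020-03-25 09:00:02 openvpn[123]: alice/203.0.113.10:1194 [alice] Inactivity timeout (--ping-restart), restarting
2020-03-25 10:00:03 openvpn[123]: user 'alice' could not authenticate.
2020-03-25 10:14:40 openvpn[123]: user 'bob' could not authenticate.
2020-03-25 11:00:01 openvpn[123]: user 'alice' could not authenticate.
2020-03-25 11:02:10 openvpn[123]: user 'bob' could not authenticate.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*user '(?P<user>[^']+)' could not authenticate"
)

def auth_failures(log_text):
    """Return {user: [datetime, ...]} for every 'could not authenticate' line."""
    events = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.setdefault(m.group("user"), []).append(ts)
    return events

def failure_intervals(log_text):
    """Return {user: [seconds between consecutive failures, ...]}."""
    return {
        user: [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        for user, times in auth_failures(log_text).items()
    }

def looks_like_reneg(intervals, period=3600, tolerance=60):
    """True when every gap is within `tolerance` seconds of `period`
    (OpenVPN's default reneg-sec), i.e. an hourly renegotiation pattern."""
    return bool(intervals) and all(abs(i - period) <= tolerance for i in intervals)

if __name__ == "__main__":
    for user, gaps in failure_intervals(SAMPLE_LOG).items():
        verdict = "hourly reneg pattern" if looks_like_reneg(gaps) else "irregular"
        print(f"{user}: gaps={gaps} -> {verdict}")
```

On the sample, alice's gaps land at 3601 s and 3598 s (the reneg pattern), while bob's single 2850 s gap does not.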
@kiokoman Oh my bad!
I am trying this out....
-
@kiokoman It works. Thanks
-
@kiokoman do you know if I need to export the client again and distribute it to my users after making this change?
-
yes, or you can manually edit every client config
-
@kiokoman thanks. I assume my users on Windows can just run the installer again and OpenVPN will update?
-
Yes, but there is no need actually; as I said, they just need to modify the configuration.
-
@kiokoman
hi
I'm having the same problem. I didn't quite get it.
I see where to configure the reneg 0 under the custom VPN settings, but where do I set the 36000?
-
@pfsenseuser2020 Edit your OpenVPN server and scroll down to the Advanced Configuration section. You add reneg-sec 36000 to the Custom Options field.