OpenVPN Connect Connection Issues
We are currently using OpenVPN on pfSense. OpenVPN is using LDAP authentication, but the LDAP is using Duo to verify authentication for 2FA.
The 2 issues we are having are:
- If you reach a timeout state “inactive 300 3000000”, you basically need to pass 3MB every 5 minutes. If you walk away from your computer for 10 minutes, it will disconnect you. But it will automatically reconnect you, and it will try to reconnect many times, and it will lock the Duo account. I have to sign on to the Duo MFA website 20 times a day to activate people.
All we wanted OpenVPN Connect to do is not reconnect if they were disconnected. Make it a manual reconnection.
However, we found some client configuration commands that we used on the older OpenVPN client that do what we want, but if we use those same commands on the OpenVPN Connect client then it doesn’t work and forces a reconnect to occur. This tells me there are some differences between OpenVPN and OpenVPN Access Server.
Client configuration commands that do what we want on OpenVPN Client but not on OpenVPN Connect:
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 20.141.103.111 1194 udp4
nobind
auth-user-pass
ca pfSense-UDP4-1194-ca.crt
tls-auth pfSense-UDP4-1194-tls.key 1
remote-cert-tls server
explicit-exit-notify
reneg-sec 0
auth-retry none
auth-nocache
connect-retry-max 0
inactive 300 3000000
Does anyone know how to get this functionality to work on OpenVPN Connect?
- The 2nd bug I am trying to fix, and in fact am about to do a test on, is that every hour after connection it will drop the connection to reauthenticate or something like that. I am not exactly sure what Duo and pfSense (Netgate) are saying about what is happening, but I am assuming it's re-authorizing. I found the following command: “reneg-sec 0”. Apparently this is supposed to help resolve that issue, and apparently I need to have that command on the server. I did test this on the older OpenVPN client, but have yet to try it on OpenVPN Connect. Does this work on OpenVPN client as well?