OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: dym8 on June 23, 2021, 12:52:00 PM

Title: OpenVPN timeout session
Post by: dym8 on June 23, 2021, 12:52:00 PM
Hello.

I have an OpenVPN server with users imported from AD, AD authentication and OTP. But every hour the user session is broken. The log says:

openvpn[39817] user/8.22.8.11:59250 SIGUSR1[soft,ping-restart] received, client-instance restarting
openvpn[39817] user/8.22.8.11:59250 [UNDEF] Inactivity timeout (--ping-restart), restarting
openvpn[39817] user/8.22.8.11:59250 TLS Error: TLS handshake failed
openvpn[39817] user/8.22.8.11:59250 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
openvpn[39817] MANAGEMENT: Client disconnected
openvpn[39817] MANAGEMENT: CMD 'quit'
openvpn[39817] MANAGEMENT: CMD 'status 2'
openvpn[39817] MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
openvpn[39817] user/8.22.8.11:59250 TLS Error: TLS handshake failed
openvpn[39817] user/8.22.8.11:59250 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

I did the following:
- set Renegotiate time to 0
- inserted keepalive 10 120 into the Advanced field

But there was no effect on the user session. Every hour the session drops anyway.

User connect log:

openvpn[39817] MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
openvpn[39817] user/8.22.8.11:59250 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[39817] user/8.22.8.11:59250 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[39817] user/8.22.8.11:59250 Data Channel: using negotiated cipher 'AES-256-GCM'
openvpn[39817] user/8.22.8.11:59250 SENT CONTROL [user]: 'PUSH_REPLY,route 172.16.0.0 255.255.252.0,dhcp-option DOMAIN sex.com,dhcp-option DNS 172.16.1.1,dhcp-option DNS 172.16.1.1,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.6 10.0.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
openvpn[39817] user/8.22.8.11:59250 PUSH: Received control message: 'PUSH_REQUEST'
openvpn[39817] user/8.22.8.11:59250 MULTI: primary virtual IP for user/8.22.8.11:59250: 10.0.0.6
openvpn[39817] user/8.22.8.11:59250 MULTI: Learn: 10.0.0.6 -> user/8.22.8.11:59250
openvpn[39817] user/8.22.8.11:59250 MULTI_sva: pool returned IPv4=10.0.0.6, IPv6=(Not enabled)
openvpn[39817] 8.22.8.11:59250 [user] Peer Connection Initiated with [AF_INET]8.22.8.11:59250
openvpn[39817] 8.22.8.11:59250 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
openvpn[39817] 8.22.8.11:59250 TLS: Username/Password authentication succeeded for username 'user' [CN SET]
openvpn[72783] user 'user' authenticated using 'AD2FA'
openvpn[39817] 8.22.8.11:59250 peer info: IV_GUI_VER=OpenVPN_GUI_11
openvpn[39817] 8.22.8.11:59250 peer info: IV_TCPNL=1
openvpn[39817] 8.22.8.11:59250 peer info: IV_COMP_STUBv2=1
openvpn[39817] 8.22.8.11:59250 peer info: IV_COMP_STUB=1
openvpn[39817] 8.22.8.11:59250 peer info: IV_LZO=1
openvpn[39817] 8.22.8.11:59250 peer info: IV_LZ4v2=1
openvpn[39817] 8.22.8.11:59250 peer info: IV_LZ4=1
openvpn[39817] 8.22.8.11:59250 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-128-CBC
openvpn[39817] 8.22.8.11:59250 peer info: IV_NCP=2
openvpn[39817] 8.22.8.11:59250 peer info: IV_PROTO=6
openvpn[39817] 8.22.8.11:59250 peer info: IV_PLAT=win
openvpn[39817] 8.22.8.11:59250 peer info: IV_VER=2.5.2
openvpn[39817] 8.22.8.11:59250 TLS: Initial packet from [AF_INET]8.22.8.11:59250, sid=8cd968f4 aa698363
Title: Re: OpenVPN timeout session
Post by: Sheldon on June 23, 2021, 02:39:43 PM
I assume OPNSense is providing the OpenVPN server, and the logs you posted are from this server side. Did you take a look into the client's log?

Is there an option to increase the log level? That might provide additional information about what causes the handshake to fail.

Did you set the renegotiation time to 0 only on the server side? I assume you would need to configure this on both sides (client and server); otherwise, if the client has a renegotiation time of 60 minutes configured, the client will trigger a renegotiation after 60 minutes, even if the server has this disabled.
Title: Re: OpenVPN timeout session [SOLVED]
Post by: dym8 on June 24, 2021, 08:03:17 AM
Yeah, you were right. I added this line to the .ovpn file and it fixed the problem:
reneg-sec 0
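The point Sheldon makes above is that `reneg-sec` is a per-peer setting: either end can initiate the TLS renegotiation, so the effective period is the smaller of the two values, and a server-side 0 does nothing while the client keeps the 3600 s default. With username/password plus OTP, every renegotiation re-runs authentication, and a stale one-time code is exactly the "TLS key negotiation failed" seen in the first post. The script below is an added example, not code from the thread or from OPNsense/OpenVPN: it parses both configs in OpenVPN's flat `option args` format, computes the effective interval, and flags the OTP re-prompt case. The 3600 s default and the `auth-gen-token` server option (which lets the client renegotiate with a server-issued token instead of re-sending credentials) are taken from the OpenVPN manual; the sample configs and the OPNsense `Renegotiate time` to `reneg-sec` mapping are assumptions for illustration.

```python
"""Effective OpenVPN renegotiation interval for a server/client config pair.

Example code added to this thread, not OpenVPN's or OPNsense's own.
Assumes plain `option [args]` config syntax; inline <ca>...</ca> style
blocks are skipped. Default reneg-sec of 3600 s is per the OpenVPN manual.
"""
import re

DEFAULT_RENEG_SEC = 3600  # OpenVPN default when reneg-sec is not set


def parse_options(config_text):
    """Return {option: [args]} for each option line; a repeated option keeps the last value."""
    opts = {}
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        # Inline blocks (<ca>, <cert>, <tls-auth>, ...) carry PEM data, not options.
        if line.startswith('</'):
            in_block = False
            continue
        if line.startswith('<'):
            in_block = True
            continue
        if in_block:
            continue
        line = re.split(r'[#;]', line, maxsplit=1)[0].strip()  # '#' and ';' start comments
        if not line:
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def reneg_sec(opts):
    """Renegotiation period configured on one side (first argument of reneg-sec, or the default)."""
    args = opts.get('reneg-sec')
    if args is None:
        return DEFAULT_RENEG_SEC
    return int(args[0])


def effective_reneg_interval(server_opts, client_opts):
    """Either peer may start a renegotiation, so the shortest non-zero period wins.
    Returns 0 only when both sides have disabled it."""
    values = [v for v in (reneg_sec(server_opts), reneg_sec(client_opts)) if v > 0]
    return min(values) if values else 0


def assess(server_conf, client_conf):
    """Return (effective_interval_seconds, [findings]) for a config pair."""
    server, client = parse_options(server_conf), parse_options(client_conf)
    interval = effective_reneg_interval(server, client)
    findings = []
    if interval == 0:
        findings.append("renegotiation disabled on both sides: no periodic re-auth, "
                        "but the data-channel key is never rotated for the life of the session")
    else:
        findings.append(f"data channel renegotiates every {interval} s")
        if 'auth-user-pass' in client and 'auth-gen-token' not in server:
            findings.append("client uses auth-user-pass and server lacks auth-gen-token: "
                            "each renegotiation re-sends credentials, which fails with a stale OTP")
    return interval, findings


# Constructed sample configs mirroring the thread (not the poster's real files).
SERVER_CONF = """
# OPNsense 'Renegotiate time = 0' renders as:
reneg-sec 0
keepalive 10 120
auth-user-pass-verify /usr/local/opnsense/scripts/openvpn/ovpn_event.py via-env
"""
CLIENT_BEFORE = """
client
dev tun
auth-user-pass
"""
CLIENT_AFTER = CLIENT_BEFORE + "reneg-sec 0\n"
SERVER_WITH_TOKEN = "auth-gen-token 43200\nkeepalive 10 120\n"

if __name__ == '__main__':
    for label, s, c in (("before fix", SERVER_CONF, CLIENT_BEFORE),
                        ("after fix", SERVER_CONF, CLIENT_AFTER),
                        ("token-based alternative", SERVER_WITH_TOKEN, CLIENT_BEFORE)):
        interval, notes = assess(s, c)
        print(f"{label}: effective reneg interval = {interval} s")
        for n in notes:
            print("  -", n)
```

Run it as-is to see the three cases: the thread's original state (server 0, client default) still renegotiates hourly and re-prompts; adding `reneg-sec 0` to the .ovpn removes the hourly break at the cost of never rekeying the data channel; a server with `auth-gen-token` keeps hourly rekeying without the OTP re-prompt.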