Hi,
Following the "Setup SSL VPN Road Warrior" tutorial, I created a VPN server and user, which authenticates using SSL/TLS+User Auth and TOTP. However, every time after an hour the connection would drop with the log message:
"Inactivity timeout (--ping-restart), restarting"
The VPN client tries to reconnect, but is unsuccessful because the password (password+googlauth code) no longer matches what was entered when the connection was initially created. I've tried setting the renegotiation time to 0, but that did not make a difference. Using password-only authentication makes it reconnect just fine.
Then I found in the official OpenVPN documentation the option "auth-gen-token <time in seconds>" which creates an authentication/session token, and keeps this token alive for the time specified. Once the connection reaches that one hour mark, the token is used to re-authenticate instead of the password. Add this option to the "Advanced" field. In addition to this you need to set the Renegotiation time (cannot be set to 0). I set it to the same time as auth-gen-token.
Now, this "Advanced" field has a disclaimer which says "This option will be removed in the future due to being insecure by nature". Maybe it's an idea for the OPNsense team to add the auth-gen-token option to the UI page as a configurable option to complement the TOTP authentication method.
Please, create a ticket on github. https://github.com/opnsense/core/issues
Cheers
Even though this topic is older, I want to add the warning here that the suggested solution - setting the renegotiation time to the same long interval as auth-gen-token - is not very secure.
Best is to use a long authorized time together with the default renegotiation values, and push them to the client, by using the "Advanced" textbox:
auth-gen-token 43200
reneg-sec 3600
push "reneg-sec 3600"
Important on pfSense, to get an automatic renegotiation without the need for a new OTP token, was to activate:
Dynamic IP [x] Allow connected clients to retain their connections if their IP address changes.
which is similar on OPNsense:
Dynamic IP
Allow connected clients to retain their connections if their IP address changes.
which creates options:
persist-remote-ip
float
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
Quote: --float
Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client. Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option.
which uses the session token here every hour to regenerate the session keys until the token needs to be re-authorized.
and
Quote: --persist-remote-ip
Preserve most recently authenticated remote IP address and port number across SIGUSR1 or --ping-restart restarts.
which helps more with restarting the OpenVPN server without losing client connections.
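As an added example (not code from either post or from OPNsense/OpenVPN), a small Python check that reads an OpenVPN server "Advanced" fragment and flags the combinations this thread discusses: a reneg-sec of 0, a reneg-sec stretched to the token lifetime, a reneg-sec that is not pushed, and missing Dynamic IP options. The two fragments are constructed from the values quoted in the thread; the function names and messages are my own.

```python
# Constructed from the thread: first-post approach (renegotiation interval
# stretched to the token lifetime) and the later recommendation (hourly
# renegotiation, long-lived token, reneg-sec pushed, Dynamic IP options).
WEAK_CONFIG = """\
auth-gen-token 43200
reneg-sec 43200
"""

RECOMMENDED_CONFIG = """\
auth-gen-token 43200
reneg-sec 3600
push "reneg-sec 3600"
persist-remote-ip
float
"""


def parse_openvpn_options(text):
    """Return ({option: args}, {pushed_option: args}) for a config fragment."""
    opts, pushed = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        name, _, rest = line.partition(" ")
        if name == "push":  # push "reneg-sec 3600" -> pushed["reneg-sec"]
            inner = rest.strip().strip('"').split()
            if inner:
                pushed[inner[0]] = inner[1:]
        else:
            opts[name] = rest.split()
    return opts, pushed


def check_totp_reauth(text, default_reneg=3600):
    """List the weak spots discussed in the thread; empty list means OK."""
    opts, pushed = parse_openvpn_options(text)
    token = int(opts["auth-gen-token"][0]) if opts.get("auth-gen-token") else None
    reneg = int(opts["reneg-sec"][0]) if opts.get("reneg-sec") else default_reneg
    findings = []
    if token is None:
        findings.append("no auth-gen-token: every renegotiation asks for a fresh OTP")
    if reneg == 0:
        findings.append("reneg-sec 0 disables key renegotiation entirely")
    elif token is not None and reneg >= token:
        findings.append("reneg-sec >= auth-gen-token: keys never refreshed while the token lives")
    if "reneg-sec" not in pushed:
        findings.append("reneg-sec not pushed: the client's own reneg-sec governs instead")
    if not ("float" in opts and "persist-remote-ip" in opts):
        findings.append("Dynamic IP options (float / persist-remote-ip) missing")
    return findings
```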