OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Wombat on March 29, 2019, 12:08:29 pm

Title: OpenVPN (road warrior) with 2FA will not sustain connection
Post by: Wombat on March 29, 2019, 12:08:29 pm
I managed to get an OpenVPN road warrior connection with 2FA working, but the connection only lasts a minute or so (I just get logged into a LAN webserver and lose it) and then I have to reconnect, which means getting a new OTP from Google Authenticator.  Makes the VPN useless. 
Suspect the cause may be the poor ADSL2 connection to the router (6MB/350kB, it is a 3km rural connection), which I cannot do much about.

Problem affects several different clients (Android with the OpenVPN app, W10 with the Velocity and OpenVPN apps).

Is there anything in settings I can do to:
1. reduce its sensitivity to dropping out
2. not have to get a new TOTP each time
3. not use a TOTP at all, use a different authentication method

Or should I go over and use IPsec, or is there another road warrior VPN solution better suited to my scenario?

Was running OPNsense 18.7 on a gen4 i5 processor with loads of RAM (it is barely working above 10%) and 10 NICs (LAN switch and router).
Title: Re: OpenVPN (road warrior) with 2FA will not sustain connection
Post by: Wombat on April 11, 2019, 09:05:40 am
Moved onto 19.1 and the problem continues.
Removed 2FA and used certificates, username and password; the problem remains, but it is easier to get information from it as it automatically reconnects.

Symptoms are strange... and they may be two problems.

This is OpenVPN client on Android 8 tablet.
Can connect to the server and am able to connect to the OPNsense UI with no problems in usage.  Can also connect through the VPN to several simpler webservers (i.e. they load quickly).
But looking at the OpenVPN server log, it connects, then immediately reports a client disconnect over several log entries.  This then continues every 60 seconds (which happens to be the keepalive timeout!).  The log entries are:
Apr 11 16:31:27   openvpn[49773]: MANAGEMENT: Client disconnected
Apr 11 16:31:27   openvpn[49773]: MANAGEMENT: CMD 'quit'
Apr 11 16:31:26   openvpn[49773]: MANAGEMENT: CMD 'status 2'
Apr 11 16:31:26   openvpn[49773]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 11 16:30:25   openvpn[49773]: MANAGEMENT: Client disconnected
Apr 11 16:30:25   openvpn[49773]: MANAGEMENT: CMD 'quit'
Apr 11 16:30:25   openvpn[49773]: MANAGEMENT: CMD 'status 2'
Apr 11 16:30:24   openvpn[49773]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 11 16:29:56   openvpn[49773]: Ian-tablet/49.180.44.209:17857 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key


The OpenVPN client shows data continues to flow over the tunnel as would be expected and reports nothing after the initial link establishment.

Then I attempt to access some more complex UIs (a QNAP NAS and a server running Node-RED) through the tunnel, and data flows for about 20 secs; sometimes part of a page is downloaded.  Then data flow ceases and 60 seconds later the VPN link is closed and restarted.
Title: Re: OpenVPN (road warrior) with 2FA will not sustain connection
Post by: anomaly0617 on June 13, 2019, 10:06:39 pm
I may be seeing the same behavior, but I'm giving it time to find out for sure. However, I'm wondering if this helps at all:

Under VPN >> OpenVPN >> Servers >> RoadWarrior VPN (Edit it) >> Renegotiate Time it says:

"Renegotiate data channel key after n seconds (default=3600).
When using a one time password, be advised that your connection will automatically drop because your password is not valid anymore.
Set to 0 to disable, remember to change your client as well."

Mine was set to 0, so I changed it to be 86400, which is the equivalent of one day. I'm now waiting to see if this "resolves" the problem, i.e.: how many users will remain connected to the VPN for more than 24 hours? And if they do, isn't it appropriate to ask them for another OTP?
Title: Re: OpenVPN (road warrior) with 2FA will not sustain connection
Post by: mimugmail on June 14, 2019, 06:45:49 am
reneg-sec 0 should also help. I verified this on a 19.1.8 some days ago for a new customer and I was logged in for around 3 hours with no traffic (after this I powered off). Without setting renegotiation I'm disconnected after 1 hour, asking for a password.
Title: Re: OpenVPN (road warrior) with 2FA will not sustain connection
Post by: mimugmail on June 14, 2019, 06:47:02 am
The log entries are
Apr 11 16:31:27   openvpn[49773]: MANAGEMENT: Client disconnected
Apr 11 16:31:27   openvpn[49773]: MANAGEMENT: CMD 'quit'
Apr 11 16:31:26   openvpn[49773]: MANAGEMENT: CMD 'status 2'
Apr 11 16:31:26   openvpn[49773]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 11 16:30:25   openvpn[49773]: MANAGEMENT: Client disconnected
Apr 11 16:30:25   openvpn[49773]: MANAGEMENT: CMD 'quit'
Apr 11 16:30:25   openvpn[49773]: MANAGEMENT: CMD 'status 2'
Apr 11 16:30:24   openvpn[49773]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 11 16:29:56   openvpn[49773]: Ian-tablet/49.180.44.209:17857 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

This is btw only the UI querying the management daemon about statistics.
You can set the log level higher and should get more detailed logs.
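The point made in the last reply is worth having as a filter: the MANAGEMENT lines are the OPNsense UI polling the management socket every minute, not the tunnel going up and down. The script below is an added example, not code from the thread or from OPNsense, that parses log lines in the format quoted above, drops the management-socket noise, and counts the per-client events that actually explain a drop. The sample log is constructed (client name "tablet1" and address 203.0.113.5 are placeholders); the "Inactivity timeout (--ping-restart)", "SIGUSR1[soft,ping-restart]" and "TLS: soft reset" messages are modelled on OpenVPN's own wording but the byte and packet figures are made up. A ping-restart count points at the keepalive timeout discussed earlier in the thread; a TLS soft reset at the renegotiation interval that invalidates a one-time password.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the OPNsense log format quoted in the thread.
# The MANAGEMENT lines are the UI polling the management socket every minute;
# the client-tagged lines (placeholder client "tablet1", documentation
# address 203.0.113.5) are the events that describe the tunnel itself.
SAMPLE_LOG = """\
Apr 11 16:29:56   openvpn[49773]: tablet1/203.0.113.5:17857 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 11 16:30:24   openvpn[49773]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 11 16:30:25   openvpn[49773]: MANAGEMENT: CMD 'status 2'
Apr 11 16:30:25   openvpn[49773]: MANAGEMENT: CMD 'quit'
Apr 11 16:30:25   openvpn[49773]: MANAGEMENT: Client disconnected
Apr 11 16:31:10   openvpn[49773]: tablet1/203.0.113.5:17857 [tablet1] Inactivity timeout (--ping-restart), restarting
Apr 11 16:31:10   openvpn[49773]: tablet1/203.0.113.5:17857 SIGUSR1[soft,ping-restart] received, client-instance restarting
Apr 11 16:31:26   openvpn[49773]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Apr 11 16:31:26   openvpn[49773]: MANAGEMENT: CMD 'status 2'
Apr 11 16:31:27   openvpn[49773]: MANAGEMENT: CMD 'quit'
Apr 11 16:31:27   openvpn[49773]: MANAGEMENT: Client disconnected
Apr 11 17:29:58   openvpn[49773]: tablet1/203.0.113.5:17857 TLS: soft reset sec=0/3600 bytes=120934/-1 pkts=1104/0
"""

# "Apr 11 16:29:56   openvpn[49773]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Per-client messages are prefixed "<common name>/<ip>:<port> "
CLIENT_RE = re.compile(r"^(?P<client>[^/\s]+)/(?P<addr>[0-9.]+:\d+) (?P<rest>.*)$")

# Ordered (needle, label) pairs; the first match wins.
EVENT_LABELS = [
    ("Inactivity timeout", "ping_restart"),   # keepalive expired on the server side
    ("TLS: soft reset", "renegotiation"),     # reneg-sec fired (new key, OTP re-prompt)
    ("SIGUSR1", "restart"),                   # client instance torn down and restarted
    ("Incoming Data Channel", "data_channel_up"),
]


def label_event(text):
    """Map the free-text part of a client line to a short event label."""
    for needle, label in EVENT_LABELS:
        if needle in text:
            return label
    return "other"


def parse_line(line):
    """Return a record dict for one log line, or None if it is not an openvpn line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    rec = {"ts": m.group("ts"), "pid": int(m.group("pid")), "msg": msg}
    if msg.startswith("MANAGEMENT:"):
        rec.update(kind="management", client=None, event=None)
        return rec
    c = CLIENT_RE.match(msg)
    if c:
        rec.update(kind="client", client=c.group("client"),
                   event=label_event(c.group("rest")))
    else:
        rec.update(kind="daemon", client=None, event=None)
    return rec


def triage(log_text):
    """Return (management line count, {client: Counter of event labels})."""
    management = 0
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "management":
            management += 1
        elif rec["kind"] == "client":
            per_client[rec["client"]][rec["event"]] += 1
    return management, dict(per_client)


def session_events(log_text):
    """Only the client-tagged records, i.e. what remains once UI polling is filtered out."""
    return [r for r in map(parse_line, log_text.splitlines()) if r and r["kind"] == "client"]


if __name__ == "__main__":
    mgmt, clients = triage(SAMPLE_LOG)
    print(f"management-socket lines (UI polling, ignorable): {mgmt}")
    for client, events in clients.items():
        print(client, dict(events))
```

Run it against a copy of the OPNsense OpenVPN log instead of SAMPLE_LOG: if the only per-client events are data channel initialisations and the drops still happen, raise the log verbosity as suggested above; if ping_restart dominates, the keepalive window is the thing to look at, and if renegotiation lines line up with the disconnects, it is the renegotiate time.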