[SOLVED] OpenVPN tunnel to roadwarrior crashes after exactly one hour. Always.

[klausagnoletti]

Hi

I installed opnsense on NUC pc with VLAN and stuff a month ago or something like that. I 'upgraded' from pfsense.

I have two openvpn daemons configured. One does site-to-site VPN using certificates to my VPS. That tunnel is stable as a rock. The other is for my laptop and is used as a roadwarrior. I have configured it to authenticate via TLS+OTP.

It connects fine, but after an hour - almost on the second - it crashes so that I can't send any traffic through it. My VPN client tries to reconnect, but it can't.

The log on opnsense says this:
Nov 24 14:24:59   openvpn[50931]: klaus/xxx.xxx.xxx.xxx:16962 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:16962 [1]

I tried googling that, but it didn't really help me. Apparently noone on pfsense or opnsense have had this problem before :-p

Can anyone help?

/klaus

[fabian]

This comes from OTP:

OpenVPN has a default of one hour, where the authentication is valid and needs to re-authenticate after this time. Because your one time password is not valid anymore at this time, the authentication fails and OpenVPN stops the connection. You need to change the amount of time between re-authentication and it will work longer. Because of this, you cannot use it in a way it is useful for a site-to-site vpn. Use a certificate instead of OTP for this use cases and OTP for road warrior connections.

[franco]

At the bottom of the server config page in a recent OPNsense you find "Renegotiate time" where you can disable renegotiation. See the help description for details.

The whole OpenVPN stance on renegotiation is a bit silly as it essentially voids your credentials with OTP and the credentials are static when it's not OTP, but that is for OpenVPN to ride out.

[klausagnoletti]

This comes from OTP:

OpenVPN has a default of one hour, where the authentication is valid and needs to re-authenticate after this time. Because your one time password is not valid anymore at this time, the authentication fails and OpenVPN stops the connection. You need to change the amount of time between re-authentication and it will work longer. Because of this, you cannot use it in a way it is useful for a site-to-site vpn. Use a certificate instead of OTP for this use cases and OTP for road warrior connections.

Thanks for the hint. I only use OTP on my roadwarrior currently. Site-to-site is just TLS.
I'll take a look at the renegotiation settings to fix it. Many thanks!

/klaus

[klausagnoletti]

At the bottom of the server config page in a recent OPNsense you find "Renegotiate time" where you can disable renegotiation. See the help description for details.

The whole OpenVPN stance on renegotiation is a bit silly as it essentially voids your credentials with OTP and the credentials are static when it's not OTP, but that is for OpenVPN to ride out.

Thanks. I set it to 0. I guess that'll work.

/klaus

[klausagnoletti]

I tried to set the regetioation time to 0 as describe in help. That changes absolutely nothing. Tunnel still goes down after exactly one hour.

Does anyone have a suggestion to what else to try?

Thanks

/klaus

[franco]

Did you set this for client and server?

[s4rs]

I was testing this and had the same issue. After a few internet searches I found the right client parameter reneg-sec 0 .  Based on Opnsense client recommendation for Windows I used Viscosity VPN client. In the Viscosity client right click on the OpenVPN profile you create for Opnsense/OpenVPN and select edit. On the advanced tab in the lower window add the setting. I tested this and have been up for hours without a drop. See the screenshot attached.

[franco]

Oh, right, it's in the server, but not in the client exporter... https://github.com/opnsense/core/issues/1147

EDIT: Ad fixed this in the exporter, will be in 16.7.11. Thanks!