Session disconnect occurs when encryption key is regenerated on OpenVPN.

Started by cajovpn, June 24, 2025, 11:59:02 PM

OPNsense version: 25.1.7_4-amd64

I have an OpenVPN instance configured and working as needed. The only annoyance is that when the encryption key is regenerated every hour, my session is disconnected and I need to reconnect. On the OpenVPN forum I found that adding the server configuration parameter "auth-gen-token" to the instance configuration will correct this issue by using a generated token that is passed to the client. The token is verified when key regeneration occurs and the session is not disconnected.

Is this a valid solution?

How do I add the "auth-gen-token" parameter to the instance configuration?

Does it need to be added to the client configuration also?

I tried setting "Auth Token Lifetime" to 0 (zero), but that did not change anything.

Thank you in advance for your help.

TonyC

Quote from: cajovpn on June 24, 2025, 11:59:02 PM
Is this a valid solution?
Yes

Quote
How do I add the "auth-gen-token" parameter to the instance configuration?
Just enter a value in seconds at "Auth Token Lifetime". This is the duration of the validity of the session key.
Set it to e.g. 57600 for 16 hours.

Quote
Does it need to be added to the client configuration also?
No.
If set, the server sends the session key to the client at negotiation and the client uses it later for renegotiating.

Quote
I tried setting "Auth Token Lifetime" to 0 (zero), but that did not change anything.
A bad idea. This disables the session key.

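For readers who want to see what the two GUI fields discussed in this reply map to on the OpenVPN side, here is an added example of the relevant server options. It is not from the thread or from OPNsense itself; the directive names and defaults are upstream OpenVPN's, the numeric values are illustrative, and the claim that OPNsense's "Auth Token Lifetime" field writes the `auth-gen-token` directive is an assumption based on this reply.

```conf
# Added example (not from the thread): server-side OpenVPN directives
# behind OPNsense's "Renegotiate time" and "Auth Token Lifetime" fields.

# Data-channel key renegotiation interval in seconds (OpenVPN's own
# default is 3600, which matches the hourly disconnect described above).
reneg-sec 3600

# Without auth-gen-token, each renegotiation re-runs user/password
# authentication, so a client that did not store the password is dropped.
# With it, the server pushes an HMAC-secured token after the first
# successful login and the client presents that token on renegotiation
# instead of the password. Lifetime here is 57600 s (16 h), the value
# suggested in the reply above; it must outlast the session you want to
# keep alive, since the thread shows a 1.5 h token dropping the session
# at 1.5 h even though the hourly rekey itself passed.
auth-gen-token 57600

# Client side: no extra directive is needed. The token is pushed to the
# client during negotiation; a client using "auth-user-pass" only has to
# supply the real credentials once, at the initial connection.
```

Two caveats worth keeping in mind when tuning these. First, the two timers are independent: `reneg-sec` bounds the age of the data-channel key, while the token lifetime only bounds how long a connected session may keep renegotiating without re-entering credentials, so a long token lifetime does not lengthen the life of any encryption key. Second, in a raw OpenVPN configuration the upstream manual documents `auth-gen-token` with no lifetime (or 0) as a token that never expires; the meaning of 0 in the OPNsense field is the GUI's own mapping, as the reply above describes, so do not carry that value over to a hand-written config expecting the same behaviour.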

So I changed Auth Token Lifetime to 1.5 hours. When the one hour encryption key regen time expired, as expected, there was no session disconnect. However when the Auth Token Lifetime expired (30 minutes later) there was a session disconnect. So I changed the Auth Token Lifetime to 16 hours which is more than long enough for my requirement.

Everything I have read suggests that the encryption key regen timer should NOT be set too long to avoid the possibility of the encryption key being compromised. What about setting the Auth Token Lifetime to 16 hours? Is there a possibility that the Auth Token can be compromised? Is 16 hours too long? Are there other options?

TonyC