Help - OpenVPN disconnects every 1 hour

pfSense 2.4
RADIUS server to Windows NAP.
I can log in and things are great. However, every 1 hour, the login pops up for OpenVPN (Windows 10 client) and logs me back in.

Someone mentioned that I need to modify my server.conf with reneg-0 (something like that), which I did. However, when I restart the OpenVPN service, it drops that change.

Any ideas on how to get this to stop? I want the VPN to stay on for at least 12 hours.

LAN = 172.25.0.0 /16
Tunnel = 192.168.25.0/24

Thanks.

That is not a problem I have encountered before; you might want to try the pfSense forums.

I don't have this issue, but perhaps you can add a keepalive parameter under the advanced options for the client.

I read that it has something to do with the TLS. Of course, I am working remotely and changed a setting that results in me not getting in... so off to the office I go.

I will post my server config soon. It is totally weird so I may just blow it away and start again.

Will let you all know how I make out.

Back at the office and got the config.
I am reading the help on OpenVPN and it states that:
--reneg-sec n

Renegotiate data channel key after n seconds (default=3600). When using dual-factor authentication, note that this default value may cause the end user to be challenged to reauthorize once per hour.

I don't have that option in my server conf file. So, if I add it, just wondering, does it matter where in the conf file I put it? Do I just put it at the end of the current file?

Thanks again.

Hi spyder,

So first off, I'm far from an expert here, but I can remember I had that problem once.

You need to create an auth.txt file beside your config file. The file contains your username on line 1 and your password on line 2, and in your config file you type "auth-user-pass auth.txt".

Write back if you need more information, or google "auth-user-pass".

Fixed it... well, so far so good (1.5 hours with no disconnect).
For those that want to know: in your client export, you are able to add overrides. Well, I had one there in reference to auth-nocache.
I did this because when you view the client logs, it states a warning to use that option.

Surprise, that option causes the system to renegotiate the TLS keys every hour. So, not sure on the true fix for this... but it appears that if you take it out, you don't get disconnected. If you put that in, you get disconnected while it negotiates the TLS again.

Going to keep it going for the day and see if I get kicked... but looking good so far.
Thanks all for the replies!


auth-nocache just removes the user and password from being stored in RAM/memory.

As a standard, OpenVPN performs a rekeying of the encryption key every 3600 sec (1 hour). If the clients are set with a username and password, then it has to use those parameters when it connects with the new key.

When you use the user/pass key for the first time, it will be stored in memory; auth-nocache will prevent that from happening. The auth-user-pass option should do the same thing; the data is just stored on the HDD instead of in memory.
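To make the interaction the thread settled on concrete (the auth-nocache override in the client export, the hourly reneg-sec default, and the auth.txt alternative), here is an added example that is not part of this thread or of pfSense/OpenVPN: a small Python lint that reads an .ovpn client profile and reports how often the user will be asked for credentials. The profile contents, hostname and file names are constructed; it only sees the client side, and the pfSense server's own reneg-sec can also start a renegotiation, so the reported interval is the client's contribution only.

```python
"""Added example (not pfSense or OpenVPN code): lint an OpenVPN client profile
for the hourly credential re-prompt discussed in the thread. It looks at the
three directives involved: auth-user-pass (interactive or with a file),
auth-nocache, and reneg-sec (OpenVPN's documented default is 3600 s)."""
import shlex

DEFAULT_RENEG_SEC = 3600  # OpenVPN default for --reneg-sec

# Constructed profiles: the thread's failing export, and the same file after
# the auth-nocache override is removed. Hostname is a placeholder.
BROKEN_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
auth-nocache
"""
FIXED_PROFILE = BROKEN_PROFILE.replace("auth-nocache\n", "")


def parse_profile(text):
    """Map each directive to its argument list, skipping comments and <inline> blobs."""
    directives, inline = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):            # <ca> ... </ca> style inline blocks
            inline = not line.startswith("</")
            continue
        if inline or not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives[parts[0]] = parts[1:]
    return directives


def reprompt_interval(directives):
    """Seconds between credential prompts, or None when no re-prompt is expected."""
    args = directives.get("auth-user-pass")
    if args is None or args:
        return None   # certificate-only, or credentials re-read from the given file
    if "auth-nocache" not in directives:
        return None   # cached in RAM and reused silently at renegotiation
    reneg = int(directives["reneg-sec"][0]) if "reneg-sec" in directives else DEFAULT_RENEG_SEC
    return None if reneg == 0 else reneg  # reneg-sec 0 disables client-side renegotiation


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_PROFILE), ("fixed", FIXED_PROFILE)):
        print(name, reprompt_interval(parse_profile(text)))
```

Removing auth-nocache, as the thread did, keeps the credentials in the client's memory for the life of the session; raising reneg-sec or pointing auth-user-pass at a file are the other two ways the lint reports as prompt-free.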