Client Auth Error on auto-reconnect following network interruption

omorgan
OpenVpn Newbie
Posts: 2
Joined: Tue Sep 25, 2018 1:50 am

Client Auth Error on auto-reconnect following network interruption

Post by omorgan » Tue Sep 25, 2018 2:20 am

Hi Everyone,

Sorry to bother, but I have an odd problem that I can't seem to find an answer to (If I've missed something obvious, I apologise in advance!)...

I've set up an OpenVPN Access Server on a VPS I use (I tried several times to do a full install of OpenVPN server from scratch, but just couldn't actually get it to work, even looking at several different sources, so I used the Access Server .deb file and got it working straight away), and have two clients, which can happily connect and communicate through the VPN etc.

The issue, however, comes through some testing I've been doing in preparation for deployment. One client is a headless Pi Zero W, which I plan to locate in a remote location, and want to be able to connect to remotely through the VPN to give me access to some things behind it. I have set it up with an auto-login profile, and the VPN starts perfectly when it boots. However, if I simulate a network issue, or a server issue, by manually shutting down either the full VPS server instance or the service from within the OpenVPN Access Server admin section itself, and then turn it back on, the Pi always fails to reconnect, citing an Auth Error... If after the auth error I manually restart the openvpn service, it logs in straight away, no issues.

Nothing I appear to be doing is actually fixing this. Any thoughts?

For reference, here is the log output on the Pi when it fails (I've replaced the IP and port with <server_ip_and_port> for security):

Sat Sep 22 05:28:23 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 22 05:28:23 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]<server_ip_and_port>
Sat Sep 22 05:28:23 2018 Socket Buffers: R=[87380->200000] S=[16384->200000]
Sat Sep 22 05:28:23 2018 Attempting to establish TCP connection with [AF_INET]<server_ip_and_port> [nonblock]
Sat Sep 22 05:28:24 2018 TCP: connect to [AF_INET]<server_ip_and_port> failed: Connection refused
Sat Sep 22 05:28:24 2018 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sat Sep 22 05:28:24 2018 Restart pause, 5 second(s)
Sat Sep 22 05:28:29 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 22 05:28:29 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 22 05:28:29 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]<server_ip_and_port>
Sat Sep 22 05:28:29 2018 Socket Buffers: R=[163840->200000] S=[163840->200000]
Sat Sep 22 05:28:29 2018 UDP link local: (not bound)
Sat Sep 22 05:28:29 2018 UDP link remote: [AF_INET]<server_ip_and_port>
Sat Sep 22 05:28:29 2018 TLS: Initial packet from [AF_INET]<server_ip_and_port>, sid=b6a20603 c7873341
Sat Sep 22 05:28:29 2018 VERIFY OK: depth=1, CN=OpenVPN CA
Sat Sep 22 05:28:29 2018 VERIFY OK: nsCertType=SERVER
Sat Sep 22 05:28:29 2018 VERIFY OK: depth=0, CN=OpenVPN Server
Sat Sep 22 05:28:29 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1558'
Sat Sep 22 05:28:29 2018 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'
Sat Sep 22 05:28:29 2018 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Sat Sep 22 05:28:29 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Sep 22 05:28:29 2018 [OpenVPN Server] Peer Connection Initiated with [AF_INET]<server_ip_and_port>
Sat Sep 22 05:28:30 2018 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Sat Sep 22 05:28:30 2018 AUTH: Received control message: AUTH_FAILED
Sat Sep 22 05:28:30 2018 SIGTERM[soft,auth-failure] received, process exiting

The client config in question (minus all secure info):

# Automatically generated OpenVPN client config file
# Generated on Tue Sep 25 03:06:18 2018 by

# Default Cipher
cipher AES-256-CBC
# Note: this config file contains inline private keys
#       and therefore should be kept confidential!
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=<client_username>
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=<client_info>/AUTOLOGIN
# OVPN_ACCESS_SERVER_AUTOLOGIN=1
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=<server_ip_and_port>
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN, Inc.
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote <server_ip_and_port> udp
remote <server_ip_and_port> udp
remote <server_ip_and_port> tcp
remote <server_ip_and_port> udp
remote <server_ip_and_port> udp
remote <server_ip_and_port> udp
remote <server_ip_and_port> udp
remote <server_ip_and_port> udp
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>


# Extra user-defined configuration
float
resolv-retry infinite
persist-tun
persist-key
ping-timer-rem
keepalive 30 120
connect-retry 120 120
## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## -----END CERTIFICATE-----

And finally, additional parameters added into the server conf (and the client conf, even though I know they are visible above) via the Access Server web interface:

SERVER CONF:
float
resolv-retry infinite
persist-tun
persist-key
ping-timer-rem
keepalive 30 120

CLIENT CONF:
float
resolv-retry infinite
persist-tun
persist-key
ping-timer-rem
keepalive 30 120
connect-retry 120 120

The additional parameters were added from looking at a million posts (at least it seems like it!) and trying to see if anything would work... I'm not sure what they all do, to be fair!

It's worth noting that the Pi Zero W is using the wlan0 interface (which I have a hunch may be the root of the problems). Also, tun0 stays listed the whole time the server is down and the Pi is auto-attempting to reconnect, but after the AUTH_FAILED issue the tun0 entry is no longer listed. A simple workaround would be to check for the presence of tun0 with a cron script, and start the openvpn client again if it's missing, but that's a workaround, not a solution.

Any help would be hugely appreciated, and thank you in advance!

Owen.

novaflash
I should be on the dev team.
Posts: 952
Joined: Fri Apr 13, 2012 8:43 pm

Re: Client Auth Error on auto-reconnect following network interruption

Post by novaflash » Tue Sep 25, 2018 10:57 am

Hi Owen,

Unfortunately this is a known bug in OpenVPN open source - either use an older version or wait for a release that fixes this. A patch for it has already been made, just need to wait until it gets approved and a build made. Alternatively you can run a watchdog program that pings across the VPN link and if it fails, kill and restart the openvpn process. Ugly but it'll work.
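The watchdog that novaflash suggests above, and the cron-based tun0 check that omorgan mentions in the opening post, can be combined into one small script. The following is an added example and is not code from either poster or from the OpenVPN project; it assumes a Linux host where interfaces appear under /sys/class/net, an OpenVPN client managed by a systemd unit (the unit name `openvpn-client@client` is an assumption), and a peer address on the far side of the tunnel (`10.8.0.1` is an assumed placeholder). The interface directory, ping command and restart command are all overridable through environment variables so the decision logic can be exercised without a real tunnel.

```shell
#!/bin/sh
# Added example VPN watchdog for the client described in this thread.
# Not part of the original posts. Assumed names: the systemd unit in
# VPN_UNIT and the tunnel-side peer address in VPN_PEER.

VPN_IFACE="${VPN_IFACE:-tun0}"                   # tunnel interface the client creates
VPN_PEER="${VPN_PEER:-10.8.0.1}"                 # assumed address reachable only via the VPN
VPN_UNIT="${VPN_UNIT:-openvpn-client@client}"    # assumed systemd unit name
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"         # overridable so the logic can be tested offline
PING_CMD="${PING_CMD:-ping -c 2 -W 3}"           # overridable for the same reason
RESTART_CMD="${RESTART_CMD:-systemctl restart $VPN_UNIT}"

# True when the named interface currently exists on the host.
iface_exists() {
    [ -e "$NET_SYSFS/$1" ]
}

# True when the peer answers across the tunnel. A failed ping covers both
# "tun0 vanished after AUTH_FAILED" and "tun0 is up but carries no traffic".
peer_reachable() {
    $PING_CMD "$1" >/dev/null 2>&1
}

# Print "ok" or "restart" (and return 0 or 1) without taking any action,
# so the decision can be checked in isolation.
vpn_state() {
    if ! iface_exists "$VPN_IFACE"; then
        echo "restart"; return 1
    fi
    if ! peer_reachable "$VPN_PEER"; then
        echo "restart"; return 1
    fi
    echo "ok"; return 0
}

# One watchdog pass: restart the client only when vpn_state says so.
# Returns 0 when the tunnel was healthy, 1 when a restart was issued.
watchdog_once() {
    if vpn_state >/dev/null; then
        return 0
    fi
    echo "vpn-watchdog: $VPN_IFACE missing or $VPN_PEER unreachable, restarting $VPN_UNIT" >&2
    $RESTART_CMD
    return 1
}

# Invoke as "vpn-watchdog.sh run" from cron (e.g. every minute); when the
# file is merely sourced, nothing happens.
if [ "${1:-}" = "run" ]; then
    watchdog_once
fi
```

Checking reachability rather than only the presence of tun0 matters because, as the first post notes, tun0 can stay listed while the server is down; the interface alone says nothing about whether the tunnel carries traffic. The keepalive settings already in the posted config handle the server side of the same problem, so the watchdog only needs to run on the client.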

omorgan
OpenVpn Newbie
Posts: 2
Joined: Tue Sep 25, 2018 1:50 am

Re: Client Auth Error on auto-reconnect following network interruption

Post by omorgan » Tue Sep 25, 2018 7:37 pm

Novaflash,

Thanks!

I will also admit I made a noob error that seems to have increased reliability... I have been making changes via the Access Server config web page to the server and client conf, assuming that the push feature would ensure that every time the Pi connects it gets the updated settings. However, it seems the actual underlying conf file never changes on the Pi with these new settings, meaning each time it attempts to reconnect it uses a (potentially very old) conf file which is different... Updating the conf to the most recent one generated by the server (ensuring all the changes were present each time) has improved reliability!

I appreciate that is a totally noob mistake, but when you read about the idea of 'pushing' the setting changes it's easy to think that means the underlying conf files change likewise.

I will, however, still set up a watchdog, as I can foresee it may come in useful all the same!

Thanks!

Owen.

novaflash
I should be on the dev team.
Posts: 952
Joined: Fri Apr 13, 2012 8:43 pm

Re: Client Auth Error on auto-reconnect following network interruption

Post by novaflash » Wed Sep 26, 2018 2:48 pm

Some settings are fixed, like which server address the client should contact to make a connection, and which encryption method to use (although in newer versions that is less the case). Most other settings like routes and DNS settings and such are pushed from the server to the client when it connects. So some settings are fixed, some settings are dynamic.

hac-udelv
OpenVpn Newbie
Posts: 2
Joined: Wed Jun 26, 2019 3:02 am

Re: Client Auth Error on auto-reconnect following network interruption

Post by hac-udelv » Sun Jul 14, 2019 5:37 pm

Hi. Sorry to bring up an old thread but I'm running into the exact problem.

@omorgan: do you know which configs worked for you to increase reliability?

novaflash
I should be on the dev team.
Posts: 952
Joined: Fri Apr 13, 2012 8:43 pm

Re: Client Auth Error on auto-reconnect following network interruption

Post by novaflash » Mon Jul 15, 2019 7:40 am

Just get the latest version.

hac-udelv
OpenVpn Newbie
Posts: 2
Joined: Wed Jun 26, 2019 3:02 am

Re: Client Auth Error on auto-reconnect following network interruption

Post by hac-udelv » Mon Jul 15, 2019 6:28 pm

I did that already but I was wondering what settings to actually put on the server and/or client. In any case, adding persist-tun and persist-key to the client config via the Advanced VPN page on the OpenVPN Access Server has helped me.

Originally, the client was tearing down the tun interface whenever it lost internet connectivity. However, the server still thinks the client is connected since it hasn't timed out yet. But when the client regains internet connectivity a couple of seconds later, it creates a new tun interface. The server says that this client already exists and disconnects.

With persist-tun and persist-key, it uses the existing tun interface and according to the server, the client never lost connection. There were some times that the client and/or server insists on recreating the tun interface, probably due to auth issues, but this seems to resolve itself just fine by tearing down the interface and recreating it.
