Auth failure after sleep with auth-gen-token

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Post Reply
taliskahn
OpenVpn Newbie
Posts: 1
Joined: Sat Feb 13, 2021 5:51 am

Auth failure after sleep with auth-gen-token

Post by taliskahn » Sat Feb 13, 2021 6:10 am

Hi All,

Im facing an issue where the IOS connect app is attempting to use the session token it receives from the server after is has come back from being asleep.

I have some users that use an OTP to authenticate, so the auth-gen-token option is used on the server so that they can renegotiate their connections each hour (default reneg-sec). Otherwise, the re-auth during the reneg would fail as the password would no longer be valid. It works fine in this respect.

The issue on the IOS devices (haven't tried Android) is that when the phone goes to sleep, the server recognizes that the client has disconnected. When the phone wakes, it attempts to use the auth token to authenticate, which fails because the server saw that session end when the phone slept and you can see the server attempting to parse the token as a password.

I could set up the client to ignore the pushed auth-token, but that would break reneg for OTP users.

This looks like a behavior bug in the client. It should (IMO):
- not notify the server that it is disconnecting when sleeping - creating the potential for the session to live across short sleeps.
- try the session code on wake (assuming the above is in place)
- fall back to any saved password if there is one (obviously this wont help OTP users)

Id be keen to know if I've missed something that would achieve that behavior. Or if this a known issue etc.

Many thanks!

User avatar
TinCanTech
Forum Team
Posts: 9970
Joined: Fri Jun 03, 2016 1:17 pm

Re: Auth failure after sleep with auth-gen-token

Post by TinCanTech » Sat Feb 13, 2021 4:12 pm

This probably is a bug. Auth-token is not really ready for the big world yet and openvpn has a history of not handling device sleep very well.

yaheath
OpenVpn Newbie
Posts: 1
Joined: Thu Aug 05, 2021 4:52 pm

Re: Auth failure after sleep with auth-gen-token

Post by yaheath » Thu Aug 05, 2021 5:06 pm

We had this problem, too. The solution was to upgrade (the server-side) OpenVPN to 2.5.3

With 2.4.x, the token is only good for the current session. As you noted, the iOS client ends the connection when the phone sleeps; and later attempts to reconnect with the token (which fails because the session had been ended).

But with 2.5 they changed it so the token can be used to start a new session (assuming the token hasn't expired). That fixes this problem with the iOS client. Also, since the server can now recognize (and validate) tokens generated for other sessions, I believe (but haven't yet verified) that it will never attempt to interpret the token as the user's password the way 2.4 does.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 375
Joined: Tue Feb 16, 2021 10:41 am

Re: Auth failure after sleep with auth-gen-token

Post by openvpn_inc » Thu Aug 12, 2021 9:52 am

Hello,

There was indeed a bug in the handling of the auth-token. A solution to the problem has been committed to the OpenVPN3 core project, and OpenVPN Connect v3.3.0 for iOS will contain this fix. We are currently working hard on testing and releasing for iOS. Once it's out this problem should be gone with that release.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

erres8
OpenVpn Newbie
Posts: 2
Joined: Thu Jul 29, 2021 7:47 am

Re: Auth failure after sleep with auth-gen-token

Post by erres8 » Wed Oct 27, 2021 1:49 pm

Is there any update on when v3.3.0 is coming to iOS and Android?

Post Reply