Auth failure after sleep with auth-gen-token

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Post Reply
taliskahn
OpenVpn Newbie
Posts: 1
Joined: Sat Feb 13, 2021 5:51 am

Auth failure after sleep with auth-gen-token

Post by taliskahn » Sat Feb 13, 2021 6:10 am

Hi All,

Im facing an issue where the IOS connect app is attempting to use the session token it receives from the server after is has come back from being asleep.

I have some users that use an OTP to authenticate, so the auth-gen-token option is used on the server so that they can renegotiate their connections each hour (default reneg-sec). Otherwise, the re-auth during the reneg would fail as the password would no longer be valid. It works fine in this respect.

The issue on the IOS devices (haven't tried Android) is that when the phone goes to sleep, the server recognizes that the client has disconnected. When the phone wakes, it attempts to use the auth token to authenticate, which fails because the server saw that session end when the phone slept and you can see the server attempting to parse the token as a password.

I could set up the client to ignore the pushed auth-token, but that would break reneg for OTP users.

This looks like a behavior bug in the client. It should (IMO):
- not notify the server that it is disconnecting when sleeping - creating the potential for the session to live across short sleeps.
- try the session code on wake (assuming the above is in place)
- fall back to any saved password if there is one (obviously this wont help OTP users)

Id be keen to know if I've missed something that would achieve that behavior. Or if this a known issue etc.

Many thanks!

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8665
Joined: Fri Jun 03, 2016 1:17 pm

Re: Auth failure after sleep with auth-gen-token

Post by TinCanTech » Sat Feb 13, 2021 4:12 pm

This probably is a bug. Auth-token is not really ready for the big world yet and openvpn has a history of not handling device sleep very well.

Post Reply