Hi All,
I'm facing an issue where the iOS Connect app is attempting to use the session token it receives from the server after it has come back from being asleep.
I have some users that use an OTP to authenticate, so the auth-gen-token option is used on the server so that they can renegotiate their connections each hour (default reneg-sec). Otherwise, the re-auth during the reneg would fail as the password would no longer be valid. It works fine in this respect.
The issue on the iOS devices (haven't tried Android) is that when the phone goes to sleep, the server recognizes that the client has disconnected. When the phone wakes, it attempts to use the auth token to authenticate, which fails because the server saw that session end when the phone slept, and you can see the server attempting to parse the token as a password.
I could set up the client to ignore the pushed auth-token, but that would break reneg for OTP users.
This looks like a behavior bug in the client. It should (IMO):
- not notify the server that it is disconnecting when sleeping - creating the potential for the session to live across short sleeps.
- try the session code on wake (assuming the above is in place)
- fall back to any saved password if there is one (obviously this won't help OTP users)
I'd be keen to know if I've missed something that would achieve that behavior. Or if this is a known issue etc.
Many thanks!
Auth failure after sleep with auth-gen-token
-
- OpenVpn Newbie
- Posts: 1
- Joined: Sat Feb 13, 2021 5:51 am
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Auth failure after sleep with auth-gen-token
This probably is a bug. Auth-token is not really ready for the big world yet and openvpn has a history of not handling device sleep very well.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Aug 05, 2021 4:52 pm
Re: Auth failure after sleep with auth-gen-token
We had this problem, too. The solution was to upgrade (the server-side) OpenVPN to 2.5.3.
With 2.4.x, the token is only good for the current session. As you noted, the iOS client ends the connection when the phone sleeps; and later attempts to reconnect with the token (which fails because the session had been ended).
But with 2.5 they changed it so the token can be used to start a new session (assuming the token hasn't expired). That fixes this problem with the iOS client. Also, since the server can now recognize (and validate) tokens generated for other sessions, I believe (but haven't yet verified) that it will never attempt to interpret the token as the user's password the way 2.4 does.
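A simplified model of the difference described in the reply above, added here as an illustration and not taken from the thread or from OpenVPN's source. The class names, the `user|expiry|mac` token layout and the lifetimes are assumptions made for the sketch and are not OpenVPN's actual token format.

```python
import hashlib
import hmac
import secrets

class SessionBoundTokens:
    """2.4-style model: a token lives only as long as the session that issued it."""
    def __init__(self):
        self._live = {}                      # token -> user, one entry per live session
    def issue(self, user, now):
        token = secrets.token_urlsafe(24)
        self._live[token] = user
        return token
    def end_session(self, token):
        self._live.pop(token, None)          # disconnect discards the token
    def verify(self, user, token, now):
        return self._live.get(token) == user

class SignedTokens:
    """2.5-style model: the token is self-describing and checked with a server key."""
    def __init__(self, lifetime):
        self._key = secrets.token_bytes(32)  # server-side secret, never sent to clients
        self._lifetime = lifetime
    def _mac(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
    def issue(self, user, now):
        body = f"{user}|{now + self._lifetime}"
        return f"{body}|{self._mac(body)}"
    def end_session(self, token):
        pass                                 # nothing to forget: validity is in the token
    def verify(self, user, token, now):
        try:
            tok_user, expiry, mac = token.rsplit("|", 2)
            expires_at = int(expiry)
        except ValueError:
            return False                     # malformed token
        expected = self._mac(f"{tok_user}|{expiry}")
        good_mac = hmac.compare_digest(mac.encode(), expected.encode())
        return good_mac and tok_user == user and now < expires_at

def reconnect_after_sleep(tokens, user="alice", asleep_for=600):
    """Constructed scenario: OTP login, phone sleeps, client retries with the token."""
    t0 = 1_000_000                           # arbitrary start time in seconds
    token = tokens.issue(user, t0)           # token pushed after the OTP login
    tokens.end_session(token)                # server sees the disconnect on sleep
    return tokens.verify(user, token, t0 + asleep_for)

if __name__ == "__main__":
    print("session-bound:", reconnect_after_sleep(SessionBoundTokens()))
    print("signed, 1h lifetime:", reconnect_after_sleep(SignedTokens(3600)))
    print("signed, slept 2h:", reconnect_after_sleep(SignedTokens(3600), asleep_for=7200))
```

In the second model the token outlives the session but not its lifetime, so the lifetime is the bound on how long a captured token stays usable.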
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Auth failure after sleep with auth-gen-token
Hello,
There was indeed a bug in the handling of the auth-token. A solution to the problem has been committed to the OpenVPN3 core project, and OpenVPN Connect v3.3.0 for iOS will contain this fix. We are currently working hard on testing and releasing for iOS. Once it's out this problem should be gone with that release.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
- OpenVpn Newbie
- Posts: 2
- Joined: Thu Jul 29, 2021 7:47 am
Re: Auth failure after sleep with auth-gen-token
Is there any update on when v3.3.0 is coming to iOS and Android?