Hi,
OpenVPN on my iPhone with Google Authenticator is getting disconnected (AUTH_FAILED error) after about 5 minutes, even though I have reneg-sec 86400 (one day) on the server (tried with reneg-sec 0 and reneg-sec 86400 on the client side - both did not work).
Authentication is failing with the Google Authenticator option enabled. If I disable Google Authenticator and just do the regular VPN password, the VPN connection stays on.
The following is the log file:
>>>
2021-06-12 16:49:16 1
2021-06-12 16:49:16 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-06-12 16:49:16 OpenVPN core 3.git::58b92569 ios arm64
64-bit
2021-06-12 16:49:16 Frame=512/2048/512 mssfix-ctrl=1250
2021-06-12 16:49:16 UNUSED OPTIONS
1 [persist-tun]
2 [persist-key]
5 [tls-client]
7 [reneg-sec] [0]
8 [resolv-retry] [infinite]
10 [verify-x509-name] [vpn.xxxx.com] [name]
2021-06-12 16:49:16 EVENT: RESOLVE
2021-06-12 16:49:16 Contacting [ ]:1194/TCP via TCPv4
2021-06-12 16:49:16 EVENT: WAIT
2021-06-12 16:49:16 Connecting to [xxxx.xxxx.xxxx.xxx]:1194
(xxxxx) via TCPv4
2021-06-12 16:49:16 EVENT: CONNECTING
2021-06-12 16:49:16 Tunnel Options:V4,dev-type tun,link-mtu
1559,tun-mtu 1500,proto
TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA1,keysize
256,tls-auth,key-method 2,
tls-client
2021-06-12 16:49:16 Creds: Username/Password
2021-06-12 16:49:16 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
2021-06-12 16:49:16 VERIFY OK: depth=1,
/C=US/ST=Newyork/L=syracuse/xxx/
emailAddress=xxxk.com/CN=openvpn-ca-default
2021-06-12 16:49:16 VERIFY OK: depth=0,
/C=US/ST=Newyork/L=Syracuse/xxxx/
emailAddress=xxxxxe.com/CN=vpn.xxxx
2021-06-12 16:49:17 SSL Handshake: CN=vpn.xxxx, TLSv1.3,
cipher TLSv1.3
TLS_AES_256_GCM_SHA384, 2048 bit RSA
2021-06-12 16:49:17 Session is ACTIVE
2021-06-12 16:49:17 EVENT: GET_CONFIG
2021-06-12 16:49:17 Sending PUSH_REQUEST to server...
2021-06-12 16:49:18 OPTIONS:
0 [route] [192.168.0.0] [255.255.248.0]
1 [dhcp-option] [DNS] [192.168.0.1]
2 [dhcp-option] [DNS] [8.8.8.8]
3 [route] [192.168.0.0] [255.255.255.0] [10.0.182.1] [1]
4 [route-gateway] [10.0.182.1]
5 [topology] [subnet]
6 [ping] [10]
7 [ping-restart] [480]
8 [ifconfig] [10.0.182.5] [255.255.255.0]
2021-06-12 16:49:18 PROTOCOL OPTIONS:
cipher: AES-256-CBC
digest: SHA1
compress: NONE
peer ID: -1
2021-06-12 16:49:18 EVENT: ASSIGN_IP
2021-06-12 16:49:18 NIP: preparing TUN network settings
2021-06-12 16:49:18 NIP: init TUN network settings with
endpoint: xxxx
2021-06-12 16:49:18 NIP: adding IPv4 address to network
settings 10.0.182.5/255.255.255.0
2021-06-12 16:49:18 NIP: adding (included) IPv4 route
10.0.182.0/24
2021-06-12 16:49:18 NIP: adding (included) IPv4 route
192.168.0.0/21
2021-06-12 16:49:18 NIP: adding DNS 192.168.0.251
2021-06-12 16:49:18 NIP: adding DNS 8.8.8.8
2021-06-12 16:49:18 NIP: adding match domain ALL
2021-06-12 16:49:18 NIP: adding DNS specific routes:
2021-06-12 16:49:18 NIP: adding (included) IPv4 route
192.168.0.251/32
2021-06-12 16:49:18 NIP: adding (included) IPv4 route
8.8.8.8/32
2021-06-12 16:49:18 Connected via NetworkExtensionTUN
2021-06-12 16:49:18 EVENT: CONNECTED
xxxx@xxxx@xxxx:1194 (xxxx) via /TCPv4 on
NetworkExtensionTUN/10.0.182.5/ gw=[/]
2021-06-12 16:50:26 OS Event: SLEEP
2021-06-12 16:50:26 EVENT: PAUSE
2021-06-12 16:54:15 OS Event: WAKEUP
2021-06-12 16:54:18 RESUME TEST:
Internet:ReachableViaWiFi/-R -------
2021-06-12 16:54:18 STANDARD RESUME
2021-06-12 16:54:18 EVENT: RESUME
2021-06-12 16:54:18 EVENT: RECONNECTING
2021-06-12 16:54:18 EVENT: RESOLVE
2021-06-12 16:54:18 Contacting [xxxx]:1194/TCP via TCPv4
2021-06-12 16:54:18 EVENT: WAIT
2021-06-12 16:54:18 Connecting to [xxxx]:1194 (xxxx) via
TCPv4
2021-06-12 16:54:18 EVENT: CONNECTING
2021-06-12 16:54:18 Tunnel Options:V4,dev-type tun,link-mtu
1559,
tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-
CBC,auth SHA1,
keysize 256,tls-auth,key-method 2,tls-client
2021-06-12 16:54:18 Creds: Username/Password
2021-06-12 16:54:18 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
2021-06-12 16:54:18 VERIFY OK: depth=1,
/C=US/ST=Newyork/L=syracuse/xxxx/
emailAddress=xxxk.com/CN=openvpn-ca-default
2021-06-12 16:54:18 VERIFY OK: depth=0,
/C=US/ST=Newyork/L=Syracuse/xxxx/
emailAddress=xxxx.com/CN=vpn.xxxx
2021-06-12 16:54:19 SSL Handshake: CN=vpn.xxxx, TLSv1.3,
cipher TLSv1.3
TLS_AES_256_GCM_SHA384, 2048 bit RSA
2021-06-12 16:54:19 Session is ACTIVE
2021-06-12 16:54:19 EVENT: GET_CONFIG
2021-06-12 16:54:19 Sending PUSH_REQUEST to server...
2021-06-12 16:54:20 Sending PUSH_REQUEST to server...
2021-06-12 16:54:21 AUTH_FAILED
2021-06-12 16:54:21 EVENT: AUTH_FAILED [ERR]
2021-06-12 16:54:21 Raw stats on disconnect:
BYTES_IN : 15099
BYTES_OUT : 12022
PACKETS_IN : 42
PACKETS_OUT : 57
TUN_BYTES_IN : 2033
TUN_BYTES_OUT : 4864
TUN_PACKETS_IN : 31
TUN_PACKETS_OUT : 31
N_PAUSE : 1
N_RECONNECT : 1
2021-06-12 16:54:21 Performance stats on disconnect:
CPU usage (microseconds): 126784
Tunnel compression ratio (uplink): 5.91343
Tunnel compression ratio (downlink): 3.10424
Network bytes per CPU second: 213915
Tunnel bytes per CPU second: 54399
2021-06-12 16:54:21 EVENT: DISCONNECTED
2021-06-12 16:54:21 Raw stats on disconnect:
BYTES_IN : 15099
BYTES_OUT : 12022
PACKETS_IN : 42
PACKETS_OUT : 57
TUN_BYTES_IN : 2033
TUN_BYTES_OUT : 4864
TUN_PACKETS_IN : 31
TUN_PACKETS_OUT : 31
AUTH_FAILED : 1
N_PAUSE : 1
N_RECONNECT : 1
2021-06-12 16:54:21 Performance stats on disconnect:
CPU usage (microseconds): 133514
Tunnel compression ratio (uplink): 5.91343
Tunnel compression ratio (downlink): 3.10424
Network bytes per CPU second: 203132
Tunnel bytes per CPU second: 51657
2021-06-12 16:57:03 1
2021-06-12 16:57:03 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-06-12 16:57:03 OpenVPN core 3.git::58b92569 ios arm64
64-bit
2021-06-12 16:57:03 Frame=512/2048/512 mssfix-ctrl=1250
2021-06-12 16:57:03 UNUSED OPTIONS
1 [persist-tun]
2 [persist-key]
5 [tls-client]
7 [reneg-sec] [0]
8 [resolv-retry] [infinite]
10 [verify-x509-name] [vpn.xxxx] [name]
2021-06-12 16:57:03 EVENT: RESOLVE
2021-06-12 16:57:03 Contacting [xxxxx]:1194/TCP via TCPv4
2021-06-12 16:57:03 EVENT: WAIT
2021-06-12 16:57:03 Connecting to [xxxx]:1194 (xxx) via TCPv4
2021-06-12 16:57:03 EVENT: CONNECTING
2021-06-12 16:57:03 Tunnel Options:V4,dev-type tun,link-mtu
1559,tun-mtu 1500,
proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth
SHA1,keysize 256,
tls-auth,key-method 2,tls-client
2021-06-12 16:57:03 Creds: Username/Password
2021-06-12 16:57:03 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
2021-06-12 16:57:03 VERIFY OK: depth=1,
/C=US/ST=Newyork/L=syracuse/xxxx/
emailAddress=xxxxx.com/CN=openvpn-ca-default
2021-06-12 16:57:03 VERIFY OK: depth=0,
/C=US/ST=Newyork/L=Syracuse/xxxx/
emailAddress=xxxxx.com/CN=vpn.xxxx
2021-06-12 16:57:04 SSL Handshake: CN=vpn.xxxx, TLSv1.3,
cipher TLSv1.3
TLS_AES_256_GCM_SHA384, 2048 bit RSA
2021-06-12 16:57:04 Session is ACTIVE
2021-06-12 16:57:04 EVENT: GET_CONFIG
2021-06-12 16:57:04 Sending PUSH_REQUEST to server...
2021-06-12 16:57:05 OPTIONS:
0 [route] [192.168.0.0] [255.255.248.0]
1 [dhcp-option] [DNS] [192.168.0.251]
2 [dhcp-option] [DNS] [8.8.8.8]
3 [route] [192.168.0.0] [255.255.255.0] [10.0.182.1] [1]
4 [route-gateway] [10.0.182.1]
5 [topology] [subnet]
6 [ping] [10]
7 [ping-restart] [480]
8 [ifconfig] [10.0.182.5] [255.255.255.0]
2021-06-12 16:57:05 PROTOCOL OPTIONS:
cipher: AES-256-CBC
digest: SHA1
compress: NONE
peer ID: -1
2021-06-12 16:57:05 EVENT: ASSIGN_IP
2021-06-12 16:57:05 NIP: preparing TUN network settings
2021-06-12 16:57:05 NIP: init TUN network settings with
endpoint: xxxx
2021-06-12 16:57:05 NIP: adding IPv4 address to network
settings 10.0.182.5/255.255.255.0
2021-06-12 16:57:05 NIP: adding (included) IPv4 route
10.0.182.0/24
2021-06-12 16:57:05 NIP: adding (included) IPv4 route
192.168.0.0/21
2021-06-12 16:57:05 NIP: adding DNS 192.168.0.201
2021-06-12 16:57:05 NIP: adding DNS 8.8.8.8
2021-06-12 16:57:05 NIP: adding match domain ALL
2021-06-12 16:57:05 NIP: adding DNS specific routes:
2021-06-12 16:57:05 NIP: adding (included) IPv4 route
192.168.0.201/32
2021-06-12 16:57:05 NIP: adding (included) IPv4 route
8.8.8.8/32
2021-06-12 16:57:05 Connected via NetworkExtensionTUN
2021-06-12 16:57:05 EVENT: CONNECTED
xxxx@xxxx@xxxx:1194 (xxxx) via
/TCPv4 on NetworkExtensionTUN/10.0.182.5/ gw=[/]
2021-06-12 16:58:23 OS Event: SLEEP
2021-06-12 16:58:23 EVENT: PAUSE
2021-06-12 16:58:26 OS Event: WAKEUP
2021-06-12 16:58:29 RESUME TEST:
Internet:ReachableViaWiFi/-R -------
2021-06-12 16:58:29 STANDARD RESUME
2021-06-12 16:58:29 EVENT: RESUME
2021-06-12 16:58:29 EVENT: RECONNECTING
2021-06-12 16:58:29 EVENT: RESOLVE
2021-06-12 16:58:29 Contacting [xxxx]:1194/TCP via TCPv4
2021-06-12 16:58:29 EVENT: WAIT
2021-06-12 16:58:29 Connecting to [xxxx]:1194 (xxxx) via
TCPv4
2021-06-12 16:58:29 OS Event: SLEEP
2021-06-12 16:58:29 EVENT: PAUSE
2021-06-12 17:02:09 OS Event: WAKEUP
2021-06-12 17:02:12 RESUME TEST:
Internet:ReachableViaWiFi/-R -------
2021-06-12 17:02:12 STANDARD RESUME
2021-06-12 17:02:12 EVENT: RESUME
2021-06-12 17:02:12 EVENT: RECONNECTING
2021-06-12 17:02:12 EVENT: RESOLVE
2021-06-12 17:02:12 Contacting [xxxx]:1194/TCP via TCPv4
2021-06-12 17:02:12 EVENT: WAIT
2021-06-12 17:02:12 Connecting to [xxxx]:1194 (xxxx) via
TCPv4
2021-06-12 17:02:12 EVENT: CONNECTING
2021-06-12 17:02:12 Tunnel Options:V4,dev-type tun,link-mtu
1559,tun-mtu
1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth
SHA1,keysize 256,
tls-auth,key-method 2,tls-client
2021-06-12 17:02:12 Creds: Username/Password
2021-06-12 17:02:12 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
2021-06-12 17:02:12 VERIFY OK: depth=1,
/C=US/ST=Newyork/L=syracuse/xxxx/
emailAddress=xxxx.com/CN=openvpn-ca-default
2021-06-12 17:02:12 VERIFY OK: depth=0,
/C=US/ST=Newyork/L=Syracuse/xxxx/
emailAddress=xxxx.com/CN=vpn.xxxx
2021-06-12 17:02:13 SSL Handshake: CN=vpn.xxxxx, TLSv1.3,
cipher TLSv1.3
TLS_AES_256_GCM_SHA384, 2048 bit RSA
2021-06-12 17:02:13 Session is ACTIVE
2021-06-12 17:02:13 EVENT: GET_CONFIG
2021-06-12 17:02:13 Sending PUSH_REQUEST to server...
2021-06-12 17:02:14 Sending PUSH_REQUEST to server...
2021-06-12 17:02:14 AUTH_FAILED
2021-06-12 17:02:14 EVENT: AUTH_FAILED [ERR]
2021-06-12 17:02:14 Raw stats on disconnect:
BYTES_IN : 10639
BYTES_OUT : 9542
PACKETS_IN : 30
PACKETS_OUT : 38
TUN_BYTES_IN : 484
TUN_BYTES_OUT : 1370
TUN_PACKETS_IN : 8
TUN_PACKETS_OUT : 8
N_PAUSE : 2
N_RECONNECT : 2
2021-06-12 17:02:14 Performance stats on disconnect:
CPU usage (microseconds): 131748
Tunnel compression ratio (uplink): 19.7149
Tunnel compression ratio (downlink): 7.76569
Network bytes per CPU second: 153178
Tunnel bytes per CPU second: 14072
2021-06-12 17:02:14 EVENT: DISCONNECTED
2021-06-12 17:02:14 Raw stats on disconnect:
BYTES_IN : 10639
BYTES_OUT : 9542
PACKETS_IN : 30
PACKETS_OUT : 38
TUN_BYTES_IN : 484
TUN_BYTES_OUT : 1370
TUN_PACKETS_IN : 8
TUN_PACKETS_OUT : 8
AUTH_FAILED : 1
N_PAUSE : 2
N_RECONNECT : 2
2021-06-12 17:02:14 Performance stats on disconnect:
CPU usage (microseconds): 138191
Tunnel compression ratio (uplink): 19.7149
T
Thanks
OpenVPN 3.2 / IOS 14.6 with Google Authenticator reneg-sec 0 has no effect - connection being disconnected
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: OpenVPN 3.2 / IOS 14.6 with Google Authenticator reneg-sec 0 has no effect - connection being disconnected
Hello shaw22,
It is always a little difficult to pinpoint the exact solution from one log and a description, but I believe the problem is related to authentication. It seems the device has gone to sleep and then resumed and now OpenVPN Connect needs to reconnect. I can see that it tries to do so but is obviously missing the 2FA factor. This looks like an open source server. I would suggest you look into enabling session tokens. That way, when the OpenVPN connection wants to start up again after a device sleep, it can offer the session token, and reconnect again. OpenVPN Access Server and our OpenVPN Cloud products both use session tokens to make this experience smoother.
People often confuse reauthentication with rekeying. The rekeying is where the data channel encryption key gets replaced. Reneg-sec controls when either server or client triggers a request for a rekey. When this is done, the client will be asked to reauthenticate - we can't have just anyone requesting a new encryption key. But it will be able to do this normally with a session token. Meaning the user isn't challenged to enter his details every single time the data channel key gets replaced. In your case though what you did basically changed nothing because it just turned it off on the client side, but the server probably still has a default value set. You shouldn't disable it completely in any case, that's not good for your security.
Another thing I see is that the log shows connection attempts to a TCP server. OpenVPN Access Server by default is set up to use UDP and TCP. And UDP will then always be tried first. That is because despite what people might think about TCP being more stable than UDP, the opposite is true when you transport a TCP stream inside a TCP stream. For more information on that phenomenon read up on what is called 'TCP Meltdown'. In short though what I recommend here is that you try to let the connection establish via UDP, as it may be more stable.
I hope that information helps.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
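One way to check from a client log whether each AUTH_FAILED follows a sleep/wake reconnect, as the reply above concludes, rather than a mid-session reauthentication. This is an added example, not code from the original posts or from OpenVPN; the function names and result keys are assumptions, and the sample log is constructed in the format of the logs quoted in this thread.

```python
import re
from datetime import datetime

# Constructed sample in the format of the OpenVPN Connect (iOS) logs quoted in this thread.
SAMPLE_LOG = """\
2021-06-12 16:49:16 ----- OpenVPN Start -----
2021-06-12 16:49:16 UNUSED OPTIONS
1 [persist-tun]
7 [reneg-sec] [0]
2021-06-12 16:49:16 EVENT: CONNECTING
2021-06-12 16:49:16 Creds: Username/Password
2021-06-12 16:49:18 EVENT: CONNECTED
2021-06-12 16:50:26 OS Event: SLEEP
2021-06-12 16:50:26 EVENT: PAUSE
2021-06-12 16:54:15 OS Event: WAKEUP
2021-06-12 16:54:18 EVENT: RESUME
2021-06-12 16:54:18 EVENT: RECONNECTING
2021-06-12 16:54:18 EVENT: CONNECTING
2021-06-12 16:54:18 Creds: Username/Password
2021-06-12 16:54:21 AUTH_FAILED
2021-06-12 16:54:21 EVENT: AUTH_FAILED [ERR]
2021-06-12 16:54:21 EVENT: DISCONNECTED
2021-06-12 16:54:21 Raw stats on disconnect:
AUTH_FAILED : 1
N_RECONNECT : 1
"""

TS_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
UNUSED_OPT = re.compile(r"^\d+ \[([^\]]+)\]")


def parse(log_text):
    """Yield (timestamp, message); timestamp is None for continuation lines."""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2).strip()
        else:
            yield None, line


def analyze(log_text):
    """Classify every 'EVENT: AUTH_FAILED' by what preceded it in the log."""
    unused, failures = set(), []
    in_unused = False            # True while reading the UNUSED OPTIONS list
    connected_at = sleep_at = None
    slept = 0                    # seconds asleep since the last CONNECTED
    reconnecting = False
    for ts, msg in parse(log_text):
        if ts is None:
            m = UNUSED_OPT.match(msg)
            if in_unused and m:
                unused.add(m.group(1))
            continue             # stats lines such as 'AUTH_FAILED : 1' are skipped
        in_unused = msg == "UNUSED OPTIONS"
        if "OpenVPN Start" in msg:
            connected_at, sleep_at, slept, reconnecting = None, None, 0, False
        elif msg.startswith("EVENT: CONNECTED"):
            connected_at, slept, reconnecting = ts, 0, False
        elif msg == "OS Event: SLEEP":
            sleep_at = ts
        elif msg == "OS Event: WAKEUP" and sleep_at is not None:
            slept += int((ts - sleep_at).total_seconds())
            sleep_at = None
        elif msg == "EVENT: RECONNECTING":
            reconnecting = True
        elif msg.startswith("EVENT: AUTH_FAILED"):
            if connected_at is None:
                cause = "initial-login"          # never got a tunnel up
            elif reconnecting:
                cause = "reconnect-after-sleep" if slept else "reconnect"
            else:
                cause = "in-session-reauth"      # failed while still connected
            since = None
            if connected_at is not None:
                since = int((ts - connected_at).total_seconds())
            failures.append({"at": ts, "cause": cause,
                             "seconds_since_connected": since,
                             "seconds_asleep": slept})
            connected_at, slept, reconnecting = None, 0, False
    return {"unused_options": sorted(unused),
            "client_reneg_sec_ignored": "reneg-sec" in unused,
            "failures": failures}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("reneg-sec listed as unused by client:", report["client_reneg_sec_ignored"])
    for f in report["failures"]:
        print(f["at"], f["cause"], f["seconds_since_connected"], f["seconds_asleep"])
```
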
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: OpenVPN 3.2 / IOS 14.6 with Google Authenticator reneg-sec 0 has no effect - connection being disconnected
Moved topic from Connect: macOS to Connect: iOS.
Re: OpenVPN 3.2 / IOS 14.6 with Google Authenticator reneg-sec 0 has no effect - connection being disconnected
Thank You Johan.
With the Windows and Linux clients connecting to the same server (using the same ovpn file), I am able to keep the connection open for 24 hours without reauthentication by entering reneg-sec 0 on the server side and reneg-sec 86400 on the client side. It looks like the iOS device is triggering a reauthentication - how can I stop the iOS client from issuing a reauthentication request for 24 hours? Is it because of the iPhone going to sleep? See below:
>>>
ovpn config client:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
reneg-sec 0
resolv-retry infinite
remote xxxx.xxxx.xxxx.xxxx 1194 tcp-client
verify-x509-name "vpn.xxxxxx.com" name
auth-user-pass
ns-cert-type server
reneg-sec 86400
**** Log from Windows Workstation using same ovpn config file as the IOS device - No Reauthorization after initial authorization at 22:54 June 13 ****
Sun Jun 13 22:54:17 2021 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:1194 [nonblock]
Sun Jun 13 22:54:18 2021 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:1194
Sun Jun 13 22:54:18 2021 TCPv4_CLIENT link local: [undef]
Sun Jun 13 22:54:18 2021 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Sun Jun 13 22:54:19 2021 [vpn.xxxxx.com] Peer Connection Initiated with [AF_INET]xxxx.xxxx.xxxx.xxxx:1194
Sun Jun 13 22:54:21 2021 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Jun 13 22:54:21 2021 open_tun, tt->ipv6=0
Sun Jun 13 22:54:21 2021 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{7E992055- }.tap
Sun Jun 13 22:54:21 2021 Set TAP-Windows TUN subnet mode network/local/netmask = 10.0.182.0/10.0.182.2/255.255.255.0 [SUCCEEDED]
Sun Jun 13 22:54:21 2021 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.182.2/255.255.255.0 on interface {7E992055-33BA-414C-A0CA-0DF08F5A109F} [DHCP-serv: 10.0.182.254, lease-time: 31536000]
Sun Jun 13 22:54:21 2021 Successful ARP Flush on interface [24] {7E992055-3}
Sun Jun 13 22:54:26 2021 Initialization Sequence Completed
**** end of log from Windows Workstation ****
***** Log from IOS device (Iphone) that shows reauthorization attempt after a few mins ****
2021-06-13 23:53:18 EVENT: GET_CONFIG
2021-06-13 23:53:18 Sending PUSH_REQUEST to server...
2021-06-13 23:53:19 OPTIONS:
0 [route] [192.168.0.0] [255.255.248.0]
1 [dhcp-option] [DNS] [192.168.0.251]
2 [dhcp-option] [DNS] [8.8.8.8]
3 [route] [192.168.0.0] [255.255.255.0] [10.0.182.1] [1]
4 [route-gateway] [10.0.182.1]
5 [topology] [subnet]
6 [ping] [10]
7 [ping-restart] [86400]
8 [ifconfig] [10.0.182.3] [255.255.255.0]
2021-06-13 23:53:19 PROTOCOL OPTIONS:
cipher: AES-256-CBC
digest: SHA1
compress: NONE
peer ID: -1
2021-06-13 23:53:19 EVENT: ASSIGN_IP
2021-06-13 23:53:19 Connected via NetworkExtensionTUN
2021-06-13 23:53:19 EVENT: CONNECTED xxxx@domain.com@xxx.xxx.xxx.xxx:1194 via /TCPv4 on NetworkExtensionTUN/10.0.182.3/ gw=[/]
2021-06-13 23:54:50 OS Event: SLEEP
2021-06-13 23:54:50 EVENT: PAUSE
2021-06-13 23:55:36 OS Event: WAKEUP
2021-06-13 23:55:39 RESUME TEST: Internet:ReachableViaWiFi/-R -------
2021-06-13 23:55:39 STANDARD RESUME
2021-06-13 23:55:39 EVENT: RESUME
2021-06-13 23:55:39 EVENT: RECONNECTING
2021-06-13 23:55:39 EVENT: RESOLVE
2021-06-13 23:55:39 Contacting [xxx.xxx.xxx.xxx]:1194/TCP via TCPv4
2021-06-13 23:55:39 EVENT: WAIT
2021-06-13 23:55:39 Connecting to [xxx.xxx.xxx.xxx]:1194 (xxx.xxxx.xxxx.xxxx) via TCPv4
2021-06-13 23:55:39 EVENT: CONNECTING
2021-06-13 23:55:39 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2021-06-13 23:55:39 Creds: Username/Password
2021-06-13 23:55:39 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
2021-06-13 23:55:39 VERIFY OK: depth=1, /C=US/ST=Newyork/L=syracuse/O=domain/emailAddress=xxxx@domain.com/CN=openvpn-ca-default
2021-06-13 23:55:39 VERIFY OK: depth=0,
/C=US/ST=Newyork/L=Syracuse/O=domain/emailAddress=xxxx@domain.com/CN=vpn.domain.com
2021-06-13 23:55:40 OS Event: SLEEP
2021-06-13 23:55:40 EVENT: PAUSE
2021-06-13 23:58:04 OS Event: WAKEUP
2021-06-13 23:58:07 RESUME TEST: Internet:ReachableViaWiFi/-R -------
2021-06-13 23:58:07 STANDARD RESUME
2021-06-13 23:58:07 EVENT: RESUME
2021-06-13 23:58:07 EVENT: RECONNECTING
2021-06-13 23:58:07 EVENT: RESOLVE
2021-06-13 23:58:07 Contacting [xxx.xxx.xxx.xxx:1194/TCP via TCPv4
2021-06-13 23:58:07 EVENT: WAIT
2021-06-13 23:58:07 Connecting to [xxx.xxx.xxx.xxx]:1194 () via TCPv4
2021-06-13 23:58:07 EVENT: CONNECTING
2021-06-13 23:58:07 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2021-06-13 23:58:07 Creds: Username/Password
2021-06-13 23:58:07 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
2021-06-13 23:55:39 VERIFY OK: depth=1, /C=US/ST=Newyork/L=syracuse/O=domain/emailAddress=xxxx@domain.com/CN=openvpn-ca-default
2021-06-13 23:55:39 VERIFY OK: depth=0,
/C=US/ST=Newyork/L=Syracuse/O=domain/emailAddress=xxxx@domain.com/CN=vpn.domain.com
2021-06-13 23:58:08 OS Event: SLEEP
2021-06-13 23:58:08 EVENT: PAUSE
2021-06-13 23:59:57 OS Event: WAKEUP
2021-06-14 00:00:00 RESUME TEST: Internet:ReachableViaWiFi/-R -------
2021-06-14 00:00:00 STANDARD RESUME
2021-06-14 00:00:00 EVENT: RESUME
2021-06-14 00:00:00 EVENT: RECONNECTING
2021-06-14 00:00:00 EVENT: RESOLVE
2021-06-14 00:00:00 Contacting [xxx.xxx.xxx.xxx]:1194/TCP via TCPv4
2021-06-14 00:00:00 EVENT: WAIT
2021-06-14 00:00:00 Connecting to [xxx.xxx.xxx.xxx]:1194 ( ) via TCPv4
2021-06-14 00:00:00 EVENT: CONNECTING
2021-06-14 00:00:00 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2021-06-14 00:00:00 Creds: Username/Password
2021-06-14 00:00:00 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
2021-06-13 23:55:39 VERIFY OK: depth=1, /C=US/ST=Newyork/L=syracuse/O=domain/emailAddress=xxxx@domain.com/CN=openvpn-ca-default
2021-06-13 23:55:39 VERIFY OK: depth=0,
/C=US/ST=Newyork/L=Syracuse/O=domain/emailAddress=xxxx@domain.com/CN=vpn.domain.com
2021-06-14 00:00:01 SSL Handshake: CN=vpn.domain.com, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2021-06-14 00:00:01 Session is ACTIVE
2021-06-14 00:00:01 EVENT: GET_CONFIG
2021-06-14 00:00:01 Sending PUSH_REQUEST to server...
2021-06-14 00:00:02 Sending PUSH_REQUEST to server...
2021-06-14 00:00:02 AUTH_FAILED
2021-06-14 00:00:02 EVENT: AUTH_FAILED [ERR]
2021-06-14 00:00:02 Raw stats on disconnect:
BYTES_IN : 19339
BYTES_OUT : 18157
PACKETS_IN : 49
PACKETS_OUT : 60
TUN_BYTES_IN : 1121
TUN_BYTES_OUT : 2860
TUN_PACKETS_IN : 17
TUN_PACKETS_OUT : 17
N_PAUSE : 3
N_RECONNECT : 3
2021-06-14 00:00:02 Performance stats on disconnect:
CPU usage (microseconds): 162643
Tunnel compression ratio (uplink): 16.1971
Tunnel compression ratio (downlink): 6.76189
Network bytes per CPU second: 230541
Tunnel bytes per CPU second: 24476
2021-06-14 00:00:02 EVENT: DISCONNECTED
2021-06-14 00:00:02 Raw stats on disconnect:
BYTES_IN : 19339
BYTES_OUT : 18157
PACKETS_IN : 49
PACKETS_OUT : 60
TUN_BYTES_IN : 1121
TUN_BYTES_OUT : 2860
TUN_PACKETS_IN : 17
TUN_PACKETS_OUT : 17
AUTH_FAILED : 1
N_PAUSE : 3
N_RECONNECT : 3
2021-06-14 00:00:02 Performance stats on disconnect:
CPU usage (microseconds): 171624
Tunnel compression ratio (uplink): 16.1971
Tunnel compression ratio (downlink): 6.76189
Network bytes per CPU second: 218477
Tunnel bytes per CPU second: 23196
****** end of log ios iphone ****
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: OpenVPN 3.2 / IOS 14.6 with Google Authenticator reneg-sec 0 has no effect - connection being disconnected
Hello shaw22,
You can't stop a reauthentication on iOS after a sleep. But session tokens make things relatively smooth. Or autologin profiles. And yes it is because the device goes to sleep. When the iOS device goes to sleep, the VPN API goes dead. There is no way around that unless you jailbreak and use alternative software (if software that does that exists). But this will have serious impact on your battery life for sure, even if you manage to do it.
I suggest looking into session tokens. Generating those and providing those to the client, so that it can reestablish connection within a reasonable timeframe to this server without having to reauthenticate. But a long sleep and such a token can still expire. But you could make session tokens last a long time; it's configurable.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sat Jul 24, 2021 8:57 pm
Re: OpenVPN 3.2 / IOS 14.6 with Google Authenticator reneg-sec 0 has no effect - connection being disconnected
We have exactly the same issue here with iOS devices and am a little confused about the comment saying the iOS device is going to sleep, as we are actively using the device and connection when it drops off after an attempt to reauthenticate. It is always around 5 mins of use before this occurs.
I will also look into session tokens to see if that helps but the device is not going to sleep for sure.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sat Jul 24, 2021 8:57 pm
Re: OpenVPN 3.2 / IOS 14.6 with Google Authenticator reneg-sec 0 has no effect - connection being disconnected
Just to add to this, I tested on an iOS device version 14.3 with OpenVPN 3.2.3 and the issue is not present - the client does not disconnect.
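Whether an AUTH_FAILED follows a sleep/wake reconnect or happens during active use, the point the posts above disagree on, can be read from the client log itself. The following is an added example, not part of any post in this thread: it classifies each `EVENT: AUTH_FAILED` by the events that preceded it. The sample log is constructed in the format quoted above, the function and field names are hypothetical, and it assumes the full client log contains an `EVENT: CONNECTED` line for each successful connection.

```python
import re
from datetime import datetime

# Constructed sample in the OpenVPN Connect log format quoted in this thread.
SAMPLE_LOG = """\
2021-06-13 23:55:40 EVENT: CONNECTED
2021-06-13 23:58:08 OS Event: SLEEP
2021-06-13 23:58:08 EVENT: PAUSE
2021-06-13 23:59:57 OS Event: WAKEUP
2021-06-14 00:00:00 EVENT: RECONNECTING
2021-06-14 00:00:01 Session is ACTIVE
2021-06-14 00:00:02 AUTH_FAILED
2021-06-14 00:00:02 EVENT: AUTH_FAILED [ERR]
AUTH_FAILED : 1
2021-06-14 09:00:00 EVENT: CONNECTED
2021-06-14 09:05:03 EVENT: AUTH_FAILED [ERR]
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")

def classify_auth_failures(log_text):
    """Return one dict per 'EVENT: AUTH_FAILED' with the context that led to it."""
    results = []
    connected_at = None               # time of the last successful connect
    slept = reconnecting = False      # seen since that connect
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                  # stats and peer-info lines carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("EVENT: CONNECTED"):
            connected_at, slept, reconnecting = ts, False, False
        elif msg.startswith("OS Event: SLEEP"):
            slept = True
        elif msg.startswith("EVENT: RECONNECTING"):
            reconnecting = True
        elif msg.startswith("EVENT: AUTH_FAILED"):
            if reconnecting:
                cause = "reconnect-after-sleep" if slept else "reconnect-without-sleep"
            else:
                cause = "in-session"  # failed while the tunnel was up and in use
            age = int((ts - connected_at).total_seconds()) if connected_at else None
            results.append({"time": m.group(1), "cause": cause,
                            "secs_since_connected": age})
            connected_at, slept, reconnecting = None, False, False
    return results

if __name__ == "__main__":
    for failure in classify_auth_failures(SAMPLE_LOG):
        print(failure)
```

A `reconnect-after-sleep` result corresponds to the sequence in the log posted at the top of the thread; an `in-session` result roughly 300 seconds after connect corresponds to the behaviour described in the later reply.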