OpenVPN 3.2 / IOS 14.6 with Google Authenticator reneg-sec 0 has no effect - connection being disconnected


Post by shaw22 » Sun Jun 13, 2021 12:46 am

Hi,
OpenVPN on my iPhone with Google Authenticator is getting disconnected (AUTH_FAILED error) after about 5 minutes, even though I have reneg-sec 86400 (one day) on the server (tried with reneg-sec 0 and reneg-sec 86400 on client side - both did not work).

Authentication is failing with the Google Authenticator option enabled. If I disable Google Authenticator and just do the regular VPN password, the VPN connection stays on.

Following is the log file:

>>>
2021-06-12 16:49:16 1

2021-06-12 16:49:16 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-12 16:49:16 OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-12 16:49:16 Frame=512/2048/512 mssfix-ctrl=1250

2021-06-12 16:49:16 UNUSED OPTIONS
1 [persist-tun]
2 [persist-key]
5 [tls-client]
7 [reneg-sec] [0]
8 [resolv-retry] [infinite]
10 [verify-x509-name] [vpn.xxxx.com] [name]

2021-06-12 16:49:16 EVENT: RESOLVE

2021-06-12 16:49:16 Contacting [ ]:1194/TCP via TCPv4

2021-06-12 16:49:16 EVENT: WAIT

2021-06-12 16:49:16 Connecting to [xxxx.xxxx.xxxx.xxx]:1194 (xxxxx) via TCPv4

2021-06-12 16:49:16 EVENT: CONNECTING

2021-06-12 16:49:16 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client

2021-06-12 16:49:16 Creds: Username/Password

2021-06-12 16:49:16 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl


2021-06-12 16:49:16 VERIFY OK: depth=1, /C=US/ST=Newyork/L=syracuse/xxx/emailAddress=xxxk.com/CN=openvpn-ca-default

2021-06-12 16:49:16 VERIFY OK: depth=0, /C=US/ST=Newyork/L=Syracuse/xxxx/emailAddress=xxxxxe.com/CN=vpn.xxxx

2021-06-12 16:49:17 SSL Handshake: CN=vpn.xxxx, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA

2021-06-12 16:49:17 Session is ACTIVE

2021-06-12 16:49:17 EVENT: GET_CONFIG

2021-06-12 16:49:17 Sending PUSH_REQUEST to server...

2021-06-12 16:49:18 OPTIONS:
0 [route] [192.168.0.0] [255.255.248.0]
1 [dhcp-option] [DNS] [192.168.0.1]
2 [dhcp-option] [DNS] [8.8.8.8]
3 [route] [192.168.0.0] [255.255.255.0] [10.0.182.1] [1]
4 [route-gateway] [10.0.182.1]
5 [topology] [subnet]
6 [ping] [10]
7 [ping-restart] [480]
8 [ifconfig] [10.0.182.5] [255.255.255.0]


2021-06-12 16:49:18 PROTOCOL OPTIONS:
cipher: AES-256-CBC
digest: SHA1
compress: NONE
peer ID: -1

2021-06-12 16:49:18 EVENT: ASSIGN_IP

2021-06-12 16:49:18 NIP: preparing TUN network settings

2021-06-12 16:49:18 NIP: init TUN network settings with endpoint: xxxx

2021-06-12 16:49:18 NIP: adding IPv4 address to network settings 10.0.182.5/255.255.255.0

2021-06-12 16:49:18 NIP: adding (included) IPv4 route 10.0.182.0/24

2021-06-12 16:49:18 NIP: adding (included) IPv4 route 192.168.0.0/21

2021-06-12 16:49:18 NIP: adding DNS 192.168.0.251

2021-06-12 16:49:18 NIP: adding DNS 8.8.8.8

2021-06-12 16:49:18 NIP: adding match domain ALL

2021-06-12 16:49:18 NIP: adding DNS specific routes:

2021-06-12 16:49:18 NIP: adding (included) IPv4 route 192.168.0.251/32

2021-06-12 16:49:18 NIP: adding (included) IPv4 route 8.8.8.8/32

2021-06-12 16:49:18 Connected via NetworkExtensionTUN

2021-06-12 16:49:18 EVENT: CONNECTED xxxx@xxxx@xxxx:1194 (xxxx) via /TCPv4 on NetworkExtensionTUN/10.0.182.5/ gw=[/]

2021-06-12 16:50:26 OS Event: SLEEP

2021-06-12 16:50:26 EVENT: PAUSE

2021-06-12 16:54:15 OS Event: WAKEUP

2021-06-12 16:54:18 RESUME TEST: Internet:ReachableViaWiFi/-R -------

2021-06-12 16:54:18 STANDARD RESUME

2021-06-12 16:54:18 EVENT: RESUME

2021-06-12 16:54:18 EVENT: RECONNECTING

2021-06-12 16:54:18 EVENT: RESOLVE

2021-06-12 16:54:18 Contacting [xxxx]:1194/TCP via TCPv4

2021-06-12 16:54:18 EVENT: WAIT

2021-06-12 16:54:18 Connecting to [xxxx]:1194 (xxxx) via TCPv4

2021-06-12 16:54:18 EVENT: CONNECTING

2021-06-12 16:54:18 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client

2021-06-12 16:54:18 Creds: Username/Password

2021-06-12 16:54:18 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl


2021-06-12 16:54:18 VERIFY OK: depth=1, /C=US/ST=Newyork/L=syracuse/xxxx/emailAddress=xxxk.com/CN=openvpn-ca-default

2021-06-12 16:54:18 VERIFY OK: depth=0, /C=US/ST=Newyork/L=Syracuse/xxxx/emailAddress=xxxx.com/CN=vpn.xxxx

2021-06-12 16:54:19 SSL Handshake: CN=vpn.xxxx, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA

2021-06-12 16:54:19 Session is ACTIVE

2021-06-12 16:54:19 EVENT: GET_CONFIG

2021-06-12 16:54:19 Sending PUSH_REQUEST to server...

2021-06-12 16:54:20 Sending PUSH_REQUEST to server...

2021-06-12 16:54:21 AUTH_FAILED

2021-06-12 16:54:21 EVENT: AUTH_FAILED [ERR]

2021-06-12 16:54:21 Raw stats on disconnect:
BYTES_IN : 15099
BYTES_OUT : 12022
PACKETS_IN : 42
PACKETS_OUT : 57
TUN_BYTES_IN : 2033
TUN_BYTES_OUT : 4864
TUN_PACKETS_IN : 31
TUN_PACKETS_OUT : 31
N_PAUSE : 1
N_RECONNECT : 1

2021-06-12 16:54:21 Performance stats on disconnect:
CPU usage (microseconds): 126784
Tunnel compression ratio (uplink): 5.91343
Tunnel compression ratio (downlink): 3.10424
Network bytes per CPU second: 213915
Tunnel bytes per CPU second: 54399

2021-06-12 16:54:21 EVENT: DISCONNECTED

2021-06-12 16:54:21 Raw stats on disconnect:
BYTES_IN : 15099
BYTES_OUT : 12022
PACKETS_IN : 42
PACKETS_OUT : 57
TUN_BYTES_IN : 2033
TUN_BYTES_OUT : 4864
TUN_PACKETS_IN : 31
TUN_PACKETS_OUT : 31
AUTH_FAILED : 1
N_PAUSE : 1
N_RECONNECT : 1

2021-06-12 16:54:21 Performance stats on disconnect:
CPU usage (microseconds): 133514
Tunnel compression ratio (uplink): 5.91343
Tunnel compression ratio (downlink): 3.10424
Network bytes per CPU second: 203132
Tunnel bytes per CPU second: 51657

2021-06-12 16:57:03 1

2021-06-12 16:57:03 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-12 16:57:03 OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-12 16:57:03 Frame=512/2048/512 mssfix-ctrl=1250

2021-06-12 16:57:03 UNUSED OPTIONS
1 [persist-tun]
2 [persist-key]
5 [tls-client]
7 [reneg-sec] [0]
8 [resolv-retry] [infinite]
10 [verify-x509-name] [vpn.xxxx] [name]

2021-06-12 16:57:03 EVENT: RESOLVE

2021-06-12 16:57:03 Contacting [xxxxx]:1194/TCP via TCPv4

2021-06-12 16:57:03 EVENT: WAIT

2021-06-12 16:57:03 Connecting to [xxxx]:1194 (xxx) via TCPv4

2021-06-12 16:57:03 EVENT: CONNECTING

2021-06-12 16:57:03 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client

2021-06-12 16:57:03 Creds: Username/Password

2021-06-12 16:57:03 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl


2021-06-12 16:57:03 VERIFY OK: depth=1, /C=US/ST=Newyork/L=syracuse/xxxx/emailAddress=xxxxx.com/CN=openvpn-ca-default

2021-06-12 16:57:03 VERIFY OK: depth=0, /C=US/ST=Newyork/L=Syracuse/xxxx/emailAddress=xxxxx.com/CN=vpn.xxxx

2021-06-12 16:57:04 SSL Handshake: CN=vpn.xxxx, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA

2021-06-12 16:57:04 Session is ACTIVE

2021-06-12 16:57:04 EVENT: GET_CONFIG

2021-06-12 16:57:04 Sending PUSH_REQUEST to server...

2021-06-12 16:57:05 OPTIONS:
0 [route] [192.168.0.0] [255.255.248.0]
1 [dhcp-option] [DNS] [192.168.0.251]
2 [dhcp-option] [DNS] [8.8.8.8]
3 [route] [192.168.0.0] [255.255.255.0] [10.0.182.1] [1]
4 [route-gateway] [10.0.182.1]
5 [topology] [subnet]
6 [ping] [10]
7 [ping-restart] [480]
8 [ifconfig] [10.0.182.5] [255.255.255.0]


2021-06-12 16:57:05 PROTOCOL OPTIONS:
cipher: AES-256-CBC
digest: SHA1
compress: NONE
peer ID: -1

2021-06-12 16:57:05 EVENT: ASSIGN_IP

2021-06-12 16:57:05 NIP: preparing TUN network settings

2021-06-12 16:57:05 NIP: init TUN network settings with endpoint: xxxx

2021-06-12 16:57:05 NIP: adding IPv4 address to network settings 10.0.182.5/255.255.255.0

2021-06-12 16:57:05 NIP: adding (included) IPv4 route 10.0.182.0/24

2021-06-12 16:57:05 NIP: adding (included) IPv4 route 192.168.0.0/21

2021-06-12 16:57:05 NIP: adding DNS 192.168.0.201

2021-06-12 16:57:05 NIP: adding DNS 8.8.8.8

2021-06-12 16:57:05 NIP: adding match domain ALL

2021-06-12 16:57:05 NIP: adding DNS specific routes:

2021-06-12 16:57:05 NIP: adding (included) IPv4 route 192.168.0.201/32

2021-06-12 16:57:05 NIP: adding (included) IPv4 route 8.8.8.8/32

2021-06-12 16:57:05 Connected via NetworkExtensionTUN

2021-06-12 16:57:05 EVENT: CONNECTED xxxx@xxxx@xxxx:1194 (xxxx) via /TCPv4 on NetworkExtensionTUN/10.0.182.5/ gw=[/]

2021-06-12 16:58:23 OS Event: SLEEP

2021-06-12 16:58:23 EVENT: PAUSE

2021-06-12 16:58:26 OS Event: WAKEUP

2021-06-12 16:58:29 RESUME TEST: Internet:ReachableViaWiFi/-R -------

2021-06-12 16:58:29 STANDARD RESUME

2021-06-12 16:58:29 EVENT: RESUME

2021-06-12 16:58:29 EVENT: RECONNECTING

2021-06-12 16:58:29 EVENT: RESOLVE

2021-06-12 16:58:29 Contacting [xxxx]:1194/TCP via TCPv4

2021-06-12 16:58:29 EVENT: WAIT

2021-06-12 16:58:29 Connecting to [xxxx]:1194 (xxxx) via TCPv4

2021-06-12 16:58:29 OS Event: SLEEP

2021-06-12 16:58:29 EVENT: PAUSE

2021-06-12 17:02:09 OS Event: WAKEUP

2021-06-12 17:02:12 RESUME TEST: Internet:ReachableViaWiFi/-R -------

2021-06-12 17:02:12 STANDARD RESUME

2021-06-12 17:02:12 EVENT: RESUME

2021-06-12 17:02:12 EVENT: RECONNECTING

2021-06-12 17:02:12 EVENT: RESOLVE

2021-06-12 17:02:12 Contacting [xxxx]:1194/TCP via TCPv4

2021-06-12 17:02:12 EVENT: WAIT

2021-06-12 17:02:12 Connecting to [xxxx]:1194 (xxxx) via TCPv4

2021-06-12 17:02:12 EVENT: CONNECTING

2021-06-12 17:02:12 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client

2021-06-12 17:02:12 Creds: Username/Password

2021-06-12 17:02:12 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl


2021-06-12 17:02:12 VERIFY OK: depth=1, /C=US/ST=Newyork/L=syracuse/xxxx/emailAddress=xxxx.com/CN=openvpn-ca-default

2021-06-12 17:02:12 VERIFY OK: depth=0, /C=US/ST=Newyork/L=Syracuse/xxxx/emailAddress=xxxx.com/CN=vpn.xxxx

2021-06-12 17:02:13 SSL Handshake: CN=vpn.xxxxx, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA

2021-06-12 17:02:13 Session is ACTIVE

2021-06-12 17:02:13 EVENT: GET_CONFIG

2021-06-12 17:02:13 Sending PUSH_REQUEST to server...

2021-06-12 17:02:14 Sending PUSH_REQUEST to server...

2021-06-12 17:02:14 AUTH_FAILED

2021-06-12 17:02:14 EVENT: AUTH_FAILED [ERR]

2021-06-12 17:02:14 Raw stats on disconnect:
BYTES_IN : 10639
BYTES_OUT : 9542
PACKETS_IN : 30
PACKETS_OUT : 38
TUN_BYTES_IN : 484
TUN_BYTES_OUT : 1370
TUN_PACKETS_IN : 8
TUN_PACKETS_OUT : 8
N_PAUSE : 2
N_RECONNECT : 2

2021-06-12 17:02:14 Performance stats on disconnect:
CPU usage (microseconds): 131748
Tunnel compression ratio (uplink): 19.7149
Tunnel compression ratio (downlink): 7.76569
Network bytes per CPU second: 153178
Tunnel bytes per CPU second: 14072

2021-06-12 17:02:14 EVENT: DISCONNECTED

2021-06-12 17:02:14 Raw stats on disconnect:
BYTES_IN : 10639
BYTES_OUT : 9542
PACKETS_IN : 30
PACKETS_OUT : 38
TUN_BYTES_IN : 484
TUN_BYTES_OUT : 1370
TUN_PACKETS_IN : 8
TUN_PACKETS_OUT : 8
AUTH_FAILED : 1
N_PAUSE : 2
N_RECONNECT : 2

2021-06-12 17:02:14 Performance stats on disconnect:
CPU usage (microseconds): 138191
Tunnel compression ratio (uplink): 19.7149
T


Thanks


Post by openvpn_inc » Mon Jun 14, 2021 8:23 am

Hello shaw22,

It is always a little difficult to pinpoint the exact solution from one log and a description, but I believe the problem is related to authentication. It seems the device has gone to sleep and then resumed and now OpenVPN Connect needs to reconnect. I can see that it tries to do so but is obviously missing the 2FA factor. This looks like an open source server. I would suggest you look into enabling session tokens. That way, when the OpenVPN connection wants to start up again after a device sleep, it can offer the session token, and reconnect again. OpenVPN Access Server and our OpenVPN Cloud products both use session tokens to make this experience smoother.

People often confuse reauthentication with rekeying. The rekeying is where the data channel encryption key gets replaced. Reneg-sec controls when either server or client triggers a request for a rekey. When this is done, the client will be asked to reauthenticate - we can't have just anyone requesting a new encryption key. But it will be able to do this normally with a session token. Meaning the user isn't challenged to enter his details every single time the data channel key gets replaced. In your case though what you did basically changed nothing because it just turned it off on the client side, but the server probably still has a default value set. You shouldn't disable it completely in any case, that's not good for your security.

Another thing I see is that the log shows connection attempts to a TCP server. OpenVPN Access Server by default is set up to use UDP and TCP. And UDP will then always be tried first. That is because despite what people might think about TCP being more stable than UDP, the opposite is true when you transport a TCP stream inside a TCP stream. For more information on that phenomenon read up on what is called 'TCP Meltdown'. In short though what I recommend here is that you try to let the connection establish via UDP, as it may be more stable.

I hope that information helps.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
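
Added example, not part of the original posts and not OpenVPN code: a small Python triage script that applies the diagnosis above to an OpenVPN Connect log, separating AUTH_FAILED events that follow a sleep/resume reconnect from ones that happen while the tunnel is up. The sample log is constructed in the line format quoted in this thread, and the category names (`resume-reconnect`, `in-session`, `initial-login`) are this example's own.

```python
import re
from datetime import datetime

# Constructed sample in the line format of the OpenVPN Connect iOS logs quoted
# in this thread. The second failure (no sleep beforehand) is invented here to
# exercise the mid-session case.
SAMPLE_LOG = """\
2021-06-12 16:49:16 Creds: Username/Password
2021-06-12 16:49:18 EVENT: CONNECTED
2021-06-12 16:50:26 OS Event: SLEEP
2021-06-12 16:50:26 EVENT: PAUSE
2021-06-12 16:54:15 OS Event: WAKEUP
2021-06-12 16:54:18 EVENT: RESUME
2021-06-12 16:54:18 EVENT: RECONNECTING
2021-06-12 16:54:18 Creds: Username/Password
2021-06-12 16:54:19 Session is ACTIVE
2021-06-12 16:54:21 AUTH_FAILED
2021-06-12 16:54:21 EVENT: AUTH_FAILED [ERR]
AUTH_FAILED : 1
2021-06-12 16:57:03 Creds: Username/Password
2021-06-12 16:57:05 EVENT: CONNECTED
2021-06-12 17:03:40 EVENT: AUTH_FAILED [ERR]
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+)$")


def classify_auth_failures(log_text):
    """Return one record per 'EVENT: AUTH_FAILED' with the context before it."""
    connected_at = sleep_at = creds = None
    asleep = 0
    reconnecting = False
    records = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # stats counters and wrapped lines carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2).strip()
        if msg.startswith("EVENT: CONNECTED"):
            connected_at, sleep_at, asleep, reconnecting = ts, None, 0, False
        elif msg == "OS Event: SLEEP":
            sleep_at = ts
        elif msg == "OS Event: WAKEUP" and sleep_at is not None:
            asleep += int((ts - sleep_at).total_seconds())
            sleep_at = None
        elif msg == "EVENT: RECONNECTING":
            reconnecting = True
        elif msg.startswith("Creds:"):
            creds = msg.split(":", 1)[1].strip()
        elif msg.startswith("EVENT: AUTH_FAILED"):
            if connected_at is None:
                kind = "initial-login"      # never got as far as CONNECTED
            elif reconnecting:
                kind = "resume-reconnect"   # full reconnect after pause/resume
            else:
                kind = "in-session"         # tunnel was up: check renegotiation
            since = (None if connected_at is None
                     else int((ts - connected_at).total_seconds()))
            records.append({"time": ts, "kind": kind, "creds": creds,
                            "seconds_since_connected": since,
                            "seconds_asleep": asleep})
            connected_at, sleep_at, asleep, reconnecting = None, None, 0, False
    return records


if __name__ == "__main__":
    for rec in classify_auth_failures(SAMPLE_LOG):
        print(rec["time"], rec["kind"], rec["seconds_since_connected"],
              rec["seconds_asleep"], rec["creds"])
```

A `resume-reconnect` record with `Creds: Username/Password` is the situation described in the reply above; an `in-session` record is the one to compare against the server's reneg-sec setting.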


Post by openvpn_inc » Mon Jun 14, 2021 8:29 am

Moved topic from Connect: macOS to Connect: iOS.


Post by shaw22 » Mon Jun 14, 2021 1:47 pm

Thank you, Johan.
With the Windows and Linux clients connecting to the same server (using the same ovpn file), I am able to keep the connection open for 24 hours without reauthentication by entering reneg-sec 0 on server side and reneg-sec 86400 on the client side. It looks like the iOS device is triggering a reauthentication - how can I stop the iOS client from issuing a reauthentication request for 24 hours? Is it because of the iPhone going to sleep? See below:

>>>
ovpn config client:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
reneg-sec 0
resolv-retry infinite
remote xxxx.xxxx.xxxx.xxxx 1194 tcp-client
verify-x509-name "vpn.xxxxxx.com" name
auth-user-pass
ns-cert-type server
reneg-sec 86400


**** Log from Windows Workstation using same ovpn config file as the IOS device - No Reauthorization after initial authorization at 22:54 June 13 ****

Sun Jun 13 22:54:17 2021 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:1194 [nonblock]
Sun Jun 13 22:54:18 2021 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:1194
Sun Jun 13 22:54:18 2021 TCPv4_CLIENT link local: [undef]
Sun Jun 13 22:54:18 2021 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Sun Jun 13 22:54:19 2021 [vpn.xxxxx.com] Peer Connection Initiated with [AF_INET]xxxx.xxxx.xxxx.xxxx:1194
Sun Jun 13 22:54:21 2021 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Jun 13 22:54:21 2021 open_tun, tt->ipv6=0
Sun Jun 13 22:54:21 2021 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{7E992055- }.tap
Sun Jun 13 22:54:21 2021 Set TAP-Windows TUN subnet mode network/local/netmask = 10.0.182.0/10.0.182.2/255.255.255.0 [SUCCEEDED]
Sun Jun 13 22:54:21 2021 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.182.2/255.255.255.0 on interface {7E992055-33BA-414C-A0CA-0DF08F5A109F} [DHCP-serv: 10.0.182.254, lease-time: 31536000]
Sun Jun 13 22:54:21 2021 Successful ARP Flush on interface [24] {7E992055-3}
Sun Jun 13 22:54:26 2021 Initialization Sequence Completed

**** end of log from Windows Workstation ****


***** Log from IOS device (Iphone) that shows reauthorization attempt after a few mins ****

2021-06-13 23:53:18 EVENT: GET_CONFIG
2021-06-13 23:53:18 Sending PUSH_REQUEST to server...

2021-06-13 23:53:19 OPTIONS:
0 [route] [192.168.0.0] [255.255.248.0]
1 [dhcp-option] [DNS] [192.168.0.251]
2 [dhcp-option] [DNS] [8.8.8.8]
3 [route] [192.168.0.0] [255.255.255.0] [10.0.182.1] [1]
4 [route-gateway] [10.0.182.1]
5 [topology] [subnet]
6 [ping] [10]
7 [ping-restart] [86400]
8 [ifconfig] [10.0.182.3] [255.255.255.0]


2021-06-13 23:53:19 PROTOCOL OPTIONS:
cipher: AES-256-CBC
digest: SHA1
compress: NONE
peer ID: -1

2021-06-13 23:53:19 EVENT: ASSIGN_IP
2021-06-13 23:53:19 Connected via NetworkExtensionTUN

2021-06-13 23:53:19 EVENT: CONNECTED xxxx@domain.com@xxx.xxx.xxx.xxx:1194 via /TCPv4 on NetworkExtensionTUN/10.0.182.3/ gw=[/]

2021-06-13 23:54:50 OS Event: SLEEP
2021-06-13 23:54:50 EVENT: PAUSE
2021-06-13 23:55:36 OS Event: WAKEUP
2021-06-13 23:55:39 RESUME TEST: Internet:ReachableViaWiFi/-R -------
2021-06-13 23:55:39 STANDARD RESUME
2021-06-13 23:55:39 EVENT: RESUME
2021-06-13 23:55:39 EVENT: RECONNECTING
2021-06-13 23:55:39 EVENT: RESOLVE

2021-06-13 23:55:39 Contacting [xxx.xxx.xxx.xxx]:1194/TCP via TCPv4
2021-06-13 23:55:39 EVENT: WAIT
2021-06-13 23:55:39 Connecting to [xxx.xxx.xxx.xxx]:1194 (xxx.xxxx.xxxx.xxxx) via TCPv4

2021-06-13 23:55:39 EVENT: CONNECTING

2021-06-13 23:55:39 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client

2021-06-13 23:55:39 Creds: Username/Password

2021-06-13 23:55:39 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl


2021-06-13 23:55:39 VERIFY OK: depth=1, /C=US/ST=Newyork/L=syracuse/O=domain/emailAddress=xxxx@domain.com/CN=openvpn-ca-default

2021-06-13 23:55:39 VERIFY OK: depth=0, /C=US/ST=Newyork/L=Syracuse/O=domain/emailAddress=xxxx@domain.com/CN=vpn.domain.com

2021-06-13 23:55:40 OS Event: SLEEP

2021-06-13 23:55:40 EVENT: PAUSE

2021-06-13 23:58:04 OS Event: WAKEUP

2021-06-13 23:58:07 RESUME TEST: Internet:ReachableViaWiFi/-R -------

2021-06-13 23:58:07 STANDARD RESUME

2021-06-13 23:58:07 EVENT: RESUME

2021-06-13 23:58:07 EVENT: RECONNECTING

2021-06-13 23:58:07 EVENT: RESOLVE

2021-06-13 23:58:07 Contacting [xxx.xxx.xxx.xxx:1194/TCP via TCPv4

2021-06-13 23:58:07 EVENT: WAIT

2021-06-13 23:58:07 Connecting to [xxx.xxx.xxx.xxx]:1194 () via TCPv4

2021-06-13 23:58:07 EVENT: CONNECTING

2021-06-13 23:58:07 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client

2021-06-13 23:58:07 Creds: Username/Password

2021-06-13 23:58:07 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl

2021-06-13 23:55:39 VERIFY OK: depth=1, /C=US/ST=Newyork/L=syracuse/O=domain/emailAddress=xxxx@domain.com/CN=openvpn-ca-default

2021-06-13 23:55:39 VERIFY OK: depth=0, /C=US/ST=Newyork/L=Syracuse/O=domain/emailAddress=xxxx@domain.com/CN=vpn.domain.com

2021-06-13 23:58:08 OS Event: SLEEP

2021-06-13 23:58:08 EVENT: PAUSE

2021-06-13 23:59:57 OS Event: WAKEUP

2021-06-14 00:00:00 RESUME TEST: Internet:ReachableViaWiFi/-R -------

2021-06-14 00:00:00 STANDARD RESUME

2021-06-14 00:00:00 EVENT: RESUME

2021-06-14 00:00:00 EVENT: RECONNECTING

2021-06-14 00:00:00 EVENT: RESOLVE

2021-06-14 00:00:00 Contacting [xxx.xxx.xxx.xxx]:1194/TCP via TCPv4

2021-06-14 00:00:00 EVENT: WAIT

2021-06-14 00:00:00 Connecting to [xxx.xxx.xxx.xxx]:1194 ( ) via TCPv4

2021-06-14 00:00:00 EVENT: CONNECTING

2021-06-14 00:00:00 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client

2021-06-14 00:00:00 Creds: Username/Password

2021-06-14 00:00:00 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl

2021-06-13 23:55:39 VERIFY OK: depth=1, /C=US/ST=Newyork/L=syracuse/O=domain/emailAddress=xxxx@domain.com/CN=openvpn-ca-default

2021-06-13 23:55:39 VERIFY OK: depth=0, /C=US/ST=Newyork/L=Syracuse/O=domain/emailAddress=xxxx@domain.com/CN=vpn.domain.com

2021-06-14 00:00:01 SSL Handshake: CN=vpn.domain.com, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA

2021-06-14 00:00:01 Session is ACTIVE

2021-06-14 00:00:01 EVENT: GET_CONFIG

2021-06-14 00:00:01 Sending PUSH_REQUEST to server...

2021-06-14 00:00:02 Sending PUSH_REQUEST to server...

2021-06-14 00:00:02 AUTH_FAILED

2021-06-14 00:00:02 EVENT: AUTH_FAILED [ERR]

2021-06-14 00:00:02 Raw stats on disconnect:
BYTES_IN : 19339
BYTES_OUT : 18157
PACKETS_IN : 49
PACKETS_OUT : 60
TUN_BYTES_IN : 1121
TUN_BYTES_OUT : 2860
TUN_PACKETS_IN : 17
TUN_PACKETS_OUT : 17
N_PAUSE : 3
N_RECONNECT : 3

2021-06-14 00:00:02 Performance stats on disconnect:
CPU usage (microseconds): 162643
Tunnel compression ratio (uplink): 16.1971
Tunnel compression ratio (downlink): 6.76189
Network bytes per CPU second: 230541
Tunnel bytes per CPU second: 24476

2021-06-14 00:00:02 EVENT: DISCONNECTED

2021-06-14 00:00:02 Raw stats on disconnect:
BYTES_IN : 19339
BYTES_OUT : 18157
PACKETS_IN : 49
PACKETS_OUT : 60
TUN_BYTES_IN : 1121
TUN_BYTES_OUT : 2860
TUN_PACKETS_IN : 17
TUN_PACKETS_OUT : 17
AUTH_FAILED : 1
N_PAUSE : 3
N_RECONNECT : 3

2021-06-14 00:00:02 Performance stats on disconnect:
CPU usage (microseconds): 171624
Tunnel compression ratio (uplink): 16.1971
Tunnel compression ratio (downlink): 6.76189
Network bytes per CPU second: 218477
Tunnel bytes per CPU second: 23196

****** end of log ios iphone ****


Post by openvpn_inc » Wed Jun 23, 2021 11:38 am

Hello shaw22,

You can't stop a reauthentication on iOS after a sleep. But session tokens make things relatively smooth. Or autologin profiles. And yes it is because the device goes to sleep. When the iOS device goes to sleep, the VPN API goes dead. There is no way around that unless you jailbreak and use alternative software (if such software that does that exists). But this will have serious impact on your battery life for sure, even if you manage to do it.

I suggest looking into session tokens. Generating those and providing those to the client, so that it can reestablish connection within a reasonable timeframe to this server without having to reauthenticate. But a long sleep and such a token can still expire. But you could make session tokens last a long time, it's configurable.

Kind regards,
Johan


Post by c9000 » Sat Jul 24, 2021 9:02 pm

We have exactly the same issue here with iOS devices and I am a little confused about the comment saying the iOS device is going to sleep, as we are actively using the device and connection when it drops off after an attempt to reauthenticate. It is always around 5 mins of use before this occurs.

I will also look into session tokens to see if that helps, but the device is not going to sleep for sure.


Post by c9000 » Mon Jul 26, 2021 9:27 pm

Just to add to this, I tested on an iOS device version 14.3 with OpenVPN 3.2.3 and the issue is not present - the client does not disconnect.
