Best option for server restart

cr.mark
OpenVpn Newbie
Posts: 3
Joined: Wed Feb 03, 2021 5:59 am

Best option for server restart

Post by cr.mark » Wed Feb 03, 2021 6:16 am

Hey guys,

I have OpenVPN 2.4.7 community edition + Duo MFA working really well here at work. I'm trying to figure out the best option when it comes to updating the server and rebooting.

We have quite a few users that keep their connections open 24/7. When I reboot the server these connections will try to reconnect and then when OpenVPN is back up and running about 30 seconds later, Duo will obviously prompt for MFA. If a user isn't watching for this on their phone their Duo account will eventually lock, which is quite an issue.

I'm guessing my best option is to add or change an option in the client ovpn files but I'm not sure if I should be playing with any of the following options:

keepalive
connect-retry
connect-retry-max
resolv-retry

How do other people handle this situation?

Thanks!

SpudHead
OpenVPN User
Posts: 20
Joined: Thu Nov 17, 2016 1:54 pm

Re: Best option for server restart

Post by SpudHead » Wed Feb 03, 2021 7:28 am

Not sure how Duo MFA works, never used it. But seems to me you need to get the clients to not reconnect after reboot. I assume you have custom written client software? Set up two identical client profiles for each user with the only difference in each profile being the remote port and set your custom client software to try them both on **initial** connection. After connection, the client retries will then only occur on the profile that eventually connected. Then, each time you reboot the server you switch the port openvpn is listening on.

If I've misread then sorry, TFA/MFA is not something I have much respect for. I've always been an AGPIGE guy.

cr.mark
OpenVpn Newbie
Posts: 3
Joined: Wed Feb 03, 2021 5:59 am

Re: Best option for server restart

Post by cr.mark » Wed Feb 03, 2021 9:33 pm

We're not using custom client software - just the regular OpenVPN client. I'm trying to avoid setting up another server at the moment but I'll go down that path if I really have to. Surely it's just one of the settings in the client ovpn file that I can tweak to get this right.

Thanks anyway!

SpudHead
OpenVPN User
Posts: 20
Joined: Thu Nov 17, 2016 1:54 pm

Re: Best option for server restart

Post by SpudHead » Wed Feb 03, 2021 10:20 pm

Well I'd imagine you still want your clients to attempt to reconnect normally if they just get disconnected for some other reason. Your issue is of course that the client doesn't know what caused the disconnection so it can't differentiate between a random dropout and you rebooting the server. Maybe you can set a number of retry attempts for the clients before they give up (connect retry max?) and shut down the OpenVPN server for long enough to cause all clients to exceed the retry count before rebooting. Or maybe you can somehow set up a dummy OpenVPN server on the same port that refuses all connections with an authentication failure. Just before you reboot, you shut down the main server and start the dummy one. Leave for a while so all clients fail authentication which should stop them retrying. Then do the reboot? Or would the authentication failure cause issues with the MFA?
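
The four client options cr.mark lists, together with the bounded-retry idea from SpudHead's last post, shown in a sample client configuration. This is an added example, not taken from the thread or from any poster's setup; the hostname, port and file names are placeholders. The point it demonstrates is that keepalive only decides how quickly a client notices the server is gone, while connect-retry and connect-retry-max decide how long it keeps trying afterwards; with connect-retry-max set, a client that outlasts its attempts exits instead of reconnecting through the reboot, so the user reconnects deliberately and the Duo prompt arrives when they expect it.

```conf
# Added example client config (not from the thread). vpn.example.com,
# port 1194 and the file names are placeholders.
client
dev tun
proto udp
remote vpn.example.com 1194

# keepalive n m: send a ping every n seconds, restart the tunnel if
# nothing is heard for m seconds. This only detects the server going
# away; it does not limit how long the client retries afterwards.
# It is commonly set on the server instead, which pushes the equivalent
# ping / ping-restart values to clients.
keepalive 10 60

# connect-retry n [max]: wait n seconds between connection attempts.
# After five failed attempts the wait doubles each time, capped at max.
connect-retry 5 30

# connect-retry-max n: try each remote at most n times, then exit.
# The default is unlimited, which is why the clients in the thread keep
# reconnecting until the server is back and Duo prompts. A successful
# connection resets the counter, so ordinary use is unaffected.
connect-retry-max 3

# resolv-retry n: how long (seconds, or 'infinite') to retry DNS
# resolution of the remote. It concerns name lookup, not the reconnect
# loop, so it is not the knob for this problem.
resolv-retry infinite

ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verb 3
```

Two caveats when using this. First, the reboot has to outlast the retry window: each failed attempt includes its own handshake timeout on top of the connect-retry wait, so measure how long a client actually takes to give up with these values in your environment rather than calculating it, and make sure the server is down for longer than that. Second, the same bound applies to any outage, so a client that hits connect-retry-max during a transient network drop also exits and needs a manual reconnect; pick n to balance that against the unattended-MFA problem.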
