time(?) issue after standby of client leads to endless "AUTH_FAILED" on the server without dropping connection


Post by pi-2007 » Wed Mar 22, 2023 1:28 pm

Hello,

I use openvpn 2.5.5 via apt on an Ubuntu 22.04 server, and the latest openvpn community Windows client (2.6.1), and my configuration works fine until one of the users puts the computer in standby ("closes the lid"). Upon waking from standby, the route is inaccessible. The client connects successfully to the server, but fails to authenticate. The result is that the user sees an active openvpn connection but the established routes are blocked due to failed authentication. The problem is that this is not communicated to the user, nor is the connection dropped - it tries to connect indefinitely which creates confusion for the user.

I think (but I'm not sure) that is because the openvpn-client has a wrong time (while the laptop/Windows itself has the correct time immediately after wakeup from standby); at least there is a difference of some minutes between the server and the client (e.g. in the first example the client shows 11:04 while it's actually 11:16 at the server, and in reality).

I tried to use `auth-retry interact` so the client should interact with the user, but that change didn't solve the issue. Maybe because this setting is only meant for user/password authentication?

I also tried to follow the recommendation by disabling/commenting persist-key (or persist-tun) or tls-exit on the client side, but that didn't solve the problem either.

Generally, a search for my error messages results in finding problems with user/password-based authentication (`auth-user-pass`), but my server only authenticates via certificates.

Only when setting `reneg-sec 30` (e.g.) at the client does the connection luckily time out after some time, and the user gets the connection failure popup from the openvpn client (so the user can then reconnect). However, this forces the client to renegotiate every 30 seconds, which floods the server logfile.

So I would like to know if there are better ways to fix this (before I start distributing the ovpn files to all the users).

Please find my config, and log files enclosed.


server config

port 1194
proto udp
dev tun
ca ./server/ca.crt
cert ./server/mycert.crt
key ./server/mykey.key  # This file should be kept secret
dh none
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp_udp.txt
push "route ip.to.push 255.255.255.255 vpn_gateway" #testing
push "route ip.to.push 255.255.255.255 vpn_gateway" #WAN of BXL office
keepalive 10 120
tls-crypt ./server/ta.key
cipher AES-256-GCM
auth SHA512
ecdh-curve secp521r1 #see easy-rsa vars configuration
tls-version-min 1.3
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
tls-cert-profile preferred #suiteb
tls-server #on the server-side
opt-verify #reject clients with incompatible options
remote-cert-tls client #client certs need correct extend key usage
verify-client-cert require #reject connections without certificates
crl-verify /etc/openvpn/crl.pem
persist-key
persist-tun
status /var/log/openvpn/openvpn-status_udp.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

client config

client
dev tun
server-poll-timeout 10 #timeout after 10 seconds
resolv-retry infinite
nobind
persist-key
persist-tun
ca [inline]
cert [inline]
key [inline]
tls-crypt [inline]
remote-cert-tls server
cipher AES-256-GCM
auth SHA512
ecdh-curve secp521r1 #see easy-rsa vars configuration
tls-version-min 1.3
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
tls-cert-profile preferred
tls-client #on the client-side
remote-cert-tls server
verify-x509-name CN=myorg CN
verb 3
auth-nocache
auth-retry interact
<ca>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
XXXX
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
XXXX
-----END OpenVPN Static key V1-----
</tls-crypt>
connect-retry 3 10
connect-retry-max 5

<connection>
remote myopenvpn.server.org 1194 udp
</connection>
    
<connection>
remote myopenvpn.server.org 443 tcp
</connection>

logfile on server (no reneg-sec set at the client)

2023-03-22 11:01:39 it-test/cli.ent.ip:55836 SENT CONTROL [it-test]: 'PUSH_REPLY,route ip.to.rou.te2 255.255.255.255 vpn_gateway,route ip.to.rou.te 255.255.255.255 vpn_gateway,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
2023-03-22 11:06:15 it-test/cli.ent.ip:55836 [it-test] Inactivity timeout (--ping-restart), restarting
2023-03-22 11:06:15 it-test/cli.ent.ip:55836 SIGUSR1[soft,ping-restart] received, client-instance restarting
2023-03-22 11:16:20 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:16:20 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:16:20 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:16:20 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:16:20 TCP connection established with [AF_INET]198.177.125.225:33766
2023-03-22 11:16:20 198.177.125.225:33766 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
2023-03-22 11:16:20 198.177.125.225:33766 Connection reset, restarting [0]
2023-03-22 11:16:20 198.177.125.225:33766 SIGUSR1[soft,connection-reset] received, client-instance restarting
2023-03-22 11:17:33 cli.ent.ip:61138 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:17:33 cli.ent.ip:61138 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:17:33 cli.ent.ip:61138 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:17:33 cli.ent.ip:61138 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:17:33 cli.ent.ip:61138 TLS: Initial packet from [AF_INET]cli.ent.ip:61138, sid=0f066e46 ce326cef
2023-03-22 11:17:33 cli.ent.ip:61138 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:17:33 cli.ent.ip:61138 VERIFY KU OK
2023-03-22 11:17:33 cli.ent.ip:61138 Validating certificate extended key usage
2023-03-22 11:17:33 cli.ent.ip:61138 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2023-03-22 11:17:33 cli.ent.ip:61138 VERIFY EKU OK
2023-03-22 11:17:33 cli.ent.ip:61138 VERIFY OK: depth=0, CN=it-test
2023-03-22 11:17:33 cli.ent.ip:61138 peer info: IV_VER=2.6.0
2023-03-22 11:17:33 cli.ent.ip:61138 peer info: IV_PLAT=win
2023-03-22 11:17:33 cli.ent.ip:61138 peer info: IV_TCPNL=1
2023-03-22 11:17:33 cli.ent.ip:61138 peer info: IV_MTU=1600
2023-03-22 11:17:33 cli.ent.ip:61138 peer info: IV_NCP=2
2023-03-22 11:17:33 cli.ent.ip:61138 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-03-22 11:17:33 cli.ent.ip:61138 peer info: IV_PROTO=478
2023-03-22 11:17:33 cli.ent.ip:61138 peer info: IV_LZO_STUB=1
2023-03-22 11:17:33 cli.ent.ip:61138 peer info: IV_COMP_STUB=1
2023-03-22 11:17:33 cli.ent.ip:61138 peer info: IV_COMP_STUBv2=1
2023-03-22 11:17:33 cli.ent.ip:61138 peer info: IV_GUI_VER=OpenVPN_GUI_11
2023-03-22 11:17:33 cli.ent.ip:61138 peer info: IV_SSO=openurl,webauth,crtext
2023-03-22 11:17:33 cli.ent.ip:61138 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1552'
2023-03-22 11:17:33 cli.ent.ip:61138 Option inconsistency warnings triggering disconnect due to --opt-verify
2023-03-22 11:17:33 cli.ent.ip:61138 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:17:33 cli.ent.ip:61138 [it-test] Peer Connection Initiated with [AF_INET]cli.ent.ip:61138
2023-03-22 11:17:34 cli.ent.ip:61138 PUSH: Received control message: 'PUSH_REQUEST'
2023-03-22 11:17:34 cli.ent.ip:61138 Delayed exit in 5 seconds
2023-03-22 11:17:34 cli.ent.ip:61138 SENT CONTROL [it-test]: 'AUTH_FAILED' (status=1)
2023-03-22 11:17:37 cli.ent.ip:61139 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:17:37 cli.ent.ip:61139 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:17:37 cli.ent.ip:61139 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:17:37 cli.ent.ip:61139 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:17:37 cli.ent.ip:61139 TLS: Initial packet from [AF_INET]cli.ent.ip:61139, sid=99ee7122 58504506
2023-03-22 11:17:37 cli.ent.ip:61139 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:17:37 cli.ent.ip:61139 VERIFY KU OK
2023-03-22 11:17:37 cli.ent.ip:61139 Validating certificate extended key usage
2023-03-22 11:17:37 cli.ent.ip:61139 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2023-03-22 11:17:37 cli.ent.ip:61139 VERIFY EKU OK
2023-03-22 11:17:37 cli.ent.ip:61139 VERIFY OK: depth=0, CN=it-test
2023-03-22 11:17:37 cli.ent.ip:61139 peer info: IV_VER=2.6.0
2023-03-22 11:17:37 cli.ent.ip:61139 peer info: IV_PLAT=win
2023-03-22 11:17:37 cli.ent.ip:61139 peer info: IV_TCPNL=1
2023-03-22 11:17:37 cli.ent.ip:61139 peer info: IV_MTU=1600
2023-03-22 11:17:37 cli.ent.ip:61139 peer info: IV_NCP=2
2023-03-22 11:17:37 cli.ent.ip:61139 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-03-22 11:17:37 cli.ent.ip:61139 peer info: IV_PROTO=478
2023-03-22 11:17:37 cli.ent.ip:61139 peer info: IV_LZO_STUB=1
2023-03-22 11:17:37 cli.ent.ip:61139 peer info: IV_COMP_STUB=1
2023-03-22 11:17:37 cli.ent.ip:61139 peer info: IV_COMP_STUBv2=1
2023-03-22 11:17:37 cli.ent.ip:61139 peer info: IV_GUI_VER=OpenVPN_GUI_11
2023-03-22 11:17:37 cli.ent.ip:61139 peer info: IV_SSO=openurl,webauth,crtext
2023-03-22 11:17:37 cli.ent.ip:61139 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1552'
2023-03-22 11:17:37 cli.ent.ip:61139 Option inconsistency warnings triggering disconnect due to --opt-verify
2023-03-22 11:17:37 cli.ent.ip:61139 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:17:37 cli.ent.ip:61139 [it-test] Peer Connection Initiated with [AF_INET]cli.ent.ip:61139
2023-03-22 11:17:39 cli.ent.ip:61139 PUSH: Received control message: 'PUSH_REQUEST'
2023-03-22 11:17:39 cli.ent.ip:61139 Delayed exit in 5 seconds
2023-03-22 11:17:39 cli.ent.ip:61139 SENT CONTROL [it-test]: 'AUTH_FAILED' (status=1)
2023-03-22 11:17:40 cli.ent.ip:61138 SIGTERM[soft,delayed-exit] received, client-instance exiting
2023-03-22 11:17:42 cli.ent.ip:61140 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:17:42 cli.ent.ip:61140 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:17:42 cli.ent.ip:61140 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:17:42 cli.ent.ip:61140 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:17:42 cli.ent.ip:61140 TLS: Initial packet from [AF_INET]cli.ent.ip:61140, sid=19a56308 33ac8fd3
2023-03-22 11:17:42 cli.ent.ip:61140 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:17:42 cli.ent.ip:61140 VERIFY KU OK
2023-03-22 11:17:42 cli.ent.ip:61140 Validating certificate extended key usage
2023-03-22 11:17:42 cli.ent.ip:61140 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2023-03-22 11:17:42 cli.ent.ip:61140 VERIFY EKU OK
2023-03-22 11:17:42 cli.ent.ip:61140 VERIFY OK: depth=0, CN=it-test
2023-03-22 11:17:42 cli.ent.ip:61140 peer info: IV_VER=2.6.0
2023-03-22 11:17:42 cli.ent.ip:61140 peer info: IV_PLAT=win
2023-03-22 11:17:42 cli.ent.ip:61140 peer info: IV_TCPNL=1
2023-03-22 11:17:42 cli.ent.ip:61140 peer info: IV_MTU=1600

client log (no reneg-sec set):

2023-03-22 11:01:30 Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
2023-03-22 11:01:30 OpenVPN 2.6.0 [git:v2.6.0/b999466418dddb89] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Feb 15 2023
2023-03-22 11:01:30 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-03-22 11:01:30 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-03-22 11:01:30 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2023-03-22 11:01:30 Need hold release from management interface, waiting...
2023-03-22 11:01:30 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:54241
2023-03-22 11:01:30 MANAGEMENT: CMD 'state on'
2023-03-22 11:01:30 MANAGEMENT: CMD 'log on all'
2023-03-22 11:01:30 MANAGEMENT: CMD 'echo on all'
2023-03-22 11:01:30 MANAGEMENT: CMD 'bytecount 5'
2023-03-22 11:01:30 MANAGEMENT: CMD 'state'
2023-03-22 11:01:30 MANAGEMENT: CMD 'hold off'
2023-03-22 11:01:30 MANAGEMENT: CMD 'hold release'
2023-03-22 11:01:39 MANAGEMENT: CMD 'password [...]'
2023-03-22 11:01:39 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:01:39 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:01:39 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:01:39 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:01:39 MANAGEMENT: >STATE:1679479299,RESOLVE,,,,,,
2023-03-22 11:01:39 TCP/UDP: Preserving recently used remote address: [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:01:39 ovpn-dco device [OpenVPN Data Channel Offload] opened
2023-03-22 11:01:39 UDP link local: (not bound)
2023-03-22 11:01:39 UDP link remote: [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:01:39 MANAGEMENT: >STATE:1679479299,WAIT,,,,,,
2023-03-22 11:01:39 MANAGEMENT: >STATE:1679479299,AUTH,,,,,,
2023-03-22 11:01:39 TLS: Initial packet from [AF_INET]IP.of.VPN.SRV:1194, sid=5b4d1008 34a062aa
2023-03-22 11:01:39 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:01:39 VERIFY KU OK
2023-03-22 11:01:39 Validating certificate extended key usage
2023-03-22 11:01:39 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-03-22 11:01:39 VERIFY EKU OK
2023-03-22 11:01:39 VERIFY X509NAME OK: CN=myopenvpn.server.org
2023-03-22 11:01:39 VERIFY OK: depth=0, CN=myopenvpn.server.org
2023-03-22 11:01:39 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:01:39 [myopenvpn.server.org] Peer Connection Initiated with [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:01:39 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-03-22 11:01:39 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-03-22 11:01:39 PUSH: Received control message: 'PUSH_REPLY,route ip.to.rou.te2 255.255.255.255 vpn_gateway,route ip.to.rou.te 255.255.255.255 vpn_gateway,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2023-03-22 11:01:39 OPTIONS IMPORT: timers and/or timeouts modified
2023-03-22 11:01:39 OPTIONS IMPORT: --ifconfig/up options modified
2023-03-22 11:01:39 OPTIONS IMPORT: route options modified
2023-03-22 11:01:39 OPTIONS IMPORT: peer-id set
2023-03-22 11:01:39 OPTIONS IMPORT: data channel crypto options modified
2023-03-22 11:01:39 interactive service msg_channel=588
2023-03-22 11:01:39 MANAGEMENT: >STATE:1679479299,ASSIGN_IP,,10.8.0.6,,,,
2023-03-22 11:01:39 INET address service: add 10.8.0.6/30
2023-03-22 11:01:39 IPv4 MTU set to 1500 on interface 9 using service
2023-03-22 11:01:39 MANAGEMENT: >STATE:1679479299,ADD_ROUTES,,,,,,
2023-03-22 11:01:39 C:\Windows\system32\route.exe ADD ip.to.rou.te2 MASK 255.255.255.255 10.8.0.5 METRIC 200
2023-03-22 11:01:39 Route addition via service succeeded
2023-03-22 11:01:39 C:\Windows\system32\route.exe ADD ip.to.rou.te MASK 255.255.255.255 10.8.0.5 METRIC 200
2023-03-22 11:01:39 Route addition via service succeeded
2023-03-22 11:01:39 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5 METRIC 200
2023-03-22 11:01:39 Route addition via service succeeded
2023-03-22 11:01:39 Initialization Sequence Completed
2023-03-22 11:01:39 MANAGEMENT: >STATE:1679479299,CONNECTED,SUCCESS,10.8.0.6,IP.of.VPN.SRV,1194,,
2023-03-22 11:04:14 read UDP: The specified network name is no longer available.   (fd=512,code=64)
2023-03-22 11:04:14 [myopenvpn.server.org] Inactivity timeout (--ping-restart), restarting
2023-03-22 11:04:14 SIGUSR1[soft,ping-restart] received, process restarting
2023-03-22 11:04:14 MANAGEMENT: >STATE:1679479454,RECONNECTING,ping-restart,,,,,
2023-03-22 11:04:14 Restart pause, 3 second(s)
2023-03-22 11:04:17 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:04:17 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:04:17 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:04:17 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:04:17 TCP/UDP: Preserving recently used remote address: [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:17 UDP link local: (not bound)
2023-03-22 11:04:17 UDP link remote: [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:17 MANAGEMENT: >STATE:1679479457,WAIT,,,,,,
2023-03-22 11:04:17 MANAGEMENT: >STATE:1679479457,AUTH,,,,,,
2023-03-22 11:04:17 TLS: Initial packet from [AF_INET]IP.of.VPN.SRV:1194, sid=42158b9e dea024fa
2023-03-22 11:04:17 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:04:17 VERIFY KU OK
2023-03-22 11:04:17 Validating certificate extended key usage
2023-03-22 11:04:17 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-03-22 11:04:17 VERIFY EKU OK
2023-03-22 11:04:17 VERIFY X509NAME OK: CN=myopenvpn.server.org
2023-03-22 11:04:17 VERIFY OK: depth=0, CN=myopenvpn.server.org
2023-03-22 11:04:17 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:04:17 [myopenvpn.server.org] Peer Connection Initiated with [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:17 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-03-22 11:04:17 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-03-22 11:04:18 MANAGEMENT: >STATE:1679479458,GET_CONFIG,,,,,,
2023-03-22 11:04:18 SENT CONTROL [myopenvpn.server.org]: 'PUSH_REQUEST' (status=1)
2023-03-22 11:04:18 AUTH: Received control message: AUTH_FAILED
2023-03-22 11:04:18 SIGUSR1[soft,auth-failure] received, process restarting
2023-03-22 11:04:18 MANAGEMENT: >STATE:1679479458,RECONNECTING,auth-failure,,,,,
2023-03-22 11:04:18 Restart pause, 3 second(s)
2023-03-22 11:04:21 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:04:21 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:04:21 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:04:21 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:04:21 TCP/UDP: Preserving recently used remote address: [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:21 UDP link local: (not bound)
2023-03-22 11:04:21 UDP link remote: [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:21 MANAGEMENT: >STATE:1679479461,WAIT,,,,,,
2023-03-22 11:04:21 MANAGEMENT: >STATE:1679479461,AUTH,,,,,,
2023-03-22 11:04:21 TLS: Initial packet from [AF_INET]IP.of.VPN.SRV:1194, sid=de157a16 abaa5507
2023-03-22 11:04:22 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:04:22 VERIFY KU OK
2023-03-22 11:04:22 Validating certificate extended key usage
2023-03-22 11:04:22 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-03-22 11:04:22 VERIFY EKU OK
2023-03-22 11:04:22 VERIFY X509NAME OK: CN=myopenvpn.server.org
2023-03-22 11:04:22 VERIFY OK: depth=0, CN=myopenvpn.server.org
2023-03-22 11:04:22 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:04:22 [myopenvpn.server.org] Peer Connection Initiated with [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:22 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-03-22 11:04:22 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-03-22 11:04:23 MANAGEMENT: >STATE:1679479463,GET_CONFIG,,,,,,
2023-03-22 11:04:23 SENT CONTROL [myopenvpn.server.org]: 'PUSH_REQUEST' (status=1)
2023-03-22 11:04:23 AUTH: Received control message: AUTH_FAILED
2023-03-22 11:04:23 SIGUSR1[soft,auth-failure] received, process restarting
2023-03-22 11:04:23 MANAGEMENT: >STATE:1679479463,RECONNECTING,auth-failure,,,,,
2023-03-22 11:04:23 Restart pause, 3 second(s)
2023-03-22 11:04:26 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:04:26 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:04:26 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:04:26 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:04:26 TCP/UDP: Preserving recently used remote address: [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:26 UDP link local: (not bound)
2023-03-22 11:04:26 UDP link remote: [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:26 MANAGEMENT: >STATE:1679479466,WAIT,,,,,,
2023-03-22 11:04:26 MANAGEMENT: >STATE:1679479466,AUTH,,,,,,
2023-03-22 11:04:26 TLS: Initial packet from [AF_INET]IP.of.VPN.SRV:1194, sid=53204e41 77471ecd
2023-03-22 11:04:26 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:04:26 VERIFY KU OK
2023-03-22 11:04:26 Validating certificate extended key usage
2023-03-22 11:04:26 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-03-22 11:04:26 VERIFY EKU OK
2023-03-22 11:04:26 VERIFY X509NAME OK: CN=myopenvpn.server.org
2023-03-22 11:04:26 VERIFY OK: depth=0, CN=myopenvpn.server.org
2023-03-22 11:04:26 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:04:26 [myopenvpn.server.org] Peer Connection Initiated with [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:26 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-03-22 11:04:26 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-03-22 11:04:27 MANAGEMENT: >STATE:1679479467,GET_CONFIG,,,,,,
2023-03-22 11:04:27 SENT CONTROL [myopenvpn.server.org]: 'PUSH_REQUEST' (status=1)
2023-03-22 11:04:27 AUTH: Received control message: AUTH_FAILED
2023-03-22 11:04:27 SIGUSR1[soft,auth-failure] received, process restarting
2023-03-22 11:04:27 MANAGEMENT: >STATE:1679479467,RECONNECTING,auth-failure,,,,,
2023-03-22 11:04:27 Restart pause, 3 second(s)
2023-03-22 11:04:30 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:04:30 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:04:30 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:04:30 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:04:30 TCP/UDP: Preserving recently used remote address: [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:30 UDP link local: (not bound)
2023-03-22 11:04:30 UDP link remote: [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:30 MANAGEMENT: >STATE:1679479470,WAIT,,,,,,
2023-03-22 11:04:30 MANAGEMENT: >STATE:1679479470,AUTH,,,,,,
2023-03-22 11:04:30 TLS: Initial packet from [AF_INET]IP.of.VPN.SRV:1194, sid=d6ebecf6 90435749
2023-03-22 11:04:30 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:04:30 VERIFY KU OK
2023-03-22 11:04:30 Validating certificate extended key usage
2023-03-22 11:04:30 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-03-22 11:04:30 VERIFY EKU OK
2023-03-22 11:04:30 VERIFY X509NAME OK: CN=myopenvpn.server.org
2023-03-22 11:04:30 VERIFY OK: depth=0, CN=myopenvpn.server.org
2023-03-22 11:04:30 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:04:30 [myopenvpn.server.org] Peer Connection Initiated with [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:30 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-03-22 11:04:30 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-03-22 11:04:32 MANAGEMENT: >STATE:1679479472,GET_CONFIG,,,,,,
2023-03-22 11:04:32 SENT CONTROL [myopenvpn.server.org]: 'PUSH_REQUEST' (status=1)
2023-03-22 11:04:32 AUTH: Received control message: AUTH_FAILED
2023-03-22 11:04:32 SIGUSR1[soft,auth-failure] received, process restarting
2023-03-22 11:04:32 MANAGEMENT: >STATE:1679479472,RECONNECTING,auth-failure,,,,,
2023-03-22 11:04:32 Restart pause, 3 second(s)
2023-03-22 11:04:35 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:04:35 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:04:35 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:04:35 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:04:35 TCP/UDP: Preserving recently used remote address: [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:35 UDP link local: (not bound)
2023-03-22 11:04:35 UDP link remote: [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:35 MANAGEMENT: >STATE:1679479475,WAIT,,,,,,
2023-03-22 11:04:35 MANAGEMENT: >STATE:1679479475,AUTH,,,,,,
2023-03-22 11:04:35 TLS: Initial packet from [AF_INET]IP.of.VPN.SRV:1194, sid=8dacfd0f 075ae66f
2023-03-22 11:04:35 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:04:35 VERIFY KU OK
2023-03-22 11:04:35 Validating certificate extended key usage
2023-03-22 11:04:35 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-03-22 11:04:35 VERIFY EKU OK
2023-03-22 11:04:35 VERIFY X509NAME OK: CN=myopenvpn.server.org
2023-03-22 11:04:35 VERIFY OK: depth=0, CN=myopenvpn.server.org
2023-03-22 11:04:35 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:04:35 [myopenvpn.server.org] Peer Connection Initiated with [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:04:35 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-03-22 11:04:35 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-03-22 11:04:36 MANAGEMENT: >STATE:1679479476,GET_CONFIG,,,,,,
2023-03-22 11:04:36 SENT CONTROL [myopenvpn.server.org]: 'PUSH_REQUEST' (status=1)
2023-03-22 11:04:36 AUTH: Received control message: AUTH_FAILED
2023-03-22 11:04:36 SIGUSR1[soft,auth-failure] received, process restarting
2023-03-22 11:04:36 MANAGEMENT: >STATE:1679479476,RECONNECTING,auth-failure,,,,,

.... goes on forever

If I add `reneg-sec 30` to the client ovpn log, I can for a very short time access the forwarded route via the server, but then the client terminates the connection.

server log:

2023-03-22 11:50:02 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:50:02 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:50:02 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:50:02 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:50:02 TCP connection established with [AF_INET]cli.ent.ip:59776
2023-03-22 11:50:02 cli.ent.ip:59776 TLS: Initial packet from [AF_INET]cli.ent.ip:59776, sid=f49c02ff a238ba74
2023-03-22 11:50:02 cli.ent.ip:59776 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:50:02 cli.ent.ip:59776 VERIFY KU OK
2023-03-22 11:50:02 cli.ent.ip:59776 Validating certificate extended key usage
2023-03-22 11:50:02 cli.ent.ip:59776 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2023-03-22 11:50:02 cli.ent.ip:59776 VERIFY EKU OK
2023-03-22 11:50:02 cli.ent.ip:59776 VERIFY OK: depth=0, CN=it-test
2023-03-22 11:50:02 cli.ent.ip:59776 peer info: IV_VER=2.6.0
2023-03-22 11:50:02 cli.ent.ip:59776 peer info: IV_PLAT=win
2023-03-22 11:50:02 cli.ent.ip:59776 peer info: IV_TCPNL=1
2023-03-22 11:50:02 cli.ent.ip:59776 peer info: IV_MTU=1600
2023-03-22 11:50:02 cli.ent.ip:59776 peer info: IV_NCP=2
2023-03-22 11:50:02 cli.ent.ip:59776 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-03-22 11:50:02 cli.ent.ip:59776 peer info: IV_PROTO=478
2023-03-22 11:50:02 cli.ent.ip:59776 peer info: IV_LZO_STUB=1
2023-03-22 11:50:02 cli.ent.ip:59776 peer info: IV_COMP_STUB=1
2023-03-22 11:50:02 cli.ent.ip:59776 peer info: IV_COMP_STUBv2=1
2023-03-22 11:50:02 cli.ent.ip:59776 peer info: IV_GUI_VER=OpenVPN_GUI_11
2023-03-22 11:50:02 cli.ent.ip:59776 peer info: IV_SSO=openurl,webauth,crtext
2023-03-22 11:50:02 cli.ent.ip:59776 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1551', remote='link-mtu 1554'
2023-03-22 11:50:02 cli.ent.ip:59776 Option inconsistency warnings triggering disconnect due to --opt-verify
2023-03-22 11:50:02 cli.ent.ip:59776 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:50:02 cli.ent.ip:59776 [it-test] Peer Connection Initiated with [AF_INET]cli.ent.ip:59776
2023-03-22 11:50:03 cli.ent.ip:59776 PUSH: Received control message: 'PUSH_REQUEST'
2023-03-22 11:50:03 cli.ent.ip:59776 Delayed exit in 5 seconds
2023-03-22 11:50:03 cli.ent.ip:59776 SENT CONTROL [it-test]: 'AUTH_FAILED' (status=1)
2023-03-22 11:50:05 cli.ent.ip:59776 Connection reset, restarting [-1]
2023-03-22 11:50:05 cli.ent.ip:59776 SIGUSR1[soft,connection-reset] received, client-instance restarting
2023-03-22 11:52:00 cli.ent.ip:52108 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:52:00 cli.ent.ip:52108 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:52:00 cli.ent.ip:52108 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:52:00 cli.ent.ip:52108 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:52:00 cli.ent.ip:52108 TLS: Initial packet from [AF_INET]cli.ent.ip:52108, sid=0e7be215 d7d8e6d2
2023-03-22 11:52:00 cli.ent.ip:52108 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:52:00 cli.ent.ip:52108 VERIFY KU OK
2023-03-22 11:52:00 cli.ent.ip:52108 Validating certificate extended key usage
2023-03-22 11:52:00 cli.ent.ip:52108 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2023-03-22 11:52:00 cli.ent.ip:52108 VERIFY EKU OK
2023-03-22 11:52:00 cli.ent.ip:52108 VERIFY OK: depth=0, CN=it-test
2023-03-22 11:52:00 cli.ent.ip:52108 peer info: IV_VER=2.6.0
2023-03-22 11:52:00 cli.ent.ip:52108 peer info: IV_PLAT=win
2023-03-22 11:52:00 cli.ent.ip:52108 peer info: IV_TCPNL=1
2023-03-22 11:52:00 cli.ent.ip:52108 peer info: IV_MTU=1600
2023-03-22 11:52:00 cli.ent.ip:52108 peer info: IV_NCP=2
2023-03-22 11:52:00 cli.ent.ip:52108 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-03-22 11:52:00 cli.ent.ip:52108 peer info: IV_PROTO=478
2023-03-22 11:52:00 cli.ent.ip:52108 peer info: IV_LZO_STUB=1
2023-03-22 11:52:00 cli.ent.ip:52108 peer info: IV_COMP_STUB=1
2023-03-22 11:52:00 cli.ent.ip:52108 peer info: IV_COMP_STUBv2=1
2023-03-22 11:52:00 cli.ent.ip:52108 peer info: IV_GUI_VER=OpenVPN_GUI_11
2023-03-22 11:52:00 cli.ent.ip:52108 peer info: IV_SSO=openurl,webauth,crtext
2023-03-22 11:52:00 cli.ent.ip:52108 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:52:00 cli.ent.ip:52108 [it-test] Peer Connection Initiated with [AF_INET]cli.ent.ip:52108
2023-03-22 11:52:00 it-test/cli.ent.ip:52108 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
2023-03-22 11:52:00 it-test/cli.ent.ip:52108 MULTI: Learn: 10.8.0.6 -> it-test/cli.ent.ip:52108
2023-03-22 11:52:00 it-test/cli.ent.ip:52108 MULTI: primary virtual IP for it-test/cli.ent.ip:52108: 10.8.0.6
2023-03-22 11:52:00 it-test/cli.ent.ip:52108 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-22 11:52:00 it-test/cli.ent.ip:52108 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-22 11:52:00 it-test/cli.ent.ip:52108 SENT CONTROL [it-test]: 'PUSH_REPLY,route ip.to.rou.te2 255.255.255.255 vpn_gateway,route ip.to.rou.te 255.255.255.255 vpn_gateway,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
2023-03-22 11:52:00 it-test/cli.ent.ip:52108 PUSH: Received control message: 'PUSH_REQUEST'
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 VERIFY KU OK
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 Validating certificate extended key usage
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 VERIFY EKU OK
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 VERIFY OK: depth=0, CN=it-test
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 peer info: IV_VER=2.6.0
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 peer info: IV_PLAT=win
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 peer info: IV_TCPNL=1
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 peer info: IV_MTU=1600
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 peer info: IV_NCP=2
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 peer info: IV_PROTO=478
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 peer info: IV_LZO_STUB=1
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 peer info: IV_COMP_STUB=1
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 peer info: IV_COMP_STUBv2=1
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 peer info: IV_GUI_VER=OpenVPN_GUI_11
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 peer info: IV_SSO=openurl,webauth,crtext
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-22 11:52:30 it-test/cli.ent.ip:52108 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:56:30 it-test/cli.ent.ip:52108 [it-test] Inactivity timeout (--ping-restart), restarting
2023-03-22 11:56:30 it-test/cli.ent.ip:52108 SIGUSR1[soft,ping-restart] received, client-instance restarting
2023-03-22 12:01:48 cli.ent.ip:52108 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 12:01:48 cli.ent.ip:52108 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 12:01:48 cli.ent.ip:52108 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 12:01:48 cli.ent.ip:52108 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 12:01:48 cli.ent.ip:52108 TLS: Initial packet from [AF_INET]cli.ent.ip:52108, sid=744d8968 cc41a9c6
2023-03-22 12:01:48 cli.ent.ip:52108 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 12:01:48 cli.ent.ip:52108 VERIFY KU OK
2023-03-22 12:01:48 cli.ent.ip:52108 Validating certificate extended key usage
2023-03-22 12:01:48 cli.ent.ip:52108 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2023-03-22 12:01:48 cli.ent.ip:52108 VERIFY EKU OK
2023-03-22 12:01:48 cli.ent.ip:52108 VERIFY OK: depth=0, CN=it-test
2023-03-22 12:01:48 cli.ent.ip:52108 peer info: IV_VER=2.6.0
2023-03-22 12:01:48 cli.ent.ip:52108 peer info: IV_PLAT=win
2023-03-22 12:01:48 cli.ent.ip:52108 peer info: IV_TCPNL=1
2023-03-22 12:01:48 cli.ent.ip:52108 peer info: IV_MTU=1600
2023-03-22 12:01:48 cli.ent.ip:52108 peer info: IV_NCP=2
2023-03-22 12:01:48 cli.ent.ip:52108 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-03-22 12:01:48 cli.ent.ip:52108 peer info: IV_PROTO=478
2023-03-22 12:01:48 cli.ent.ip:52108 peer info: IV_LZO_STUB=1
2023-03-22 12:01:48 cli.ent.ip:52108 peer info: IV_COMP_STUB=1
2023-03-22 12:01:48 cli.ent.ip:52108 peer info: IV_COMP_STUBv2=1
2023-03-22 12:01:48 cli.ent.ip:52108 peer info: IV_GUI_VER=OpenVPN_GUI_11
2023-03-22 12:01:48 cli.ent.ip:52108 peer info: IV_SSO=openurl,webauth,crtext
2023-03-22 12:01:48 cli.ent.ip:52108 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 12:01:48 cli.ent.ip:52108 [it-test] Peer Connection Initiated with [AF_INET]cli.ent.ip:52108
2023-03-22 12:01:48 it-test/cli.ent.ip:52108 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
2023-03-22 12:01:48 it-test/cli.ent.ip:52108 MULTI: Learn: 10.8.0.6 -> it-test/cli.ent.ip:52108
2023-03-22 12:01:48 it-test/cli.ent.ip:52108 MULTI: primary virtual IP for it-test/cli.ent.ip:52108: 10.8.0.6
2023-03-22 12:01:48 it-test/cli.ent.ip:52108 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-22 12:01:48 it-test/cli.ent.ip:52108 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-22 12:01:48 it-test/cli.ent.ip:52108 SENT CONTROL [it-test]: 'PUSH_REPLY,route ip.to.rou.te2 255.255.255.255 vpn_gateway,route ip.to.rou.te 255.255.255.255 vpn_gateway,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
2023-03-22 12:01:54 it-test/cli.ent.ip:52108 TLS Error: local/remote TLS keys are out of sync: [AF_INET]cli.ent.ip:52108 [1]
2023-03-22 12:01:54 it-test/cli.ent.ip:52108 TLS Error: local/remote TLS keys are out of sync: [AF_INET]cli.ent.ip:52108 [1]
2023-03-22 12:01:55 it-test/cli.ent.ip:52108 TLS Error: local/remote TLS keys are out of sync: [AF_INET]cli.ent.ip:52108 [1]
2023-03-22 12:01:56 it-test/cli.ent.ip:52108 TLS Error: local/remote TLS keys are out of sync: [AF_INET]cli.ent.ip:52108 [1]
2023-03-22 12:01:57 it-test/cli.ent.ip:52108 TLS Error: local/remote TLS keys are out of sync: [AF_INET]cli.ent.ip:52108 [1]
2023-03-22 12:02:00 it-test/cli.ent.ip:52108 TLS Error: local/remote TLS keys are out of sync: [AF_INET]cli.ent.ip:52108 [1]
2023-03-22 12:02:03 it-test/cli.ent.ip:52108 TLS Error: local/remote TLS keys are out of sync: [AF_INET]cli.ent.ip:52108 [1]
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 VERIFY KU OK
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 Validating certificate extended key usage
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 VERIFY EKU OK
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 VERIFY OK: depth=0, CN=it-test
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 peer info: IV_VER=2.6.0
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 peer info: IV_PLAT=win
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 peer info: IV_TCPNL=1
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 peer info: IV_MTU=1600
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 peer info: IV_NCP=2
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 peer info: IV_PROTO=478
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 peer info: IV_LZO_STUB=1
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 peer info: IV_COMP_STUB=1
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 peer info: IV_COMP_STUBv2=1
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 peer info: IV_GUI_VER=OpenVPN_GUI_11
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 peer info: IV_SSO=openurl,webauth,crtext
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-22 12:02:18 it-test/cli.ent.ip:52108 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512

client log:

2023-03-22 11:51:52 Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
2023-03-22 11:51:52 OpenVPN 2.6.0 [git:v2.6.0/b999466418dddb89] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Feb 15 2023
2023-03-22 11:51:52 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-03-22 11:51:52 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-03-22 11:51:52 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2023-03-22 11:51:52 Need hold release from management interface, waiting...
2023-03-22 11:51:52 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:54430
2023-03-22 11:51:52 MANAGEMENT: CMD 'state on'
2023-03-22 11:51:52 MANAGEMENT: CMD 'log on all'
2023-03-22 11:51:52 MANAGEMENT: CMD 'echo on all'
2023-03-22 11:51:52 MANAGEMENT: CMD 'bytecount 5'
2023-03-22 11:51:52 MANAGEMENT: CMD 'state'
2023-03-22 11:51:52 MANAGEMENT: CMD 'hold off'
2023-03-22 11:51:52 MANAGEMENT: CMD 'hold release'
2023-03-22 11:51:59 MANAGEMENT: CMD 'password [...]'
2023-03-22 11:51:59 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:51:59 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:51:59 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-03-22 11:51:59 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-03-22 11:51:59 MANAGEMENT: >STATE:1679482319,RESOLVE,,,,,,
2023-03-22 11:51:59 TCP/UDP: Preserving recently used remote address: [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:51:59 ovpn-dco device [OpenVPN Data Channel Offload] opened
2023-03-22 11:51:59 UDP link local: (not bound)
2023-03-22 11:51:59 UDP link remote: [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:51:59 MANAGEMENT: >STATE:1679482319,WAIT,,,,,,
2023-03-22 11:51:59 MANAGEMENT: >STATE:1679482319,AUTH,,,,,,
2023-03-22 11:51:59 TLS: Initial packet from [AF_INET]IP.of.VPN.SRV:1194, sid=2414a3e2 668b88b0
2023-03-22 11:51:59 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:51:59 VERIFY KU OK
2023-03-22 11:51:59 Validating certificate extended key usage
2023-03-22 11:51:59 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-03-22 11:51:59 VERIFY EKU OK
2023-03-22 11:51:59 VERIFY X509NAME OK: CN=myopenvpn.server.org
2023-03-22 11:51:59 VERIFY OK: depth=0, CN=myopenvpn.server.org
2023-03-22 11:51:59 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:51:59 [myopenvpn.server.org] Peer Connection Initiated with [AF_INET]IP.of.VPN.SRV:1194
2023-03-22 11:51:59 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-03-22 11:51:59 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-03-22 11:52:00 MANAGEMENT: >STATE:1679482320,GET_CONFIG,,,,,,
2023-03-22 11:52:00 SENT CONTROL [myopenvpn.server.org]: 'PUSH_REQUEST' (status=1)
2023-03-22 11:52:00 PUSH: Received control message: 'PUSH_REPLY,route ip.to.rou.te2 255.255.255.255 vpn_gateway,route ip.to.rou.te 255.255.255.255 vpn_gateway,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2023-03-22 11:52:00 OPTIONS IMPORT: timers and/or timeouts modified
2023-03-22 11:52:00 OPTIONS IMPORT: --ifconfig/up options modified
2023-03-22 11:52:00 OPTIONS IMPORT: route options modified
2023-03-22 11:52:00 OPTIONS IMPORT: peer-id set
2023-03-22 11:52:00 OPTIONS IMPORT: data channel crypto options modified
2023-03-22 11:52:00 interactive service msg_channel=680
2023-03-22 11:52:00 MANAGEMENT: >STATE:1679482320,ASSIGN_IP,,10.8.0.6,,,,
2023-03-22 11:52:00 INET address service: add 10.8.0.6/30
2023-03-22 11:52:00 IPv4 MTU set to 1500 on interface 9 using service
2023-03-22 11:52:00 MANAGEMENT: >STATE:1679482320,ADD_ROUTES,,,,,,
2023-03-22 11:52:00 C:\Windows\system32\route.exe ADD ip.to.rou.te2 MASK 255.255.255.255 10.8.0.5 METRIC 200
2023-03-22 11:52:00 Route addition via service succeeded
2023-03-22 11:52:00 C:\Windows\system32\route.exe ADD ip.to.rou.te MASK 255.255.255.255 10.8.0.5 METRIC 200
2023-03-22 11:52:00 Route addition via service succeeded
2023-03-22 11:52:00 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5 METRIC 200
2023-03-22 11:52:00 Route addition via service succeeded
2023-03-22 11:52:00 Initialization Sequence Completed
2023-03-22 11:52:00 MANAGEMENT: >STATE:1679482320,CONNECTED,SUCCESS,10.8.0.6,IP.of.VPN.SRV,1194,,
2023-03-22 11:52:29 TLS: soft reset sec=30/30 bytes=0/-1 pkts=0/0
2023-03-22 11:52:29 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:52:29 VERIFY KU OK
2023-03-22 11:52:29 Validating certificate extended key usage
2023-03-22 11:52:29 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-03-22 11:52:29 VERIFY EKU OK
2023-03-22 11:52:29 VERIFY X509NAME OK: CN=myopenvpn.server.org
2023-03-22 11:52:29 VERIFY OK: depth=0, CN=myopenvpn.server.org
2023-03-22 11:52:29 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:52:59 TLS: soft reset sec=30/30 bytes=0/-1 pkts=0/0
2023-03-22 11:52:59 dco_del_key: peer-id 0, slot 1 called but ignored
2023-03-22 11:53:59 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-03-22 11:53:59 TLS Error: TLS handshake failed
2023-03-22 11:53:59 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
2023-03-22 11:53:59 MANAGEMENT: >STATE:1679482439,WAIT,,,,,,
2023-03-22 11:53:59 MANAGEMENT: >STATE:1679482439,AUTH,,,,,,
2023-03-22 11:53:59 TLS: Initial packet from [AF_INET]IP.of.VPN.SRV:1194, sid=431c7aee 8d1f3b5d
2023-03-22 11:53:59 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:53:59 VERIFY KU OK
2023-03-22 11:53:59 Validating certificate extended key usage
2023-03-22 11:53:59 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-03-22 11:53:59 VERIFY EKU OK
2023-03-22 11:53:59 VERIFY X509NAME OK: CN=myopenvpn.server.org
2023-03-22 11:53:59 VERIFY OK: depth=0, CN=myopenvpn.server.org
2023-03-22 11:54:00 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:54:00 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-03-22 11:54:00 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-03-22 11:54:00 PUSH: Received control message: 'PUSH_REPLY,route ip.to.rou.te2 255.255.255.255 vpn_gateway,route ip.to.rou.te 255.255.255.255 vpn_gateway,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2023-03-22 11:54:00 Initialization Sequence Completed
2023-03-22 11:54:00 MANAGEMENT: >STATE:1679482440,CONNECTED,SUCCESS,10.8.0.6,IP.of.VPN.SRV,1194,,
2023-03-22 11:54:30 TLS: soft reset sec=30/30 bytes=0/-1 pkts=0/0
2023-03-22 11:54:30 VERIFY OK: depth=1, CN=myorg CN
2023-03-22 11:54:30 VERIFY KU OK
2023-03-22 11:54:30 Validating certificate extended key usage
2023-03-22 11:54:30 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-03-22 11:54:30 VERIFY EKU OK
2023-03-22 11:54:30 VERIFY X509NAME OK: CN=myopenvpn.server.org
2023-03-22 11:54:30 VERIFY OK: depth=0, CN=myopenvpn.server.org
2023-03-22 11:54:30 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
2023-03-22 11:54:47 MANAGEMENT: Client disconnected
2023-03-22 11:54:47 Assertion failed at C:\buildbot\msbuild\openvpn-build\src\openvpn\src\openvpn\dco.c:175 (primary->dco_status != DCO_NOT_INSTALLED)
2023-03-22 11:54:47 Exiting due to fatal error
2023-03-22 11:54:47 C:\Windows\system32\route.exe DELETE ip.to.rou.te2 MASK 255.255.255.255 10.8.0.5
2023-03-22 11:54:47 Route deletion via service succeeded
2023-03-22 11:54:47 C:\Windows\system32\route.exe DELETE ip.to.rou.te MASK 255.255.255.255 10.8.0.5
2023-03-22 11:54:47 Route deletion via service succeeded
2023-03-22 11:54:47 C:\Windows\system32\route.exe DELETE 10.8.0.1 MASK 255.255.255.255 10.8.0.5
2023-03-22 11:54:47 Route deletion via service succeeded
2023-03-22 11:54:47 Closing DCO interface
2023-03-22 11:54:47 IPv4 dns servers deleted using service
2023-03-22 11:54:47 INET address service: remove 10.8.0.6/30


Can somebody help me fix the time problem, or is there a better way to deal with it?
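One way to spot this condition from the server side, added here as an example (not code from the poster or from the OpenVPN project): the script scans server log lines in the format shown above and flags a common name that accumulates repeated 'AUTH_FAILED' or "TLS keys are out of sync" events inside a time window. The sample lines, the 198.51.100.x addresses, the `laptop-2` name, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "<date> <time> <peer> <message>", as in the server log excerpts above.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
AUTH_FAILED_RE = re.compile(r"SENT CONTROL \[([^\]]+)\]: 'AUTH_FAILED'")
OUT_OF_SYNC = "TLS Error: local/remote TLS keys are out of sync"

# Constructed sample, modelled on the log lines in the post.
SAMPLE_LOG = """\
2023-03-22 11:50:03 198.51.100.7:59776 PUSH: Received control message: 'PUSH_REQUEST'
2023-03-22 11:50:03 198.51.100.7:59776 SENT CONTROL [it-test]: 'AUTH_FAILED' (status=1)
2023-03-22 11:50:05 198.51.100.7:59776 SIGUSR1[soft,connection-reset] received, client-instance restarting
2023-03-22 11:52:00 198.51.100.7:52108 [it-test] Peer Connection Initiated with [AF_INET]198.51.100.7:52108
2023-03-22 12:01:54 it-test/198.51.100.7:52108 TLS Error: local/remote TLS keys are out of sync: [AF_INET]198.51.100.7:52108 [1]
2023-03-22 12:01:55 it-test/198.51.100.7:52108 TLS Error: local/remote TLS keys are out of sync: [AF_INET]198.51.100.7:52108 [1]
2023-03-22 12:01:57 it-test/198.51.100.7:52108 TLS Error: local/remote TLS keys are out of sync: [AF_INET]198.51.100.7:52108 [1]
2023-03-22 12:03:10 198.51.100.9:40112 SENT CONTROL [laptop-2]: 'AUTH_FAILED' (status=1)
""".splitlines()


def parse_failures(lines):
    """Yield (timestamp, common_name, kind) for every failure line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a timestamped log line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        peer, msg = m.group(2), m.group(3)
        auth = AUTH_FAILED_RE.search(msg)
        if auth:
            # The common name is the bracketed part of SENT CONTROL [...].
            yield ts, auth.group(1), "AUTH_FAILED"
        elif msg.startswith(OUT_OF_SYNC):
            # Established instances are logged as "<CN>/<ip>:<port>";
            # without a CN prefix this falls back to "<ip>:<port>".
            yield ts, peer.split("/", 1)[0], "KEYS_OUT_OF_SYNC"


def find_stuck_clients(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {cn: (window_start, last_seen, peak_count)} for every common
    name with at least `threshold` failures inside a sliding `window`.
    Assumes the lines are in chronological order, as in a server log."""
    recent = defaultdict(deque)
    stuck = {}
    for ts, cn, _kind in parse_failures(lines):
        q = recent[cn]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            if cn in stuck:
                start, _, peak = stuck[cn]
                stuck[cn] = (start, ts, max(peak, len(q)))
            else:
                stuck[cn] = (q[0], ts, len(q))
    return stuck


if __name__ == "__main__":
    for cn, (start, last, peak) in find_stuck_clients(SAMPLE_LOG).items():
        print(f"{cn}: {peak} failures between {start} and {last}")
```
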

Re: time(?) issue after standby of client leads to endless "AUTH_FAILED" on the server without dropping connection

Post by pi-2007 » Thu Mar 23, 2023 2:09 pm

Hello,

Just an update (in case somebody else faces the same issue). Re-reading the documentation, I tried various settings to try to disconnect the client when it is in standby, while keeping the connection open even if it is not used (my VPN only routes 2 IPs, which are not used all the time by clients).

1) on the server, instead of keepalive 10 120 I only used ping 10, and ping-exit 120. However, the client disconnects even when running (but not connected to one of the routed IPs)

2) using single-session either on server or client doesn't change anything (after wakeup from standby, the auth_failed error goes on forever (or default reneg-sec, I guess))

3) using explicit-exit-notify 1 on client: doesn't change anything (after wakeup from standby, the auth_failed error goes on forever (or default reneg-sec, I guess))

4) when trying to push reneg-sec (push "reneg-sec 60") from the server: this doesn't work (the client doesn't disconnect after the "TLS keys are out of sync" error)



So, unfortunately the problem persists and the only solution is to use reneg-sec on the client, and accept big server-log files due to constant renegotiation of the data channel:

2023-03-23 14:35:57 it-test/ip.of.client.x:50348 VERIFY OK: depth=1, CN=myorg CN
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 VERIFY KU OK
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 Validating certificate extended key usage
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 VERIFY EKU OK
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 VERIFY OK: depth=0, CN=it-test
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 peer info: IV_VER=2.6.1
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 peer info: IV_PLAT=win
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 peer info: IV_TCPNL=1
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 peer info: IV_MTU=1600
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 peer info: IV_NCP=2
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 peer info: IV_PROTO=990
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 peer info: IV_LZO_STUB=1
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 peer info: IV_COMP_STUB=1
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 peer info: IV_COMP_STUBv2=1
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 peer info: IV_GUI_VER=OpenVPN_GUI_11
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 peer info: IV_SSO=openurl,webauth,crtext
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-23 14:35:57 it-test/ip.of.client.x:50348 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512

(Also, I upgraded the client to 2.6.1. In the previous logs I used 2.6.0 just to see whether this problem goes away.)

I would only hope that this post might save somebody else some hours of searching, and if there is a solution to this issue, more than happy to read about it!

Re: time(?) issue after standby of client leads to endless "AUTH_FAILED" on the server without dropping connection

Post by pi-2007 » Fri May 19, 2023 2:48 pm

I can provide an answer myself: the problem was combining my specific(?) config with openvpn server 2.5.5 (Ubuntu 22.04) and a 2.6.x openvpn client (with Windows).

As soon as I downgraded the client to 2.5.9 on Windows, the client reconnects just as it should after standby and the server logs don't get flooded.

I tested it with the latest 2.6.4 and the problem persists.
