VPN timeout with 2FA (probably due to renegotiation)


Moderators: TinCanTech


Post by il_mix » Thu Feb 29, 2024 8:55 am

Hi, everyone!

I have an OpenVPN server configured on an Ubuntu 22.04.3 LTS server machine. Here is the server.conf file:


port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/issued/server.crt
key /etc/openvpn/server/private/server.key
dh /etc/openvpn/server/dh.pem
topology subnet
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
keepalive 10 120
cipher AES-256-GCM
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
crl-verify /etc/openvpn/server/crl.pem
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

Everything was ok. During Covid time it was used a lot without problems.
I've added 2FA some months ago. Now I have complaints from my coworkers that sometimes the connection drops and they have to reconnect.
On the client side, we use OpenVPN GUI on Windows. Here is the client.ovpn configuration file:


dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
ca ca.crt
cert cristofolini.crt
key cristofolini.key
remote-cert-tls server
data-ciphers-fallback AES-256-CBC
verb 3

As you can see from the configuration files, we use certificates for the connection (no user/password). As said, I've added the 2FA (via Google Authenticator).

I've read some similar problems here. Looks like this is due to renegotiation, and more specifically the `reneg-bytes` parameter (set to 64M by default).
I tried adding `reneg-bytes 0` to server.conf, and the connection looks stable. It seems it doesn't need to be set on the client side, too.

Looks like the renegotiation was automatic before 2FA (server asked for renegotiation, client sent certificates again, everything went on smoothly). With 2FA I suppose it requires an updated code, but somehow the client doesn't ask for it, and the connection just drops.

To the questions:
- am I right thinking the cause is the renegotiation, and more precisely the `reneg-bytes` parameter, or can there be some other issue? (given my config files)
- setting `reneg-bytes 0` is not recommended. I can set a higher value. What's the syntax to set it in MB? Is writing, e.g., 128M ok or do I need to write 13107331072?
- increasing the value won't let the problem disappear; it just delays it. How can I have the client ask the 2FA password again on renegotiation, instead of silently dropping it?


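The following lint script is an added example and is not code from the original post or from the OpenVPN project. It parses an OpenVPN server config and reports the renegotiation-related settings the post is about: it flags `reneg-bytes 0` and `reneg-sec 0` (both disable a rekey trigger), rejects unit suffixes because OpenVPN's `reneg-bytes` and `reneg-sec` take a plain integer (bytes and seconds respectively, so 128 MiB must be written as 134217728), and warns when the auth-pam plugin is used without `auth-gen-token`, the server-side option that hands the client a token after a successful login so that a later rekey re-authenticates with that token instead of demanding a fresh OTP. The two sample configs are constructed from the directives in the post; the `auth-gen-token` lifetime of 43200 seconds is an arbitrary choice for the example.

```python
"""Lint renegotiation-related directives in an OpenVPN server config."""

# Constructed sample: the directives from the post plus the workaround
# the poster tried (reneg-bytes 0), which disables byte-triggered rekeying.
WEAK_SERVER_CONF = """\
port 1194
proto udp
dev tun
cipher AES-256-GCM
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
reneg-bytes 0
"""

# Constructed sample: a plain byte count (128 MiB) instead of 0, and
# auth-gen-token so a rekey does not require a fresh OTP from the user.
# The 43200-second token lifetime is an assumed value for this example.
HARDENED_SERVER_CONF = """\
port 1194
proto udp
dev tun
cipher AES-256-GCM
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
reneg-bytes 134217728
auth-gen-token 43200
"""


def mib_to_bytes(mib):
    """OpenVPN has no unit suffixes; convert MiB to the integer it expects."""
    return mib * 1024 * 1024


def parse_config(conf_text):
    """Yield (directive, [args]) pairs, skipping blank and comment lines.

    OpenVPN treats lines starting with '#' or ';' as comments.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def lint_renegotiation(conf_text):
    """Return a list of human-readable findings about rekey settings."""
    directives = {}
    for name, args in parse_config(conf_text):
        directives.setdefault(name, []).append(args)

    findings = []

    # reneg-bytes (bytes) and reneg-sec (seconds, default 3600) both take a
    # single positive integer; "128M"-style values are not accepted.
    for key in ("reneg-bytes", "reneg-sec"):
        for args in directives.get(key, []):
            shown = " ".join(args) or "<none>"
            if not args or not args[0].isdigit():
                findings.append(f"{key}: expects a plain integer, got {shown!r}")
            elif int(args[0]) == 0:
                findings.append(f"{key} 0: disables this rekey trigger entirely")

    # A password/OTP backend (auth-pam here) without auth-gen-token means
    # every renegotiation needs the user to supply a new code.
    uses_pam = any(
        any("auth-pam" in arg for arg in args)
        for args in directives.get("plugin", [])
    )
    if uses_pam and "auth-gen-token" not in directives:
        findings.append(
            "auth-pam plugin without auth-gen-token: each rekey requires a "
            "fresh password/OTP instead of a server-issued token"
        )
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(f"== {label} ==")
        for finding in lint_renegotiation(conf) or ["no findings"]:
            print("  -", finding)
    print("128 MiB in bytes:", mib_to_bytes(128))
```

Running the script prints two findings for the weak config and none for the hardened one; the lint only looks at directives, so it cannot tell whether a given client will actually prompt again on rekey, which depends on the client software as well.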