When we configure OpenVPN to use Jumpcloud's MFA then, after entering the user's password, Jumpcloud's app shows a notification on the user's mobile device and asks for confirmation to approve the authentication. If the user approves the login, then the authentication completes and OpenVPN connects properly. So far so good.
However, the users only have about 10 seconds to complete the process, and that is not nearly long enough. The ten seconds includes a lot of actions that have delay built into each of them:
- OpenVPN contacts the Jumpcloud server with the password
- Jumpcloud checks the password and user
- Jumpcloud pushes the notification to the user
- The user has to grab their phone and open the notification
- The user has to hit approve and then enter a pin (or fingerprint)
- Jumpcloud's app sends approval back to Jumpcloud
- Jumpcloud sends approval back to OpenVPN
I have set server-poll-timeout 360 in the client .ovpn file, and I have the LDAP server timeout on the server also set to 360. I cannot find why 10 seconds seem to be the maximum wait time for the session to establish once the password has been sent.
Here are the logs from the client, you can see that there's no error or authentication denied by the server, it's just a timeout after 10 seconds:

```
[Oct 11, 2023, 16:58:35] Session is ACTIVE
[Oct 11, 2023, 16:58:35] EVENT: GET_CONFIG
[Oct 11, 2023, 16:58:35] Sending PUSH_REQUEST to server...
[Oct 11, 2023, 16:58:36] Sending PUSH_REQUEST to server...
[Oct 11, 2023, 16:58:38] Sending PUSH_REQUEST to server...
[Oct 11, 2023, 16:58:41] Sending PUSH_REQUEST to server...
[Oct 11, 2023, 16:58:44] Sending PUSH_REQUEST to server...
[Oct 11, 2023, 16:58:45] EVENT: CONNECTION_TIMEOUT BYTES_IN : 4042
BYTES_OUT : 1938
PACKETS_IN : 11
PACKETS_OUT : 12
CONNECTION_TIMEOUT : 1
[Oct 11, 2023, 16:58:45] EVENT: DISCONNECTED
[Oct 11, 2023, 16:58:48] Raw stats on disconnect:
BYTES_IN : 4042
BYTES_OUT : 1938
PACKETS_IN : 11
PACKETS_OUT : 12
CONNECTION_TIMEOUT : 1
[Oct 11, 2023, 16:58:48] Performance stats on disconnect:
CPU usage (microseconds): 85696137
Network bytes per CPU second: 69
Tunnel bytes per CPU second: 0
```

Here is my .ovpn config:

```
dev tun
auth SHA256
tls-client
client
remote vpn.mydomain.com 1194 udp4
setenv opt block-outside-dns
auth-user-pass
server-poll-timeout 360
remote-cert-tls server
inactive 14400 4096000
reneg-sec 0
<certificate stuff>
```

Thanks for any help or suggestions you can provide!
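Added example, not part of the original post: a small Python script that reads a client log in the format shown above and reports which phase the timeout falls in, by measuring the wait from GET_CONFIG to CONNECTION_TIMEOUT and the spacing of the PUSH_REQUEST retries. The function names are hypothetical and the sample input is a constructed copy of the timestamped lines from the post.

```python
import re
from datetime import datetime

# Constructed sample: the timestamped client log lines from the post.
SAMPLE_LOG = """\
[Oct 11, 2023, 16:58:35] Session is ACTIVE
[Oct 11, 2023, 16:58:35] EVENT: GET_CONFIG
[Oct 11, 2023, 16:58:35] Sending PUSH_REQUEST to server...
[Oct 11, 2023, 16:58:36] Sending PUSH_REQUEST to server...
[Oct 11, 2023, 16:58:38] Sending PUSH_REQUEST to server...
[Oct 11, 2023, 16:58:41] Sending PUSH_REQUEST to server...
[Oct 11, 2023, 16:58:44] Sending PUSH_REQUEST to server...
[Oct 11, 2023, 16:58:45] EVENT: CONNECTION_TIMEOUT BYTES_IN : 4042
BYTES_OUT : 1938
[Oct 11, 2023, 16:58:45] EVENT: DISCONNECTED
"""

LINE_RE = re.compile(r"^\[(\w{3} \d{1,2}, \d{4}, \d{2}:\d{2}:\d{2})\] (.*)$")


def parse(log):
    """Return (timestamp, message) pairs; lines without a timestamp are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%b %d, %Y, %H:%M:%S")
            events.append((ts, m.group(2)))
    return events


def push_wait(log):
    """Summarise the config-pull phase, or None if the log has no timeout."""
    events = parse(log)
    start = next((t for t, msg in events if "EVENT: GET_CONFIG" in msg), None)
    end = next((t for t, msg in events if "EVENT: CONNECTION_TIMEOUT" in msg), None)
    if start is None or end is None:
        return None
    pushes = [t for t, msg in events if "PUSH_REQUEST" in msg and start <= t <= end]
    return {
        # True when the session was established before the config pull began
        "session_active": any("Session is ACTIVE" in msg and t <= start for t, msg in events),
        "push_requests": len(pushes),
        "retry_gaps_s": [int((b - a).total_seconds()) for a, b in zip(pushes, pushes[1:])],
        "waited_s": int((end - start).total_seconds()),
    }


if __name__ == "__main__":
    print(push_wait(SAMPLE_LOG))
```

On the log from the post this reports that the session was already ACTIVE and that the 10 seconds elapsed entirely while the client was retrying PUSH_REQUEST, which narrows the search to whatever bounds that phase rather than the initial server connection.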