No reauth comes through when using expired auth-gen-token

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Rumbles
OpenVpn Newbie
Posts: 12
Joined: Wed Mar 28, 2018 7:58 am

No reauth comes through when using expired auth-gen-token

Post by Rumbles » Tue Apr 03, 2018 12:45 pm

I set up a test config last week, as I was advised to ensure I was using reneg-sec != 0 and since I use Duo for 2FA, I didn't want to get a reauth pushed to my phone every time it needed to renegotiate. I set up the following config:

Client Config
remote vpn.domain.com
proto udp
port 2018
verb 3
dev tun
persist-tun
persist-key
client
cipher AES-256-GCM
ca ca.crt
cert user.crt
key user.key
auth-user-pass
reneg-sec 3600



Server Config
port 2018
proto udp
dev tun
ca ca.crt
cert vpn.crt
key vpn.key # This file should be kept secret
dh dh2048.pem
server 10.10.18.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.8.0 255.255.248.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.10.10.3"
push "dhcp-option DNS 10.10.10.6"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DOMAIN domain.com"
keepalive 10 120
cipher AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
status openvpn-2018-status.log
log-append /var/log/openvpn-2018.log
verb 4
reneg-sec 3600
auth-gen-token 86400
plugin /opt/duo/duo_openvpn.so 'REDACTED'


With this config I can connect fine to the VPN and it remains stable, but after 24 hours, when I would expect a reauth to be pushed to my phone (it should always be pushed to my phone when I use a password of "push" or blank or anything that isn't the valid key that Duo generates), no reauth comes through.

Around the time I would expect it to reauth, I see these messages:

Sun Apr  1 09:59:51 2018 us=329084 Rumbles/10.10.10.139:54259 Auth-token for client expired

Sun Apr  1 09:59:51 2018 us=340558 Rumbles/10.10.10.139:54259 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Apr  1 10:00:52 2018 us=666506 Rumbles/10.10.10.139:54259 TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.10.10.139:54259 [4]
Sun Apr  1 10:00:52 2018 us=916760 Rumbles/10.10.10.139:54259 TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.10.10.139:54259 [4]
Sun Apr  1 10:00:53 2018 us=166491 Rumbles/10.10.10.139:54259 TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.10.10.139:54259 [4]
The "out of sync" messages continue until my connection times out. On my laptop the VPN icon remains in the (Gnome Shell) tray and my laptop can't get any network traffic as the VPN is dead.

Is there anything else I need to add to my config to get it to request a re-auth correctly?

TinCanTech
OpenVPN Protagonist
Posts: 11136
Joined: Fri Jun 03, 2016 1:17 pm

Re: No reauth comes through when using expired auth-gen-token

Post by TinCanTech » Tue Apr 03, 2018 2:20 pm

Rumbles wrote:
Tue Apr 03, 2018 12:45 pm
The "out of sync" messages continue until my connection times out.
That is as expected ..
Rumbles wrote:
Tue Apr 03, 2018 12:45 pm
On my laptop the VPN icon remains in the (Gnome Shell) tray and my laptop can't get any network traffic as the VPN is dead.
Do you mean the VPN does not reconnect at all ?

I don't know how you have your 2FA configured but you may need --auth-retry interact in the client.

See --auth-retry interact in the manual.

Rumbles
OpenVpn Newbie
Posts: 12
Joined: Wed Mar 28, 2018 7:58 am

Re: No reauth comes through when using expired auth-gen-token

Post by Rumbles » Wed Apr 04, 2018 10:07 am

Thanks for the tip, I tried this and got some weird behaviour.

In order to test it quickly, I changed reneg-sec to 30 and auth-gen-token to 120. I updated my client config file, then imported it into Network Manager (everyone is using GNOME or KDE, so NM is the normal way everyone connects). I can see this config option has been added by checking in ps, and I can see "auth-retry interact" in the command string.

As I connect to the VPN, I get a push coming through to my device, as expected, but a second or two after approving that, a second request comes through. I accepted the second request as well, and the VPN works until the key expires, at which point the VPN dies and no push gets sent to my device.

Logs on my laptop:

Apr 04 10:35:32 rumbles-laptop NetworkManager[1372]: <info>  [1522834532.0920] audit: op="connection-activate" uuid="8eded980-0d83-43e3-90d6-5a4fba1054bf" name="domain TEST" pid=3162 uid=840201107 result="success"
Apr 04 10:35:32 rumbles-laptop NetworkManager[1372]: <info>  [1522834532.1046] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",0]: Started the VPN service, PID 11218
Apr 04 10:35:32 rumbles-laptop NetworkManager[1372]: <info>  [1522834532.1183] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",0]: Saw the service appear; activating connection
Apr 04 10:35:36 rumbles-laptop NetworkManager[1372]: <info>  [1522834536.5879] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",0]: VPN plugin: state changed: starting (3)
Apr 04 10:35:36 rumbles-laptop NetworkManager[1372]: <info>  [1522834536.5887] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",0]: VPN connection: (ConnectInteractive) reply received
Apr 04 10:35:36 rumbles-laptop nm-openvpn[11296]: WARNING: file '/home/Rumbles/Keys/vpn.Rumbles/Rumbles.key' is group or others accessible
Apr 04 10:35:36 rumbles-laptop nm-openvpn[11296]: OpenVPN 2.4.5 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar  1 2018
Apr 04 10:35:36 rumbles-laptop nm-openvpn[11296]: library versions: OpenSSL 1.1.0h-fips  27 Mar 2018, LZO 2.08
Apr 04 10:35:36 rumbles-laptop nm-openvpn[11296]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Apr 04 10:35:36 rumbles-laptop nm-openvpn[11296]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 04 10:35:37 rumbles-laptop nm-openvpn[11296]: TCP/UDP: Preserving recently used remote address: [AF_INET]TARGET_IP:2018
Apr 04 10:35:37 rumbles-laptop nm-openvpn[11296]: UDP link local: (not bound)
Apr 04 10:35:37 rumbles-laptop nm-openvpn[11296]: UDP link remote: [AF_INET]TARGET_IP:2018
Apr 04 10:35:37 rumbles-laptop nm-openvpn[11296]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Apr 04 10:35:37 rumbles-laptop nm-openvpn[11296]: [vpn.sheffield.domain.com] Peer Connection Initiated with [AF_INET]TARGET_IP:2018
Apr 04 10:35:44 rumbles-laptop gvfsd[3121]: Error calling org.gtk.vfs.MonitorClient.Changed(): Timeout was reached (g-io-error-quark, 24)
Apr 04 10:35:44 rumbles-laptop gvfsd[3121]: Error calling org.gtk.vfs.MonitorClient.Changed(): Timeout was reached (g-io-error-quark, 24)
Apr 04 10:35:48 rumbles-laptop nm-openvpn[11296]: auth-token received, disabling auth-nocache for the authentication token
Apr 04 10:35:48 rumbles-laptop nm-openvpn[11296]: TUN/TAP device tun0 opened
Apr 04 10:35:48 rumbles-laptop nm-openvpn[11296]: /usr/libexec/nm-openvpn-service-openvpn-helper --debug 0 11218 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_146 --tun -- tun0 1500 1624 10.10.18.6 10.10.18.5 init
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9204] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/41)
Apr 04 10:35:48 rumbles-laptop systemd-udevd[11561]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9461] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",0]: VPN connection: (IP Config Get) reply received.
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9467] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: VPN connection: (IP4 Config Get) reply received
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9476] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: VPN Gateway: TARGET_IP
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9477] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: Tunnel Device: "tun0"
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9477] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: IPv4 configuration:
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9477] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data:   Internal Gateway: 10.10.18.5
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9477] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data:   Internal Address: 10.10.18.6
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9477] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data:   Internal Prefix: 32
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9478] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data:   Internal Point-to-Point Address: 10.10.18.5
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9478] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data:   Maximum Segment Size (MSS): 0
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9478] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data:   Static Route: 10.10.8.0/21   Next Hop: 10.10.18.5
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9478] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data:   Static Route: 10.10.18.1/32   Next Hop: 10.10.18.5
Apr 04 10:35:48 rumbles-laptop nm-openvpn[11296]: GID set to nm-openvpn
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9478] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data:   Forbid Default Route: no
Apr 04 10:35:48 rumbles-laptop nm-openvpn[11296]: UID set to nm-openvpn
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9478] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data:   Internal DNS: 10.10.10.3
Apr 04 10:35:48 rumbles-laptop nm-openvpn[11296]: Initialization Sequence Completed
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9478] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data:   Internal DNS: 10.10.10.6
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9479] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data:   Internal DNS: 8.8.8.8
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9479] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data:   DNS Domain: 'sheffield.domain.com'
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9479] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: No IPv6 configuration
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9480] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: VPN plugin: state changed: started (4)
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=filter family=2 entries=97
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=nat family=2 entries=57
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=mangle family=2 entries=41
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=raw family=2 entries=30
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=filter family=10 entries=88
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=nat family=10 entries=52
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=mangle family=10 entries=40
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=raw family=10 entries=31
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9924] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: VPN connection: (IP Config Get) complete
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info>  [1522834548.9946] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed', internal state 'external')
Apr 04 10:35:48 rumbles-laptop dbus-daemon[1266]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.8' (uid=0 pid=1372 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0")
Apr 04 10:35:49 rumbles-laptop NetworkManager[1372]: <info>  [1522834549.0005] keyfile: add connection in-memory (6d985204-4c02-49ed-8742-1c6173642af5,"tun0")
Apr 04 10:35:49 rumbles-laptop systemd[1]: Starting Network Manager Script Dispatcher Service...
Apr 04 10:35:49 rumbles-laptop NetworkManager[1372]: <info>  [1522834549.0018] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed', internal state 'external')
Apr 04 10:35:49 rumbles-laptop NetworkManager[1372]: <info>  [1522834549.0033] device (tun0): Activation: starting connection 'tun0' (6d985204-4c02-49ed-8742-1c6173642af5)
Apr 04 10:35:49 rumbles-laptop NetworkManager[1372]: <info>  [1522834549.0040] device (tun0): state change: disconnected -> prepare (reason 'none', internal state 'external')
Apr 04 10:35:49 rumbles-laptop NetworkManager[1372]: <info>  [1522834549.0044] device (tun0): state change: prepare -> config (reason 'none', internal state 'external')
Apr 04 10:35:49 rumbles-laptop NetworkManager[1372]: <info>  [1522834549.0046] device (tun0): state change: config -> ip-config (reason 'none', internal state 'external')
Apr 04 10:35:49 rumbles-laptop NetworkManager[1372]: <info>  [1522834549.0087] device (tun0): state change: ip-config -> ip-check (reason 'none', internal state 'external')
Apr 04 10:35:49 rumbles-laptop dbus-daemon[1266]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Then, after a load of "keys out of sync" messages, this:

Apr 04 10:38:12 rumbles-laptop NetworkManager[1372]: <info>  [1522834692.6690] audit: op="connection-deactivate" uuid="8eded980-0d83-43e3-90d6-5a4fba1054bf" name="domain TEST" pid=3162 uid=840201107 result="success"
I don't see any reason there for the second request coming through early in the connection and I don't see openvpn trying to auth again after the key has expired.

TinCanTech
OpenVPN Protagonist
Posts: 11136
Joined: Fri Jun 03, 2016 1:17 pm

Re: No reauth comes through when using expired auth-gen-token

Post by TinCanTech » Wed Apr 04, 2018 12:50 pm

Rumbles wrote:
Wed Apr 04, 2018 10:07 am
In order to test it quickly, I changed the reneg-sec to 30 and auth-gen-token to 120
In my experience this may be too fast, as other timeouts come into play; I tend to use something between 2 and 10 minutes.
Rumbles wrote:
Wed Apr 04, 2018 10:07 am
then imported it in to Network manager (everyone is using gnome or KDE, so NM is the normal way everyone connects).
I do not use NM .. it is another layer of complexity that is best removed while you get the underlying mechanism to work. I do not mean remove NM, I just mean don't configure openvpn via NM.
Rumbles wrote:
Wed Apr 04, 2018 10:07 am
As I connect to the VPN, I get a push come through to my device, as expected, but a second or 2 after approving that, a second request comes through. I accepted the second request as well, and the VPN works until the key expires at which point the VPN dies and no push gets sent to my device.
This statement does not make sense to me ..

You cannot drop privileges in the client, otherwise the connection will fail when the token expires.

Rumbles
OpenVpn Newbie
Posts: 12
Joined: Wed Mar 28, 2018 7:58 am

Re: No reauth comes through when using expired auth-gen-token

Post by Rumbles » Wed Apr 04, 2018 3:29 pm

Thanks, I will try doing my test over a slightly longer time frame.
Sorry if I didn't explain that very well. Basically, I connected to VPN, I got a request to my device as normal. But as soon as I had accepted one, it received a second request, which is not normal. The VPN stayed connected and reauthed a number of times when the reneg-sec timeout was up, but after the key expired the VPN failed to renegotiate and I didn't get a request pushed to my device.

TinCanTech
OpenVPN Protagonist
Posts: 11136
Joined: Fri Jun 03, 2016 1:17 pm

Re: No reauth comes through when using expired auth-gen-token

Post by TinCanTech » Wed Apr 04, 2018 3:41 pm

Rumbles wrote:
Wed Apr 04, 2018 3:29 pm
The VPN stayed connected and reauthed a number of times when the reneg-sec timeout was up, but after the key expired the VPN failed to renegotiate
That is correct, except that when the key expires you should be prompted for your 2FA password again, which will then restart the --auth-token timer and push you a new token. (That is what should happen.)
Rumbles wrote:
Wed Apr 04, 2018 3:29 pm
and I didn't get a request pushed to my device
That is correct because you did not authenticate again as above.
Rumbles wrote:
Wed Apr 04, 2018 3:29 pm
I connected to VPN, I got a request to my device as normal. But as soon as I had accepted one, it received a second request, which is not normal
This, again, does not make sense to me .. perhaps you can provide your client log at verb 4.

TinCanTech
OpenVPN Protagonist
Posts: 11136
Joined: Fri Jun 03, 2016 1:17 pm

Re: No reauth comes through when using expired auth-gen-token

Post by TinCanTech » Wed Apr 04, 2018 3:50 pm

Unfortunately, it has come to my attention that the --auth-gen-token code is not quite production ready ..

In fact, the --auth-gen-token code is now considered to be a work-around for servers which do not employ a suitable plugin or script to do the work. (Sorry about this late information.)

For me personally, the code works to a suitable degree but it is not ready for all eventualities.

Some further reading:
https://patchwork.openvpn.net/patch/263/
https://www.mail-archive.com/openvpn-de ... 16729.html

Rumbles
OpenVpn Newbie
Posts: 12
Joined: Wed Mar 28, 2018 7:58 am

Re: No reauth comes through when using expired auth-gen-token

Post by Rumbles » Thu Apr 05, 2018 8:52 am

Thanks for clarifying that issue.

Would you say it is likely that these fixes for auth-gen-token that are discussed are likely to make it in to the stable branch of openvpn any time in the next few months? Or is this likely to be some way off?

If the auth-gen-token feature is not production ready, are there any scripts that are available for us to use to handle the token generation/sharing/verification? Or do we need to write our own? I have looked and found something for yubikey OTP in Perl, but I don't know Perl and so modifying that to work for my case could be a pain.

I have seen this page: https://community.openvpn.net/openvpn/wiki/SWEET32 where it gives an example of a script that can do this work. But it says that the scripts need to be adapted before use, they shouldn't be used as is. But I'm unclear on how to change them. Reading over them I think I understand most of the basic steps, but I don't see how the tokens are passed between the server and client or what would need to be modified to make them production ready.
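The part Rumbles is asking about, how a token gets from server to client and back, as an added example (it is not code from this thread, the OpenVPN project, Duo, or the SWEET32 wiki scripts). It assumes a hypothetical server wiring of `script-security 2`, `auth-user-pass-verify /etc/openvpn/vpn-auth.py via-env` and `client-connect /etc/openvpn/vpn-auth.py`, with one script serving both hooks and telling them apart via OpenVPN's `script_type` environment variable; that the token is bound to the certificate `common_name` OpenVPN exports to both hooks; that the signing key comes from a hypothetical `VPN_TOKEN_SECRET` environment variable; and that the real credential check (the Duo push in the thread) is stood in for by a constructed user table. The client-connect hook pushes `auth-token`, which the client then sends as its password on every reneg-sec renegotiation; the verify hook accepts a valid token without touching the 2FA backend and falls back to the real password check once it has expired, so the client gets AUTH_FAILED and, with `auth-retry interact`, re-prompts the user.

```python
#!/usr/bin/env python3
"""Added example: HMAC session tokens minted by client-connect and checked by
auth-user-pass-verify, so reneg-sec renegotiations do not trigger a new 2FA
push until the token expires.  Not the project's own code.

Assumed (hypothetical) server wiring:
    script-security 2
    auth-user-pass-verify /etc/openvpn/vpn-auth.py via-env
    client-connect        /etc/openvpn/vpn-auth.py
Both hooks run this file; OpenVPN's script_type env var says which one.
"""
import base64
import hashlib
import hmac
import os
import secrets
import sys
import time

TOKEN_PREFIX = "SESS1"
TOKEN_TTL = 86400          # seconds; the auth-gen-token lifetime used in the thread

# Constructed stand-in for the real backend (the Duo plugin in the thread).
# Replace with the real check; never ship a static table.
CONSTRUCTED_USERS = {"rumbles": "correct-horse"}


def check_password(username, password):
    """Stub for the expensive / interactive check (2FA push)."""
    expected = CONSTRUCTED_USERS.get(username)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def _mac(secret, payload):
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def mint_token(common_name, secret, now=None, ttl=TOKEN_TTL):
    """Stateless bearer token: PREFIX:b64(cn):expiry:nonce:hmac."""
    now = int(time.time()) if now is None else int(now)
    cn = base64.urlsafe_b64encode(common_name.encode()).decode()
    payload = f"{TOKEN_PREFIX}:{cn}:{now + ttl}:{secrets.token_hex(8)}"
    return f"{payload}:{_mac(secret, payload)}"


def verify_token(common_name, token, secret, now=None):
    """True only for an untampered, unexpired token bound to this common_name."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(":")
    if len(parts) != 5 or parts[0] != TOKEN_PREFIX:
        return False                  # not a token at all (e.g. a real password)
    payload, mac = ":".join(parts[:4]), parts[4]
    if not hmac.compare_digest(mac, _mac(secret, payload)):
        return False                  # check the MAC before trusting any field
    try:
        cn = base64.urlsafe_b64decode(parts[1]).decode()
        expiry = int(parts[2])
    except (ValueError, UnicodeDecodeError):
        return False
    return cn == common_name and now < expiry


def authenticate(common_name, username, password, secret, now, password_check):
    """Decision made by the auth-user-pass-verify hook: (accepted, method).

    A valid token is accepted without calling the password backend.  Anything
    else (first login, or the expired token the client keeps resending) goes
    to the real check, so an expired token yields AUTH_FAILED and a client
    running --auth-retry interact prompts the user again.
    """
    if verify_token(common_name, password, secret, now):
        return True, "token"
    return password_check(username, password), "password"


def auth_token_push_line(common_name, secret, now=None):
    """Line the client-connect hook appends to the per-client config file."""
    return f'push "auth-token {mint_token(common_name, secret, now)}"'


def main(argv):
    secret = os.environ["VPN_TOKEN_SECRET"].encode()    # hypothetical env var
    cn = os.environ.get("common_name", "")
    kind = os.environ.get("script_type")
    if kind == "user-pass-verify":                      # via-env: creds in env
        ok, how = authenticate(cn, os.environ.get("username", ""),
                               os.environ.get("password", ""), secret,
                               time.time(), check_password)
        print(f"vpn-auth: {cn}: {how} auth {'ok' if ok else 'FAILED'}",
              file=sys.stderr)
        return 0 if ok else 1                           # non-zero => AUTH_FAILED
    if kind == "client-connect":                        # argv[1]: temp config file
        with open(argv[1], "a") as cfg:
            cfg.write(auth_token_push_line(cn, secret) + "\n")
        return 0
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats a practitioner should keep in mind. The token is a bearer credential bound only to the common name, not to the TLS session, and the server keeps no state, so the only revocation is expiry or rotating the secret; keep the TTL to what you would tolerate for a stolen credential, and keep reneg-sec on both sides well below it. And the fallback path is what makes the expiry visible to the user: once the token is stale the client's cached copy fails the real check, so the client needs `auth-retry interact` to ask for fresh credentials rather than simply dying.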

TinCanTech
OpenVPN Protagonist
Posts: 11136
Joined: Fri Jun 03, 2016 1:17 pm

Re: No reauth comes through when using expired auth-gen-token

Post by TinCanTech » Thu Apr 05, 2018 11:43 am

Rumbles wrote:
Thu Apr 05, 2018 8:52 am
Would you say it is likely that these fixes for auth-gen-token that are discussed are likely to make it in to the stable branch of openvpn any time in the next few months? Or is this likely to be some way off?
Patches to improve --auth-gen-token/--auth-token have been submitted and should make it into master quite soon. I have heard that a new release (2.4.6) is imminent .. so this ought to be available soon.

But even then, this function seems to be downplayed as a simple solution to a more complex problem.

As to an actual fully fledged solution .. it seems that you are expected to do it yourself.
Personally, I do not really understand the reasoning behind this decision ..

Perhaps we can work on something ourselves, if you want to contact me: tincanteksup <at> gmail

Rumbles
OpenVpn Newbie
Posts: 12
Joined: Wed Mar 28, 2018 7:58 am

Re: No reauth comes through when using expired auth-gen-token

Post by Rumbles » Fri Apr 06, 2018 9:44 am

Thanks for the info again, I will wait for 2.4.6 to be available from the repo provided by openvpn and test that out with my old config. If that doesn't work I may revisit creating my own script for this purpose. I have also asked Duo about these steps and how they would recommend I proceed as well as whether they have ever looked in to creating their own script for this. (I also asked them where they stand on using reneg-sec 0 as their docs do recommend that, and obviously it's not a great thing to recommend if you are security minded)

fdellwing
OpenVpn Newbie
Posts: 2
Joined: Mon Jul 22, 2019 11:34 am

Re: No reauth comes through when using expired auth-gen-token

Post by fdellwing » Mon Jul 22, 2019 11:47 am

The changelog for 2.4.7 states:
fallback to password authentication when auth-token fails
This seems not to be true when auth-gen-token is used.

We use an auth-user-pass-verify script to log in the users; as this is pretty I/O heavy in our case, we would like to use auth-gen-token. I tested 3 scenarios:

1.

[...]
auth-retry interact
reneg-sec 30
[...]
Works as intended, every 30 seconds the script is called and the session renewed.

2.

[...]
auth-gen-token
auth-retry interact
reneg-sec 30
[...]
Works as intended, every 30 seconds the session is renewed without calling the script.

3.

[...]
auth-gen-token 15
auth-retry interact
reneg-sec 30
[...]
Does not work: after 30 seconds "Auth-token for client expired" (as expected) and afterwards the connection is terminated (it should use the script instead). Does anything come to mind that should be done differently to get this to work?

OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 19 2019
library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_ifconfig_path=/sbin/ifconfig with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_route_path=/sbin/route with_sysroot=no

TinCanTech
OpenVPN Protagonist
Posts: 11136
Joined: Fri Jun 03, 2016 1:17 pm

Re: No reauth comes through when using expired auth-gen-token

Post by TinCanTech » Mon Jul 22, 2019 12:01 pm

As far as I am aware, --auth-gen-token renewal does not work correctly at this time.

fdellwing
OpenVpn Newbie
Posts: 2
Joined: Mon Jul 22, 2019 11:34 am

Re: No reauth comes through when using expired auth-gen-token

Post by fdellwing » Mon Jul 22, 2019 12:10 pm

TinCanTech wrote:
Mon Jul 22, 2019 12:01 pm
As far as I am aware, --auth-gen-token renewal does not work correctly at this time.
I'm not quite sure what you want to say? If you provide a valid token, everything works. Only if the token is expired the fallback is not used. But I thought this is exactly what was fixed in 2.4.7?
