Thanks for the tip, I tried this and got some weird behaviour.
In order to test it quickly, I changed the reneg-sec to 30 and auth-gen-token to 120. I updated my client config file, then imported it into NetworkManager (everyone is using GNOME or KDE, so NM is the normal way everyone connects). I can see this config option has been added by checking in ps, and I can see "auth-retry interact" in the command string.
As I connect to the VPN, I get a push coming through to my device, as expected, but a second or two after approving that, a second request comes through. I accepted the second request as well, and the VPN works until the key expires, at which point the VPN dies and no push gets sent to my device.
Logs on my laptop:
Apr 04 10:35:32 rumbles-laptop NetworkManager[1372]: <info> [1522834532.0920] audit: op="connection-activate" uuid="8eded980-0d83-43e3-90d6-5a4fba1054bf" name="domain TEST" pid=3162 uid=840201107 result="success"
Apr 04 10:35:32 rumbles-laptop NetworkManager[1372]: <info> [1522834532.1046] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",0]: Started the VPN service, PID 11218
Apr 04 10:35:32 rumbles-laptop NetworkManager[1372]: <info> [1522834532.1183] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",0]: Saw the service appear; activating connection
Apr 04 10:35:36 rumbles-laptop NetworkManager[1372]: <info> [1522834536.5879] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",0]: VPN plugin: state changed: starting (3)
Apr 04 10:35:36 rumbles-laptop NetworkManager[1372]: <info> [1522834536.5887] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",0]: VPN connection: (ConnectInteractive) reply received
Apr 04 10:35:36 rumbles-laptop nm-openvpn[11296]: WARNING: file '/home/Rumbles/Keys/vpn.Rumbles/Rumbles.key' is group or others accessible
Apr 04 10:35:36 rumbles-laptop nm-openvpn[11296]: OpenVPN 2.4.5 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 1 2018
Apr 04 10:35:36 rumbles-laptop nm-openvpn[11296]: library versions: OpenSSL 1.1.0h-fips 27 Mar 2018, LZO 2.08
Apr 04 10:35:36 rumbles-laptop nm-openvpn[11296]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 04 10:35:36 rumbles-laptop nm-openvpn[11296]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 04 10:35:37 rumbles-laptop nm-openvpn[11296]: TCP/UDP: Preserving recently used remote address: [AF_INET]TARGET_IP:2018
Apr 04 10:35:37 rumbles-laptop nm-openvpn[11296]: UDP link local: (not bound)
Apr 04 10:35:37 rumbles-laptop nm-openvpn[11296]: UDP link remote: [AF_INET]TARGET_IP:2018
Apr 04 10:35:37 rumbles-laptop nm-openvpn[11296]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Apr 04 10:35:37 rumbles-laptop nm-openvpn[11296]: [vpn.sheffield.domain.com] Peer Connection Initiated with [AF_INET]TARGET_IP:2018
Apr 04 10:35:44 rumbles-laptop gvfsd[3121]: Error calling org.gtk.vfs.MonitorClient.Changed(): Timeout was reached (g-io-error-quark, 24)
Apr 04 10:35:44 rumbles-laptop gvfsd[3121]: Error calling org.gtk.vfs.MonitorClient.Changed(): Timeout was reached (g-io-error-quark, 24)
Apr 04 10:35:48 rumbles-laptop nm-openvpn[11296]: auth-token received, disabling auth-nocache for the authentication token
Apr 04 10:35:48 rumbles-laptop nm-openvpn[11296]: TUN/TAP device tun0 opened
Apr 04 10:35:48 rumbles-laptop nm-openvpn[11296]: /usr/libexec/nm-openvpn-service-openvpn-helper --debug 0 11218 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_146 --tun -- tun0 1500 1624 10.10.18.6 10.10.18.5 init
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9204] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/41)
Apr 04 10:35:48 rumbles-laptop systemd-udevd[11561]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9461] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",0]: VPN connection: (IP Config Get) reply received.
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9467] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: VPN connection: (IP4 Config Get) reply received
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9476] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: VPN Gateway: TARGET_IP
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9477] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: Tunnel Device: "tun0"
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9477] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: IPv4 configuration:
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9477] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: Internal Gateway: 10.10.18.5
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9477] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: Internal Address: 10.10.18.6
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9477] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: Internal Prefix: 32
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9478] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: Internal Point-to-Point Address: 10.10.18.5
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9478] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: Maximum Segment Size (MSS): 0
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9478] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: Static Route: 10.10.8.0/21 Next Hop: 10.10.18.5
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9478] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: Static Route: 10.10.18.1/32 Next Hop: 10.10.18.5
Apr 04 10:35:48 rumbles-laptop nm-openvpn[11296]: GID set to nm-openvpn
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9478] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: Forbid Default Route: no
Apr 04 10:35:48 rumbles-laptop nm-openvpn[11296]: UID set to nm-openvpn
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9478] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: Internal DNS: 10.10.10.3
Apr 04 10:35:48 rumbles-laptop nm-openvpn[11296]: Initialization Sequence Completed
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9478] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: Internal DNS: 10.10.10.6
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9479] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: Internal DNS: 8.8.8.8
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9479] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: DNS Domain: 'sheffield.domain.com'
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9479] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: Data: No IPv6 configuration
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9480] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: VPN plugin: state changed: started (4)
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=filter family=2 entries=97
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=nat family=2 entries=57
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=mangle family=2 entries=41
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=raw family=2 entries=30
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=filter family=10 entries=88
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=nat family=10 entries=52
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=mangle family=10 entries=40
Apr 04 10:35:48 rumbles-laptop audit: NETFILTER_CFG table=raw family=10 entries=31
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9924] vpn-connection[0x56061f50a2c0,8eded980-0d83-43e3-90d6-5a4fba1054bf,"domain TEST",41:(tun0)]: VPN connection: (IP Config Get) complete
Apr 04 10:35:48 rumbles-laptop NetworkManager[1372]: <info> [1522834548.9946] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed', internal state 'external')
Apr 04 10:35:48 rumbles-laptop dbus-daemon[1266]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.8' (uid=0 pid=1372 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0")
Apr 04 10:35:49 rumbles-laptop NetworkManager[1372]: <info> [1522834549.0005] keyfile: add connection in-memory (6d985204-4c02-49ed-8742-1c6173642af5,"tun0")
Apr 04 10:35:49 rumbles-laptop systemd[1]: Starting Network Manager Script Dispatcher Service...
Apr 04 10:35:49 rumbles-laptop NetworkManager[1372]: <info> [1522834549.0018] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed', internal state 'external')
Apr 04 10:35:49 rumbles-laptop NetworkManager[1372]: <info> [1522834549.0033] device (tun0): Activation: starting connection 'tun0' (6d985204-4c02-49ed-8742-1c6173642af5)
Apr 04 10:35:49 rumbles-laptop NetworkManager[1372]: <info> [1522834549.0040] device (tun0): state change: disconnected -> prepare (reason 'none', internal state 'external')
Apr 04 10:35:49 rumbles-laptop NetworkManager[1372]: <info> [1522834549.0044] device (tun0): state change: prepare -> config (reason 'none', internal state 'external')
Apr 04 10:35:49 rumbles-laptop NetworkManager[1372]: <info> [1522834549.0046] device (tun0): state change: config -> ip-config (reason 'none', internal state 'external')
Apr 04 10:35:49 rumbles-laptop NetworkManager[1372]: <info> [1522834549.0087] device (tun0): state change: ip-config -> ip-check (reason 'none', internal state 'external')
Apr 04 10:35:49 rumbles-laptop dbus-daemon[1266]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Then, after a load of "keys out of sync" messages, this:
Apr 04 10:38:12 rumbles-laptop NetworkManager[1372]: <info> [1522834692.6690] audit: op="connection-deactivate" uuid="8eded980-0d83-43e3-90d6-5a4fba1054bf" name="domain TEST" pid=3162 uid=840201107 result="success"
I don't see any reason there for the second request coming through early in the connection, and I don't see openvpn trying to auth again after the key has expired.
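As an added example (not the poster's code), here is a small Python check over the journal lines quoted above that times the session against the reneg-sec 30 / auth-gen-token 120 values set in this post and flags whether any further auth-token line was logged after the initial one. It assumes the year 2018 for the year-less syslog timestamps and uses an abbreviated copy of the log lines from the post as sample input.

```python
import re
from datetime import datetime

# Journal lines abbreviated from the post above (hostnames/IPs as written there).
SAMPLE_LOG = """\
Apr 04 10:35:32 rumbles-laptop NetworkManager[1372]: <info> [1522834532.0920] audit: op="connection-activate" uuid="8eded980-0d83-43e3-90d6-5a4fba1054bf" name="domain TEST" pid=3162 uid=840201107 result="success"
Apr 04 10:35:37 rumbles-laptop nm-openvpn[11296]: [vpn.sheffield.domain.com] Peer Connection Initiated with [AF_INET]TARGET_IP:2018
Apr 04 10:35:48 rumbles-laptop nm-openvpn[11296]: auth-token received, disabling auth-nocache for the authentication token
Apr 04 10:35:48 rumbles-laptop nm-openvpn[11296]: Initialization Sequence Completed
Apr 04 10:38:12 rumbles-laptop NetworkManager[1372]: <info> [1522834692.6690] audit: op="connection-deactivate" uuid="8eded980-0d83-43e3-90d6-5a4fba1054bf" name="domain TEST" pid=3162 uid=840201107 result="success"
"""

# Events worth timing; the value is the substring that identifies each one.
EVENTS = {
    "activate": 'op="connection-activate"',
    "peer_init": "Peer Connection Initiated",
    "token": "auth-token received",
    "init_done": "Initialization Sequence Completed",
    "deactivate": 'op="connection-deactivate"',
}


def parse_timeline(log, year=2018):
    """Return {event: datetime} for the first occurrence of each event.
    The syslog short format carries no year, so one is assumed (2018 here)."""
    found = {}
    for line in log.splitlines():
        m = re.match(r"(\w{3} \d{2} \d{2}:\d{2}:\d{2}) ", line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for name, needle in EVENTS.items():
            if needle in line and name not in found:
                found[name] = ts
    return found


def check_session(log, reneg_sec, auth_gen_token, year=2018):
    """Compare how long the session lived after the auth-token was issued with
    the configured token lifetime and renegotiation interval, and report whether
    a second auth-token line (i.e. a successful re-auth) appears after init."""
    t = parse_timeline(log, year)
    lifetime = (t["deactivate"] - t["token"]).total_seconds()
    after_init = log.split("Initialization Sequence Completed", 1)[1]
    return {
        "token_lifetime_s": lifetime,                      # 144.0 for the sample
        "renegotiations_expected": int(lifetime // reneg_sec),
        "token_expired_before_drop": lifetime > auth_gen_token,
        "reauth_logged": "auth-token received" in after_init,
    }
```

For the sample, the drop comes about 144 s after the token was issued, past the 120 s auth-gen-token lifetime and across several 30 s reneg-sec windows, with no re-auth logged in between.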