
Auth failure after sleep with auth-gen-token

Posted: Sat Feb 13, 2021 6:10 am
by taliskahn
Hi All,

I'm facing an issue where the iOS Connect app is attempting to use the session token it receives from the server after it has come back from being asleep.

I have some users that use an OTP to authenticate, so the auth-gen-token option is used on the server so that they can renegotiate their connections each hour (default reneg-sec). Otherwise, the re-auth during the reneg would fail as the password would no longer be valid. It works fine in this respect.

The issue on the iOS devices (haven't tried Android) is that when the phone goes to sleep, the server recognizes that the client has disconnected. When the phone wakes, it attempts to use the auth token to authenticate, which fails because the server saw that session end when the phone slept, and you can see the server attempting to parse the token as a password.

I could set up the client to ignore the pushed auth-token, but that would break reneg for OTP users.

This looks like a behavior bug in the client. It should (IMO):
- not notify the server that it is disconnecting when sleeping - creating the potential for the session to live across short sleeps.
- try the session code on wake (assuming the above is in place)
- fall back to any saved password if there is one (obviously this won't help OTP users)

I'd be keen to know if I've missed something that would achieve that behavior. Or if this is a known issue etc.

Many thanks!

Re: Auth failure after sleep with auth-gen-token

Posted: Sat Feb 13, 2021 4:12 pm
by TinCanTech
This probably is a bug. Auth-token is not really ready for the big world yet and OpenVPN has a history of not handling device sleep very well.

Re: Auth failure after sleep with auth-gen-token

Posted: Thu Aug 05, 2021 5:06 pm
by yaheath
We had this problem, too. The solution was to upgrade (the server-side) OpenVPN to 2.5.3.

With 2.4.x, the token is only good for the current session. As you noted, the iOS client ends the connection when the phone sleeps; and later attempts to reconnect with the token (which fails because the session had been ended).

But with 2.5 they changed it so the token can be used to start a new session (assuming the token hasn't expired). That fixes this problem with the iOS client. Also, since the server can now recognize (and validate) tokens generated for other sessions, I believe (but haven't yet verified) that it will never attempt to interpret the token as the user's password the way 2.4 does.
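
A simplified model of the difference described in the post above, added here as an illustration; it is not OpenVPN's code or token format and was not posted by anyone in the thread. The HMAC-signed token design, the class names and the secret are assumptions of this example: the first server forgets the token when the session ends, the second can validate it from any later session until it expires.

```python
import hashlib
import hmac
import os
import time


class SessionBoundServer:
    """Token is stored in per-session state only (the 2.4.x behaviour in the post)."""

    def __init__(self):
        self.sessions = {}  # session id -> (username, token)

    def login(self, sid, user):
        self.sessions[sid] = (user, os.urandom(16).hex())
        return self.sessions[sid][1]

    def disconnect(self, sid):
        self.sessions.pop(sid, None)  # the token is forgotten with the session

    def check(self, sid, user, token):
        known = self.sessions.get(sid)
        ok = (known is not None and known[0] == user
              and hmac.compare_digest(known[1].encode(), token.encode()))
        return "valid" if ok else "rejected"


class SignedTokenServer:
    """Token carries its own proof, so any later session can validate it."""

    def __init__(self, secret, lifetime=3600):
        self.secret, self.lifetime = secret, lifetime

    def _mac(self, user, issued):
        msg = f"{user}\n{issued}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user, now=None):
        issued = int(time.time() if now is None else now)
        return f"{issued}.{self._mac(user, issued)}"

    def check(self, user, token, now=None):
        now = int(time.time() if now is None else now)
        issued, _, mac = token.partition(".")
        if not (issued.isascii() and issued.isdigit()):
            return "rejected"  # not shaped like a token at all
        expected = self._mac(user, int(issued))
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "rejected"  # forged, or issued for another user
        return "valid" if now - int(issued) <= self.lifetime else "expired"
```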

Re: Auth failure after sleep with auth-gen-token

Posted: Thu Aug 12, 2021 9:52 am
by openvpn_inc
Hello,

There was indeed a bug in the handling of the auth-token. A solution to the problem has been committed to the OpenVPN3 core project, and OpenVPN Connect v3.3.0 for iOS will contain this fix. We are currently working hard on testing and releasing for iOS. Once it's out this problem should be gone with that release.

Kind regards,
Johan

Re: Auth failure after sleep with auth-gen-token

Posted: Wed Oct 27, 2021 1:49 pm
by erres8
Is there any update on when v3.3.0 is coming to iOS and Android?