
OpenVPN server clients disconnected after 60 mins
Closed, InvalidPublicBUG

Description

Hi, team.
We're facing an issue with clients disconnecting after 60 minutes, even when the "openvpn-option --reneg-sec 0" and "persistent-tunnel" openvpn-options are on. Also, replacing "persistent-tunnel" with "openvpn-option --persistent-tun" didn't help either.
FYI, the client IP was replaced in the log with 3.3.3.3 and the server IP with 5.5.5.5.
Also, note the different timezones between client and server; that's OK.

Interface config:

openvpn vtun1 {
     local-port 1195
     mode server
     openvpn-option "--script-security 2 system"
     openvpn-option duplicate-cn
     openvpn-option "log-append /var/log/openvpn.log"
     openvpn-option "--cipher AES-256-CBC"
     openvpn-option client-cert-not-required
     openvpn-option comp-lzo
     openvpn-option "plugin /config/auth/openvpn-auth-ldap.so /config/auth/auth-ldap.conf"
     openvpn-option "tun-mtu 1500"
     openvpn-option "tun-mtu-extra 32"
     openvpn-option "fragment 1400"
     openvpn-option --persist-tun
     openvpn-option --persist-key
     openvpn-option "--keepalive 10 20"
     openvpn-option "--reneg-sec 0"
     persistent-tunnel
     server {
         name-server 10.10.1.11
         push-route 10.10.1.0/24
         push-route 10.10.4.0/22
         push-route 10.10.8.0/22
         push-route 10.10.12.0/24
         subnet 10.10.7.0/24
     }
     tls {
         ca-cert-file /config/rsa2/keys/ca.crt
         cert-file /config/rsa2/keys/vyos-vpn-msk.crt
         dh-file /config/rsa2/keys/dh2048.pem
         key-file /config/rsa2/keys/vyos-vpn-msk.key
     }
}

Error log (server side):

Mon Jul 15 15:09:09 2019 3.3.3.3:6083 TLS: Initial packet from [AF_INET]3.3.3.3:6083, sid=6a3d15ce 40b71dbb
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 PLUGIN_CALL: POST /config/auth/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 TLS: Username/Password authentication succeeded for username 'kkulbatskiy'
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 [] Peer Connection Initiated with [AF_INET]3.3.3.3:6083
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 MULTI_sva: pool returned IPv4=10.10.7.2, IPv6=(Not enabled)
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 PLUGIN_CALL: POST /config/auth/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_971bf988a671101deff97e9192beebbd.tmp
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 MULTI: Learn: 10.10.7.2 -> 3.3.3.3:6083
Mon Jul 15 15:09:11 2019 3.3.3.3:6083 MULTI: primary virtual IP for 3.3.3.3:6083: 10.10.7.2
Mon Jul 15 15:09:12 2019 3.3.3.3:6083 PUSH: Received control message: 'PUSH_REQUEST'
Mon Jul 15 15:09:12 2019 3.3.3.3:6083 send_push_reply(): safe_cap=940
Mon Jul 15 15:09:12 2019 3.3.3.3:6083 SENT CONTROL [UNDEF]: 'PUSH_REPLY,dhcp-option DNS 10.10.1.11,route 10.10.1.0 255.255.255.0,route 10.10.4.0 255.255.252.0,route 10.10.8.0 255.255.252.0,route 10.10.12.0 255.255.255.0,dhcp-option DOMAIN iponweb.lan,route-gateway 10.10.7.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.10.7.2 255.255.255.0' (status=1)
Mon Jul 15 16:09:45 2019 3.3.3.3:7394 TLS: Initial packet from [AF_INET]3.3.3.3:7394, sid=43f7efba 8989c044
Mon Jul 15 16:10:25 2019 3.3.3.3:7394 [UNDEF] Inactivity timeout (--ping-restart), restarting
Mon Jul 15 16:10:25 2019 3.3.3.3:7394 SIGUSR1[soft,ping-restart] received, client-instance restarting

Client log:

kkul@vpn-test-lnd-1:/etc/openvpn$ sudo openvpn --config msk-vpn-linux.ovpn
[sudo] password for kkul:
Mon Jul 15 13:09:03 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Mon Jul 15 13:09:03 2019 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Enter Auth Username: kkulbatskiy
Enter Auth Password: **********
Mon Jul 15 13:09:09 2019 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Jul 15 13:09:09 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 15 13:09:09 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]5.5.5.5:1195
Mon Jul 15 13:09:09 2019 UDP link local: (not bound)
Mon Jul 15 13:09:09 2019 UDP link remote: [AF_INET]5.5.5.5:1195
Mon Jul 15 13:09:11 2019 [server] Peer Connection Initiated with [AF_INET]5.5.5.5:1195
Mon Jul 15 13:09:12 2019 TUN/TAP device tun0 opened
Mon Jul 15 13:09:12 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Jul 15 13:09:12 2019 /sbin/ip link set dev tun0 up mtu 1500
Mon Jul 15 13:09:12 2019 /sbin/ip addr add dev tun0 10.10.7.2/24 broadcast 10.10.7.255
Mon Jul 15 13:09:12 2019 /etc/openvpn/update-resolv-conf tun0 1500 1594 10.10.7.2 255.255.255.0 init
Mon Jul 15 13:09:12 2019 Initialization Sequence Completed
Mon Jul 15 14:09:10 2019 [server] Inactivity timeout (--ping-restart), restarting
Mon Jul 15 14:09:11 2019 SIGUSR1[soft,ping-restart] received, process restarting
Mon Jul 15 14:09:11 2019 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Jul 15 14:09:12 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 15 14:09:12 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]5.5.5.5:1195
Mon Jul 15 14:09:12 2019 UDP link local: (not bound)
Mon Jul 15 14:09:12 2019 UDP link remote: [AF_INET]5.5.5.5:1195
Enter Auth Username:
Failed to query password: Timer expired
Enter Auth Password:
Failed to query password: Timer expired
Mon Jul 15 14:09:12 2019 ERROR: Failed retrieving username or password
Mon Jul 15 14:09:12 2019 Exiting due to fatal error
Mon Jul 15 14:09:12 2019 /sbin/ip addr del dev tun0 10.10.7.2/24
Mon Jul 15 14:09:12 2019 /etc/openvpn/update-resolv-conf tun0 1500 1658 10.10.7.2 255.255.255.0 init

Let me know if you need any additional info/logs.
Thanks

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Event Timeline

KKUL created this task. Jul 15 2019, 1:11 PM
KKUL changed Version from 1.2.1 to 1.2.0.
syncer triaged this task as Low priority. Jul 15 2019, 1:15 PM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
KKUL added a comment. Jul 17 2019, 1:53 PM

Update:
I did test several server-related option combinations, such as "--ping-restart 0", "--reneg-sec 0", "--reneg-sec 36000" (10h).
Then I realized that I might have interpreted the --reneg-sec option incorrectly. As stated in (read the text in bold) https://openvpn.net/community-resources/reference-manual-for-openvpn-2-3/ :

--reneg-sec n
Renegotiate data channel key after n seconds (default=3600). When using dual-factor authentication, note that this default value may cause the end user to be challenged to reauthorize once per hour.
Also, keep in mind that this option can be used on both the client and server, and whichever uses the lower value will be the one to trigger the renegotiation. A common mistake is to set --reneg-sec to a higher value on either the client or server, while the other side of the connection is still using the default value of 3600 seconds, meaning that the renegotiation will still occur once per 3600 seconds.
The solution is to increase --reneg-sec on both the client and server, or set it to 0 on one side of the connection (to disable), and to your chosen value on the other side.

So I was thinking that disabling it on the server side would disable it on the client side as well, but I was wrong.

Finally, I was able to set up the OpenVPN server as we wanted by adding 'reneg-sec 0' to the client configuration file and configuring the required 'reneg-sec' on the server side.

Thus, it's not a bug, but it probably should be documented better in https://vyos.readthedocs.io/en/latest/vpn/openvpn.html.

My final server (interface) config with LDAP 2FA is below:

openvpn vtun0 {
  mode server
  openvpn-option "--script-security 2 system"
  openvpn-option duplicate-cn
  openvpn-option "log-append /var/log/openvpn.log"
  openvpn-option "--cipher AES-256-CBC"
  openvpn-option client-cert-not-required
  openvpn-option comp-lzo
  openvpn-option "plugin /config/auth/openvpn-auth-ldap.so /config/auth/auth-ldap.conf"
  openvpn-option "tun-mtu 1500"
  openvpn-option "tun-mtu-extra 32"
  openvpn-option "fragment 1400"
  openvpn-option --persist-key
  openvpn-option "--reneg-sec 36000"
  persistent-tunnel
  server {
      domain-name *********
      name-server 10.10.1.11
      push-route 10.10.1.0/24
      subnet 10.10.6.0/24
  }
  tls {
      ca-cert-file /config/rsa2/keys/ca.crt
      cert-file /config/rsa2/keys/vyos-vpn-msk.crt
      dh-file /config/rsa2/keys/dh2048.pem
      key-file /config/rsa2/keys/vyos-vpn-msk.key
  }
}

Sorry for bothering you, VyOS team, and thanks for your great work!

I have just sent a pull request to clarify in the manual how tricky openvpn-option --reneg-sec can be.

https://github.com/vyos/vyos-documentation/pull/105
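The two points this task turns on are the "lower value wins" rule for --reneg-sec quoted from the manual above and the hourly restart pattern visible in the client log in the description. The following Python script is an added example, not code from VyOS, OpenVPN or the reporter. It computes the effective renegotiation interval from a client/server pair of --reneg-sec values (0 meaning disabled on that side, as the manual states), and runs a small audit over a constructed client log modelled on the one in the description: it flags a ping-restart that lands about 3600 s after "Initialization Sequence Completed" (the signature of the default interval still being active on one side), a failed re-prompt for credentials after the restart, and the "No server certificate verification method has been enabled" warning that also appears in the posted client log. The function names, the finding labels and the tolerance window are assumptions chosen for this example.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the client log in this task (not copied verbatim).
SAMPLE_CLIENT_LOG = """\
Mon Jul 15 13:09:09 2019 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Jul 15 13:09:12 2019 Initialization Sequence Completed
Mon Jul 15 14:09:10 2019 [server] Inactivity timeout (--ping-restart), restarting
Mon Jul 15 14:09:11 2019 SIGUSR1[soft,ping-restart] received, process restarting
Mon Jul 15 14:09:12 2019 ERROR: Failed retrieving username or password
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"
# OpenVPN's default log prefix: "Mon Jul 15 13:09:09 2019 <message>"
TS_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")


def effective_reneg_sec(client_reneg_sec: int, server_reneg_sec: int) -> int:
    """Effective data-channel renegotiation interval for a session.

    Rule from the OpenVPN manual: whichever side uses the lower --reneg-sec
    triggers the renegotiation; 0 disables it on that side only. The interval
    is therefore the smallest non-zero value, or 0 if both sides disable it.
    """
    enabled = [v for v in (client_reneg_sec, server_reneg_sec) if v > 0]
    return min(enabled) if enabled else 0


def parse_log(text: str):
    """Yield (timestamp, message) pairs for lines carrying an OpenVPN timestamp."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), TS_FORMAT), m.group(2)))
    return events


def audit_client_log(text: str, default_reneg_sec: int = 3600,
                     tolerance_sec: int = 120) -> list:
    """Return finding labels (assumed names) for patterns worth a second look.

    - no-server-cert-verification: client is not verifying the server cert.
    - restart-at-default-reneg-interval: a ping-restart roughly one default
      --reneg-sec after the tunnel came up, i.e. the hourly renegotiation
      is still active on at least one side.
    - reauth-prompt-failed: interactive credentials could not be re-queried
      after the restart, which is why the session dies instead of recovering.
    """
    findings = []
    init_at = None
    for ts, msg in parse_log(text):
        if "No server certificate verification method" in msg:
            findings.append("no-server-cert-verification")
        elif msg.endswith("Initialization Sequence Completed"):
            init_at = ts
        elif "Inactivity timeout (--ping-restart)" in msg and init_at is not None:
            elapsed = (ts - init_at).total_seconds()
            if abs(elapsed - default_reneg_sec) <= tolerance_sec:
                findings.append("restart-at-default-reneg-interval")
        elif "Failed retrieving username or password" in msg:
            findings.append("reauth-prompt-failed")
    return findings


if __name__ == "__main__":
    # Server set to 0, client left at the default: renegotiation still happens hourly.
    print("server 0 / client default ->", effective_reneg_sec(3600, 0), "s")
    # Client set to 0, server at 36000 (the reporter's final setup): 10 hours.
    print("client 0 / server 36000   ->", effective_reneg_sec(0, 36000), "s")
    for finding in audit_client_log(SAMPLE_CLIENT_LOG):
        print("finding:", finding)
```

The audit is intentionally narrow: it looks at the timing of the first ping-restart relative to tunnel start, because the manual's rule makes a restart at roughly the default interval the tell-tale of a one-sided --reneg-sec change. The certificate-verification finding is independent of the reneg issue, but it is present in the posted client log and is the item a defender would want to resolve alongside the disconnect.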

c-po closed this task as Invalid. Sep 17 2019, 3:41 AM
c-po set Is it a breaking change? to Perfectly compatible.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board. Oct 13 2019, 3:06 PM