Hi,
I'm still having trouble with OTP. Everything is set up, client is able to connect (management-client-auth is used with client-auth-nt), but after 2 hours the client re-requests the credentials to log in (auth-nocache is set on client, external DHCP is used with server-bridge). Server is 2.4.8@Debian10 <mailto:2.4.8@Debian10> , client is Win10(v11.14) In the client log I have the following: Mon Apr 27 11:30:13 2020 us=473611 MANAGEMENT: >STATE:1587979813,GET_CONFIG,,,,,, Mon Apr 27 11:30:13 2020 us=473611 SENT CONTROL [myvpn.domain.com]: 'PUSH_REQUEST' (status=1) Mon Apr 27 11:30:18 2020 us=519013 SENT CONTROL [myvpn.domain.com]: 'PUSH_REQUEST' (status=1) Mon Apr 27 11:30:18 2020 us=536968 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,router-gateway 10.14.12.1,route 10.14.0.0 255.255.0.0 10.14.12.1,ping 60,route-gateway dhcp,ping 10,ping-restart 120,socket-flags TCP_NODELAY,peer-id 0,cipher AES-256-GCM,auth-token' Mon Apr 27 11:30:18 2020 us=536968 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:2: router-gateway (2.4.8) Mon Apr 27 11:30:18 2020 us=537963 OPTIONS IMPORT: timers and/or timeouts modified ... Mon Apr 27 11:30:23 2020 us=185637 MANAGEMENT: >STATE:1587979823,CONNECTED,SUCCESS,,MYSERVER_IP,443,192.168.0.52,52182 Mon Apr 27 12:30:12 2020 us=117820 TLS: soft reset sec=0 bytes=97397169/-1 pkts=198208/0 Mon Apr 27 12:30:12 2020 us=145390 VERIFY OK: depth=1, CN=MyServer CA Mon Apr 27 12:30:12 2020 us=148416 VERIFY KU OK Mon Apr 27 12:30:12 2020 us=148416 Validating certificate extended key usage Mon Apr 27 12:30:12 2020 us=148416 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Mon Apr 27 12:30:12 2020 us=148416 VERIFY EKU OK Mon Apr 27 12:30:12 2020 us=148416 VERIFY X509NAME OK: CN=myserver.domain.com Mon Apr 27 12:30:12 2020 us=148416 VERIFY OK: depth=0, CN=myserver.domain.com Mon Apr 27 12:30:12 2020 us=177444 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Mon Apr 27 12:30:12 2020 us=177444 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Mon Apr 27 12:30:12 2020 us=177444 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit EC, curve: secp521r1 Mon Apr 27 13:30:12 2020 us=20692 TLS: soft reset sec=0 bytes=131243846/-1 pkts=301943/0 Mon Apr 27 13:30:12 2020 us=125662 Connection reset, restarting [0] Mon Apr 27 13:30:12 2020 us=125662 TCP/UDP: Closing socket Mon Apr 27 13:30:12 2020 us=126639 SIGUSR1[soft,connection-reset] received, process restarting Mon Apr 27 13:30:12 2020 us=126639 MANAGEMENT: >STATE:1587987012,RECONNECTING,connection-reset,,,,, Server log (verb 3 for now): Mon Apr 27 11:30:10 2020 TCP connection established with [AF_INET]CLIENT_PUB_IP:52182 Mon Apr 27 11:30:10 2020 Socket flags: TCP_NODELAY=1 succeeded Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 TLS: Initial packet from [AF_INET]CLIENT_PUB_IP:52182, sid=9a1a5456 eb60e5a2 Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 peer info: IV_VER=2.4.8 Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 peer info: IV_PLAT=win Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 peer info: IV_PROTO=2 Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 peer info: IV_NCP=2 Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 peer info: IV_LZ4=1 Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 peer info: IV_LZ4v2=1 Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 peer info: IV_LZO=1 Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 peer info: IV_COMP_STUB=1 Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 peer info: IV_COMP_STUBv2=1 Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 peer info: IV_TCPNL=1 Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 peer info: IV_GUI_VER=OpenVPN_GUI_11 Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 TLS: Username/Password authentication deferred for username 'MYUSER' [CN SET] Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 Mon Apr 27 11:30:11 2020 CLIENT_PUB_IP:52182 [MYUSER] Peer Connection Initiated with [AF_INET]CLIENT_PUB_IP:52182 Mon Apr 27 11:30:12 2020 CLIENT_PUB_IP:52182 PUSH: Received control message: 'PUSH_REQUEST' Mon Apr 27 11:30:13 2020 MANAGEMENT: CMD 'client-auth-nt 137 0' Mon Apr 27 11:30:13 2020 MYUSER/CLIENT_PUB_IP:52182 MULTI: no dynamic or static remote --ifconfig address is available for MYUSER/CLIENT_PUB_IP:52182 Mon Apr 27 11:30:17 2020 MYUSER/CLIENT_PUB_IP:52182 PUSH: Received control message: 'PUSH_REQUEST' Mon Apr 27 11:30:17 2020 MYUSER/CLIENT_PUB_IP:52182 SENT CONTROL [MYUSER]: 'PUSH_REPLY,redirect-gateway def1,router-gateway 10.14.12.1,route 10.14.0.0 255.255.0.0 10.14.12.1,ping 60,route-gateway dhcp,ping 10,ping-restart 120,socket-flags TCP_NODELAY,peer-id 0,cipher AES-256-GCM,auth-token' (status=1) Mon Apr 27 11:30:17 2020 MYUSER/CLIENT_PUB_IP:52182 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Mon Apr 27 11:30:17 2020 MYUSER/CLIENT_PUB_IP:52182 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Mon Apr 27 11:30:17 2020 MYUSER/CLIENT_PUB_IP:52182 MULTI: Learn: 00:ff:3b:1c:a6:93 -> MYUSER/CLIENT_PUB_IP:52182 ... Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 TLS: soft reset sec=0 bytes=97417225/-1 pkts=198208/0 Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 peer info: IV_VER=2.4.8 Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 peer info: IV_PLAT=win Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 peer info: IV_PROTO=2 Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 peer info: IV_LZ4=1 Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 peer info: IV_LZ4v2=1 Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 peer info: IV_LZO=1 Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 peer info: IV_COMP_STUB=1 Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 peer info: IV_COMP_STUBv2=1 Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 peer info: IV_TCPNL=1 Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 peer info: IV_GUI_VER=OpenVPN_GUI_11 Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 TLS: Username/auth-token authentication succeeded for username 'MYUSER' [CN SET] Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Mon Apr 27 12:30:11 2020 MYUSER/CLIENT_PUB_IP:52182 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 .. Mon Apr 27 13:30:10 2020 MYUSER/CLIENT_PUB_IP:52182 SIGTERM[soft,auth-control-exit] received, client-instance exiting Mon Apr 27 13:30:14 2020 TCP connection established with [AF_INET]CLIENT_PUB_IP:51401 Mon Apr 27 13:30:14 2020 Socket flags: TCP_NODELAY=1 succeeded Mon Apr 27 13:30:15 2020 CLIENT_PUB_IP:51401 TLS: Initial packet from [AF_INET]CLIENT_PUB_IP:51401, sid=560f6ec6 299adf12 Server config (relevant settings): # we will use token after first successful auth auth-gen-token 39600 keepalive 10 120 management /etc/openvpn/server/.server-auth-socket unix management-client-auth In the mgmt-client-auth log there is nothing for 12:30 timestamp (will log REAUTH as well). reneg time is not set anywhere. Why does the token expire after ~1-2 hours? I shouldn't use auth-token with management-client-auth? Thanks, Tom
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
