Hello,

We are looking into using auth-gen-token on our new VPN server which will be using version 2.5.5. However, we've noticed that the behaviour of auth-gen-token has changed and our clients are being kicked off every hour which corresponds with the renegotiation interval (3600 secs).

>127.0.0.1:57748 --auth-token-gen: auth-token from client expired

On our existing VPN server which uses 2.4.7, clients are able to stay connected up to 12 hours with an auth token and this is not affected by the renegotiation interval.

In 2.5.0 an additional auth token check was added that seems to limit the token lifetime to as long as the renegotiation interval, but we don't understand what this is for.

>/* Accept session tokens that not expired are in the acceptable range
>* for renogiations */
>bool in_renog_time = now >= timestamp
>    && now < timestamp + 2 * session->opt->renegotiate_seconds;
...
>if (ret & AUTH_TOKEN_EXPIRED)
>{
>    /* Tell client that the session token is expired */
>    auth_set_client_reason(multi, "SESSION: token expired");
>    msg(M_INFO, "--auth-token-gen: auth-token from client expired");
>}
>return ret;

We could probably change the reneg-sec to 0 as a workaround but this probably isn't a secure way of doing things. Could anybody clarify that this behaviour is intentional or what the purpose of it is?

Thanks
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users