
OpenVPN OTP Breaks Connection After One Hour
Open, High | Public | BUG

Description

When utilizing TOTP with OpenVPN, the connection appears to try and re-authenticate the user after an hour, which causes the client to re-send the originally sent authentication data, including the hour-old MFA token, as the password.

Dec 08 02:06:21 openvpn-vtun0[29642]: test-user/xxx.xxx.245.171:35844 Timers: ping 5, ping-restart 600
Dec 08 02:06:21 openvpn-vtun0[29642]: test-user/xxx.xxx.245.171:35844 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
Dec 08 03:05:02 openvpn-vtun0[29642]: test-user/xxx.xxx.245.171:35844 TLS: soft reset sec=3523/3523 bytes=116235/-1 pkts=1640/0
Dec 08 03:05:02 openvpn-vtun0[29642]: test-user/xxx.xxx.245.171:35844 VERIFY OK: depth=1, C=US, ST=MA, L=Boston, O=TEST, CN=CA
Dec 08 03:05:02 openvpn-vtun0[29642]: test-user/xxx.xxx.245.171:35844 VERIFY OK: depth=0, C=US, ST=MA, L=Boston, O=TEST, CN=test-user
Dec 08 03:05:02 openvpn-vtun0[29642]: test-user/xxx.xxx.245.171:35844 peer info: IV_VER=2.6.12
Dec 08 03:05:02 openvpn-vtun0[29642]: test-user/xxx.xxx.245.171:35844 peer info: IV_PLAT=linux
Dec 08 03:05:02 openvpn-vtun0[29642]: test-user/xxx.xxx.245.171:35844 peer info: IV_TCPNL=1
Dec 08 03:05:02 openvpn-vtun0[29642]: test-user/xxx.xxx.245.171:35844 peer info: IV_MTU=1600
Dec 08 03:05:02 openvpn[29642]: OTP-AUTH: authentication failed for username xxxxxx remote xxx.xxx.245.171:35844

Config stanza:

set openvpn vtun0 hash 'sha512'
set openvpn vtun0 keep-alive failure-count '60'
set openvpn vtun0 keep-alive interval '5'
set openvpn vtun0 local-host 'xxx.xxx.1.2'
set openvpn vtun0 local-port '1194'
set openvpn vtun0 mode 'server'
set openvpn vtun0 persistent-tunnel
set openvpn vtun0 protocol 'udp'
set openvpn vtun0 server client xxxxxx
set openvpn vtun0 server client xxxxxx
set openvpn vtun0 server client xxxxxx
set openvpn vtun0 server client xxxxxx
set openvpn vtun0 server client xxxxxx
set openvpn vtun0 server client xxxxxx
set openvpn vtun0 server client xxxxxx
set openvpn vtun0 server client xxxxxx
set openvpn vtun0 server client-ip-pool start 'xxx.xxx.31.2'
set openvpn vtun0 server client-ip-pool stop 'xxx.xxx.31.14'
set openvpn vtun0 server client-ip-pool subnet-mask 'xxx.xxx.255.240'
set openvpn vtun0 server domain-name xxxxxx
set openvpn vtun0 server mfa totp challenge 'disable'
set openvpn vtun0 server name-server 'xxx.xxx.31.1'
set openvpn vtun0 server push-route xxx.xxx.0.0/16
set openvpn vtun0 server push-route xxx.xxx.0.0/16
set openvpn vtun0 server push-route xxx.xxx.0.0/16
set openvpn vtun0 server reject-unconfigured-clients
set openvpn vtun0 server subnet 'xxx.xxx.31.0/28'
set openvpn vtun0 server topology 'subnet'
set openvpn vtun0 tls ca-certificate 'ovpn-ca'
set openvpn vtun0 tls certificate 'ovpn-srv'
set openvpn vtun0 tls dh-params 'ovpn-dh'
set openvpn vtun0 use-lzo-compression

The client connection uses the CN from the certificate as the username and prompts the user for a password at sign-in, which accepts the MFA token (client is Arch Linux utilizing NetworkManager).
When setting

set openvpn vtun0 server mfa totp challenge 'enable'

the client is unable to connect altogether. When using the "disable" option, the initial connection works but users are kicked off after an hour for failing authentication, since the old MFA token is re-submitted as the password.

Details

Version: -
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)
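The log excerpt above shows the failure signature: a "TLS: soft reset" for the peer followed in the same second by an OTP-AUTH failure for the same remote address, roughly an hour after connect (OpenVPN's default --reneg-sec is 3600). The following is an added example, not part of the bug report or of VyOS: it scans server log lines in the format shown above and separates OTP failures that land within a few seconds of a soft reset for the same peer (the client re-sending a stale one-time code at renegotiation) from failures with no preceding renegotiation (a wrong or replayed code at initial login). The sample lines are constructed, with documentation-range addresses and made-up usernames, and the year is an assumption because syslog timestamps carry none.

```python
"""Flag OTP-AUTH failures that coincide with an OpenVPN TLS renegotiation.

Added example, not code from the bug report or from VyOS. The log format is
the one shown in the report; the sample lines themselves are constructed.
"""
import re
from datetime import datetime

# Constructed sample in the report's log format. Addresses are from the
# 203.0.113.0/24 documentation range; usernames are made up.
SAMPLE_LOG = """\
Dec 08 02:06:21 openvpn-vtun0[29642]: test-user/203.0.113.171:35844 Timers: ping 5, ping-restart 600
Dec 08 02:06:21 openvpn-vtun0[29642]: test-user/203.0.113.171:35844 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
Dec 08 03:05:02 openvpn-vtun0[29642]: test-user/203.0.113.171:35844 TLS: soft reset sec=3523/3523 bytes=116235/-1 pkts=1640/0
Dec 08 03:05:02 openvpn-vtun0[29642]: test-user/203.0.113.171:35844 VERIFY OK: depth=0, C=US, ST=MA, L=Boston, O=TEST, CN=test-user
Dec 08 03:05:02 openvpn[29642]: OTP-AUTH: authentication failed for username test-user remote 203.0.113.171:35844
Dec 08 03:09:40 openvpn[29642]: OTP-AUTH: authentication failed for username other-user remote 203.0.113.9:51000
"""

TS = r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})"
# "<user>/<ip>:<port> TLS: soft reset ..." is logged by the per-client instance.
RESET_RE = re.compile(
    TS + r" openvpn-\S+\[\d+\]: (?P<user>[^/\s]+)/(?P<peer>[\d.]+:\d+) TLS: soft reset")
# The OTP plugin logs the failure under the bare daemon name with the remote address.
FAIL_RE = re.compile(
    TS + r" openvpn\[\d+\]: OTP-AUTH: authentication failed for username "
    r"(?P<user>\S+) remote (?P<peer>[\d.]+:\d+)")


def parse_ts(ts, year):
    # Syslog timestamps carry no year; the caller supplies one (assumption).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def classify_otp_failures(log_text, window_seconds=30, year=2024):
    """Return (reneg_related, uncorrelated) lists of OTP failure records.

    A failure is renegotiation-related when the same peer address had a
    'TLS: soft reset' at most window_seconds earlier. Keying on the peer
    address rather than the username matches the OTP line to the client
    instance that actually renegotiated.
    """
    last_reset = {}  # peer "ip:port" -> time of its most recent soft reset
    reneg_related, uncorrelated = [], []
    for line in log_text.splitlines():
        m = RESET_RE.match(line)
        if m:
            last_reset[m["peer"]] = parse_ts(m["ts"], year)
            continue
        m = FAIL_RE.match(line)
        if not m:
            continue
        when = parse_ts(m["ts"], year)
        record = {"user": m["user"], "peer": m["peer"], "time": m["ts"]}
        reset_at = last_reset.get(m["peer"])
        if reset_at is not None and 0 <= (when - reset_at).total_seconds() <= window_seconds:
            record["seconds_after_reset"] = (when - reset_at).total_seconds()
            reneg_related.append(record)
        else:
            uncorrelated.append(record)
    return reneg_related, uncorrelated


if __name__ == "__main__":
    reneg, other = classify_otp_failures(SAMPLE_LOG)
    for r in reneg:
        print(f"stale OTP at renegotiation: {r['user']} {r['peer']} "
              f"{r['seconds_after_reset']:.0f}s after soft reset")
    for r in other:
        print(f"OTP failure with no renegotiation: {r['user']} {r['peer']} at {r['time']}")
```

Failures in the first list are the symptom this task describes and are noise for lockout or alerting rules; the second list is what an analyst should actually look at. Because soft resets and the OTP plugin's failure lines come from different log prefixes, the join key is the remote ip:port, which is the only field common to both.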

Event Timeline

sempervictus triaged this task as High priority.
sempervictus created this object in space S1 VyOS Public.
Viacheslav changed the subtype of this task from "Task" to "Bug". Dec 9 2024, 3:41 PM

Per TimH in Slack:

https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
--auth-gen-token [lifetime]
After successful user/password authentication, the OpenVPN server will with this option generate a temporary authentication token and push that to client. On the following renegotiations, the OpenVPN client will pass this token instead of the users password. On the server side the server will do the token authentication internally and it will NOT do any additional authentications against configured external user/password authentication mechanisms.

The lifetime argument defines how long the generated token is valid. The lifetime is defined in seconds. If lifetime is not set or it is set to 0, the token will never expire.

This feature is useful for environments which is configured to use One Time Passwords (OTP) as part of the user/password authentications and that authentication mechanism does not implement any auth-token support.

Attempting to resolve by setting:

set interfaces openvpn vtun0 openvpn-option "auth-gen-token 0"

If this works, we probably want to add it to the docs or even set it implicitly when MFA is enabled, to a default value of 0 which the user can change.

This looks promising:

Connected Since
------------ 
 2024-12-09 18:36:18

so it seems to be holding.

@Viacheslav - any thoughts on whether this should be default behavior or if we want auto-logout every hour to be the default and how to update the docs?
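The mechanism under discussion, as an added example that is not code from the bug report, from VyOS or from OpenVPN: a TOTP verifier per RFC 6238 (HMAC-SHA1, 30-second step, base32 secret, one step of clock skew) plus a simplified model of the hourly renegotiation loop. The client re-sends whatever it cached at the prompt, exactly as the report describes; the server either re-checks the OTP on every renegotiation (no auth-gen-token), or mints an HMAC-bound token after the first successful OTP check and validates that token internally on later renegotiations, with lifetime 0 meaning never expires. The token format, the server key, the test secret and the timestamps are all assumptions made for the model and are not OpenVPN's wire format.

```python
"""Why a cached TOTP code fails at the hourly TLS renegotiation, and how a
server-issued auth token avoids it.

Added example, not code from the bug report, VyOS or OpenVPN. totp()/totp_valid()
follow RFC 6238; OtpServer, Client and simulate() are a simplified model of the
behaviour the quoted --auth-gen-token text describes, with an invented token format.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30  # RFC 6238 default time step in seconds


def totp(secret_b32, now, step=STEP, digits=6):
    """RFC 6238 TOTP code (HMAC-SHA1) for Unix time `now`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_valid(secret_b32, code, now, skew_steps=1):
    """Accept the current step and skew_steps on either side, constant-time compare."""
    return any(hmac.compare_digest(totp(secret_b32, now + d * STEP), code)
               for d in range(-skew_steps, skew_steps + 1))


class OtpServer:
    TOKEN_PREFIX = "AUTH-TOKEN:"  # invented format: prefix + issued time + ":" + HMAC

    def __init__(self, secrets, auth_gen_token=None):
        # auth_gen_token: None = option absent, every renegotiation re-checks the OTP;
        #                 0 = token never expires; N > 0 = token valid for N seconds.
        self.secrets = secrets
        self.auth_gen_token = auth_gen_token
        self.token_key = b"constructed-per-process-server-key"  # assumption: random per start

    def _mint(self, user, now):
        issued = int(now)
        mac = hmac.new(self.token_key, f"{user}:{issued}".encode(), hashlib.sha256).hexdigest()
        return f"{self.TOKEN_PREFIX}{issued}:{mac}"

    def _token_ok(self, user, token, now):
        try:
            issued_s, mac = token[len(self.TOKEN_PREFIX):].split(":")
            issued = int(issued_s)
        except ValueError:
            return False
        expected = hmac.new(self.token_key, f"{user}:{issued}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False
        return self.auth_gen_token == 0 or now - issued <= self.auth_gen_token

    def authenticate(self, user, password, now):
        """Return (ok, new_token_or_None). A token is only checked internally; no OTP lookup."""
        if self.auth_gen_token is not None and password.startswith(self.TOKEN_PREFIX):
            return self._token_ok(user, password, now), None
        secret = self.secrets.get(user)
        if secret is None or not totp_valid(secret, password, now):
            return False, None
        return True, (self._mint(user, now) if self.auth_gen_token is not None else None)


class Client:
    """Caches the code typed at the prompt and re-sends it on every renegotiation."""

    def __init__(self, user, secret_b32, start):
        self.user = user
        self.cached_password = totp(secret_b32, start)  # the one-time code entered at sign-in
        self.token = None

    def credential(self):
        return self.token or self.cached_password


def simulate(server, client, reneg_sec=3600, renegotiations=3, start=1_700_000_000):
    """Connect once, then renegotiate every reneg_sec; return the per-renegotiation outcomes."""
    ok, token = server.authenticate(client.user, client.credential(), start)
    assert ok, "initial sign-in with a fresh code must succeed"
    client.token = token or client.token
    results = []
    for i in range(1, renegotiations + 1):
        now = start + i * reneg_sec
        ok, token = server.authenticate(client.user, client.credential(), now)
        client.token = token or client.token
        results.append(ok)
    return results


TEST_SECRET = "JBSWY3DPEHPK3PXP"  # constructed test secret, not a real enrolment


def scenario(auth_gen_token, reneg_sec=3600, renegotiations=3):
    start = 1_700_000_000
    server = OtpServer({"test-user": TEST_SECRET}, auth_gen_token=auth_gen_token)
    client = Client("test-user", TEST_SECRET, start)
    return simulate(server, client, reneg_sec, renegotiations, start)


if __name__ == "__main__":
    print("no auth-gen-token :", scenario(None))   # stale code re-sent every hour
    print("auth-gen-token 0  :", scenario(0))      # token never expires
    print("auth-gen-token 5000:", scenario(5000))  # token outlives one renegotiation only
```

Without the option the cached code is 120 steps old at the first renegotiation and fails every time; with "auth-gen-token 0" the client presents the token from then on and the OTP store is never consulted again; with a finite lifetime the session survives renegotiations until the token ages out, after which the user has to enter a fresh code (the model's client does not prompt, so it keeps failing). The token is bound to the username and to a per-process key, so it cannot be used for another account or after a daemon restart; whether an unlimited lifetime is acceptable is the policy question raised above.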