id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
1482,openvpn 2.4.7 with auth-user-pass-optional breaks auth-gen-token,wdoekes,,"Hi,

as far as I understand, we can use this on the server side:

{{{
auth-user-pass-verify my-auth-script via-file
reneg-sec 3600
auth-gen-token 57600  # 16 hours.. you need one reconnect/repassword daily
}}}

This should cause the user to get a 2FA prompt only once every 16 hours.

If we then combine this with:

{{{
auth-user-pass-optional
}}}

making the 2FA optional (*) and a client that does not provide a password, we get these errors on the server every 3600 seconds:

{{{
TLS Auth Error: Auth-token verification failed for username ''
TLS Error: local/remote TLS keys are out of sync: [AF_INET]: [0]
TLS Error: local/remote TLS keys are out of sync: [AF_INET]: [0]
...
}}}

after which the connection is terminated in due time because the keepalives start to fail.

I assume the cause is that the client doesn't know it should send any tokens at all, while the server starts expecting tokens after the first hour.

There appear to be two workarounds for this:

(1) Pass a bogus username/password from the client (and ignore the bogus values in the {{{auth-user-pass-verify}}} module):

{{{
auth-user-pass /etc/protocols
}}}

(2) Don't use {{{auth-gen-token}}} in the server, but increase {{{reneg-sec}}}:

{{{
reneg-sec 57600  # 16 hours.. you need one reconnect/repassword daily
#auth-gen-token 57600
}}}

This issue looks related, but not equal, to #1447.

To me, it looks like the bogus username/password passing is the more secure option -- because then we do get renegotiation. But it is also the ugliest.

Cheers,
Walter Doekes
OSSO B.V.

(*) Why optional 2FA? For systems without humans attached we have separate security measures (IP whitelists, etc.).

(**) This behaviour was observed with the default openvpn on Ubuntu/Focal.
I did not find tickets/changes that looked like this was fixed in newer versions.",Bug / Defect,new,minor,,Generic / unclassified,OpenVPN 2.4.7 (Community Ed),"Not set (select this one, unless your'e a OpenVPN developer)",,,walter.openvpn@…