Opened 6 weeks ago

Last modified 4 weeks ago

#965 new Bug / Defect

openvpn fails on reconnect when server is restarted

Reported by: chipitsine Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.4 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:


the following setup

server 2.5 git master, authentication by login/password
client either linux or windows (tested both)

when client connects, auth token is issued, which is used as a password later
after I restart server, client still tries to authenticate with auth token, authentication fails

I assume client should retry to authenticate with login/password in such case (if token failed), however it does not happen

Attachments (1)

965.tar (20.0 KB) - added by chipitsine 4 weeks ago.
server config + client config + auth log

Download all attachments as: .zip

Change History (6)

comment:1 Changed 5 weeks ago by selvanair

I failed reproduce this. Probably you do not have --auth-retry interact in the client config? If you do, the client is expected to try to reconnect on auth failure. Logs may have something useful.

Also if you add --explicit-exit-notify to the server things would work even better: the client will get a reset when the server is restarted and it will not even try to reuse the old auth-token. The same option in the client will cause the server to get notified if/when the client goes down.

Changed 4 weeks ago by chipitsine

server config + client config + auth log

comment:2 Changed 4 weeks ago by chipitsine

Hi, I attached configs + auth log

authentication is done using shell script. It only knows test/test, however, when I restart server,
token is passed there

test test
test HWk+VVuZw7+BSN6neLIwrexiyBtLv0hWYmtUHGDXrdU=

I beleive, that is not expected behaviour.

as for "explicit-exit-notify" - I'm not sure, I'll play with that.
I want to restart server without bothering clients. With such option, all the clients will be disconnected, right ?

as "auth-retry" - I'll play with it as well. But what does it mean ? auth is failed, try again, maybe it will succeed ? really )) ?

Last edited 4 weeks ago by chipitsine (previous) (diff)

comment:3 Changed 4 weeks ago by selvanair

The log you posted contains no logs, but going by the client and server configs, what you see is the expected behaviour on Linux. On Windows it depends on whether the GUI is in use or not.

Client lost connection but has no idea server exited so it gets a ping restart after a while. That causes reconnection with the saved password (ie., auth-token). Server has restarted so has no idea of the token and rejects it. Client exits as auth-retry is none by default.

(i) Add --explicit-exit-notify in server conf so that client will know when server restarts gets a reset
(ii) Add --auth-retry interact to client config so that client will not exit on auth failure but retry. The retry will cause a re-prompt for password as auth failed.

If the client is using Windows GUI, --auth-retry interact is automatically added by the GUI but will revert to --auth-retry none if auth fails more than twice in a row. In that case I can't say why it exited after only one failure without seeing the logs.

comment:4 Changed 4 weeks ago by chipitsine

well, it is not an openvpn log, it is log
from my point of view, it is wrong, let me explain

client connects for the first time using login/password --> client is assigned auth-token --> client uses login/token

it is good until server is restarted. after server restart token is not valid, but client does have password. if token auth is failed, why not to try password right after ? (also, I beleive that passing login/token to is a bad design, it should not get that far)

I'll play with all suggested options a bit later

Last edited 4 weeks ago by chipitsine (previous) (diff)

comment:5 Changed 4 weeks ago by selvanair

In openvpn.exe, auth-token replaces the password, so there is no password
to try again with. It can only try again by prompting for a password, but you asked openvpn not retry on auth failure by the implicit use of --auth-retry none.

If GUI is in use and password is being saved in the GUI, post the logs.

Note: See TracTickets for help on using tickets.