Opened 6 years ago

Last modified 6 years ago

#965 new Bug / Defect

openvpn fails on reconnect when server is restarted

Reported by: chipitsine Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

The following setup:

server: 2.5 git master, authentication by login/password
client: either Linux or Windows (tested both)

When the client connects, an auth token is issued, which is used as the password later.
After I restart the server, the client still tries to authenticate with the auth token, and authentication fails.

I assume the client should retry to authenticate with login/password in such a case (if the token failed); however, it does not happen.

Attachments (1)

965.tar (20.0 KB) - added by chipitsine 6 years ago.
server config + client config + auth log


Change History (6)

comment:1 Changed 6 years ago by Selva Nair

I failed to reproduce this. Probably you do not have --auth-retry interact in the client config? If you do, the client is expected to try to reconnect on auth failure. Logs may have something useful.

Also if you add --explicit-exit-notify to the server things would work even better: the client will get a reset when the server is restarted and it will not even try to reuse the old auth-token. The same option in the client will cause the server to get notified if/when the client goes down.

Changed 6 years ago by chipitsine

Attachment: 965.tar added

server config + client config + auth log

comment:2 Changed 6 years ago by chipitsine

Hi, I attached the configs + auth log.

Authentication is done using a shell script. It only knows test/test; however, when I restart the server,
the token is passed there:

test test
--------------------
test HWk+VVuZw7+BSN6neLIwrexiyBtLv0hWYmtUHGDXrdU=
--------------------

I believe that is not expected behaviour.

As for "explicit-exit-notify": I'm not sure, I'll play with that.
I want to restart the server without bothering clients. With such an option, all the clients will be disconnected, right?

As for "auth-retry": I'll play with it as well. But what does it mean? Auth has failed, try again, maybe it will succeed? Really )) ?

Last edited 6 years ago by chipitsine

comment:3 Changed 6 years ago by Selva Nair

The log you posted contains no logs, but going by the client and server configs, what you see is the expected behaviour on Linux. On Windows it depends on whether the GUI is in use or not.

The client lost the connection but has no idea the server exited, so it gets a ping restart after a while. That causes a reconnection with the saved password (i.e., the auth-token). The server has restarted, so it has no idea of the token and rejects it. The client exits, as auth-retry is none by default.

(i) Add --explicit-exit-notify to the server conf so that the client will know when the server restarts (it gets a reset).
(ii) Add --auth-retry interact to the client config so that the client will not exit on auth failure but retry. The retry will cause a re-prompt for the password, as auth failed.

If the client is using Windows GUI, --auth-retry interact is automatically added by the GUI but will revert to --auth-retry none if auth fails more than twice in a row. In that case I can't say why it exited after only one failure without seeing the logs.

comment:4 Changed 6 years ago by chipitsine

Well, it is not an openvpn log, it is the auth.sh log.
From my point of view, it is wrong; let me explain.

client connects for the first time using login/password --> client is assigned auth-token --> client uses login/token

It is good until the server is restarted. After the server restart the token is not valid, but the client does have the password. If token auth has failed, why not try the password right after? (Also, I believe that passing login/token to auth.sh is a bad design; it should not get that far.)

I'll play with all the suggested options a bit later.

Last edited 6 years ago by chipitsine
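To make the auth.sh situation above concrete, here is an added example of a minimal --auth-user-pass-verify script in via-file mode (not the reporter's auth.sh and not OpenVPN project code). It assumes a constructed plaintext credentials file (a real deployment would store hashes) and uses the shape of the token in the posted log to label a token-shaped "password" as a probable stale auth-token, so that a server restart shows up differently from a genuine bad-password attempt in the auth log.

```shell
#!/bin/sh
# Added example, not the reporter's auth.sh. OpenVPN's via-file mode writes
# the username on line 1 and the password on line 2 of the file passed as $1.
# Assumption: CREDS holds "user:password" lines (constructed demo data).

CREDS=$(mktemp)
printf 'test:test\n' > "$CREDS"

# The token in the ticket log is 43 base64 characters plus "=" padding
# (32 random bytes). Match only that shape; anything else is a password.
looks_like_token() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# classify_pair USER PASS -> prints ok | bad-password | stale-token
classify_pair() {
    user=$1
    pass=$2
    if looks_like_token "$pass"; then
        echo "stale-token"
        return
    fi
    expected=$(awk -F: -v u="$user" '$1 == u { print substr($0, length(u) + 2); exit }' "$CREDS")
    if [ -n "$expected" ] && [ "$expected" = "$pass" ]; then
        echo "ok"
    else
        echo "bad-password"
    fi
}

# verify_file PATH -> exit status OpenVPN acts on: 0 accept, 1 reject.
# The classification goes to the log so the operator can see why.
verify_file() {
    user=$(sed -n '1p' "$1")
    pass=$(sed -n '2p' "$1")
    result=$(classify_pair "$user" "$pass")
    echo "auth: user=$user result=$result" >&2
    [ "$result" = "ok" ]
}

# Stand-alone demo: the credential files OpenVPN would hand over before and
# after a server restart (the token value is the one from the ticket log).
before=$(mktemp); printf 'test\ntest\n' > "$before"
after=$(mktemp);  printf 'test\nHWk+VVuZw7+BSN6neLIwrexiyBtLv0hWYmtUHGDXrdU=\n' > "$after"
verify_file "$before" || true
verify_file "$after" || true
rm -f "$before" "$after"
```

Wire it in with `auth-user-pass-verify /path/to/script via-file` on the server; the stale-token log line is what you would expect to see once per client right after a restart.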

comment:5 Changed 6 years ago by Selva Nair

In openvpn.exe, the auth-token replaces the password, so there is no password to try again with. It can only try again by prompting for a password, but you asked openvpn not to retry on auth failure by the implicit use of --auth-retry none.

If GUI is in use and password is being saved in the GUI, post the logs.
