Getting disconnected from OpenVPN server each hour
The culprit seems to be your authentication configuration. You are using plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login, which would require the client to supply a valid username/password combination to connect. Apparently, this is also required upon rekeying and your OpenVPN client seems unable to request the user name from
ERROR: could not read Auth username from stdin).
As for the reason why raising reneg-sec in your server configuration does not help matters, this is because the parameter has to be specified in both the server's and the client's config to be effectively raised above the default of 3600 seconds (which happens to cause the one-hour disconnect you are seeing).
So your options would be to
- use an authentication method which does not require user input (certificates spring to mind)
- troubleshoot why your client is unable to prompt for the user name / password combination after connection establishment
- raise the rekeying period or disable rekeying entirely (which weakens your connection's security, so it surely is only an inferior workaround to your problem)
you can try to
reneg-sec 0 in your
It's quite simple really. Since OpenVPN tries to renegotiate a new TLS session every 3600 secs by default, you'd have to re-authenticate each time, using a new OTP. To avoid this kind of behaviour, it's just a matter of telling openvpn to never renegotiate a TLS session and keep the existing one alive. If you combine the keepalive directive and reneg-sec 0, you're going to have a stable connection, with no renegotiation whatsoever.
I experienced a similar effect when I added the 'auth-nocache' option to my client configuration. I use certificates AND a username + password combination to authenticate.
A few times I noticed in the connection logs that openvpn reported the following warning:
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
So I thought I'll just add this option and see what happens. Well, the above warning does go away, but after an hour a dialog box popped up, asking me for my username and password.
I noticed that the above configuration by Andrew doesn't contain this option so I'm a little puzzled as to why it doesn't cache the password. Maybe this is because I'm using a newer version of openvpn or maybe it can be set on the server config to push this option to the client.
This was seen on: OpenVPN 2.2.1-8+deb7u2 with OpenVPN GUI v5 for Windows.
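An added example, not part of any of the answers above: a small Python check that reads a server and a client config, works out the renegotiation interval that actually applies when reneg-sec is set on only one side (the point made in the first answer), and flags the auth-nocache re-prompt described in the last answer. The sample configs are constructed, and the function names are hypothetical; only the first argument of reneg-sec is considered.

```python
import re

DEFAULT_RENEG_SEC = 3600  # OpenVPN default when reneg-sec is absent

# Constructed sample configs: server raises reneg-sec, client does not.
SERVER_CONF = """\
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
reneg-sec 86400
keepalive 10 120
"""
CLIENT_CONF = """\
client
auth-user-pass
auth-nocache   # removes the password-caching warning
"""

def parse_directives(config_text):
    """Return {directive: [args]} for a config, dropping '#' and ';' comments."""
    directives = {}
    for line in config_text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives

def reneg_sec(directives):
    args = directives.get("reneg-sec")
    return int(args[0]) if args else DEFAULT_RENEG_SEC

def effective_reneg_sec(server, client):
    """Either peer may start a rekey, so the shorter non-zero timer wins."""
    timers = [t for t in (reneg_sec(server), reneg_sec(client)) if t > 0]
    return min(timers) if timers else 0  # 0 only if both sides disable it

def audit(server_text, client_text):
    server, client = parse_directives(server_text), parse_directives(client_text)
    interval = effective_reneg_sec(server, client)
    findings = []
    if interval == 0:
        findings.append("rekeying disabled on both sides: keys are never refreshed")
    if interval and "auth-user-pass" in client and "auth-nocache" in client:
        findings.append(f"auth-nocache: credentials requested again every {interval}s")
    return interval, findings

if __name__ == "__main__":
    print(audit(SERVER_CONF, CLIENT_CONF))
```

With the sample configs the effective interval is still 3600 seconds, because the client falls back to the default.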