Getting disconnected from OpenVPN server each hour

Solution 1:

The culprit seems to be your authentication configuration. You are using plugin /usr/share/openvpn/plugin/lib/ login which would require the client to supply a valid username/password combination to connect. Apparently, this is also required upon rekeying and your OpenVPN client seems unable to request the user name from stdin (ERROR: could not read Auth username from stdin).

As for the reason why raising reneg-sec in your server configuration does not help matters, this is because the parameter has to be specified in both the server's and the client's config to be effectively raised above the default of 3600 seconds (which happens to cause the one-hour disconnect you are seeing).

So your options would be to

  • use an authentication method which does not require user input (certificates spring to mind)
  • troubleshoot why your client is unable to prompt for the user name / password combination after connection establishment
  • raise the rekeying period or disable rekeying entirely (which weakens your connection's security, so it surely is only an inferior workaround to your problem)

Solution 2:

You can try reneg-sec 0 in your server.conf:

It's quite simple really. Since OpenVPN tries to renegotiate a new TLS session every 3600 secs by default, you'd have to re-authenticate each time, using a new OTP. To avoid this kind of behaviour, it's just a matter of telling openvpn to never renegotiate a TLS session and keep the existing one alive. If you combine the keepalive directive and reneg-sec 0, you're going to have a stable connection, with no renegotiation whatsoever.

Solution 3:

I experienced a similar effect when I added the 'auth-nocache' option to my client configuration. I use certificates AND a username + password combination to authenticate.

A few times I noticed in the connection logs that openvpn reported the following warning:

WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

So I thought I'll just add this option and see what happens. Well, the above warning does go away, but after an hour a dialog box popped up, asking me for my username and password.

I noticed that the above configuration by Andrew doesn't contain this option so I'm a little puzzled as to why it doesn't cache the password. Maybe this is because I'm using a newer version of openvpn or maybe it can be set on the server config to push this option to the client.

This was seen on: OpenVPN 2.2.1-8+deb7u2 with OpenVPN GUI v5 for Windows.
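
Added example (not part of any answer above, and not OpenVPN's own code): a small Python check of a client/server config pair for the two effects discussed here, the reneg-sec timer needing to be raised on both sides (Solution 1) and auth-nocache causing a credential re-prompt at each renegotiation (Solution 3). The sample configs and function names are constructed for illustration; it assumes the lower non-zero reneg-sec of the two peers triggers the renegotiation and that an absent reneg-sec means the 3600-second default.

```python
DEFAULT_RENEG_SEC = 3600  # value OpenVPN uses when reneg-sec is absent

# Constructed sample: the server raises the timer, the client does not.
SERVER_CONF = """
# server side
port 1194
reneg-sec 86400
keepalive 10 120
"""
CLIENT_CONF = """
; client side
client
auth-user-pass
auth-nocache
"""

def parse_directives(text):
    """Map directive name -> argument list, skipping blank and comment lines."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives[name.lstrip("-")] = args
    return directives

def reneg_sec(directives):
    args = directives.get("reneg-sec")
    return int(args[0]) if args else DEFAULT_RENEG_SEC

def effective_reneg(server, client):
    """Seconds until a renegotiation is triggered, or None if both sides use 0.

    Assumption: either peer may start it, so the lower non-zero timer wins;
    0 only switches off the timer on the side that sets it.
    """
    timers = [t for t in (reneg_sec(server), reneg_sec(client)) if t > 0]
    return min(timers) if timers else None

def audit(server_text, client_text):
    server, client = parse_directives(server_text), parse_directives(client_text)
    interval = effective_reneg(server, client)
    findings = []
    if interval is None:
        findings.append("rekeying disabled on both sides: session keys are never refreshed")
    elif "auth-user-pass" in client and "auth-nocache" in client:
        findings.append(f"credentials are not cached: expect a re-prompt every {interval}s")
    return interval, findings

if __name__ == "__main__":
    print(audit(SERVER_CONF, CLIENT_CONF))
```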