Bob Ortiz asked:
The setup is quite simple. For my home server I use:
- A server with Pfsense 2.3.4-RELEASE (latest) as OS / firewall
- An OpenVPN setup (the integrated Pfsense version) as TCP tun (additionally, in a useless attempt to solve the issue, I added "reneg-sec 0;keepalive 10 120" to the Custom options under Advanced settings in the OpenVPN menu, and restarted the OpenVPN service).
- FreeRADIUS as an authentication backend for the OpenVPN setup.
In FreeRADIUS I've set up MOTP. So I use an app on my phone with a PIN code to generate a one-time password (OTP) to log in.
This all works fine for about an hour. Then the connection starts to reset, and obviously that will not succeed because the OTP has expired.
I tried removing the persist-tun option from my local ovpn file, since that fixed a similar issue for multiple people. This also didn't work.
After checking the logs carefully, I noticed that the client just shows:
Connection reset, restarting .
The server does show the following (and this might explain why). Just before the connection is reset, the server registers messages like this for about 2 minutes, every second:
TLS Error: local/remote TLS keys are out of sync:
Inactivity timeout (--ping-restart), restarting
TCP connection established with
user '' could not authenticate.
WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
TLS Auth Error: Auth Username/Password verification failed for peer
Peer Connection Initiated with
Connection reset, restarting 
I understand why it cannot reconnect (see log lines 3 and 5): the OTP obviously expired. The way I read this is that the problem is that the TLS keys are out of sync, and that might be where the problem starts, before disconnecting and reconnecting with incorrect credentials. Now the question:
How do I fix this and where? Server-side in Pfsense, OpenVPN, FreeRADIUS or in the OVPN profiles client-side?
Additionally, my ovpn profile looks like this:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote [XXXXXX] 1194 tcp-client
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
[XXXXXX]
-----END CERTIFICATE-----
</ca>
setenv CLIENT_CERT 0
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[XXXXXX]
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
Check that the system clocks on both the client and server are correctly synced via your favorite NTP client. A difference of even a few seconds can cause this problem.
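To check the "works for about an hour" pattern against the server log rather than eyeballing it, here is an added Python triage script (not from the question or the answer, and not pfSense's or OpenVPN's own tooling). The log lines are constructed after the messages quoted in the question, and the script assumes OpenVPN's default 3600-second reneg-sec as the interval to compare the session length against.

```python
"""Triage an OpenVPN server log for the hourly TLS-renegotiation / expired-OTP pattern."""
import re
from datetime import datetime

# Constructed sample lines modelled on the messages quoted in the question (not a real capture).
SAMPLE_LOG = """\
Jul 10 20:01:05 openvpn[1234]: 203.0.113.10:51234 [bob] Peer Connection Initiated with [AF_INET]203.0.113.10:51234
Jul 10 21:01:06 openvpn[1234]: bob/203.0.113.10:51234 TLS Error: local/remote TLS keys are out of sync: [AF_INET]203.0.113.10:51234 [0]
Jul 10 21:01:07 openvpn[1234]: bob/203.0.113.10:51234 TLS Error: local/remote TLS keys are out of sync: [AF_INET]203.0.113.10:51234 [0]
Jul 10 21:03:10 openvpn[1234]: bob/203.0.113.10:51234 Inactivity timeout (--ping-restart), restarting
Jul 10 21:03:15 openvpn[1234]: TCP connection established with [AF_INET]203.0.113.10:51300
Jul 10 21:03:16 openvpn[1234]: 203.0.113.10:51300 user 'bob' could not authenticate.
Jul 10 21:03:16 openvpn[1234]: 203.0.113.10:51300 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Jul 10 21:03:16 openvpn[1234]: 203.0.113.10:51300 TLS Auth Error: Auth Username/Password verification failed for peer
"""

# syslog-style prefix: "Mon DD HH:MM:SS process: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?: (?P<msg>.*)$")

RENEG_SEC_DEFAULT = 3600  # OpenVPN's default key-renegotiation interval (reneg-sec)


def parse_log(text, year=2017):
    """Return a list of (timestamp, message); syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["msg"]))
    return events


def triage(events, tolerance=120):
    """Measure the gap between the last good peer init and the first key-sync error,
    count the auth failures that follow, and flag a gap near the renegotiation interval."""
    last_init = first_sync_err = None
    auth_failures = 0
    for ts, msg in events:
        if "Peer Connection Initiated" in msg:
            last_init = ts
        elif "TLS keys are out of sync" in msg and first_sync_err is None:
            first_sync_err = ts
        elif first_sync_err and ("could not authenticate" in msg or "verification failed" in msg):
            auth_failures += 1
    gap = (first_sync_err - last_init).total_seconds() if last_init and first_sync_err else None
    # A session that breaks within `tolerance` seconds of reneg-sec suggests the periodic
    # TLS renegotiation re-ran auth-user-pass-verify with a one-time password that had expired.
    suspected = gap is not None and abs(gap - RENEG_SEC_DEFAULT) <= tolerance
    return {"session_secs": gap, "auth_failures": auth_failures, "renegotiation_suspected": suspected}
```

Run it over a real pfSense OpenVPN log export (after fixing the year) and compare session_secs with the reneg-sec configured on each side; a gap that lands on the interval separates the renegotiation question from the clock-drift one the answer raises.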
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.