TLS keys out of sync? Why does my VPN connection time out after exactly an hour?

Bob Ortiz asked:

The setup is quite simple. For my home server I use:

  1. A server with Pfsense 2.3.4-RELEASE (latest) as OS / firewall
  2. An OpenVPN setup (the integrated Pfsense version) as TCP tun (additionally, in a useless attempt to solve the issue, I added reneg-sec 0;keepalive 10 120 to the Custom options under Advanced settings in the OpenVPN menu, and restarted the OpenVPN service).
  3. FreeRADIUS as an authentication backend for the OpenVPN setup.

In FreeRADIUS I’ve set up MOTP. So I use an app on my phone with a PIN code to generate a one-time password (OTP) to log in.

This all works fine, for about an hour. Then the connection starts to reset, and obviously that will not succeed because the OTP has expired.

I tried removing the persist-tun option from my local ovpn file, since that fixed a similar issue for multiple people. This also didn’t work.

After checking the logs carefully, I noticed that the client just shows:

Connection reset, restarting [0].

The server does show the following (which might explain why). Just before the connection is reset, the server logs messages like this every second for about 2 minutes:

TLS Error: local/remote TLS keys are out of sync:

  1. Inactivity timeout (--ping-restart), restarting
  2. TCP connection established with
  3. user '' could not authenticate.
  4. WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
  5. TLS Auth Error: Auth Username/Password verification failed for peer
  6. Peer Connection Initiated with
  7. Connection reset, restarting [0]

I understand why it cannot reconnect (see log lines 3 and 5): the OTP has obviously expired. The way I read this, the problem is that the TLS keys go out of sync, and that might be where it starts, before the client disconnects and reconnects with incorrect credentials. Now the question:

How do I fix this and where? Server-side in Pfsense, OpenVPN, FreeRADIUS or in the OVPN profiles client-side?

Additionally, my ovpn profile looks like this:

dev tun
cipher AES-256-CBC
auth SHA1
resolv-retry infinite
remote [XXXXXX] 1194 tcp-client
ns-cert-type server

setenv CLIENT_CERT 0
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
key-direction 1

My answer:

Check that the system clocks on both the client and server are correctly synced via your favorite NTP client. A difference of even a few seconds can cause this problem.

View the full question and any other answers on Server Fault.
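One more check worth running before or alongside the clock-sync test, as an added example of my own (not part of the question or the answer above): the question says reneg-sec 0 was added only in the server's Custom options. OpenVPN's default reneg-sec is 3600 seconds on both ends and either side can trigger the renegotiation, so the client profile keeps the hourly timer unless it also carries reneg-sec 0, and a renegotiation re-runs --auth-user-pass-verify, which a one-time password cannot pass a second time. The script below reads syslog-style OpenVPN server lines and measures how long after "Peer Connection Initiated" the first "TLS keys are out of sync" error appears, flagging an interval of about 3600 seconds. The log lines are constructed here to mirror the messages quoted in the question; the host name, PID, client address, user name and timestamps are assumed, not a real capture.

```python
import re
from datetime import datetime, timedelta

# OpenVPN's default --reneg-sec (data-channel renegotiation interval), in seconds.
DEFAULT_RENEG_SEC = 3600

# syslog-style prefix as the pfSense OpenVPN log shows it:
# "Jul 14 11:00:01 host openvpn[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ openvpn\[\d+\]: (?P<msg>.*)$"
)


def parse_line(line):
    """Return (timestamp, message) for an OpenVPN syslog line, or None if it does not match.
    A syslog timestamp carries no year, so strptime fills in 1900; that is fine because
    only differences between timestamps are used."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts, m.group("msg")


def build_sample_log(delay_seconds=DEFAULT_RENEG_SEC, storm_seconds=120):
    """Construct sample server-log lines mirroring the messages quoted in the question.
    Host name, PID, client address, user name and timestamps are assumed (constructed data)."""
    pfx = "pfsense openvpn[1234]:"
    peer = "203.0.113.7:51000"
    new_peer = "203.0.113.7:51002"
    t0 = datetime(2017, 7, 14, 10, 0, 0)

    def fmt(t):
        return t.strftime("%b %d %H:%M:%S")

    lines = [
        f"{fmt(t0)} {pfx} {peer} TCP connection established with [AF_INET]{peer}",
        f"{fmt(t0 + timedelta(seconds=1))} {pfx} {peer} [bob] Peer Connection Initiated with [AF_INET]{peer}",
    ]
    # One out-of-sync error per second for about two minutes, starting delay_seconds
    # after the session was initiated, as the question describes.
    first_err = t0 + timedelta(seconds=1 + delay_seconds)
    for sec in range(storm_seconds):
        t = first_err + timedelta(seconds=sec)
        lines.append(f"{fmt(t)} {pfx} bob/{peer} TLS Error: local/remote TLS keys are out of sync: [AF_INET]{peer} [0]")
    after = first_err + timedelta(seconds=storm_seconds)
    lines += [
        f"{fmt(after)} {pfx} bob/{peer} [bob] Inactivity timeout (--ping-restart), restarting",
        f"{fmt(after + timedelta(seconds=2))} {pfx} {new_peer} TCP connection established with [AF_INET]{new_peer}",
        f"{fmt(after + timedelta(seconds=3))} {pfx} {new_peer} WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1",
        f"{fmt(after + timedelta(seconds=3))} {pfx} {new_peer} TLS Auth Error: Auth Username/Password verification failed for peer",
    ]
    return "\n".join(lines) + "\n"


def analyze(log_text, reneg_sec=DEFAULT_RENEG_SEC, tolerance=60):
    """Summarise one client session: how long after "Peer Connection Initiated" the
    out-of-sync errors start, whether that matches the reneg-sec timer, and whether the
    reconnect then failed password verification."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    started = next((ts for ts, msg in events if "Peer Connection Initiated" in msg), None)
    out_of_sync = [ts for ts, msg in events if "TLS keys are out of sync" in msg]
    summary = {
        "session_started": started,
        "out_of_sync_count": len(out_of_sync),
        "seconds_to_first_error": None,
        "matches_reneg_timer": False,
        "ping_restart": any("Inactivity timeout (--ping-restart)" in msg for _, msg in events),
        "reauth_failed": any("Auth Username/Password verification failed" in msg for _, msg in events),
    }
    if started and out_of_sync:
        delta = (out_of_sync[0] - started).total_seconds()
        summary["seconds_to_first_error"] = delta
        summary["matches_reneg_timer"] = abs(delta - reneg_sec) <= tolerance
    return summary


def findings(summary, reneg_sec=DEFAULT_RENEG_SEC):
    """Turn the summary into the checks a practitioner would act on."""
    notes = []
    if summary["matches_reneg_timer"]:
        notes.append(f"First out-of-sync error {summary['seconds_to_first_error']:.0f} s after session start: "
                     f"matches reneg-sec {reneg_sec}. Set reneg-sec 0 in the client profile as well as on the server; "
                     "either side can start the renegotiation.")
    elif summary["seconds_to_first_error"] is not None:
        notes.append(f"Out-of-sync errors start {summary['seconds_to_first_error']:.0f} s in, not on the reneg-sec timer: "
                     "check NTP clock sync on client and server next.")
    if summary["reauth_failed"]:
        notes.append("The reconnect failed --auth-user-pass-verify: the one-time password had expired by then.")
    return notes


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for note in findings(result):
        print(note)
```

Run it against a real pfSense OpenVPN log by passing the file contents to analyze() in place of build_sample_log(); the constructed sample reproduces the pattern from the question and reports a 3600 s interval.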

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.