TLS keys out of sync? Why does my VPN connection timeout after exactly an hour?


After some struggling I found a workaround that solves the problem.

Setting reneg-sec 0; in the client OpenVPN config file disables TLS renegotiation. Setting a number on the OpenVPN server too, for example reneg-sec 28800;, allows the server to start renegotiating after 8 hours (ending up killing the session because it's out of sync), basically making it a session timeout. I recommend setting the client to unlimited and the server to a limited reneg-sec, so you'll always be able to change the server config without actually changing all the client config files.

Such a setting bypasses the TLS renegotiation, which is basically a workaround for the real problem. The real problem is to find out why it's out of sync and fix that. I did not manage to find a solution for that yet, but this workaround is sufficient for me now.

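The renegotiation rule the answer relies on, as an added example that is not part of the original post: each peer runs its own reneg-sec timer, so the smaller non-zero value decides when the session renegotiates (OpenVPN's default is 3600 s when the directive is absent). The sample client profile and pfSense custom-options string are constructed here, and splitting custom options on ';' is an assumption about how they are entered.

```python
import re
from typing import Dict, List, Optional

DEFAULT_RENEG_SEC = 3600  # OpenVPN's built-in default when reneg-sec is not set

# Constructed samples mirroring the post: client pinned to reneg-sec 0, server's
# pfSense custom options given ';'-separated with the answer's 8-hour reneg-sec.
CLIENT_CFG = """client
auth-user-pass
reneg-sec 0
<tls-auth>
[XXXXXX]
</tls-auth>
"""
SERVER_CFG = "reneg-sec 28800;keepalive 10 120"

def parse_directives(config_text: str) -> Dict[str, List[str]]:
    """Top-level directives only: skips comments and inline <ca>/<tls-auth> blocks,
    and splits on ';' so a pfSense custom-options string parses too (assumption)."""
    directives: Dict[str, List[str]] = {}
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # '#' and leading ';' are comment markers
            continue
        if re.fullmatch(r"</?[\w-]+>", line):    # <tag> opens a block, </tag> closes it
            in_block = not line.startswith("</")
            continue
        if in_block:
            continue
        for part in line.split(";"):
            if part.strip():
                name, *args = part.split()
                directives[name] = args
    return directives

def reneg_sec(directives: Dict[str, List[str]]) -> int:
    args = directives.get("reneg-sec")
    return int(args[0]) if args else DEFAULT_RENEG_SEC

def effective_reneg_interval(client_cfg: str, server_cfg: str) -> Optional[int]:
    """Either peer may start a renegotiation, so the smallest non-zero reneg-sec wins;
    None means neither side will ever renegotiate on a timer."""
    values = [v for v in (reneg_sec(parse_directives(client_cfg)),
                          reneg_sec(parse_directives(server_cfg))) if v > 0]
    return min(values) if values else None
```

With auth-user-pass carrying a one-time password, the returned interval is the point at which the client will be asked for credentials it can no longer produce, so it should be longer than the session you want to keep.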


Author: Bob Ortiz

Updated on September 18, 2022

Comments

    Bob Ortiz over 1 year

    The setup is quite simple. For my home server I use:

    1. A server with Pfsense 2.3.4-RELEASE (latest) as OS / firewall
    2. An OpenVPN setup (the integrated Pfsense version) as TCP tun (additionally, in a useless attempt to solve the issue, I added reneg-sec 0;keepalive 10 120 to the Custom options under Advanced settings in the OpenVPN menu, and restarted the OpenVPN service).
    3. FreeRADIUS as an authentication backend for the OpenVPN setup.

    In FreeRADIUS I've set up MOTP. So I use an app on my phone with a PIN code to generate a one-time password (OTP) to log in.

    This all works fine, for about an hour. Then the connection starts to reset, and obviously that will not succeed because the OTP has expired.

    I tried removing the persist-tun option from my local ovpn file, since that fixed a similar issue for multiple people. This also didn't work.

    After checking the logs carefully, I noticed that the client just shows:

    Connection reset, restarting [0].

    The server does show the following (which might explain why). Just before the connection is reset, the server logs messages like this every second for about 2 minutes:

    TLS Error: local/remote TLS keys are out of sync:

    Then:

    1. Inactivity timeout (--ping-restart), restarting
    2. TCP connection established with
    3. user '' could not authenticate.
    4. WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    5. TLS Auth Error: Auth Username/Password verification failed for peer
    6. Peer Connection Initiated with
    7. Connection reset, restarting [0]

    I understand why it cannot reconnect (see log lines 3 and 5): the OTP has obviously expired. The way I read this is that the problem is that the TLS keys are out of sync, and that might be where the problem starts, before disconnecting and reconnecting with incorrect credentials. Now the question:

    How do I fix this and where? Server-side in Pfsense, OpenVPN, FreeRADIUS or in the OVPN profiles client-side?

    Additionally, my ovpn profile looks like this:

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote [XXXXXX] 1194 tcp-client
    auth-user-pass
    ns-cert-type server
    
    <ca>
    -----BEGIN CERTIFICATE-----
    [XXXXXX]
    -----END CERTIFICATE-----
    </ca>
    setenv CLIENT_CERT 0
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    [XXXXXX]
    -----END OpenVPN Static key V1-----
    </tls-auth>
    key-direction 1