Random OpenVPN Interruptions
My users started reporting frequent interruptions to their RDP/SSH sessions when running over OpenVPN to our building. This was of course caused by the massive uptick in WFH during COVID (and some expanding teams).
Running Wireshark and PingPlotter revealed that the issue started on the server. Further investigation and correlation showed that every initial login and every rekey caused a brief traffic interruption.
To handle the re-keys (every hour, or 3600s, by default) you can add reneg-sec 0 to both the client and server configuration. This causes the server to never re-negotiate the connection, so the session keys are never rotated for the lifetime of the connection. This also fixes getting a new smart card or MFA prompt every 60 minutes.
To resolve this properly, though, we want to know why it hangs, as the above does not fix the interruption at initial login. The root cause was found in #openvpn on Freenode: OpenVPN is single-threaded, and if you use a script to authenticate users then the server has to wait for that script to finish.
As seen in this log, the network traffic stops between 14:22:55 and 14:23:22:
Thu Mar 25 14:22:55 2021 us=791373 126.96.36.199:49341 peer info: IV_GUI_VER=OpenVPN_GUI_11
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: first.last
AUTH-PAM: BACKGROUND: my_conv query='login:' style=2
AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
AUTH-PAM: BACKGROUND: my_conv query='Password: ' style=1
AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
Thu Mar 25 14:23:22 2021 us=986516 188.8.131.52:49341 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
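As an added example (not code from the original post), the check below reads OpenVPN server log lines like the ones above, pairs each client's "peer info" line with its PLUGIN_AUTH_USER_PASS_VERIFY result, and reports every auth exchange that blocked the server for longer than a threshold. The sample log lines, the peer addresses and the choice of "peer info" as the start marker are constructed assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not from the original post), modelled on the log above:
# "peer info" marks the start of the blocking PAM exchange and the
# PLUGIN_AUTH_USER_PASS_VERIFY line marks its end. Peer addresses are
# RFC 5737 documentation addresses. AUTH-PAM: BACKGROUND lines carry no
# timestamp in this log format and are skipped by the parser.
SAMPLE_LOG = """\
Thu Mar 25 14:22:55 2021 us=791373 203.0.113.10:49341 peer info: IV_GUI_VER=OpenVPN_GUI_11
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: first.last
Thu Mar 25 14:23:22 2021 us=986516 203.0.113.10:49341 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Thu Mar 25 14:30:01 2021 us=100000 203.0.113.11:51000 peer info: IV_GUI_VER=OpenVPN_GUI_11
Thu Mar 25 14:30:01 2021 us=350000 203.0.113.11:51000 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
"""

# Timestamped OpenVPN line: ctime-style date, "us=<microseconds>", IPv4 peer, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) us=(?P<us>\d+) "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$"
)

def parse_ts(ts, us):
    """Combine the ctime-style date and the us= field into one datetime."""
    return datetime.strptime(ts, "%a %b %d %H:%M:%S %Y") + timedelta(microseconds=int(us))

def find_auth_stalls(log_text, threshold_s=1.0):
    """Return [(peer, seconds)] for each auth exchange that took at least threshold_s."""
    # The server is single-threaded, so one peer's stall is a stall for every
    # connected client: a single long entry here explains site-wide drop-outs.
    pending = {}  # peer -> time its "peer info" line was logged
    stalls = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = parse_ts(m["ts"], m["us"])
        peer, msg = m["peer"], m["msg"]
        if msg.startswith("peer info:"):
            pending[peer] = when
        elif "PLUGIN_AUTH_USER_PASS_VERIFY" in msg and peer in pending:
            took = (when - pending.pop(peer)).total_seconds()
            if took >= threshold_s:
                stalls.append((peer, round(took, 3)))
    return stalls
```

Run against the sample, the first client shows a 27.195 s stall while the second (a quick PAM answer) stays under the default one-second threshold.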
NOTE: When building on Debian/Ubuntu per this issue change line
For Debian you need to install build-essential before running make plugin while in the repo. Put the resultant file in /usr/lib/openvpn/ with the auth-pam plugin. I set permissions to 644 root:root to match the auth-pam plugin as well.
No deferral plugins are able to work with auth-pam; instead you need to add setenv deferred_auth_pam 1 to your config to use the deferral native to the auth-pam plugin. This is much simpler than compiling a new plugin yourself, but it requires OpenVPN server 2.5. See here