OpenVPN Access Server SAML Auth - Hourly Re-Auth/Disconnect

Got a problem with Viscosity or need help? Ask here!

Chankster

Posts: 3
Joined: Fri Aug 25, 2023 6:08 am

Post by Chankster » Tue Aug 29, 2023 2:34 am
Currently testing an OpenVPN Access Server setup using SAML auth via Azure for users. The initial login works perfectly fine in Viscosity but after 55-60min I get an authentication failure message from Viscosity that user/pass is incorrect along with SAML auth popup window. Clicking OK does nothing and after a few seconds the tunnel is disconnected.
Code: Select all
Aug 28 9:27:06 AM: State changed to Connected
Aug 28 10:23:01 AM: VERIFY OK: depth=1, CN=OpenVPN CA
Aug 28 10:23:01 AM: VERIFY KU OK
Aug 28 10:23:01 AM: Validating certificate extended key usage
Aug 28 10:23:01 AM: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug 28 10:23:01 AM: VERIFY EKU OK
Aug 28 10:23:01 AM: VERIFY OK: depth=0, CN=OpenVPN Server
Aug 28 10:23:01 AM: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1477', remote='link-mtu 1557'
Aug 28 10:23:01 AM: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1420', remote='tun-mtu 1500'
Aug 28 10:23:01 AM: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 28 10:23:01 AM: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 28 10:23:01 AM: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 384 bit EC, curve secp384r1, signature: ecdsa-with-SHA256
Aug 28 10:23:01 AM: State changed to Authenticating
Aug 28 10:23:01 AM: AUTH_PENDING received, extending handshake timeout from 60s to 180s
Aug 28 10:23:01 AM: URL authentication request received from server. Attempting to load URL...
Aug 28 10:23:01 AM: Info command was pushed by server ('OPEN_URL:https://vpn.domain.com/saml/redirect/?RelayState=vpnauth%7E%7EXX_XXXXXXXXXXXXXXXX')
Aug 28 10:23:02 AM: Authentication URL successfully loaded.
Aug 28 10:23:16 AM: AUTH: Received control message: AUTH_FAILED
Aug 28 10:23:49 AM: TCP/UDP: Closing socket
Aug 28 10:23:49 AM: Closing TUN/TAP interface
Aug 28 10:23:49 AM: TAP: DHCP address released
Aug 28 10:23:49 AM: SIGUSR1[soft,auth-failure] received, process restarting

Aaron

Posts: 32
Joined: Wed Nov 30, 2022 2:53 pm

Post by Aaron » Tue Aug 29, 2023 9:17 am
Hi,

By default OpenVPN will re-authenticate/negotiate a VPN connection every 60 minutes. For connections with two-factor this means you'll be prompted again for your two-factor credentials every 60 minutes. There are two ways around this:

1. Enable session tokens on the OpenVPN server. This is the recommended approach. For standard OpenVPN servers this can be done by adding the "auth-gen-token" to the server's configuration file. You can customise the time for how long a session is valid for etc.

You mention you use OpenVPN Access Server, which has session tokens enabled by default. I recommend checking your configuration to make sure the default timeouts haven't been changed or are too short. For more information you'll need to get in touch with OpenVPN AS's support staff, however it looks like they also have some docs at: https://openvpn.net/vpn-server-resource ... t-options/

2. Disable re-negotiation or extend the timeout. For a standard OpenVPN setup this can be done by specifying the "reneg-sec x" option on both the server and client (and they should match). A time of 0 seconds disables re-negotiations.

Regards,
Aaron
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

Chankster

Posts: 3
Joined: Fri Aug 25, 2023 6:08 am

Post by Chankster » Tue Aug 29, 2023 11:35 pm
Aaron thanks for the response.

1) I've already checked that the "vpn.server.session_expire" and "vpn.tls_refresh.interval" settings are currently at their default of 24 hours and 6 hours respectively. I've been working with OpenVPN AS support and they pointed me to Viscosity support since the settings are at their default and the OpenVPN Connect client does not experience any issues. The issue seems to be that Viscosity doesn't actually properly re-auth. It either displays a completely blank auth window or shows the successful SAML auth but still fails. I can send images/logs if needed (the add file option here keeps giving me a HTTP error).

2) I'm aware I can disable security features to work around the issue but would prefer to make Viscosity work properly similar to how OpenVPN Connect client is currently working.

James

User avatar
Posts: 2361
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Aug 30, 2023 10:01 am
Hi Chankster,

Can you please send us the items listed in the following article and we can take a closer look for you. You may prefer to send these via email rather than posting them on a public forum (our support email address can be found at the bottom of our Support section).
https://www.sparklabs.com/support/kb/ar ... ort-staff/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

Chankster

Posts: 3
Joined: Fri Aug 25, 2023 6:08 am

Post by Chankster » Wed Aug 30, 2023 11:50 am
Logs have been sent.
5 posts Page 1 of 1