Enforce OpenVPN Inactivity Timeout

Got a problem with Viscosity or need help? Ask here!

dleesap

Posts: 2
Joined: Wed Aug 21, 2024 1:34 am

Post by dleesap » Wed Aug 21, 2024 2:17 am
I've been requested to configure an inactivity timeout on our OpenVPN servers and have been having some issues getting it working with the Viscosity client. I've added the the `push "inactive [sec] [bytes]"` line to the server config and can see it being pushed to the client through the connection logs. The issue I'm having is that Viscosity has an "Automatically reconnect if disconnected" option for the connections which defaults to true and doesn't allow the timeout to work as intended. When inactivity timeout has been triggered, the connection quickly switches to "Disconnected", then "Authenticating", and "Connected" and the inactivity timer resets. In the connection log the event looks like the following:
Code: Select all
2024-08-20 11:18:05: State changed to Connected
2024-08-20 11:20:02: Inactivity timeout (--inactive), exiting
2024-08-20 11:20:02: SIGTERM received, sending exit notification to peer
2024-08-20 11:20:03: /sbin/route delete -net 10.0.0.0 10.240.0.5 255.255.255.192
2024-08-20 11:20:03: /sbin/route delete -net 10.240.0.1 10.240.0.5 255.255.255.255
2024-08-20 11:20:03: Closing TUN/TAP interface
2024-08-20 11:20:04: SIGTERM[soft,exit-with-notification] received, process exiting
2024-08-20 11:20:04: State changed to Disconnected (Process Terminated)
2024-08-20 11:20:05: Viscosity Mac 1.10.2 (1592)
2024-08-20 11:20:05: Viscosity OpenVPN Engine Started
2024-08-20 11:20:05: Running on macOS 14.5.0
2024-08-20 11:20:05: ---------
2024-08-20 11:20:05: State changed to Connecting


I'm wondering if others have encountered this issue and how they've gone about enforcing the timeout despite the Viscosity client's attempt at reconnecting. I've tried the `explicit-exit-notify` option in the cleint config(which you can see in the above code block) and the `auth-nocache` option in the server config to prevent the reauthentication during the unwanted reconnect, neither of which have worked. When the "Automatically reconnect if disconnected" is disabled the inactivity timeout works as intended, but we don't have a way to enforce the options on the operator's local application.

Versions:
Viscosity 1.10.2 (1592)

OpenVPN 2.6.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] [FIDO]
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10

Server Config:
Code: Select all
port 1194
proto udp
dev tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh none
tls-auth /etc/openvpn/keys/ta.key 0
tls-server
auth SHA256
prng SHA256
cipher AES-256-CBC
tls-version-min 1.2

tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

ecdh-curve secp521r1

server 10.240.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "dhcp-option DNS 10.0.0.2"
push "route 10.0.0.0 255.255.255.192"
push "dhcp-option DOMAIN <REDACTED>"
push "dhcp-option DOMAIN <REDACTED>"
push "dhcp-option DOMAIN <REDACTED>"
push "inactive 120 1000000"
auth-nocache
keepalive 5 30
compress stub-v2
push "compress stub-v2"
persist-key
persist-tun
user nobody
group nogroup

status status-openvpn_udp_1194.log
status-version 1
log-append /var/log/openvpn.log
verb 3

# Allow a single OpenVPN profile to be used by multiple users
duplicate-cn

# Set the username as the common name, so that logs show the username instead
# of the common name from the certificate
username-as-common-name

plugin /usr/share/openvpn/pam-u2f/auth-pam-u2f.so ovpn

# Generate a token to allow a client to renegotiate without going through the
# full reauthentication
auth-gen-token

Client config(explicit-exit-notify defined in viscosity client):
Code: Select all
client

tls-client
auth SHA256
cipher AES-256-CBC
remote-cert-tls server
tls-version-min 1.2

proto udp
remote <REDACTED> 1194
dev tun

resolv-retry 5
nobind
keepalive 5 30
persist-key
persist-tun
verb 3


route-method exe
route-delay 2

key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
<REDACTED>
</ca>

<tls-auth>
<REDACTED>
</tls-auth>

<cert>
<REDACTED>
</cert>

<key>
<REDACTED>
</key>

auth-user-pass
Connection log:
Code: Select all
2024-08-20 11:58:41: Viscosity Mac 1.10.2 (1592)
2024-08-20 11:58:41: Viscosity OpenVPN Engine Started
2024-08-20 11:58:41: Running on macOS 14.5.0
2024-08-20 11:58:41: ---------
2024-08-20 11:58:41: State changed to Connecting
2024-08-20 11:58:41: Valid existing endpoint found... x.x.x.x:1194:udp
2024-08-20 11:58:43: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2024-08-20 11:58:43: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2024-08-20 11:58:43: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
2024-08-20 11:58:43: Socket Buffers: R=[786896->786896] S=[9216->9216]
2024-08-20 11:58:43: UDP link local: (not bound)
2024-08-20 11:58:43: UDP link remote: [AF_INET]x.x.x.x:1194
2024-08-20 11:58:43: State changed to Authenticating
2024-08-20 11:58:43: TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=353dcddb c94c1c6a
2024-08-20 11:58:43: VERIFY OK: depth=1, CN=OpenVPN-CA-10.0.0.41
2024-08-20 11:58:43: VERIFY KU OK
2024-08-20 11:58:43: Validating certificate extended key usage
2024-08-20 11:58:43: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-08-20 11:58:43: VERIFY EKU OK
2024-08-20 11:58:43: VERIFY OK: depth=0, CN=OpenVPN-Server-10.0.0.41
2024-08-20 11:58:45: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2024-08-20 11:58:45: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
2024-08-20 11:58:45: [OpenVPN-Server-10.0.0.41] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
2024-08-20 11:58:45: SENT CONTROL [OpenVPN-Server-10.0.0.41]: 'PUSH_REQUEST' (status=1)
2024-08-20 11:58:45: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.0.0.2,route 10.0.0.0 255.255.255.192,dhcp-option DOMAIN x.x.x.x,dhcp-option DOMAIN x.x.x.x,dhcp-option DOMAIN x.x.x.x,inactive 120 1000000,compress stub-v2,route 10.240.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.240.0.6 10.240.0.5,peer-id 1,auth-tokenSESS_ID,cipher AES-256-GCM'
2024-08-20 11:58:45: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-08-20 11:58:45: OPTIONS IMPORT: timers and/or timeouts modified
2024-08-20 11:58:45: OPTIONS IMPORT: compression parms modified
2024-08-20 11:58:45: OPTIONS IMPORT: --ifconfig/up options modified
2024-08-20 11:58:45: OPTIONS IMPORT: route options modified
2024-08-20 11:58:45: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-08-20 11:58:45: OPTIONS IMPORT: peer-id set
2024-08-20 11:58:45: OPTIONS IMPORT: adjusting link_mtu to 1624
2024-08-20 11:58:45: OPTIONS IMPORT: data channel crypto options modified
2024-08-20 11:58:45: Data Channel: using negotiated cipher 'AES-256-GCM'
2024-08-20 11:58:45: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-08-20 11:58:45: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-08-20 11:58:45: Opened utun device utun10
2024-08-20 11:58:45: /sbin/ifconfig utun10 delete
2024-08-20 11:58:45: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2024-08-20 11:58:45: /sbin/ifconfig utun10 10.240.0.6 10.240.0.5 mtu 1500 netmask 255.255.255.255 up
2024-08-20 11:58:48: /sbin/route add -net 10.0.0.0 10.240.0.5 255.255.255.192
2024-08-20 11:58:48: /sbin/route add -net 10.240.0.1 10.240.0.5 255.255.255.255
2024-08-20 11:58:48: Initialization Sequence Completed
2024-08-20 11:58:48: DNS mode set to Split
2024-08-20 11:58:48: DNS Server/s: 10.0.0.2
2024-08-20 11:58:48: DNS Domains/s: x.x.x.x, x.x.x.x, x.x.x.x
2024-08-20 11:58:48: State changed to Connected
2024-08-20 12:00:46: Inactivity timeout (--inactive), exiting
2024-08-20 12:00:46: SIGTERM received, sending exit notification to peer
2024-08-20 12:00:47: /sbin/route delete -net 10.0.0.0 10.240.0.5 255.255.255.192
2024-08-20 12:00:47: /sbin/route delete -net 10.240.0.1 10.240.0.5 255.255.255.255
2024-08-20 12:00:47: Closing TUN/TAP interface
2024-08-20 12:00:48: SIGTERM[soft,exit-with-notification] received, process exiting
2024-08-20 12:00:48: State changed to Disconnected (Process Terminated)
2024-08-20 12:00:49: Viscosity Mac 1.10.2 (1592)
2024-08-20 12:00:49: Viscosity OpenVPN Engine Started
2024-08-20 12:00:49: Running on macOS 14.5.0
2024-08-20 12:00:49: ---------
2024-08-20 12:00:49: State changed to Connecting
2024-08-20 12:00:49: Checking reachability status of connection...
2024-08-20 12:00:49: Connection is reachable. Starting connection attempt.
2024-08-20 12:00:49: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2024-08-20 12:00:49: OpenVPN 2.5.5 arm-apple-darwin20.1.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Mar 16 2022
2024-08-20 12:00:49: library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2024-08-20 12:00:49: Valid existing endpoint found... x.x.x.x:1194:udp
2024-08-20 12:00:49: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2024-08-20 12:00:49: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2024-08-20 12:00:49: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
2024-08-20 12:00:49: Socket Buffers: R=[786896->786896] S=[9216->9216]
2024-08-20 12:00:49: UDP link local: (not bound)
2024-08-20 12:00:49: UDP link remote: [AF_INET]x.x.x.x:1194
2024-08-20 12:00:49: State changed to Authenticating
2024-08-20 12:00:49: TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=6b61adde a18f2a0f
2024-08-20 12:00:49: VERIFY OK: depth=1, CN=OpenVPN-CA-10.0.0.41
2024-08-20 12:00:49: VERIFY KU OK
2024-08-20 12:00:49: Validating certificate extended key usage
2024-08-20 12:00:49: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-08-20 12:00:49: VERIFY EKU OK
2024-08-20 12:00:49: VERIFY OK: depth=0, CN=OpenVPN-Server-10.0.0.41
2024-08-20 12:00:49: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2024-08-20 12:00:49: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
2024-08-20 12:00:49: [OpenVPN-Server-10.0.0.41] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
2024-08-20 12:00:49: SENT CONTROL [OpenVPN-Server-10.0.0.41]: 'PUSH_REQUEST' (status=1)
2024-08-20 12:00:49: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.0.0.2,route 10.0.0.0 255.255.255.192,dhcp-option DOMAIN x.x.x.x,dhcp-option DOMAIN x.x.x.x,dhcp-option DOMAIN x.x.x.x,inactive 120 1000000,compress stub-v2,route 10.240.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.240.0.6 10.240.0.5,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM'
2024-08-20 12:00:49: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-08-20 12:00:49: OPTIONS IMPORT: timers and/or timeouts modified
2024-08-20 12:00:49: OPTIONS IMPORT: compression parms modified
2024-08-20 12:00:49: OPTIONS IMPORT: --ifconfig/up options modified
2024-08-20 12:00:49: OPTIONS IMPORT: route options modified
2024-08-20 12:00:49: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-08-20 12:00:49: OPTIONS IMPORT: peer-id set
2024-08-20 12:00:49: OPTIONS IMPORT: adjusting link_mtu to 1624
2024-08-20 12:00:49: OPTIONS IMPORT: data channel crypto options modified
2024-08-20 12:00:49: Data Channel: using negotiated cipher 'AES-256-GCM'
2024-08-20 12:00:49: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-08-20 12:00:49: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-08-20 12:00:49: Opened utun device utun10
2024-08-20 12:00:49: /sbin/ifconfig utun10 delete
2024-08-20 12:00:49: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2024-08-20 12:00:49: /sbin/ifconfig utun10 10.240.0.6 10.240.0.5 mtu 1500 netmask 255.255.255.255 up
2024-08-20 12:00:51: /sbin/route add -net 10.0.0.0 10.240.0.5 255.255.255.192
2024-08-20 12:00:51: /sbin/route add -net 10.240.0.1 10.240.0.5 255.255.255.255
2024-08-20 12:00:51: Initialization Sequence Completed

James

User avatar
Posts: 2371
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Aug 22, 2024 7:44 am
Hi dleesap,

You can add the following command to your configuration file if you'd prefer Viscosity to not automatically reconnect the VPN connection when it is disconnected:
#viscosity autoreconnect false

Use of Viscosity's "Disconnect connections after X minutes on inactivity" feature also shouldn't trigger a reconnect:
https://www.sparklabs.com/support/kb/ar ... y/#general

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

dleesap

Posts: 2
Joined: Wed Aug 21, 2024 1:34 am

Post by dleesap » Tue Aug 27, 2024 3:01 am
Appreciate the help James!
3 posts Page 1 of 1