Disable auto reconnecting
How can the openvpn client disable auto reconnecting when another device connects with the same profile?
P.S.: with openvpn version 2.x, I use the remap-usr1 option to remap signal SIGUSR1 to SIGTERM and stop client reconnects.
Related openvpn3-linux issue: https://codeberg.org/OpenVPN/openvpn3-linux/issues/6
After pondering a bit on this specific case and discussing it in the team, it's clear that this feature is not available in the OpenVPN 3 Core Library.
Porting remap-usr1 to OpenVPN 3 makes little sense, since this library does not use Unix signals, like OpenVPN 2.x does. In addition, the remap-usr1 is intended for a different use case than yours. It could be said that using remap-usr1 in this context is working due to the side-effect of what this signal remapping does.
Your real issue is that you're connecting two devices containing the same client certificate, which ends up in a re-connect game where client A, which connected first, gets kicked off when client B connects and then A reconnects, kicking off client B - in an endless loop. This reconnection behaviour is actually considered a feature in OpenVPN - and is the default behaviour in OpenVPN 2.x as well (without the remap-usr1).
The best solution for you is actually to not work around this, but to either issue different client certificates for each connecting device or to configure the server to use --duplicate-cn.
We have not concluded at the moment if a "disable reconnect" feature is really wanted in OpenVPN 3.
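A server-side check for the reconnect loop described above, as an added example that is not part of the original thread or OpenVPN's own code: it counts the message an OpenVPN 2.x server logs when a new session displaces an existing one with the same common name. The log lines are constructed, and the timestamp and peer prefix layout is an assumption to adapt to your own log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message an OpenVPN 2.x server logs when a new session displaces one with the
# same common name. ASSUMPTION: "YYYY-MM-DD HH:MM:SS ip:port " line prefix.
DISPLACED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<peer>\S+) "
    r"MULTI: new connection by client '(?P<cn>[^']+)' "
    r"will cause previous active sessions by this client to be dropped"
)

def find_reconnect_loops(lines, window=timedelta(minutes=2), threshold=3):
    """Map each CN displaced >= threshold times within `window` to the
    sorted source IPs seen in that window."""
    events = defaultdict(list)
    for line in lines:
        m = DISPLACED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[m["cn"]].append((ts, m["peer"].rsplit(":", 1)[0]))
    flagged = {}
    for cn, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged[cn] = sorted({ip for _, ip in evs[start:end + 1]})
                break
    return flagged

# Constructed sample lines (message tail shortened), documentation addresses.
MSG = ("MULTI: new connection by client '{cn}' will cause previous active "
       "sessions by this client to be dropped.")
SAMPLE_LOG = [
    "2024-05-01 10:00:04 198.51.100.7:51820 peer info: IV_VER=2.6.8",
    "2024-05-01 10:00:05 198.51.100.7:51820 " + MSG.format(cn="alice"),
    "2024-05-01 10:00:12 203.0.113.9:40112 " + MSG.format(cn="alice"),
    "2024-05-01 10:00:19 198.51.100.7:51833 " + MSG.format(cn="alice"),
    "2024-05-01 10:00:26 203.0.113.9:40120 " + MSG.format(cn="alice"),
    "2024-05-01 10:03:00 192.0.2.44:53001 " + MSG.format(cn="bob"),
]

if __name__ == "__main__":
    for cn, ips in find_reconnect_loops(SAMPLE_LOG).items():
        print(f"{cn}: same certificate flapping between {', '.join(ips)}")
```

Two or more source addresses for one common name suggest a profile shared between devices, while a single displacement like the constructed "bob" line stays below the threshold.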
Hi guy, thanks so much for a clean answer. This answer covered my case well.
I know the remap_usr1 option is not intended for this case, but I don't want to use two profiles for each user, and also don't want to enable the --duplicate-cn option (for security).
Anyway, properly, I must choose another solution, such as creating more than one profile for users connecting to multiple devices at the same time.
We need a function to disable automatic reconnection in version 3. We use 2FA. If there's a short connection interruption, the client will continually attempt to connect. If the user doesn't notice this, access will be blocked after x failed attempts. Therefore, a notification would be very helpful so that the user can insert the password and the 2FA on the mobile phone.
@aweite you are probably doing something very wacky/weird and non-standard. Normally the client does NOT reconnect automatically after an auth failed. Or you are using a very weird MFA implementation that does not use the normal MFA stuff and also a broken AUTH_FAILED message. Please open a separate ticket that includes more details about your use instead of hijacking this ticket.