Home / server / Questions / 284718
Accepted
Ricardo Marimon
Asked: 2011-06-28 17:11:30 +0800 CST

Configure OpenVPN client to continue trying after authorization fails

  • 772

I just managed to cut my OpenVPN connection to some 20 servers tonight. I was experimenting with the client-connect scripts, and at some point one of the scripts returned a non zero response. This non zero response triggered an AUTH: Received AUTH_FAILED control message in the syslog which eventually resulted in a SIGTERM[soft,auth-failure] received, process exiting exit from the OpenVPN client. Is there a way to protect myself from this? Any configuration on the server or client side?

openvpn

2 Answers

  1. Best Answer

    The easiest way to protect yourself from this is to wrap the openvpn client in a while loop that restarts it. Looking at the openvpn discussion list it appears this was a design decision made because auth failures likely require manual intervention and having the client retry repeatedly would in many cases lock out the user (according to SOX/PCI compatible security precautions). It isn't clear what your OS config is, in OS X the launchd would take care of respawning this.

    • 2

  2. I've been seeing the same problem intermittently. polynomial's answer seems to be correct - I'm sure in my cause it's a network/connection error and not authentication.

    Starting OpenVPN with the following script has fixed it for me, although you might need to adjust it for your local setup:

    #!/bin/bash

maxAttempts=10
waitTime=5
device=tap0

attempts=1
while true; do
    /etc/init.d/openvpn restart
    sleep $waitTime

    vpnIp=$( ip addr show dev $device | grep 'inet ' | cut -d ' ' -f 6 | cut -d '/' -f 1 )

    if [ ! -x $vpnIp ]; then
        break
    fi

    attempts=$((attempts+1))
    if [ $attempts -gt $maxAttempts ]; then
        break
    fi
done
    • 0