Frequently Asked Question

OpenVPN client automatically reconnects after the connection drops for some reason. If DUO 2FA is enabled and the user's phone is not available at the moment, the user account will be locked by DUO. How to prevent this from happening?
Last Updated 5 years ago

OpenVPN client's default settings are as follows: if the connection drops, the client will attempt to reconnect every 5 seconds initially, progressively increasing the period up to 300 seconds. The client will attempt to reconnect indefinitely.
In case two factor authentication is enabled, upon reconnection, a push request will be attempted to the DUO mobile app. If this request repeatedly fails for some reason, the user's DUO account will be locked for security reasons and may require the DUO admin's action to reactivate the user's account.

There are two approaches to deal with such a situation: The first is to adjust the OpenVPN client's behavior and make the client give up after a small number of tries, and the second is to adjust the DUO Lockout and Fraud policy settings.

OpenVPN client reconnection settings

There are two main settings that can be tuned, in order to adjust the way the OpenVPN client attempts to reconnect after a disconnection:

connect-retry-max n
n specifies the number of times each --remote or <connection> entry is tried. Specifying n as 1 would try each entry exactly once. A successful connection resets the counter. (default=unlimited).
The above setting, with a value of 1, must be added to the client configuration file for the connection:
connect-retry-max 1
This aborts the connection after only one retry, which keeps the DUO account-locking measure from being triggered, but the OpenVPN client will remain disconnected until the user connects again manually.
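As an added example (not part of the original page), a small Python helper that audits a client profile for the directive above and inserts or corrects it, so a fleet of .ovpn files can be checked before Duo lockouts occur; the sample profile and its hostname are constructed for the demonstration.

```python
from typing import Optional

DIRECTIVE = "connect-retry-max"

# Constructed sample client profile (not taken from the page). The commented-out
# lines must be ignored: OpenVPN treats a leading '#' or ';' as a comment marker.
SAMPLE_OVPN = """client
dev tun
# connect-retry-max 3
;connect-retry-max 5
remote vpn.example.com 1194 udp
<connection>
remote vpn.example.com 443 tcp
</connection>
auth-user-pass
"""

def _directive_value(line: str) -> Optional[str]:
    """Argument of an active connect-retry-max directive on this line, else None."""
    parts = line.strip().split()
    if not parts or parts[0][0] in "#;":
        return None
    return parts[1] if parts[0] == DIRECTIVE and len(parts) > 1 else None

def connect_retry_max(config: str) -> Optional[int]:
    """Effective connect-retry-max of a profile; None means the OpenVPN default
    (unlimited retries). If the directive is repeated, the last active one wins."""
    active = [v for v in map(_directive_value, config.splitlines()) if v is not None]
    return int(active[-1]) if active else None

def ensure_connect_retry_max(config: str, n: int = 1) -> str:
    """Return the profile with exactly one active 'connect-retry-max n'.
    An existing active directive is replaced in place (duplicates dropped);
    otherwise the directive is inserted before the first 'remote' or
    '<connection>' line. The option is global, so placement is cosmetic."""
    out, replaced = [], False
    for line in config.splitlines():
        if _directive_value(line) is not None:
            if not replaced:
                out.append(f"{DIRECTIVE} {n}")
                replaced = True
            continue  # drop any further active occurrences
        out.append(line)
    if not replaced:
        idx = next((i for i, l in enumerate(out)
                    if l.split()[:1] in (["remote"], ["<connection>"])), len(out))
        out.insert(idx, f"{DIRECTIVE} {n}")
    return "\n".join(out) + "\n"
```

Running connect_retry_max over the sample returns None (the client would retry forever); ensure_connect_retry_max returns the same profile with a single connect-retry-max 1 placed before the first remote entry.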

DUO Lockout and Fraud setting

Log in to DUO's administrative panel. In "Settings :: Lockout and Fraud" there are 2 settings that control DUO's behavior in the above event of repeated failed attempts:


The default is to lock out the user after 10 failed attempts and revert the lockout after 90 minutes. There is no way to disable this feature. You can only raise the number of failed attempts and, optionally, lower the time after which the user's status is reverted to 'Active' again.
