Configure netifd to stop reconnecting

I have configured the OpenConnect client to connect to a work VPN via the anyconnect protocol.

The VPN requires 2FA (Google Authenticator), so I use the Password2 field in LUCI to enter it.

When there are connection issues, OpenConnect can disconnect.

netifd endlessly retries to restore the OpenConnect connection, but it uses the old 2FA key, so the VPN rejects it.

As a result, the VPN can block my creds due to many unsuccessful attempts.

Pls help with question(s):

Is there any way to tell netifd:

  • for this particular connection pls do not retry to reconnect?
  • kind of timeout to restore OpenConnect?
  • number of retries to restore OpenConnect?

Or in other words, I'd like netifd to stop reconnecting if the OpenConnect connection is down.

Just in case: I've read about the reconnect-timeout parameter for OpenConnect, but the only idea that comes to my head is to set it to as high a value as possible, so that if there is a VPN connection issue I can turn off OpenConnect myself.

One more thing to give a picture: below are the logs from when I unplug the WAN cable. netifd tries to restore OpenConnect forever:

...
Wed Feb  4 19:04:07 2026 user.notice openconnect: executing 'openconnect 'vpn.server.address' '-i' 'vpn-OpenConnect' '--non-inter' '--syslog' '--protocol' 'anyconnect' '--authgroup' 'VPN_AUTH_GROUP' '-u' 'user.name' '--passwd-on-stdin''
Wed Feb  4 19:04:07 2026 daemon.notice netifd: OpenConnect (5824): POST https://vpn.server.address/
Wed Feb  4 19:04:07 2026 daemon.notice netifd: OpenConnect (5824): Failed to connect to VPN_IP:VPN_PORT: Network unreachable
Wed Feb  4 19:04:07 2026 daemon.notice netifd: OpenConnect (5824): Failed to connect to host vpn.server.address
Wed Feb  4 19:04:07 2026 daemon.notice netifd: OpenConnect (5824): Failed to open HTTPS connection to vpn.server.address
Wed Feb  4 19:04:07 2026 daemon.notice netifd: OpenConnect (5824): Failed to complete authentication
Wed Feb  4 19:04:07 2026 user.notice openconnect: bringing down openconnect
Wed Feb  4 19:04:07 2026 daemon.notice netifd: Interface 'OpenConnect' is now down
Wed Feb  4 19:04:07 2026 daemon.notice netifd: Interface 'OpenConnect' is setting up now
Wed Feb  4 19:04:07 2026 user.notice openconnect: initializing...
Wed Feb  4 19:04:07 2026 user.notice openconnect: executing 'openconnect 'vpn.server.address' '-i' 'vpn-OpenConnect' '--non-inter' '--syslog' '--protocol' 'anyconnect' '--authgroup' 'VPN_AUTH_GROUP' '-u' 'user.name' '--passwd-on-stdin''
Wed Feb  4 19:04:07 2026 daemon.notice netifd: OpenConnect (5844): POST https://vpn.server.address/
Wed Feb  4 19:04:07 2026 daemon.notice netifd: OpenConnect (5844): Failed to connect to VPN_IP:VPN_PORT: Network unreachable
Wed Feb  4 19:04:07 2026 daemon.notice netifd: OpenConnect (5844): Failed to connect to host vpn.server.address
Wed Feb  4 19:04:07 2026 daemon.notice netifd: OpenConnect (5844): Failed to open HTTPS connection to vpn.server.address
Wed Feb  4 19:04:07 2026 daemon.notice netifd: OpenConnect (5844): Failed to complete authentication
Wed Feb  4 19:04:07 2026 user.notice openconnect: bringing down openconnect
Wed Feb  4 19:04:07 2026 daemon.notice netifd: Interface 'OpenConnect' is now down
Wed Feb  4 19:04:07 2026 daemon.notice netifd: Interface 'OpenConnect' is setting up now
Wed Feb  4 19:04:07 2026 user.notice openconnect: initializing...
...

Even if I didn't install/configure "openconnect", I assume you created an interface, so you can use the "auto '0'" option.

Try stopping automatic VPN retries like this:

  1. Open /etc/config/network and find the OpenConnect interface.

  2. Add option auto '0' (or option keepalive '0' if present).

  3. Save and restart the network: /etc/init.d/network restart.

  4. If the VPN drops, netifd will no longer try to reconnect automatically.

  5. To bring it back up, run manually: ifup OpenConnect or use LUCI “Connect”.

You will then need to find a way (script) to pass the new passwords and manually reactivate the interface.

This prevents your 2FA credentials from being blocked.

The VPN will not reconnect automatically until you intervene.

1 Like
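
The "script to pass the new passwords and manually reactivate the interface" step, sketched as an added example that is not from any poster in this thread. The script name `vpn-otp-up`, the function names and the 15-second deadline are assumptions; the interface name and the `password2` option come from the config shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical script name: vpn-otp-up.
# Assumes the interface section is 'OpenConnect', as in the thread's config.
IFACE="OpenConnect"
DEADLINE=15   # seconds to wait for the tunnel (assumed value, keep it short)

# Accept only a 6-digit code so a typo is never sent as a failed login.
valid_otp() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

vpn_up_with_otp() {
    otp="$1"
    valid_otp "$otp" || { echo "usage: vpn-otp-up <6-digit code>" >&2; return 2; }

    # Store the fresh code in the option the thread's config uses, then start.
    uci set "network.$IFACE.password2=$otp" || return 1
    uci commit network || return 1
    ifup "$IFACE" || return 1

    # Poll the interface status until it reports up or the deadline passes.
    waited=0
    while [ "$waited" -lt "$DEADLINE" ]; do
        if ifstatus "$IFACE" | grep -q '"up": true'; then
            logger -t vpn-otp-up "$IFACE is up"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done

    # Not up in time: take the interface down (the ifdown step suggested in
    # the thread) so the code just used is not submitted again and again.
    logger -t vpn-otp-up "$IFACE not up after ${DEADLINE}s, bringing it down"
    ifdown "$IFACE"
    return 1
}

# Run only when invoked under the hypothetical script name.
case "${0##*/}" in vpn-otp-up) vpn_up_with_otp "$@" ;; esac
```

netifd can still restart the handler several times inside the wait window, so the deadline bounds the number of attempts with a given code rather than limiting it to exactly one.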

Many thanks

But as far as I can see, option auto '0' is responsible for connecting the interface during boot.

Just in case, the config looks like:

config interface 'OpenConnect'
	option proto 'openconnect'
	option auto '0'
	option vpn_protocol 'anyconnect'
	option uri 'vpn.server.address'
	option authgroup 'AUTH_GROUP'
	option username 'user.name'
	option password 'domain.pass'
	option password2 '2FA_FROM_GOOGLE'

I also added option keepalive '0' to the config as recommended, so it looks like:

config interface 'OpenConnect'
	option proto 'openconnect'
	option auto '0'
	option keepalive '0'
	option vpn_protocol 'anyconnect'
	option uri 'vpn.server.address'
	option authgroup 'AUTH_GROUP'
	option username 'user.name'
	option password 'domain.pass'
	option password2 '2FA_FROM_GOOGLE'

Restarted network: /etc/init.d/network restart
Used ifup OpenConnect to connect to VPN
Removed WAN socket from router and alas, no luck.
Still infinite attempts from netifd to reconnect the OpenConnect VPN.

The only idea I have come up with for now is to hook into the directory /etc/hotplug.d/iface/.

I'd say scripts from that directory are run when virtual interfaces go up or down.

So I put a script there with something like:

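#!/bin/sh
# Hotplug hook: called for every interface event; act only when OpenConnect goes down.
[ "$ACTION" = "ifdown" ] && [ "$INTERFACE" = "OpenConnect" ] && {
    logger "iface OPENCONNECT DOWN  detected..."
    # Restarts the whole network service, not just the VPN interface.
    /etc/init.d/network restart
}
exit 0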

It seems rude, but it works. Will investigate further.

You could try this

Theoretically it should work, but “option auto '0'” should have worked too :sweat_smile:

( In my case, I have a wireguard interface where I set “option auto '0'” so that it is turned off at startup, and via scripts, when I activate the wifi it activates the interface, and vice versa when I deactivate the wifi )

Pull down the "OpenConnect" interface when "wan" receives an ifdown?

still in the /etc/hotplug.d/iface directory:

#!/bin/sh

if [ "$INTERFACE" = "wan" ] && [ "$ACTION" = "ifdown" ]; then
    logger "WAN down detected, bringing OpenConnect VPN down..."
    ifdown OpenConnect
fi

exit 0

I hope I'm not wasting your time :sweat_smile:

1 Like