Hi all, I have openvpn 2.2.1-8ubuntu1.4 set up using the default reneg-sec interval of 60 mins. OpenVPN works perfectly, however the 1-hour re-key is problematic, so I would like to increase reneg-sec to 4 hours. Is this a bad idea?

We use one-time passcodes as well as client/server certs for authentication. I think what is happening is that the re-key process is not able to re-use the OTP, so it fails and the user has to re-connect every hour. I don't see a way around dropping the connection with my specific setup, so increasing the reneg-sec setting seems like the next logical choice.

The question I have is: how much of a concern is session hijacking when increasing this parameter? I would guess this depends largely on the cipher chosen and the key size, but I don't know for sure. Perhaps someone with better knowledge than I can shed some light on this. My openvpn key size is 2048 RSA with an MD of sha256.

server.conf:

    local xx.xx.xx.xx
    port 443
    proto tcp
    dev tun
    ca myca.ca.crt
    cert myserver.crt
    dh dh2048.pem
    server xx.xx.xx.xx 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route xx.xx.xx.x 255.255.254.0"
    push "dhcp-option DNS xx.xx.xx.xx"
    push "dhcp-option DNS xx.xx.xx.xx"
    keepalive 15 120
    tls-auth tls-auth.key 0
    cipher AES-256-CBC
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 4
    plugin /usr/lib/openvpn/openvpn-auth-ldap.so "auth-ldap.conf"
    username-as-common-name
    script-security 1
    crl-verify /home/certadmin/crl/crl.pem
    reneg-sec 14400

_______________________________________________
Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users
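The question above is really about how much traffic one data-channel key protects before the next renegotiation. The following checker is an added example, not code from the post or from the OpenVPN project: it reads a server.conf, reports the reneg-sec lifetime, and works out the CBC birthday bound for the configured cipher (only the cipher families in BLOCK_BITS are recognised, which is an assumption of this example; the sample config is constructed to mirror the post).

```python
"""Report how long, and how much data, one OpenVPN data-channel key covers."""

# Block size in bits of the cipher families handled here (assumption: the
# checker only knows these; any other cipher is reported as unknown).
BLOCK_BITS = {"AES": 128, "CAMELLIA": 128, "BF": 64, "DES": 64, "CAST5": 64}

def parse_conf(text):
    """Map each option to its argument list. Lines starting with '#' or ';'
    are comments, as in OpenVPN config files; the first occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        opts.setdefault(parts[0], parts[1:])
    return opts

def key_lifetime_report(text):
    """Summarise the rekey triggers and the CBC birthday bound for the cipher."""
    opts = parse_conf(text)
    reneg_sec = int(opts.get("reneg-sec", ["3600"])[0])    # OpenVPN default
    reneg_bytes = int(opts["reneg-bytes"][0]) if "reneg-bytes" in opts else None
    cipher = opts.get("cipher", ["BF-CBC"])[0].upper()      # OpenVPN 2.x default
    block_bits = BLOCK_BITS.get(cipher.split("-")[0])
    report = {"reneg_sec": reneg_sec, "reneg_bytes": reneg_bytes,
              "cipher": cipher, "block_bits": block_bits,
              "birthday_bytes": None, "bytes_per_sec_to_bound": None,
              "warnings": []}
    if block_bits is None:
        report["warnings"].append("unknown cipher family, cannot assess")
        return report
    # Birthday bound for a b-bit block cipher in CBC mode: after roughly
    # 2^(b/2) blocks under one key, a block collision becomes likely.
    birthday_bytes = 2 ** (block_bits // 2) * (block_bits // 8)
    report["birthday_bytes"] = birthday_bytes
    # Sustained throughput at which a key of this lifetime reaches the bound.
    report["bytes_per_sec_to_bound"] = birthday_bytes // reneg_sec
    if block_bits == 64 and (reneg_bytes is None or reneg_bytes > birthday_bytes):
        report["warnings"].append(
            "64-bit block cipher without a reneg-bytes cap below the birthday bound")
    return report

# Constructed sample mirroring the relevant settings in the post.
SAMPLE_CONF = "proto tcp\ncipher AES-256-CBC\nreneg-sec 14400\n"

if __name__ == "__main__":
    for key, value in key_lifetime_report(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

For the post's AES-256-CBC the bound is 2^68 bytes, so a 4-hour key lifetime is nowhere near it; the same check on the 2.x default BF-CBC gives a 32 GiB bound that a busy tunnel can reach within 4 hours.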
