Greetings everyone,
I'm doing some testing with moving our current OpenVPN solution to 2.4 to
utilize the benefits of the `auth-gen-token` parameter that was recently
introduced. I'm a little confused about how it works in relation to the
`reneg-sec` variable. We're using the free Authy OpenVPN plugin (
https://github.com/authy/authy-openvpn) for 2FA.
Our authentication follows the following chain:
1. User must present valid client certificate (duplicate-cn in our case)
2. User must present valid Authy token from their mobile device / browser
3. User must present valid login credentials that are validated against our
LDAP backend
Authy's documentation specifically says to set `reneg-sec` equal to '0' so
that renegotiation never happens; however, this was written with OpenVPN
2.3 in mind. My questions are:
1. Since `auth-gen-token X` generates a token valid for X seconds, does
this mean I can turn renegotiation back on? From initial testing (OpenVPN
2.4 on Windows 10), I set `reneg-sec` to something low (30 seconds) to see
what happened. The user is again presented with a password prompt, which
shouldn't happen.
2. Does having `auth-nocache` on the client side conflict with
`auth-gen-token` ? Do I need to remove `auth-nocache` from the client side
to utilize the benefits of `auth-gen-token` ?
Thank you all!
--
Scott Crooks (王虎)
LinkedIn: http://www.linkedin.com/in/jshcrooks
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
