Feature #12466

open

Option to Disable Renegotiation timer in OpenVPN Server

Added by Kris Phillips about 2 months ago. Updated 4 days ago.

Status: New
Priority: Very Low
Assignee: -
Category: OpenVPN
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

We should add an option to the OpenVPN server webConfigurator so that we can disable renegotiation in OpenVPN. This toggle should turn on the server option for "reneg-sec 0" and also add the option to the OpenVPN Client Export as well for the end user config.

This is useful for situations where the customer is using RADIUS or LDAP with 2FA authentication. When OpenVPN goes to renegotiate, the password has changed because the login password is usually [password][OTP] mashed together. When it goes to renegotiate after 60 minutes, the client will get booted due to failure of negotiation. The customer can add this option manually to both the client and server, but it would be nice to make this more automated.

Actions #1

Updated by Jim Pingle about 1 month ago

  • Tracker changed from Bug to Feature
  • Subject changed from Add Option to Disable Renegotiation in OpenVPN Server for User with OTP to Option to Disable Renegotiation timer in OpenVPN Server
  • Priority changed from Normal to Very Low
  • Affected Architecture deleted (All)
Actions #2

Updated by Viktor Gurov 11 days ago

openvpn(8):

       --reneg-sec args
              Renegotiate data channel key after at most max seconds (default 3600) and at least min seconds (default is 90% of max
              for servers, and equal to max for clients).

                 reneg-sec max [min]

              The effective --reneg-sec value used is per session pseudo-uniform-randomized between min and max.

              With the default value of 3600 this results in an effective per session value in the range of 3240 .. 3600 seconds
              for servers, or just 3600 for clients.

              When using dual-factor authentication, note that this default value may cause the end user to be challenged to
              reauthorize once per hour.

              Also, keep in mind that this option can be used on both the client and server, and whichever uses the lower value
              will be the one to trigger the renegotiation. A common mistake is to set --reneg-sec to a higher value on either the
              client or server, while the other side of the connection is still using the default value of 3600 seconds, meaning
              that the renegotiation will still occur once per 3600 seconds. The solution is to increase --reneg-sec on both the
              client and server, or set it to 0 on one side of the connection (to disable), and to your chosen value on the other
              side.

Actions #3

Updated by Kris Phillips 4 days ago

Viktor Gurov wrote in #note-2:

openvpn(8):
[...]

Since the option needs to be on both client and server, we probably should automatically include this in the export tool when it's enabled on the server.
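To make the "lower value wins" rule from the openvpn(8) excerpt in note #2 and the export concern in note #3 concrete, the following is an added Python check (not pfSense or OpenVPN code) that reads the reneg-sec directive from constructed server and client config snippets and reports the effective renegotiation window; it assumes a minimal parser that recognizes only the reneg-sec line.

```python
import re
from typing import Tuple

DEFAULT_MAX = 3600  # openvpn(8): default --reneg-sec max

# Constructed config snippets (not from any real deployment).
SERVER_RAISED_ONLY = "reneg-sec 86400\n"   # common mistake: raised on one side
SERVER_DISABLED = "reneg-sec 0\n"          # what the requested toggle would emit
CLIENT_DEFAULT = "client\nremote vpn.example.invalid 1194\n"  # no reneg-sec line
CLIENT_DISABLED = "client\nreneg-sec 0\n"  # what the export tool would need to add

def parse_reneg_sec(config_text: str, is_server: bool) -> Tuple[int, int]:
    """Return the (min, max) renegotiation window for one side of the tunnel.
    Missing directive -> max 3600; min is 90% of max on servers, equal to max on
    clients (per openvpn(8)). A max of 0 disables renegotiation on that side."""
    max_sec, min_sec = DEFAULT_MAX, None
    for line in config_text.splitlines():
        m = re.match(r"^\s*reneg-sec\s+(\d+)(?:\s+(\d+))?\s*$", line)
        if m:  # last occurrence wins, as with repeated OpenVPN directives
            max_sec = int(m.group(1))
            min_sec = int(m.group(2)) if m.group(2) else None
    if max_sec == 0:
        return (0, 0)
    if min_sec is None:
        min_sec = int(max_sec * 0.9) if is_server else max_sec
    return (min(min_sec, max_sec), max_sec)

def effective_window(server_cfg: str, client_cfg: str) -> Tuple[int, int]:
    """Earliest and latest possible renegotiation time for a session.
    Each side draws its own value from its window; whichever side drew the lower
    value triggers, so a side set to 0 never does. (0, 0) means never."""
    windows = [parse_reneg_sec(server_cfg, True), parse_reneg_sec(client_cfg, False)]
    active = [(lo, hi) for lo, hi in windows if hi > 0]
    if not active:
        return (0, 0)
    return (min(lo for lo, _ in active), min(hi for _, hi in active))

def reauth_within(server_cfg: str, client_cfg: str, session_seconds: int = 8 * 3600) -> bool:
    """True if an OTP user will be forced to re-authenticate during the session."""
    _, latest = effective_window(server_cfg, client_cfg)
    return 0 < latest <= session_seconds

if __name__ == "__main__":
    for label, srv, cli in [("server raised only", SERVER_RAISED_ONLY, CLIENT_DEFAULT),
                            ("server 0, client default", SERVER_DISABLED, CLIENT_DEFAULT),
                            ("server 0, client 0", SERVER_DISABLED, CLIENT_DISABLED)]:
        print(f"{label}: window={effective_window(srv, cli)} "
              f"reauth_in_8h={reauth_within(srv, cli)}")
```

The second case is the one this ticket is about: disabling on the server alone leaves the client's default 3600 in force, so the exported client config must carry reneg-sec 0 too.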
