pfSense bugtracker (https://redmine.pfsense.org/)
pfSense - Feature #12466: Option to Disable Renegotiation timer in OpenVPN Server

https://redmine.pfsense.org/issues/12466?journal_id=56826
2021-10-18T09:24:03Z, Jim Pingle
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Feature</i></li><li><strong>Subject</strong> changed from <i>Add Option to Disable Renegotiation in OpenVPN Server for User with OTP</i> to <i>Option to Disable Renegotiation timer in OpenVPN Server</i></li><li><strong>Priority</strong> changed from <i>Normal</i> to <i>Very Low</i></li><li><strong>Affected Architecture</strong> deleted (<del><i>All</i></del>)</li></ul>

https://redmine.pfsense.org/issues/12466?journal_id=57491
2021-11-20T23:40:38Z, Viktor Gurov
<ul></ul><p>openvpn(8):<br /><pre>
--reneg-sec args
Renegotiate data channel key after at most max seconds (default 3600) and at least min seconds (default is 90% of max
for servers, and equal to max for clients).
reneg-sec max [min]
The effective --reneg-sec value used is per session pseudo-uniform-randomized between min and max.
With the default value of 3600 this results in an effective per session value in the range of 3240 .. 3600 seconds
for servers, or just 3600 for clients.
When using dual-factor authentication, note that this default value may cause the end user to be challenged to reauthorize once per hour.
Also, keep in mind that this option can be used on both the client and server, and whichever uses the lower value
will be the one to trigger the renegotiation. A common mistake is to set --reneg-sec to a higher value on either the
client or server, while the other side of the connection is still using the default value of 3600 seconds, meaning
that the renegotiation will still occur once per 3600 seconds. The solution is to increase --reneg-sec on both the
client and server, or set it to 0 on one side of the connection (to disable), and to your chosen value on the other
side.
</pre></p>

https://redmine.pfsense.org/issues/12466?journal_id=57543
2021-11-27T17:28:32Z, Kris Phillips
<p>Viktor Gurov wrote in <a href="#note-2">#note-2</a>:</p>
<blockquote>
<p>openvpn(8):<br />[...]</p>
</blockquote>
<p>Since the option needs to be on both client and server, we probably should automatically include this in the export tool when it's enabled on the server.</p>

https://redmine.pfsense.org/issues/12466?journal_id=57781
2021-12-11T17:13:39Z, Kris Phillips
<p>Kris Phillips wrote in <a href="#note-3">#note-3</a>:</p>
<blockquote>
<p>Viktor Gurov wrote in <a href="#note-2">#note-2</a>:</p>
<blockquote>
<p>openvpn(8):<br />[...]</p>
</blockquote>
<p>Since the option needs to be on both client and server, we probably should automatically include this in the export tool when it's enabled on the server.</p>
</blockquote>
<p>This is correct. We probably should add the option to the OpenVPN server itself and then have the setting automatically be added to the export tool.</p>
<p>We could have a field for "Renegotiation interval" and then have a note in the description below it and in the docs that states setting it to 0 disables this feature or have a checkbox to turn it off. Either way this should still automatically populate in the export tool.</p>

https://redmine.pfsense.org/issues/12466?journal_id=61848
2022-06-19T17:52:49Z, Marcos M
<p>It's better to implement <code>--auth-gen-token [lifetime]</code></p>
<blockquote>
<p>--auth-gen-token [lifetime]<br />After successful user/password authentication, the OpenVPN server will with this option generate a temporary authentication token and push that to client. On the following renegotiations, the OpenVPN client will pass this token instead of the users password. On the server side the server will do the token authentication internally and it will NOT do any additional authentications against configured external user/password authentication mechanisms. The lifetime argument defines how long the generated token is valid. The lifetime is defined in seconds. If lifetime is not set or it is set to 0, the token will never expire.<br />This feature is useful for environments which is configured to use One Time Passwords (OTP) as part of the user/password authentications and that authentication mechanism does not implement any auth-token support.</p>
</blockquote>
<p><a class="external" href="https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/">https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/</a></p>

https://redmine.pfsense.org/issues/12466?journal_id=61856
2022-06-20T07:46:50Z, Jim Pingle
<p>Both <code>auth-gen-token</code> and <code>reneg-sec</code> are useful in different ways, we should expose and (optionally) use both. Though they aren't so alike they should be in the same feature request, we should make a separate feature request just for <code>auth-gen-token</code>.</p>

https://redmine.pfsense.org/issues/12466?journal_id=61869
2022-06-21T14:37:33Z, Marcos M
<p>I created <a class="external" href="https://redmine.pfsense.org/issues/13293">https://redmine.pfsense.org/issues/13293</a> for that. Given that <code>auth-gen-token</code> handles the issue with frequent reauth when using MFA, what benefit would changing <code>reneg-sec</code> have?</p>

https://redmine.pfsense.org/issues/12466?journal_id=61870
2022-06-21T14:39:37Z, Marcos M
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-1 priority-4 priority-default" href="/issues/13293">Feature #13293</a>: Option to set auth-gen-token in OpenVPN GUI</i> added</li></ul>

https://redmine.pfsense.org/issues/12466?journal_id=61883
2022-06-24T07:16:55Z, Jim Pingle
<p>Marcos Mendoza wrote in <a href="#note-7">#note-7</a>:</p>
<blockquote>
<p>I created <a class="external" href="https://redmine.pfsense.org/issues/13293">https://redmine.pfsense.org/issues/13293</a> for that. Given that <code>auth-gen-token</code> handles the issue with frequent reauth when using MFA, what benefit would changing <code>reneg-sec</code> have?</p>
</blockquote>
<p><code>reneg-sec</code> is about periodically renegotiating the data channel key, which is beneficial for security, and isn't necessarily tied to authentication. <code>auth-gen-token</code> is purely about authentication. Someone may want to refresh the key more/less often but use certs only so they don't care about the auth token/MFA bits as much as how often the data channel key gets updated.</p>

https://redmine.pfsense.org/issues/12466?journal_id=61902
2022-06-25T17:03:00Z, Kris Phillips
<p>Jim Pingle wrote in <a href="#note-9">#note-9</a>:</p>
<blockquote>
<p>Marcos Mendoza wrote in <a href="#note-7">#note-7</a>:</p>
<blockquote>
<p>I created <a class="external" href="https://redmine.pfsense.org/issues/13293">https://redmine.pfsense.org/issues/13293</a> for that. Given that <code>auth-gen-token</code> handles the issue with frequent reauth when using MFA, what benefit would changing <code>reneg-sec</code> have?</p>
</blockquote>
<p><code>reneg-sec</code> is about periodically renegotiating the data channel key, which is beneficial for security, and isn't necessarily tied to authentication. <code>auth-gen-token</code> is purely about authentication. Someone may want to refresh the key more/less often but use certs only so they don't care about the auth token/MFA bits as much as how often the data channel key gets updated.</p>
</blockquote>
<p>Hello Jim,</p>
<p>The problem is that renegotiating the data channel key, in the default operation in pfSense, will resend username and password credentials. The auth-gen-token config flag substitutes password for a generated token that is negotiated at first auth and is used for renegotiating with the username, rather than with a password.</p>
<p>Having both of these options exposed would be prudent, I think, in the webConfigurator.</p>

https://redmine.pfsense.org/issues/12466?journal_id=61921
2022-06-27T07:22:07Z, Jim Pingle
<p>Kris Phillips wrote in <a href="#note-10">#note-10</a>:</p>
<blockquote>
<p>The problem is that renegotiating the data channel key, in the default operation in pfSense, will resend username and password credentials. The auth-gen-token config flag substitutes password for a generated token that is negotiated at first auth and is used for renegotiating with the username, rather than with a password.</p>
<p>Having both of these options exposed would be prudent, I think, in the webConfigurator.</p>
</blockquote>
<p>That's what I already said above. See notes 6 and 9.</p> pfSense - Feature #12466: Option to Disable Renegotiation timer in OpenVPN Serverhttps://redmine.pfsense.org/issues/12466?journal_id=704302023-10-26T21:40:35ZKris Phillips
<p>Created additional redmine for auth-gen-token to be added here: <a class="external" href="https://redmine.pfsense.org/issues/14924">https://redmine.pfsense.org/issues/14924</a></p>
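<p>The <code>reneg-sec</code> semantics quoted from openvpn(8) in note 2 (each side has its own timer, the lower one fires first, 0 disables one side, the server's value is randomised between min and max) and the <code>auth-gen-token</code> behaviour discussed in notes 5 to 10 can be checked mechanically before a client export is handed out. The following is an added example written for this page; it is not pfSense or OpenVPN project code. It parses a server and a client config, works out the window in which the first renegotiation will fire, and flags the man page's "common mistake" (one side raised or disabled, the other silently on the 3600 s default) and the case where user/password auth is re-run at every renegotiation with no <code>auth-gen-token</code> to absorb it. The sample configs, the placeholder certificate, the hostname <code>vpn.example.net</code> and the <code>ovpn_auth_verify</code> script path are constructed, and detecting user/password auth by option name is a heuristic.</p>

```python
"""Audit how an OpenVPN server/client pair renegotiates (added example, not
pfSense or OpenVPN code). Models openvpn(8): each side has its own reneg-sec
timer, the lower one fires first, 0 disables that side, and a server's value
is randomised between min (default 90% of max) and max. Also reports whether
user/password (MFA) auth re-runs at every renegotiation. Configs are constructed."""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_RENEG_SEC = 3600  # openvpn(8) default for reneg-sec
# Heuristic: server options implying a user/password check on every (re)auth.
USERPASS_AUTH_OPTIONS = ("auth-user-pass-verify", "plugin", "management-client-auth")

def parse_options(text: str) -> Dict[str, List[str]]:
    """Option -> args; drops comments, skips <ca>..</ca> style inline blocks."""
    opts: Dict[str, List[str]] = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        tag = re.fullmatch(r"<([a-z-]+)>", line)
        if tag:
            in_block = tag.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(re.split(r"\s+[#;]", line, maxsplit=1)[0])
        opts[parts[0].lstrip("-")] = parts[1:]  # repeated option: last one wins
    return opts

@dataclass(frozen=True)
class RenegTimer:
    lo: int         # earliest this side may trigger (seconds)
    hi: int         # latest this side may trigger
    enabled: bool   # False when reneg-sec is 0
    explicit: bool  # set in the config rather than defaulted

def reneg_timer(opts: Dict[str, List[str]], role: str) -> RenegTimer:
    args = opts.get("reneg-sec")
    max_sec = int(args[0]) if args else DEFAULT_RENEG_SEC
    if max_sec == 0:
        return RenegTimer(0, 0, False, args is not None)
    if args and len(args) > 1:
        min_sec = int(args[1])
    else:  # man page default: 90% of max on servers, equal to max on clients
        min_sec = max_sec * 9 // 10 if role == "server" else max_sec
    return RenegTimer(min_sec, max_sec, True, args is not None)

def first_renegotiation(server: RenegTimer, client: RenegTimer) -> Optional[Tuple[int, int]]:
    """Window in which the first renegotiation fires; None if neither side ever does."""
    active = [t for t in (server, client) if t.enabled]
    if not active:
        return None
    return (min(t.lo for t in active), min(t.hi for t in active))

@dataclass
class Audit:
    window: Optional[Tuple[int, int]]
    userpass_auth: bool
    token_lifetime: Optional[int]  # None: no auth-gen-token; 0: never expires
    findings: List[str]

def audit(server_conf: str, client_conf: str) -> Audit:
    s_opts, c_opts = parse_options(server_conf), parse_options(client_conf)
    s, c = reneg_timer(s_opts, "server"), reneg_timer(c_opts, "client")
    window = first_renegotiation(s, c)
    userpass = any(o in s_opts for o in USERPASS_AUTH_OPTIONS)
    token = s_opts.get("auth-gen-token")
    lifetime = None if token is None else (int(token[0]) if token else 0)
    findings: List[str] = []
    # The "common mistake" in openvpn(8): raising or disabling the timer on one
    # side while the other side silently keeps the 3600 s default.
    for side, mine, other in (("server", s, c), ("client", c, s)):
        if mine.explicit and not other.explicit and (not mine.enabled or mine.lo > DEFAULT_RENEG_SEC):
            findings.append(f"{side} changed reneg-sec but the other side still defaults to "
                            f"{DEFAULT_RENEG_SEC}s, so renegotiation still fires in {window}")
    if window and userpass and lifetime is None:
        findings.append("user/password auth re-runs at every renegotiation (MFA users are "
                        "re-prompted); add auth-gen-token or disable the timer on both sides")
    return Audit(window, userpass, lifetime, findings)

# Constructed samples: placeholder certificate, hostname and script path.
SERVER_DEFAULT = """\
auth-user-pass-verify /usr/local/sbin/ovpn_auth_verify via-env  # user + OTP
<ca>
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
</ca>
"""
CLIENT_DISABLED = "client\nremote vpn.example.net 1194\nauth-user-pass\nreneg-sec 0\n"
SERVER_FIXED = SERVER_DEFAULT + "reneg-sec 0\nauth-gen-token 43200\n"
CLIENT_FIXED = "client\nremote vpn.example.net 1194\nauth-user-pass\nreneg-sec 28800\n"
```

<p><code>audit(SERVER_DEFAULT, CLIENT_DISABLED)</code> is the client-only fix the man page warns about: the server still renegotiates somewhere in 3240..3600 s and, with only <code>auth-user-pass-verify</code> on the server, every renegotiation re-runs the OTP check. <code>audit(SERVER_FIXED, CLIENT_FIXED)</code> disables the timer on the server, sets the chosen interval on the client, and issues a 12 h token, so it returns no findings; the token lifetime is reported separately because, as the thread notes, the key-refresh interval and the re-authentication policy are distinct decisions.</p>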