OpenVPN have reneg-sec on 3600?

Hi all,

When I use an OpenVPN connexion with OTP, I’m disconected after 1 hour (3600 seconds) because of a keys renegociation.
I think it comes from reneg-sec parameter that default value is 3600 on the server.
Is it possible to modify this parameter or better, add a possibility to change it on the OpenVPN config section ?


In the Web User Interface, if you go to Advanced Server Options you will find a checkbox Additional Configuration. If you check it and save, two files will be populated in /var/ipfire/ovpn/scripts for customization of the default OpenVPN IPFire installation. There, you can do whatever you want with the server, like any standard OpenVPN linux installation, including modifying any parameter like reneg-sec.

Here the details.


I checked the Additional Configuration checkbox and I placed the regen-sec 0 line in each of the files (client.conf.local and server.conf.local) located in /var/ipfire/ovpn/scripts. I restarted the OpenVPN server and replaced the configuration files on the client side. It seems to be working.
Is it necessary to place the regen-sec line 0 in both files?
Thanks for your help.

I originally searched on this topic but was not able to find a solution, unlike the excellent one from @cfusco .

What I did find when I was searching is that OpenVPN will use the lowest number if the entries in the client and the server are different.

Although 0 is technically smaller I believe that it is taken by the code as being larger than any other number entered. So if you had the server still with 3600 and the client with 0 OpenVPN would use 3600, so you need to change it in both.

1 Like

Just wanted to add a generic piece of info, unrelated to your specific problem. Besides the config file that will be applied to all the clients clients.conf.local, you can also have client-specific directives by creating configuration files inside /var/ipfire/ovpn/ccd referring to individual clients. The file has to be named with the CN (Common Name) present in the client’s certificate. You can find the CN with this command:

openssl x509 -subject -noout -in client.p12

Any directive you include in this named client file, will be applied only on that client. This is how you can create routing, assigning DNS servers, proxy servers, or firewall specific rules for different clients, as described here and here.