When I use an OpenVPN connection with OTP, I'm disconnected after 1 hour (3600 seconds) because of a key renegotiation.
I think it comes from the reneg-sec parameter, whose default value is 3600 on the server.
Is it possible to modify this parameter or, better, add a possibility to change it in the OpenVPN config section?
In the Web User Interface, if you go to Advanced Server Options you will find a checkbox Additional Configuration. If you check it and save, two files will be populated in /var/ipfire/ovpn/scripts for customization of the default OpenVPN IPFire installation. There, you can do whatever you want with the server, like any standard OpenVPN Linux installation, including modifying any parameter like reneg-sec.
Here are the details.
I checked the Additional Configuration checkbox and I placed the reneg-sec 0 line in each of the files (server.conf.local) located in /var/ipfire/ovpn/scripts. I restarted the OpenVPN server and replaced the configuration files on the client side. It seems to be working.
Is it necessary to place the reneg-sec 0 line in both files?
Thanks for your help.
I originally searched on this topic but was not able to find a solution, unlike the excellent one from @cfusco.
What I did find when I was searching is that OpenVPN will use the lowest number if the entries in the client and the server are different.
Although 0 is technically smaller, I believe that it is taken by the code as being larger than any other number entered. So if you had the server still at 3600 and the client at 0, OpenVPN would use 3600, so you need to change it in both.
Just wanted to add a generic piece of info, unrelated to your specific problem. Besides the config file that will be applied to all the clients, clients.conf.local, you can also have client-specific directives by creating configuration files inside /var/ipfire/ovpn/ccd referring to individual clients. The file has to be named with the CN (Common Name) present in the client's certificate. You can find the CN with this command:
# client.p12 is a PKCS#12 bundle; openssl x509 only reads PEM, so unpack the certificate first
openssl pkcs12 -in client.p12 -nokeys -clcerts | openssl x509 -subject -noout
Any directive you include in this named client file will be applied only to that client. This is how you can create routing, assign DNS servers, proxy servers, or firewall-specific rules for different clients, as described here and here.