# more resilient when running as nonroot
persist-key
+
+# see comments in server side configuration.
+# the minimum of the 2 is used.
+reneg-sec 2592000
EOF
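Review bot: the client-side comment `+# the minimum of the 2 is used.` is correct but under-specified: each peer runs its own reneg-sec timer and whichever expires first triggers the renegotiation, so this client value only takes effect if it is not higher than the server's. Since both sides are being set to 2592000 in this change, say so in the comment (e.g. `# must match the server's reneg-sec 2592000; the lower of the two peers' values wins`) so that a later edit to one side does not silently shorten the interval for both.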
cipher aes-256-cbc
# just sets up the ability to have client specific configs
client-config-dir /etc/openvpn/client-config
+# 30 days. default is 3600, 1 hour. we momentarily disconnect
+# after this time, and get a new tls key. The idea is that
+# if someone is working very hard to break our encryption,
+# they have less time to do it, and less time in the past
+# for it to be broken. online sources say that there is no
+# good objective idea about what a good value is here, since
+# we don't expect our encryption to be breakable, but 1 hour
+# seems very conservative. Since I want to support hosting
+# a server over the tunnel, having the server break up to once
+# an hour is very tough. I've seen a vpn service that seems
+# very on top of things set this to 5 days.
+reneg-sec 2592000
EOF
mkdir -p /etc/openvpn/client-config
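Review bot: the rationale in the comment block above `+reneg-sec 2592000` is wrong on two points and should be corrected before it ships as documentation. First, a renegotiation is not a disconnect: OpenVPN negotiates the new data-channel key in a fresh key state while the old key keeps carrying traffic, with the overlap bounded by --tran-window (default 3600s), so the "server break up to once an hour" concern that motivates the 30-day value does not hold for a working tunnel. Second, reneg-sec is a key-lifetime bound: it limits how much traffic one data-channel key protects and how far back an attacker who later recovers one session key can read, it is not about giving an attacker "less time to break" the cipher. Suggest trimming the comment to the actual tradeoff (longer interval = more traffic under one key and a longer window exposed by a single key compromise; the lower of the two peers' values wins) and replacing `+# online sources say that there is no` / `+# good objective idea about what a good value is here` with either a concrete reference or nothing. If the 30 days stays, state explicitly that it matches the client-side value so the minimum rule does not surprise anyone.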