stop using uuid always

[vpn-setup] / vpn-server-setup

diff --git a/vpn-server-setup b/vpn-server-setup
index c901970ce613346cd54bfdd984b0dce4f0043821..dec98e91385a3cd9619ba218ff8580fa388822b0 100755 (executable)
--- a/vpn-server-setup
+++ b/vpn-server-setup
@@ -79,6 +79,18 @@ cat >>/etc/openvpn/server.conf <<'EOF'
 cipher aes-256-cbc
 # just sets up the ability to have client specific configs
 client-config-dir /etc/openvpn/client-config
+# 30 days. default is 3600, 1 hour. we momentarily disconnect
+# after this time, and get a new tls key. The idea is that
+# if someone is working very hard to break our encryption,
+# they have less time to do it, and less time in the past
+# for it to be broken. online sources say that there is no
+# good objective idea about what a good value is here, since
+# we don't expect our encryption to be breakable, but 1 hour
+# seems very conservative. Since I want to support hosting
+# a server over the tunnel, having the server break up to once
+# an hour is very tough. I've seen a vpn service that seems
+# very on top of things set this to 5 days.
+reneg-sec 2592000
 EOF
 mkdir -p /etc/openvpn/client-config