X-Git-Url: https://iankelling.org/git/?p=vpn-setup;a=blobdiff_plain;f=vpn-server-setup;h=dec98e91385a3cd9619ba218ff8580fa388822b0;hp=c901970ce613346cd54bfdd984b0dce4f0043821;hb=dfbfe58ae8f9e2a80fde7279fc1608ef6e32c6fa;hpb=09079aab55c72708a3b5963557a144b3911b9f11 diff --git a/vpn-server-setup b/vpn-server-setup index c901970..dec98e9 100755 --- a/vpn-server-setup +++ b/vpn-server-setup @@ -79,6 +79,18 @@ cat >>/etc/openvpn/server.conf <<'EOF' cipher aes-256-cbc # just sets up the ability to have client specific configs client-config-dir /etc/openvpn/client-config +# 30 days. default is 3600, 1 hour. we momentarily disconnect +# after this time, and get a new tls key. The idea is that +# if someone is working very hard to break our encryption, +# they have less time to do it, and less time in the past +# for it to be broken. online sources say that there is no +# good objective idea about what a good value is here, since +# we don't expect our encryption to be breakable, but 1 hour +# seems very conservative. Since I want to support hosting +# a server over the tunnel, having the server break up to once +# an hour is very tough. I've seen a vpn service that seems +# very on top of things set this to 5 days. +reneg-sec 2592000 EOF mkdir -p /etc/openvpn/client-config
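Review bot: the premise in the added comment block that a renegotiation means "we momentarily disconnect" does not match OpenVPN's documented behaviour, so the cause of the disconnects should be confirmed before the window is widened from 1 hour to 30 days. Data-channel key renegotiation is designed to be graceful: the old key stays valid during the transition window (`--transition-window`, default 3600 seconds) while the new one is negotiated, so a correctly configured client should not lose the tunnel; a common reason renegotiation does cause a drop is a client using `auth-user-pass` without `auth-nocache`, which has to re-prompt for credentials every `reneg-sec`. The tradeoff the comment is reasoning about should also be stated in the terms that actually matter: with `reneg-sec 2592000` a single data-channel key protects up to 30 days of traffic per session, so compromise of that key exposes up to 30 days rather than one hour. Finally, renegotiation is triggered by whichever peer reaches its own `reneg-sec` first, so this server-side value only takes effect if the client config sets at least the same value; add a sentence to the comment noting that, since the client-side setting is easy to overlook when reading only this file.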