From 45b747be876918d04c2013b9ba519a2770b61cd0 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Tue, 21 Feb 2017 00:48:41 -0800
Subject: [PATCH] mostly avoid momentary disconnections
---
 vpn-mk-client-cert | 4 ++++
 vpn-server-setup | 12 ++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index 4e41bac..bd946dd 100755
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
@@ -105,4 +105,8 @@ remote-cert-tls server
 # more resilient when running as nonroot
 persist-key
+
+# see comments in server side configuration.
+# the minimum of the 2 is used.
+reneg-sec 2592000
 EOF
diff --git a/vpn-server-setup b/vpn-server-setup
index c901970..dec98e9 100755
--- a/vpn-server-setup
+++ b/vpn-server-setup
@@ -79,6 +79,18 @@ cat >>/etc/openvpn/server.conf <<'EOF'
 cipher aes-256-cbc
 # just sets up the ability to have client specific configs
 client-config-dir /etc/openvpn/client-config
+# 30 days. default is 3600, 1 hour. we momentarily disconnect
+# after this time, and get a new tls key. The idea is that
+# if someone is working very hard to break our encryption,
+# they have less time to do it, and less time in the past
+# for it to be broken. online sources say that there is no
+# good objective idea about what a good value is here, since
+# we don't expect our encryption to be breakable, but 1 hour
+# seems very conservative. Since I want to support hosting
+# a server over the tunnel, having the server break up to once
+# an hour is very tough. I've seen a vpn service that seems
+# very on top of things set this to 5 days.
+reneg-sec 2592000
 EOF
 mkdir -p /etc/openvpn/client-config
--
2.30.2
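Review bot: `reneg-sec 2592000` in the client config here, and the same value written into server.conf in the vpn-server-setup hunk, raises the data-channel key lifetime from one hour to 30 days, so a leaked or compromised session key now exposes up to 30 days of tunnel traffic instead of one hour; the renegotiation interval is the forward-secrecy boundary, not a limit on attacker effort. A clean OpenVPN renegotiation keeps the old key usable for the transition window while the new TLS session is set up, so the hourly drop this change works around is probably caused by something else (for example a credential re-prompt without `auth-nocache`, or a renegotiation that fails and shows up in the log), which I would confirm before committing to a 720x increase. If a longer interval is still wanted, a few hours, optionally paired with a byte-based cap via `reneg-bytes`, keeps most of the operational benefit with far less exposure per key. The heredoc that emits this client config opens before the hunk.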
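Review bot: The new comment block above `reneg-sec 2592000` in server.conf explains the option as limiting how long an attacker has to break the encryption, which is not what it controls; it sets how long a single data-channel key stays in use, so it bounds how much traffic one compromised key can decrypt (the client config in the vpn-mk-client-cert hunk only points back to this comment, so the misstatement propagates there). The anecdote about another VPN provider and the discussion of online sources will not help a later maintainer judge whether 30 days is still acceptable. I would replace the twelve comment lines with a short note stating the default, the chosen value and the trade-off, e.g. `# Data-channel key lifetime, 30 days (OpenVPN default 3600s). Fewer renegotiations,` / `# but one leaked session key exposes up to this much traffic. Client uses the same value.` The heredoc this is appended to opens before the hunk.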