OPNsense Forum

English Forums => General Discussion => Topic started by: MrCCL on August 19, 2016, 12:21:45 pm

Title: [HOW-TO] Using TOTP? Forced renegotiation every hour (disconnect)
Post by: MrCCL on August 19, 2016, 12:21:45 pm
I had some problems with all my VPN clients disconnecting every one hour.
It seems the default is to force a renegotiation every 3600 seconds.
This option controls this: reneg-sec N
I assume this is especially a problem when using Time-based One-Time Password (e.g. Google Authenticator) as this renegotiation cannot be done automatically, since a new TOTP pin-code needs to be applied.

It seems this option has to be set on both server and client, and it cannot be pushed by the server!

VPN Server:
Add this in the advance option box:
Code:
reneg-sec 36000;
VPN client:
Add this option to the config file:
Code:
reneg-sec 36000
This will force a renegotiation every 10 hours.
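The post above sets reneg-sec on both ends, and that is the important part: OpenVPN renegotiates the data channel whenever either side's timer expires, so the effective interval is the smaller of the two configured values (the built-in default is 3600, and 0 disables the timer on that side only). The checker below is an added example, not code from the original post or from OPNsense; it parses the value out of both a client config file and the semicolon-separated server advanced-options box, computes the effective interval, and reports whether it is long enough for a TOTP user's session. The configs it runs on are constructed sample input.

```python
"""Check the effective OpenVPN renegotiation interval for a server/client pair.

Assumptions (standard OpenVPN behaviour, stated here because this is an
added example): the data channel is renegotiated when *either* side's
reneg-sec timer fires, the default is 3600 seconds, and reneg-sec 0
disables the timer on that side only.
"""
import re
from typing import List, Optional

DEFAULT_RENEG_SEC = 3600  # OpenVPN's built-in default

# The OPNsense server GUI "advanced" box separates options with ';', while
# a client .ovpn file has one option per line and treats a leading ';' or
# '#' as a comment marker.
_RENEG_RE = re.compile(r"^reneg-sec\s+(\d+)$")


def parse_reneg_sec(config_text: str) -> Optional[int]:
    """Return the last reneg-sec value in the config, or None if absent."""
    value = None
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue  # whole-line comment in a client config
        # Split the server-style 'opt1; opt2;' form into individual options.
        for option in line.split(";"):
            m = _RENEG_RE.match(option.strip())
            if m:
                value = int(m.group(1))  # last occurrence wins, as in OpenVPN
    return value


def effective_interval(server_cfg: str, client_cfg: str) -> Optional[int]:
    """Seconds until the first forced renegotiation, or None if both sides
    have it disabled (reneg-sec 0)."""
    server = parse_reneg_sec(server_cfg)
    client = parse_reneg_sec(client_cfg)
    server = DEFAULT_RENEG_SEC if server is None else server
    client = DEFAULT_RENEG_SEC if client is None else client
    active = [v for v in (server, client) if v > 0]
    return min(active) if active else None


def check_pair(server_cfg: str, client_cfg: str,
               wanted_session_sec: int = 10 * 3600) -> List[str]:
    """Return human-readable findings for a server/client config pair."""
    findings = []
    for name, cfg in (("server", server_cfg), ("client", client_cfg)):
        if parse_reneg_sec(cfg) is None:
            findings.append(
                f"{name}: reneg-sec not set, defaulting to {DEFAULT_RENEG_SEC}s"
            )
    eff = effective_interval(server_cfg, client_cfg)
    if eff is not None and eff < wanted_session_sec:
        findings.append(
            f"effective renegotiation interval is {eff}s, shorter than the "
            f"wanted {wanted_session_sec}s; TOTP users will be prompted again"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample: server fixed as in the post, client left untouched.
    SERVER_ADVANCED_BOX = "reneg-sec 36000;"
    CLIENT_OVPN = "client\nremote vpn.example.invalid 1194\n;reneg-sec 36000\n"
    for finding in check_pair(SERVER_ADVANCED_BOX, CLIENT_OVPN):
        print("WARNING:", finding)
```

Running it with the sample shows the failure the post describes: the server side is at 36000 but the client config still has its reneg-sec commented out, so the session is renegotiated after 3600 seconds anyway.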
Title: Re: [HOW-TO] Using TOTP? Forced renegotiation every hour (disconnect)
Post by: fabian on August 19, 2016, 01:28:22 pm
In this case it would make more sense to add this to the standard GUI.
Title: Re: [HOW-TO] Using TOTP? Forced renegotiation every hour (disconnect)
Post by: MrCCL on August 19, 2016, 01:43:29 pm
I do agree. IMO I believe 1 hour would be too short for the vast majority of TOTP users.
So one could argue that most TOTP users need to change this option.

I tried to use the Client Specific Overrides, but when I did a client export the "reneg-sec 36000" was not included in the config file (I expected that to be the case?). I could have made a mistake, but I did specify the right server ;-)

Not that I would use the Client Specific Overrides anyway (I would just edit the config-file directly)
Title: Re: [HOW-TO] Using TOTP? Forced renegotiation every hour (disconnect)
Post by: AdSchellevis on August 19, 2016, 02:55:37 pm
I've just added reneg-sec to our openvpn-server GUI and added an issue for it:
https://github.com/opnsense/core/issues/1147

To test it on your end, run:

Code:
opnsense-patch 11bd0171ead2275ed5078d2c9c669e6fe8b5591b
opnsense-patch 459362eff47c38edb13822122bcd6a14202ca94a