
Author Topic: [HOW-TO] Using TOTP? Forced renegotiation every hour (disconnect)  (Read 5924 times)

MrCCL
[HOW-TO] Using TOTP? Forced renegotiation every hour (disconnect)
« on: August 19, 2016, 12:21:45 pm »
I had some problems with all my VPN clients disconnecting every hour.
It seems the default is to force a renegotiation every 3600 seconds.
This option controls this: reneg-sec N
I assume this is especially a problem when using Time-based One-Time Password (e.g. Google Authenticator), as this renegotiation cannot be done automatically because a new TOTP pin-code needs to be applied.

It seems this option has to be set on both server and client, and it cannot be pushed by the server!

VPN Server:
Add this in the advanced options box:

    reneg-sec 36000;

VPN client:
Add this option to the config file:

    reneg-sec 36000

This will force a renegotiation every 10 hours.
Logged
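
An added example, not part of the original post: a shell check that reads a server and a client OpenVPN config and reports the renegotiation interval the tunnel will actually use. It relies on OpenVPN's documented behaviour that each side runs its own reneg-sec timer (3600 if unset, 0 to disable) and the lower value triggers the renegotiation. The function names, file names and the host vpn.example.net are hypothetical.

```shell
#!/bin/sh
# Added example: effective OpenVPN renegotiation interval for a server/client pair.
# Function and file names are hypothetical; sample configs below are constructed.

DEFAULT_RENEG=3600   # OpenVPN default when reneg-sec is not set

# Print the last active reneg-sec value in a config file, or the default.
# Skips comment lines (# or ;) and strips the trailing ";" used in the
# OPNsense advanced options box.
reneg_of() {
    awk -v def="$DEFAULT_RENEG" '
        /^[ \t]*[#;]/ { next }
        $1 == "reneg-sec" {
            v = $2; sub(/;.*$/, "", v)
            if (v ~ /^[0-9]+$/) val = v
        }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# Print the interval that applies to the tunnel: the lower of the two values,
# where 0 means "this side never initiates a renegotiation".
effective_reneg() {
    s=$(reneg_of "$1"); c=$(reneg_of "$2")
    if [ "$s" -eq 0 ]; then echo "$c"
    elif [ "$c" -eq 0 ]; then echo "$s"
    elif [ "$s" -lt "$c" ]; then echo "$s"
    else echo "$c"; fi
}

# Constructed case: server raised to 10 hours, client export left at default.
demo() {
    d=$(mktemp -d)
    printf 'dev tun\nreneg-sec 36000;\n' > "$d/server.conf"
    printf 'client\n# reneg-sec 36000\nremote vpn.example.net 1194\n' > "$d/client.ovpn"
    echo "server=$(reneg_of "$d/server.conf")" \
         "client=$(reneg_of "$d/client.ovpn")" \
         "effective=$(effective_reneg "$d/server.conf" "$d/client.ovpn")"
    rm -rf "$d"
}
demo
```

In the constructed case the client still re-prompts for a TOTP code every hour, because its commented-out line leaves it on the default.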

fabian
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: [HOW-TO] Using TOTP? Forced renegotiation every hour (disconnect)
« Reply #1 on: August 19, 2016, 01:28:22 pm »
In this case it would make more sense to add this to the standard GUI.

MrCCL
Re: [HOW-TO] Using TOTP? Forced renegotiation every hour (disconnect)
« Reply #2 on: August 19, 2016, 01:43:29 pm »
I do agree. IMO I believe 1 hour would be too short for the vast majority of TOTP users.
So one could argue that most TOTP users need to change this option.

I tried to use the Client Specific Overrides, but when I did a client export the "reneg-sec 36000" was not included in the config file (I expected that to be the case?)... I could have made a mistake, but I did specify the right server ;-)

Not that I would use the Client Specific Overrides anyway (I would just edit the config-file directly)
« Last Edit: August 19, 2016, 01:45:49 pm by MrCCL »

AdSchellevis

  • Administrator
Re: [HOW-TO] Using TOTP? Forced renegotiation every hour (disconnect)
« Reply #3 on: August 19, 2016, 02:55:37 pm »
I've just added reneg-sec to our openvpn-server GUI and added an issue for it:
https://github.com/opnsense/core/issues/1147

To test it on your end, run:

    opnsense-patch 11bd0171ead2275ed5078d2c9c669e6fe8b5591b
    opnsense-patch 459362eff47c38edb13822122bcd6a14202ca94a