would probably be a good idea to enable that.

> As I understand it client and server have 60 min. by default. Whatever is
> configured, the smaller value wins. That means, bad clients can set their
> reneg-sec to very low values and trash the server on the other end. From
> the server side this looks more or less like a DDOS.
>
> In our environment we have set reneg-sec=0 on all clients because we want
> the server to have control over it. That's fine because we have only
> trusted clients. Making it pushable could be a solution to overwrite bad
> settings in clients. A more radical solution was to just remove the option
> on the client side.

At its heart OpenVPN is still p2p instead of client or server (actually
client is p2p mode). So removing a client setting removes it also for p2p.

I would also say have a 5% random component by default (makes 3 minutes
for the 1h default) but let the user specify it as an explicit range when
the second (optional) parameter is present. Either reneg-sec 3600 3500 for
3500s-3600s (absolute) or reneg-sec 3600 100 for 3500s-3600s (relative).
I think percent-based user inputs always create confusion.

Arne
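As an added example, not from this thread or from the OpenVPN project, here is a small server-side check for the situation the quoted message describes: it computes the negotiated interval (smaller non-zero value wins, 0 meaning that side does not trigger renegotiation) and flags clients whose soft resets arrive far faster than the server's own reneg-sec. The log lines and their format are constructed, loosely modelled on OpenVPN's "TLS: soft reset" message, so the regex is an assumption that must be adjusted to real output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample server log. The line format is an assumption, loosely
# modelled on OpenVPN's "TLS: soft reset" message; check real logs before use.
SAMPLE_LOG = """\
2024-01-01 10:00:00 alice/203.0.113.5:51820 TLS: soft reset sec=0/3600
2024-01-01 11:00:02 alice/203.0.113.5:51820 TLS: soft reset sec=0/3600
2024-01-01 10:00:00 mallory/198.51.100.9:40001 TLS: soft reset sec=0/10
2024-01-01 10:00:10 mallory/198.51.100.9:40001 TLS: soft reset sec=0/10
2024-01-01 10:00:20 mallory/198.51.100.9:40001 TLS: soft reset sec=0/10
2024-01-01 10:00:31 mallory/198.51.100.9:40001 TLS: soft reset sec=0/10
"""

# timestamp, then "<client-name>/<addr:port>", then the reset marker (assumed)
LINE_RE = re.compile(r"^(\S+ \S+) ([^/\s]+)/\S+ TLS: soft reset")


def effective_reneg_sec(server_sec, client_sec):
    """Negotiated interval as the thread describes it: the smaller of the two
    sides wins, and 0 means that side does not trigger renegotiation at all."""
    active = [v for v in (server_sec, client_sec) if v > 0]
    return min(active) if active else 0


def min_reset_gaps(log_text):
    """Per client, the shortest gap (seconds) between consecutive soft resets."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            times[m.group(2)].append(ts)
    gaps = {}
    for client, stamps in times.items():
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if deltas:
            gaps[client] = min(deltas)
    return gaps


def flag_fast_renegotiators(log_text, server_reneg_sec=3600, fraction=0.5):
    """Clients renegotiating faster than `fraction` of the server's reneg-sec
    are the 'bad clients' the thread worries about; return their names sorted."""
    limit = server_reneg_sec * fraction
    return sorted(c for c, g in min_reset_gaps(log_text).items() if g < limit)
```

With the sample above, alice's shortest gap is 3602 s and mallory's is 10 s, so only mallory is flagged against a 3600 s server setting.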