Hi,

On Wed, Apr 05, 2017 at 07:00:54PM +0100, debbie10t wrote:
> > Optional option does not mean that it is disabled by default. If you
> > don't want the randomness you would need to do:
> >
> > reneg-sec 3600 3600
> >
> > the optional argument also allows it to fine tune it to your needs.
>
> As the reason for --reneg-sec is to specify how long a key should exist,
> I don't see any further need to make the "random window" be specifically
> configurable .. The reneg-sec period will remain as specified (def 3600)
> except for the first run, where --reneg-sec is started from a random
> time between now and then. Thereafter returning to "normal" with full
> randomisation of all connected clients, --reneg-sec being spread over the
> *entire* period of --reneg-sec nn and not some unnecessary window.
Setups with 2FA will have to re-enter auth credentials on reneg. Having
OpenVPN all of a sudden default to "it could be asking 5 minutes after
connection for the credentials again" is a massive annoyance - and brings
no real benefit anyway.

It makes sense to jitter reneg-sec somewhat (like, 10%-ish), but changing
behaviour too much is not bringing much benefit - you don't need to spread
the reneg over the whole period anyway, as different clients connect and
disconnect at different times anyway. Just if all of them connect at the
same time, the identically-timed renegs are a problem.

I like Arne's and David's suggestion - the existing option "as is" will
enable X% jitter, while a second parameter can specify a more specific
range. Following Arne's argument about users and percent math, it might
indeed be better to have "min max" here ("3500 3600"), because that is
really easy to understand and explain.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
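An added example, not OpenVPN code and not written by anyone in this thread: a small C model of the two option forms discussed above ("reneg-sec N" with an implicit jitter below N, and "reneg-sec MIN MAX" with an explicit range), plus a simulation of clients that all connected in the same second, to show why a fixed reneg time produces identically-timed renegotiations and why even a narrow window such as 3500..3600 breaks them up. The 10% figure, the function names, the LCG and the "3600 3600 disables randomness" reading are assumptions taken from the thread for illustration; OpenVPN's actual implementation and option semantics may differ.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Jitter assumed for the single-argument form: the "10%-ish" figure from
 * the thread, not a value OpenVPN defines. */
#define RENEG_DEFAULT_JITTER_PERCENT 10ULL

struct reneg_window {
    unsigned min_sec;   /* earliest renegotiation after key creation */
    unsigned max_sec;   /* latest renegotiation after key creation  */
};

/* "reneg-sec N" (proposal: implicit jitter). N stays the upper bound; the
 * reneg may fire up to 10% early so that a batch of clients that connected
 * together does not renegotiate in the same second. 0 on success, -1 on error. */
int reneg_window_single(unsigned reneg_sec, struct reneg_window *w)
{
    if (w == NULL || reneg_sec == 0)
        return -1;
    w->max_sec = reneg_sec;
    w->min_sec = reneg_sec -
        (unsigned)((unsigned long long)reneg_sec * RENEG_DEFAULT_JITTER_PERCENT / 100);
    return 0;
}

/* "reneg-sec MIN MAX" (proposal: explicit range; "3600 3600" means no
 * randomness at all). Rejects MIN > MAX and a zero minimum, which would
 * allow an immediate renegotiation. */
int reneg_window_range(unsigned min_sec, unsigned max_sec, struct reneg_window *w)
{
    if (w == NULL || min_sec == 0 || min_sec > max_sec)
        return -1;
    w->min_sec = min_sec;
    w->max_sec = max_sec;
    return 0;
}

/* Map a uniform draw u in [0,1) onto the window. The caller supplies u so
 * the function is deterministic; a daemon would feed it from its PRNG. */
unsigned reneg_pick(const struct reneg_window *w, double u)
{
    unsigned long long span = (unsigned long long)w->max_sec - w->min_sec + 1;
    unsigned long long off = (unsigned long long)(u * (double)span);
    if (off >= span)            /* guard against u rounding up to 1.0 */
        off = span - 1;
    return w->min_sec + (unsigned)off;
}

/* Tiny deterministic LCG (glibc constants) so the simulation below is
 * reproducible; it stands in for the daemon's random source only. */
static double lcg_uniform(uint32_t *state)
{
    *state = *state * 1103515245u + 12345u;
    return ((*state >> 8) & 0xffffffu) / 16777216.0;
}

/* Simulate `clients` sessions that all connected in the same second and
 * return the largest number of them whose renegotiation lands in one
 * second. A fixed window (min == max) returns `clients`: every session
 * renegotiates at once. Returns 0 if the window is too large to histogram. */
unsigned max_same_second(const struct reneg_window *w, unsigned clients, uint32_t seed)
{
    unsigned long long span = (unsigned long long)w->max_sec - w->min_sec + 1;
    if (span > (1ULL << 20))
        return 0;
    unsigned *hist = calloc((size_t)span, sizeof *hist);
    if (hist == NULL)
        return 0;
    uint32_t state = seed;
    unsigned worst = 0;
    for (unsigned i = 0; i < clients; i++) {
        unsigned slot = reneg_pick(w, lcg_uniform(&state)) - w->min_sec;
        if (++hist[slot] > worst)
            worst = hist[slot];
    }
    free(hist);
    return worst;
}

int main(void)
{
    struct reneg_window w;
    reneg_window_single(3600, &w);
    printf("reneg-sec 3600      -> window %u..%u, worst collision among 50 clients: %u\n",
           w.min_sec, w.max_sec, max_same_second(&w, 50, 1));
    reneg_window_range(3500, 3600, &w);
    printf("reneg-sec 3500 3600 -> window %u..%u, worst collision among 50 clients: %u\n",
           w.min_sec, w.max_sec, max_same_second(&w, 50, 1));
    reneg_window_range(3600, 3600, &w);
    printf("reneg-sec 3600 3600 -> window %u..%u, worst collision among 50 clients: %u\n",
           w.min_sec, w.max_sec, max_same_second(&w, 50, 1));
    return 0;
}
```

The third line of output is the case debbie10t mentions (a range with MIN == MAX), which collapses back to a single second for every client; the first two show that both the implicit-jitter and the explicit "min max" forms spread a simultaneous batch out, and that the window stays close enough to the configured value that a 2FA user is not re-prompted much earlier than they configured.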
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel