> Hi,
>
> On Wed, Apr 05, 2017 at 07:00:54PM +0100, debbie10t wrote:
>> > Optional option does not mean that it is disabled by default. If you
>> > don't want the randomness you would need to do:
>> >
>> > reneg-sec 3600 3600
>> >
>> > the optional argument also allows it to fine tune it to your needs.
>>
>> As the reason for --reneg-sec is to specify how long a key should exist,
>> I don't see any further need to make the "random window" be specifically
>> configurable .. The reneg-sec period will remain as specified (def 3600)
>> except for the first run, where --reneg-sec is started from a random
>> time between now and then.  Thereafter returning to "normal" with full
>> randomisation of all connected clients --reneg-sec being spread over the
>> *entire* period of --reneg-sec nn and not some unnecessary window.
>
> Setups with 2FA will have to re-enter auth credentials on reneg.  Having
> OpenVPN all of a sudden default to "it could be asking 5 minutes after
> connection for the credentials again" is massive annoyance - and brings
> no real benefit anyway.
>
> It makes sense to jitter reneg-sec somewhat (like, 10%-ish), but changing
> behaviour too much is not bringing much benefit - you don't need to
> spread the reneg over the whole period anyway, as different clients
> connect and disconnect at different times anyway.  Just if all of them
> connect at the same time, the identically-timed renegs are a problem.

That's exactly what happens in the event of an OpenVPN restart on the
central server. Our router clients may all restart for updates at the same
time and our desktop clients are automatically started in the morning most
of them at the same time.

> I like Arne's and David's suggestion - the existing option "as is" will
> enable X% jitter, while a second parameter can specify a more specific
> range.  Following Arne's argument about users and percent math, it might
> indeed be better to have "min max" here ("3500 3600"), because that is
> really easy to understand and explain.

After all the discussion I prefer the simple solution. I've changed my
systems to the reduced 10% jitter and I'm wondering if it has to be made
more complicated than this? It works very well and after some hours the
renegs have spread very well. If you ask me it's perfectly fine that way
as long as the docs clearly state that a pseudo random 10% is deducted
from reneg-sec automatically to spread renegs.

Simon
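The effect discussed above (clients that all connect at once renegotiating at the identical second, and the jitter spreading them out more with every cycle) can be seen in a small simulation. This is an added illustration, not code from the thread or from OpenVPN; the helper names, the 10% deduction rule, the "min max" variant and the xorshift PRNG are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Small deterministic PRNG so runs are reproducible (illustrative only). */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Hypothetical helper: deduct a pseudo-random 0..pct percent from the
 * configured "reneg-sec base" value, as the thread's 10% proposal does. */
int jittered_reneg_sec(int base, int pct, uint32_t *s) {
    int max_deduct = base * pct / 100;
    if (max_deduct <= 0) return base;              /* pct 0 == no jitter */
    return base - (int)(xorshift32(s) % (uint32_t)(max_deduct + 1));
}

/* Hypothetical helper for the "min max" form ("reneg-sec 3500 3600"):
 * a uniform interval in [lo, hi] seconds. */
int ranged_reneg_sec(int lo, int hi, uint32_t *s) {
    if (hi < lo) { int t = lo; lo = hi; hi = t; }
    return lo + (int)(xorshift32(s) % (uint32_t)(hi - lo + 1));
}

/* Simulate `clients` all connecting at t=0 (server restart, morning logon)
 * and renegotiating `cycles` times. Returns the width in seconds of the
 * window in which their last renegotiations land: 0 means every client
 * renegotiated at exactly the same second (the thundering-herd case). */
int reneg_spread(int clients, int cycles, int base, int pct, uint32_t seed) {
    uint32_t s = seed ? seed : 1;                   /* xorshift needs s != 0 */
    int earliest = 0, latest = 0;
    for (int c = 0; c < clients; c++) {
        int t = 0;
        for (int k = 0; k < cycles; k++)
            t += jittered_reneg_sec(base, pct, &s);
        if (c == 0 || t < earliest) earliest = t;
        if (c == 0 || t > latest)   latest = t;
    }
    return latest - earliest;
}

int main(void) {
    /* No jitter: all 50 clients renegotiate in the same second, every cycle. */
    printf("no jitter, 4 cycles:  spread %d s\n", reneg_spread(50, 4, 3600, 0, 42));
    /* 10%% jitter: spread up to 360 s after cycle 1, up to 1440 s after cycle 4. */
    printf("10%% jitter, 1 cycle:  spread %d s\n", reneg_spread(50, 1, 3600, 10, 42));
    printf("10%% jitter, 4 cycles: spread %d s\n", reneg_spread(50, 4, 3600, 10, 42));
    return 0;
}
```

The deduction is bounded (never more than 10% of reneg-sec), so a 2FA user is never asked to re-authenticate minutes after connecting, yet the spread widens with each cycle, which is why the renegotiations look well distributed after a few hours.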


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
