Setting your tunnel to never renegotiate is a security problem for long-running tunnels, and OpenVPN added the auth-gen-token config parameter specifically for cases like OTP authentication. In short, after authentication OpenVPN will generate a token to be used for renegotiation in place of re-sending the username and password.
Please add a mention of auth-gen-token for OpenVPN >= 2.4 in the README.
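As an added illustration (not part of the original issue or the project's README), here is a server-side configuration sketch contrasting the two approaches for OpenVPN >= 2.4. The interval and lifetime values are assumptions chosen for the example.

```conf
# Server-side OpenVPN configuration (OpenVPN >= 2.4).
# Values below are assumptions for illustration, not taken from the project README.

# Weak: disables periodic renegotiation so the user is never prompted for a
# new one-time code; data-channel keys are then no longer rotated on a timer.
# reneg-sec 0

# Preferred: keep renegotiating (3600 s is OpenVPN's default interval) ...
reneg-sec 3600

# ... and have the server generate a token after the first successful
# username/password (OTP) authentication. The token is used at each
# renegotiation in place of re-sending the username and password.
# The optional argument is the token lifetime in seconds (here 12 hours);
# once it expires the user has to authenticate again.
auth-gen-token 43200
```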
Thanks Wade,
Would you like to raise a PR to add that?
I don’t want to take credit for other people’s contributions.
Alternatively, I could make that change myself.