TOPIC: OpenVPN forcing renegotiation every hour
#41600
OpenVPN forcing renegotiation every hour 1 Year ago  
I have a client running an OpenVPN server on ClearOS 5.2 SP1. We have set up about 10-15 remote users with no issues at all up until now. Lately the users have been staying logged in for longer and longer sessions. We've recently discovered that everyone is being forced to renegotiate at exactly 60 minutes.

I did a little research and discovered that this is a default for OpenVPN (presumably to limit access to someone who has stolen your system, etc). They would like to extend the time between these forced renegotiations though. I found what appears to be the answer, adding:
Code:

reneg-sec 2880


would adjust that time to 2,880 seconds, or 8 hours. The problem is that there is no server.conf in /etc/openvpn and trying to adjust it on the client side doesn't seem to affect anything.
Jason Burgett
 
#41603
Re: OpenVPN forcing renegotiation every hour 1 Year ago  
Have you tried putting it in /etc/openvpn/clients.conf, where a lot (all?) of the configuration info is held? You may need to restart OpenVPN after editing the file.
Nick Howitt
 
#41611
Re:OpenVPN forcing renegotiation every hour 1 Year ago  
Yes, I tried that already. I also tried making the change right in the client's .ovpn file with no results.
Jason Burgett
 
#41619
Re:OpenVPN forcing renegotiation every hour 1 Year ago  
For it to be effective it looks like the option must be set at both ends at the same time. Did you try that?
Nick Howitt
 
#41620
Re:OpenVPN forcing renegotiation every hour 1 Year ago  
I would, but I can't seem to find where the server.conf is. I would assume in the /etc/openvpn directory but it's not there. Could I just put one in there with that one entry?
Jason Burgett
 
#41621
Re:OpenVPN forcing renegotiation every hour 1 Year ago  
I would try /etc/openvpn/clients.conf first. That is the configuration file being used by OpenVPN even on the server. Remember to restart OpenVPN.
Nick Howitt
Last Edit: 2012/05/20 09:28 By NickH.
 
#41625
Re:OpenVPN forcing renegotiation every hour 1 Year ago  
I'll try again on Monday and report back here. Again, it didn't seem to make a difference the first time, but who knows. Is it a sure thing that OpenVPN uses the clients.conf even for the server config on ClearOS?
Jason Burgett
 
#41626
Re:OpenVPN forcing renegotiation every hour 1 Year ago  
If you are not worried about password authentication and just want to rely on certificates (so you won't see the renegotiation as it happens in the background), in clients.conf comment out the line:
Code:

plugin /usr/share/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth-ldap

and in the .ovpn file comment out the line
Code:

auth-user-pass

Like this you can even start OpenVPN as a service so the user does not even know he is connecting.
Nick Howitt
 
#41677
Re:OpenVPN forcing renegotiation every hour 1 Year ago  
Ok, here's the final verdict. You can just add

Code:

reneg-sec xx



into the client's .ovpn file. Turns out the client I test with was automatically re-authenticating silently like it should so I couldn't reproduce the problem. After I told it to stop doing that I could force the re-authorization to happen whenever I wanted using the reneg-sec option.

My clients are using this client:

openvpn.net/index.php?option=com_content&id=357

and not checking the "Remember password for this session" box. With that box set it does seem to re-auth silently in the background. Just goes to show you that the user is usually the hardest problem to diagnose.
Jason Burgett
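Added example, not part of any post in this thread: the OpenVPN manual says reneg-sec can be set on both client and server and whichever side uses the lower value triggers the renegotiation, so this sketch reads both configs and reports the interval that actually applies. Both config texts and the host name are constructed samples; the server text stands in for /etc/openvpn/clients.conf.

```python
DEFAULT_RENEG_SEC = 3600  # OpenVPN default when reneg-sec is not set

# Constructed sample: server side, no reneg-sec line, LDAP password plugin on.
SERVER_CONF = """\
# stands in for /etc/openvpn/clients.conf
port 1194
proto udp
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth-ldap
"""

# Constructed sample: client profile where only the client raised the value.
CLIENT_OVPN = """\
client
remote vpn.example.com 1194
auth-user-pass
reneg-sec 28800
"""


def parse_directives(text):
    """Map each directive to its argument list, skipping blank and comment lines."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives[name.lstrip("-")] = args
    return directives


def reneg_sec(directives):
    """Interval one side asks for; 0 means that side never starts a renegotiation."""
    args = directives.get("reneg-sec")
    return int(args[0]) if args else DEFAULT_RENEG_SEC


def effective_reneg(server_text, client_text):
    """Return the interval that applies to the tunnel and which side triggers it."""
    client = parse_directives(client_text)
    sides = {"server": reneg_sec(parse_directives(server_text)),
             "client": reneg_sec(client)}
    active = {side: sec for side, sec in sides.items() if sec > 0}
    who = min(active, key=active.get) if active else None
    return {"interval": active.get(who), "triggered_by": who,
            # auth-user-pass in the profile: password auth is part of the session
            "uses_password_auth": "auth-user-pass" in client}


if __name__ == "__main__":
    print(effective_reneg(SERVER_CONF, CLIENT_OVPN))
```

With these samples the server's implicit 3600 seconds still governs the tunnel; lowering the value on either side alone takes effect immediately, while raising it requires changing both.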
 