Jump to content
Not connected, Your IP: 18.118.32.7
Sweden78

How to set lower time for rekeying? (Perfect Forward Secrecy)

Recommended Posts

Hi,

 

In the AirVPN description it’s written:

 

”Perfect Forward Secrecy - Through Diffie-Hellman key exchange DHE. After the initial key negotiation, re-keying is performed every 60 minutes (this value can be lowered unilaterally by the client)”

 

I see in the OpenVPN logs that this is happening every 60 minutes.

But how can I lower this to maybe every 30 or 15 minuetes? Which parameter in the OpenVPN config file needs to be added or changed?

Share this post


Link to post

Hi,

 

In the AirVPN description it’s written:

 

”Perfect Forward Secrecy - Through Diffie-Hellman key exchange DHE. After the initial key negotiation, re-keying is performed every 60 minutes (this value can be lowered unilaterally by the client)”

 

I see in the OpenVPN logs that this is happening every 60 minutes.

But how can I lower this to maybe every 30 or 15 minuetes? Which parameter in the OpenVPN config file needs to be added or changed?

reneg-sec 1800 (30 minutes)

reneg-sec 900 (15 minutes)

 

Sent via Tapatalk. Means, I don't have a computer available now.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Hi,

But how can I lower this to maybe every 30 or 15 minuetes? Which parameter in the OpenVPN config file needs to be added or changed?

 

It adds a non-trivial server load to re-negotiate the keys. Don't set it too frequently. Why do you feel you need to shorten the key renegotiation time?

Share this post


Link to post

Hi,

 

How do I actually amend the config file? Nothing on my Andriod phone will open the file.

 

Also, is there anyway to check that my connection is actually encrypted?

 

Thanks

Share this post


Link to post

Any file explorer should open a random file on Android. Such as ES Explorer, Amaze, etc.

It's not recommended to change the defaults, they are secure by default.

This is why there is no need for you to "verify" if the connection is encrypted, since there is no

other way for it to go unencrypted. Just check the exit IP, and if it's of AirVPN, you are all set.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post
Guest

@Staff & @zhang888 I just downloaded new configs for iOS and reneg_sec is not in any of them.  Is there a coding error in the config generator or is it being pushed from server side?

Share this post


Link to post

@Staff & @zhang888 I just downloaded new configs for iOS and reneg_sec is not in any of them.  Is there a coding error in the config generator or is it being pushed from server side?

 

The config generator on all platforms does not set any advanced params except the minimum required for successful, secure connectivity. All the rest is defined server side.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

@Staff & @zhang888 I just downloaded new configs for iOS and reneg_sec is not in any of them.  Is there a coding error in the config generator or is it being pushed from server side?

 

The manpage for OpenVPN says that reneg_sec defaults to 3600 unless the user sets it otherwise. If it's not in the config file the client will assume 3600.

 

Air say they use 3600. They probably just don't specify it in their server config and get the default.

 

Client and server exchange values at connection startup and both will select the lowest of the client's or the server's preferred values. i.e. If you set 1800 then the chosen value will be 1800. If you ask for 7200 then you'll still get 3600 because it's not possible for one end of the connection to unilaterally increase the renegotiation times and the servers' (smaller) 3600 will be chosen.

Share this post


Link to post
Guest
This topic is now closed to further replies.

×
×
  • Create New...