Sweden78

How to set lower time for rekeying? (Perfect Forward Secrecy)

Hi,

In the AirVPN description it's written:

"Perfect Forward Secrecy - Through Diffie-Hellman key exchange DHE. After the initial key negotiation, re-keying is performed every 60 minutes (this value can be lowered unilaterally by the client)"

I see in the OpenVPN logs that this is happening every 60 minutes.

But how can I lower this to maybe every 30 or 15 minutes? Which parameter in the OpenVPN config file needs to be added or changed?


reneg-sec 1800 (30 minutes)

reneg-sec 900 (15 minutes)

Sent via Tapatalk. Means I don't have a computer available now.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


Hi,

It adds a non-trivial server load to re-negotiate the keys. Don't set it too frequently. Why do you feel you need to shorten the key renegotiation time?


Hi,

How do I actually amend the config file? Nothing on my Android phone will open the file.

Also, is there any way to check that my connection is actually encrypted?

Thanks


Any file explorer should open a random file on Android. Such as ES Explorer, Amaze, etc.

It's not recommended to change the defaults, they are secure by default.

This is why there is no need for you to "verify" if the connection is encrypted, since there is no other way for it to go unencrypted. Just check the exit IP, and if it belongs to AirVPN, you are all set.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Guest

@Staff & @zhang888 I just downloaded new configs for iOS and reneg_sec is not in any of them.  Is there a coding error in the config generator or is it being pushed from server side?


The config generator on all platforms does not set any advanced params except the minimum required for successful, secure connectivity. All the rest is defined server side.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


The manpage for OpenVPN says that reneg_sec defaults to 3600 unless the user sets it otherwise. If it's not in the config file the client will assume 3600.

 

Air say they use 3600. They probably just don't specify it in their server config and get the default.

 

Client and server exchange values at connection startup and both will select the lowest of the client's or the server's preferred values, i.e. if you set 1800 then the chosen value will be 1800. If you ask for 7200 then you'll still get 3600, because it's not possible for one end of the connection to unilaterally increase the renegotiation time and the server's (smaller) 3600 will be chosen.

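As an added illustration of the two points made in this thread (not code from the thread or from AirVPN), the following Python snippet sets `reneg-sec` in a client .ovpn text, computes the interval that actually applies once the server's value is taken into account, and measures the observed rekey interval from OpenVPN client log lines so the setting can be verified. The config and log lines are constructed samples; `vpn.example.net` is a placeholder host, and the "TLS: soft reset" marker is the wording this example assumes for a timer-driven renegotiation in OpenVPN 2.4-style logs.

```python
import re
from datetime import datetime
from typing import List, Optional

OPENVPN_DEFAULT_RENEG_SEC = 3600  # manpage default, as noted in the thread
LOG_TS_FORMAT = "%a %b %d %H:%M:%S %Y"   # timestamp prefix of OpenVPN log lines
RENEG_MARKER = "TLS: soft reset"         # assumed marker for a soft reset (reneg timer or byte/packet limit)


def set_reneg_sec(config_text: str, seconds: int) -> str:
    """Return the .ovpn text with 'reneg-sec <seconds>' set (replaced in place or appended)."""
    if seconds <= 0:
        raise ValueError("reneg-sec must be a positive number of seconds")
    lines = config_text.splitlines()
    hits = [i for i, line in enumerate(lines) if re.match(r"\s*reneg-sec\b", line)]
    for i in hits:
        lines[i] = f"reneg-sec {seconds}"
    if not hits:
        lines.append(f"reneg-sec {seconds}")
    return "\n".join(lines) + "\n"


def effective_reneg_sec(client: Optional[int], server: int = OPENVPN_DEFAULT_RENEG_SEC) -> int:
    """Each peer runs its own reneg timer and the first to fire triggers the
    renegotiation, so the effective interval is the smaller value: a client
    can shorten it but cannot push it above the server's setting."""
    return min(client if client is not None else OPENVPN_DEFAULT_RENEG_SEC, server)


def rekey_intervals(log_lines: List[str]) -> List[int]:
    """Seconds between consecutive timer-driven renegotiations in a client log,
    for checking the observed rekey interval against the configured reneg-sec."""
    times = []
    for line in log_lines:
        if RENEG_MARKER in line:
            # the first five whitespace-separated fields are the timestamp
            times.append(datetime.strptime(" ".join(line.split()[:5]), LOG_TS_FORMAT))
    return [int((later - earlier).total_seconds()) for earlier, later in zip(times, times[1:])]


# Constructed sample log in the style of OpenVPN 2.4 client output (not a real capture)
SAMPLE_LOG = [
    "Tue Mar 12 10:00:00 2024 Initialization Sequence Completed",
    "Tue Mar 12 10:30:00 2024 TLS: soft reset sec=0 bytes=5120000/0 pkts=40000/0",
    "Tue Mar 12 10:30:01 2024 Data Channel: using negotiated cipher 'AES-256-GCM'",
    "Tue Mar 12 11:00:00 2024 TLS: soft reset sec=0 bytes=5130000/0 pkts=40100/0",
]
# Constructed minimal client config; vpn.example.net is a placeholder host
SAMPLE_CONFIG = "client\ndev tun\nremote vpn.example.net 443\nreneg-sec 3600\n"
```

With `reneg-sec 1800` in the client config the observed interval in the sample log is 1800 seconds, while asking for 7200 still yields the server's 3600.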