openvpn/doc/man-sections/renegotiation.rst

Data Channel Renegotiation
--------------------------

When running OpenVPN in client/server mode, the data channel will use a
separate ephemeral encryption key which is rotated at regular intervals.

--reneg-bytes n
  Renegotiate data channel key after ``n`` bytes sent or received
  (disabled by default with an exception, see below). OpenVPN allows the
  lifetime of a key to be expressed as a number of bytes
  encrypted/decrypted, a number of packets, or a number of seconds. A key
  renegotiation will be forced if any of these three criteria are met by
  either peer.

  If using ciphers with cipher block sizes less than 128-bits,
  ``--reneg-bytes`` is set to 64MB by default, unless it is explicitly
  disabled by setting the value to :code:`0`, but this is
  **HIGHLY DISCOURAGED** as this is designed to add some protection against
  the SWEET32 attack vector. For more information see the ``--cipher``
  option.

--reneg-pkts n
  Renegotiate data channel key after **n** packets sent and received
  (disabled by default).

--reneg-sec args
  Renegotiate data channel key after at most ``max`` seconds
  (default :code:`3600`) and at least ``min`` seconds (default is 90% of
  ``max`` for servers, and equal to ``max`` for clients).
  ::

     reneg-sec max [min]

  The effective ``--reneg-sec`` value used is per session
  pseudo-uniform-randomized between ``min`` and ``max``.

  With the default value of :code:`3600` this results in an effective per
  session value in the range of :code:`3240` .. :code:`3600` seconds for
  servers, or just 3600 for clients.

  When using dual-factor authentication, note that this default value may
  cause the end user to be challenged to reauthorize once per hour.

  Also, keep in mind that this option can be used on both the client and
  server, and whichever uses the lower value will be the one to trigger
  the renegotiation. A common mistake is to set ``--reneg-sec`` to a
  higher value on either the client or server, while the other side of the
  connection is still using the default value of :code:`3600` seconds,
  meaning that the renegotiation will still occur once per :code:`3600`
  seconds. The solution is to increase --reneg-sec on both the client and
  server, or set it to :code:`0` on one side of the connection (to
  disable), and to your chosen value on the other side.
doc/man: convert openvpn.8 to split-up .rst files To avoid keeping around a full-size openvpn.rst file which is never needed but will take space in the repo forever, patches 01...04 of the big documentation overhaul projects were squashed togehter, keeping the individual commit logs and URL references below. Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is a combination of 4 commits. * This is the 1st commit message: doc/man: Add an .rst formatted version of the man page This is the first step to move away from a manually editing g/nroff encoded man page. Some modifications was needed to ensure formatting was consistent and rendered reasonably okay in GitHub and that the generated man page (using rst2man) is looking as a proper man page. Unsupported options has also been moved into its own section. HTML rendering directly using rst2html has also been used to validate the conversion. The rst2man and rst2html utilities comes from the python-docutils project: https://docutils.sourceforge.io/ Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-2-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063370/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #2: doc/man: Replace old man page with generated man page The doc/openvpn.8 and doc/openvpn.8.html files are now being removed from the git tree, as it will be generated from the doc/openvpn.8.rst file using python-docutils. An additional dist-hook is added so these files are generated automatically when source tarballs are generated for releases. This means users compiling directly from the source tarball will not need python-docutils installed. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-3-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063373/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #3: doc/man: Split up and reorganize main man page The openvpn.8.rst file is quite long and hard to edit, as it covers several hundred options. Some options were even documented multiple places. The example has also received some attention, cleaning up old and outdated infomration. In this commit the main man page is split up into multiple sections and options are sorted into each of the corresponding section. Inside each category, each option is for now sorted alphabetically. The main openvpn.8.rst file is currently kept unchanged and will be handled in the next commit. Many language improvements contributed by Richard Bonhomme has also been incorproated. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-4-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063376/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #4: doc/man: Complete openvpn.8.rst splitting This rebuilds the openvpn.8.rst content by using the text which was split out in the previous commit by using RST ..include statements. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-5-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063377/ Signed-off-by: Gert Doering <gert@greenie.muc.de> 2020-07-17 00:53:31 +02:00			`Data Channel Renegotiation`
			`--------------------------`

			`When running OpenVPN in client/server mode, the data channel will use a`
			`separate ephemeral encryption key which is rotated at regular intervals.`

			`--reneg-bytes n`
			Renegotiate data channel key after ``n`` bytes sent or received
			`(disabled by default with an exception, see below). OpenVPN allows the`
			`lifetime of a key to be expressed as a number of bytes`
			`encrypted/decrypted, a number of packets, or a number of seconds. A key`
			`renegotiation will be forced if any of these three criteria are met by`
			`either peer.`

			`If using ciphers with cipher block sizes less than 128-bits,`
			``--reneg-bytes`` is set to 64MB by default, unless it is explicitly
			disabled by setting the value to :code:`0`, but this is
			`HIGHLY DISCOURAGED as this is designed to add some protection against`
			the SWEET32 attack vector. For more information see the ``--cipher``
			`option.`

			`--reneg-pkts n`
			`Renegotiate data channel key after n packets sent and received`
			`(disabled by default).`

			`--reneg-sec args`
			Renegotiate data channel key after at most ``max`` seconds
			(default :code:`3600`) and at least ``min`` seconds (default is 90% of
			``max`` for servers, and equal to ``max`` for clients).
			`::`

			`reneg-sec max [min]`

			The effective ``--reneg-sec`` value used is per session
			pseudo-uniform-randomized between ``min`` and ``max``.

			With the default value of :code:`3600` this results in an effective per
Man page sections corrections Signed-off-by: Richard Bonhomme <tincanteksup@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20210119215617.116886-1-tincanteksup@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21451.html Signed-off-by: Gert Doering <gert@greenie.muc.de> 2021-01-19 22:56:17 +01:00			session value in the range of :code:`3240` .. :code:`3600` seconds for
doc/man: convert openvpn.8 to split-up .rst files To avoid keeping around a full-size openvpn.rst file which is never needed but will take space in the repo forever, patches 01...04 of the big documentation overhaul projects were squashed togehter, keeping the individual commit logs and URL references below. Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is a combination of 4 commits. * This is the 1st commit message: doc/man: Add an .rst formatted version of the man page This is the first step to move away from a manually editing g/nroff encoded man page. Some modifications was needed to ensure formatting was consistent and rendered reasonably okay in GitHub and that the generated man page (using rst2man) is looking as a proper man page. Unsupported options has also been moved into its own section. HTML rendering directly using rst2html has also been used to validate the conversion. The rst2man and rst2html utilities comes from the python-docutils project: https://docutils.sourceforge.io/ Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-2-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063370/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #2: doc/man: Replace old man page with generated man page The doc/openvpn.8 and doc/openvpn.8.html files are now being removed from the git tree, as it will be generated from the doc/openvpn.8.rst file using python-docutils. An additional dist-hook is added so these files are generated automatically when source tarballs are generated for releases. This means users compiling directly from the source tarball will not need python-docutils installed. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-3-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063373/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #3: doc/man: Split up and reorganize main man page The openvpn.8.rst file is quite long and hard to edit, as it covers several hundred options. Some options were even documented multiple places. The example has also received some attention, cleaning up old and outdated infomration. In this commit the main man page is split up into multiple sections and options are sorted into each of the corresponding section. Inside each category, each option is for now sorted alphabetically. The main openvpn.8.rst file is currently kept unchanged and will be handled in the next commit. Many language improvements contributed by Richard Bonhomme has also been incorproated. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-4-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063376/ Signed-off-by: Gert Doering <gert@greenie.muc.de> * This is the commit message #4: doc/man: Complete openvpn.8.rst splitting This rebuilds the openvpn.8.rst content by using the text which was split out in the previous commit by using RST ..include statements. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200716225338.611-5-davids@openvpn.net> URL: https://sourceforge.net/p/openvpn/mailman/message/37063377/ Signed-off-by: Gert Doering <gert@greenie.muc.de> 2020-07-17 00:53:31 +02:00			`servers, or just 3600 for clients.`

			`When using dual-factor authentication, note that this default value may`
			`cause the end user to be challenged to reauthorize once per hour.`

			`Also, keep in mind that this option can be used on both the client and`
			`server, and whichever uses the lower value will be the one to trigger`
			the renegotiation. A common mistake is to set ``--reneg-sec`` to a
			`higher value on either the client or server, while the other side of the`
			connection is still using the default value of :code:`3600` seconds,
			meaning that the renegotiation will still occur once per :code:`3600`
			`seconds. The solution is to increase --reneg-sec on both the client and`
			server, or set it to :code:`0` on one side of the connection (to
			`disable), and to your chosen value on the other side.`