Last active
November 14, 2019 05:51
OpenVPN and tls_process: killed expiring key
The OpenVPN tunnel to one of the servers in LA kept going down and coming back up. This showed up as brief stalls on any kind of connection, whether HTTP or SSH. The client logs contained the following:
TLS: tls_process: killed expiring key
Googling turned up:
https://duo.com/docs/openvpn
This option will determine how often OpenVPN forces a renegotiation, thereby requiring the user to re-authenticate with Duo. This setting defaults to 3600 seconds, which means your users must re-authenticate every hour. If your user's VPN client saves the password and automatically re-authenticates with it, this may cause issues with the user receiving unexpected push notifications or their client replaying a one-time passcode. Therefore, we recommend disabling reneg-sec by setting it to 0 in your server configuration file:
reneg-sec 0
If you specified the reneg-sec option in the server configuration above, be sure to also include it in your client configuration file:
reneg-sec 0
Also important:
Old versions of OpenVPN may fail to connect with reneg-sec set to 0. If your OpenVPN version is below 2.2, then you should instead set reneg-sec to a very large value.
In general, they write here (more precisely, in the manual) that this is normal: "By default, the TLS key for the encrypted session is renegotiated every hour. This is a normal message." And the tunnel to other clients does not drop when the key changes. If that is even the cause.
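One way to test whether the drops actually line up with key renegotiation is to correlate the timestamps in the client log. The following is an added example, not part of the original gist: it counts restarts that occur shortly after a `killed expiring key` message and lists the intervals between those messages for comparison with the 3600-second default. The sample log lines, the 30-second window and the function names are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample client log (not from the original post), using the
# ctime-style timestamp prefix OpenVPN writes when logging to a file.
SAMPLE_LOG = """\
Thu Nov 14 04:00:01 2019 TLS: tls_process: killed expiring key
Thu Nov 14 04:00:03 2019 [server] Inactivity timeout (--ping-restart), restarting
Thu Nov 14 04:00:03 2019 SIGUSR1[soft,ping-restart] received, process restarting
Thu Nov 14 04:31:40 2019 [server] Inactivity timeout (--ping-restart), restarting
Thu Nov 14 04:31:40 2019 SIGUSR1[soft,ping-restart] received, process restarting
Thu Nov 14 05:00:02 2019 TLS: tls_process: killed expiring key
"""

LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (.*)$")
REKEY = "tls_process: killed expiring key"
RESTART = "process restarting"  # counted once per restart

def parse(log_text):
    """Return (rekey_times, restart_times) as lists of datetime."""
    rekeys, restarts = [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines without a timestamp prefix
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        if REKEY in m.group(2):
            rekeys.append(ts)
        elif RESTART in m.group(2):
            restarts.append(ts)
    return rekeys, restarts

def correlate(log_text, window=30):
    """Count restarts that follow a key expiry within `window` seconds."""
    rekeys, restarts = parse(log_text)
    near = [r for r in restarts
            if any(0 <= (r - k).total_seconds() <= window for k in rekeys)]
    intervals = [int((b - a).total_seconds())
                 for a, b in zip(rekeys, rekeys[1:])]
    return {"rekeys": len(rekeys), "restarts": len(restarts),
            "restarts_after_rekey": len(near), "rekey_intervals": intervals}

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

If most restarts fall outside the window, the renegotiation message is probably incidental and the cause lies elsewhere (for example, the ping-restart timeout itself).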