<![CDATA[OpenVPN Renegotiation Time with MFA]]>Hello,

We recently deployed EntraID MFA with our OpenVPN deployment. It works great minus one drawback that we've come across. Currently we have reneg-sec set at the server and client as reneg-sec 36000; We're finding that clients that actually stay connected for the term are only staying persistent for 9 hours and not the full 10 hours. Short of deploying a longer renegotiation time to compensate, has anyone seen these settings not honor the full timeout amount?

Thanks!

]]>https://forum.netgate.com/topic/195907/openvpn-renegotiation-time-with-mfaRSS for NodeSun, 08 Mar 2026 23:26:55 GMTWed, 08 Jan 2025 21:24:09 GMT60<![CDATA[Reply to OpenVPN Renegotiation Time with MFA on Tue, 21 Jan 2025 12:58:04 GMT]]>@bozo-bogd

We tried setting reneg-sec on both sides to 0 but it caused the client to constant want the MFA prompt satisfied. The pings settings are already set to 0

Details from Azure. We have a CA policy that requires MFA when authenticating to the EntraID account. The Entra RADIUS VPN app is installed on our RADIUS box to interject the MFA prompt when authenticating to our local AD with the OpenVPN client. The MFA app has a limited config, with caching and renegotiation settings not being options.

]]>https://forum.netgate.com/post/1203402https://forum.netgate.com/post/1203402Tue, 21 Jan 2025 12:58:04 GMT<![CDATA[Reply to OpenVPN Renegotiation Time with MFA on Tue, 21 Jan 2025 09:35:05 GMT]]>@rebelscum said in OpenVPN Renegotiation Time with MFA:

deployed EntraID MFA with our Op

Dear friend,

Would you be so kind to share some details how you configured this, from azure, pfsense and openvpn server perspective ?

As for re-negotiation, we use reneg-sec 0 on both sides, + ping settings Inactive 0

Thank you.

]]>https://forum.netgate.com/post/1203383https://forum.netgate.com/post/1203383Tue, 21 Jan 2025 09:35:05 GMT