automatically add reneg-sec 0 to client and server configs when otp is being used to avoid connection resetting every hour. Edit docs to make clear that a more secure cipher needs to be selected to use with otp to avoid the connection being reset every 64 MB of data

Author: Luke

bin/ovpn_genconfig

@@ -161,6 +161,7 @@ OVPN_EXTRA_CONFIG=''
 
 # Parse arguments
 while getopts ":a:e:C:T:r:s:du:cp:n:DNmf:tz2" opt; do
+    echo $opt
     case $opt in
         a)
             OVPN_AUTH="$OPTARG"
@@ -329,6 +330,7 @@ cat $TMP_PUSH_CONFIGFILE >> "$conf"
 if [ -n "${OVPN_OTP_AUTH:-}" ]; then
     echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf"
     echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
+    echo "reneg-sec 0" >> "$conf"
 fi
 
 echo -e "\n### Extra Configurations Below" >> "$conf"

bin/ovpn_getclient

@@ -94,6 +94,10 @@ $OVPN_ADDITIONAL_CLIENT_CONFIG
     if [ -n "$OVPN_COMP_LZO" ]; then
         echo "comp-lzo"
     fi
+
+    if [ "$OVPN_OTP_AUTH" = "1" ]; then
+	echo reneg-sec 0
+    fi
 }
 
 dir="$OPENVPN/clients/$cn"

docs/otp.md

@@ -11,7 +11,9 @@ and use this image to generate user configuration.
 
 In order to enable two factor authentication the following steps are required.
 
-* Generate server configuration with `-2` option
+* Choose a more secure [cipher](https://community.openvpn.net/openvpn/wiki/SWEET32) to use because since [OpenVPN 2.3.13](https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13) the default openvpn cipher BF-CBC will cause a renegotiated connection every 64 MB of data
+
+* Generate server configuration with `-2` and `-C $CIPHER` options
 
         docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2