diff -Naur openvpn-2.4.1.orig/doc/openvpn.8 openvpn-2.4.1/doc/openvpn.8
--- openvpn-2.4.1.orig/doc/openvpn.8	2017-03-22 16:34:21.000000000 +0100
+++ openvpn-2.4.1/doc/openvpn.8	2017-04-04 17:43:18.000000000 +0200
@@ -34,7 +34,7 @@
 .\" .ft -- normal face
 .\" .in +|-{n} -- indent
 .\"
-.TH openvpn 8 "25 August 2016"
+.TH openvpn 8 "04 April 2017"
 .\"*********************************************************
 .SH NAME
 openvpn \- secure IP tunnel daemon.
@@ -4924,6 +4924,15 @@
 .B n
 seconds (default=3600).
 
+Note that the effective value used here is a per session pseudo-randomized
+.B 25%
+of
+.B n
+deducted from
+.B n\fR.
+With the default value of 3600 this results in an effective per session
+value in the range of 2701 ... 3600 seconds.
+
 When using dual-factor authentication, note that this default value may
 cause the end user to be challenged to reauthorize once per hour.
 
diff -Naur openvpn-2.4.1.orig/src/openvpn/init.c openvpn-2.4.1/src/openvpn/init.c
--- openvpn-2.4.1.orig/src/openvpn/init.c	2017-03-22 16:34:24.000000000 +0100
+++ openvpn-2.4.1/src/openvpn/init.c	2017-04-04 17:43:18.000000000 +0200
@@ -2591,7 +2591,8 @@
     to.packet_timeout = options->tls_timeout;
     to.renegotiate_bytes = options->renegotiate_bytes;
     to.renegotiate_packets = options->renegotiate_packets;
-    to.renegotiate_seconds = options->renegotiate_seconds;
+    to.renegotiate_seconds = options->renegotiate_seconds -
+        (get_random() % max_int(options->renegotiate_seconds / (100 / 25), 1));
     to.single_session = options->single_session;
     to.mode = options->mode;
     to.pull = options->pull;
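Review bot: The subtraction added to `to.renegotiate_seconds` stays at or below the configured `--reneg-sec` only if `get_random()` never returns a negative value. With a negative left operand, C's `%` yields a negative remainder, so the effective key lifetime would come out longer than the operator configured. `get_random()` is defined outside this diff, so either confirm its range or reduce in unsigned arithmetic, e.g. `(int)((unsigned long)get_random() % (unsigned long)max_int(options->renegotiate_seconds / 4, 1))`. The `(100 / 25)` divisor and the clamp to 1 are also unexplained; a comment such as `/* subtract a random 0..n/4-1 seconds; n == 0 is left unchanged because the modulus is then 1 */` would make the intent and the zero case explicit. The enclosing function starts and ends outside the hunk.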
diff -Naur openvpn-2.4.1.orig/src/openvpn/options.c openvpn-2.4.1/src/openvpn/options.c
--- openvpn-2.4.1.orig/src/openvpn/options.c	2017-03-22 16:34:24.000000000 +0100
+++ openvpn-2.4.1/src/openvpn/options.c	2017-04-04 17:43:18.000000000 +0200
@@ -604,6 +604,10 @@
     "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
     "--reneg-pkts n  : Renegotiate data chan. key after n packets sent and recvd.\n"
     "--reneg-sec n   : Renegotiate data chan. key after n seconds (default=%d).\n"
+    "                  The effective value used here is a per session\n"
+    "                  pseudo-randomized 25%% of n deducted from n. With the\n"
+    "                  default value of 3600 this results in an effective per\n"
+    "                  session value in the range of 2701 ... 3600 seconds.\n"
     "--hand-window n : Data channel key exchange must finalize within n seconds\n"
     "                  of handshake initiation by any peer (default=%d).\n"
     "--tran-window n : Transition window -- old key can live this many seconds\n"
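Review bot: The added help lines hard-code `3600` and `2701 ... 3600`, while the `--reneg-sec` line directly above them substitutes the default through `%d`. If the default ever changes, the two will disagree. Stating the range relative to n, for example `more than 75%% of n, up to n`, avoids that without adding format arguments. The usage string continues outside the hunk.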
diff -Naur openvpn-2.4.1.orig/src/openvpn/ssl.c openvpn-2.4.1/src/openvpn/ssl.c
--- openvpn-2.4.1.orig/src/openvpn/ssl.c	2017-03-22 16:34:24.000000000 +0100
+++ openvpn-2.4.1/src/openvpn/ssl.c	2017-04-04 17:43:18.000000000 +0200
@@ -2719,8 +2719,8 @@
             || (packet_id_close_to_wrapping(&ks->crypto_options.packet_id.send))))
     {
         msg(D_TLS_DEBUG_LOW,
-            "TLS: soft reset sec=%d bytes=" counter_format "/%d pkts=" counter_format "/%d",
-            (int)(ks->established + session->opt->renegotiate_seconds - now),
+            "TLS: soft reset sec=%d/%d bytes=" counter_format "/%d pkts=" counter_format "/%d",
+            (int)(now - ks->established), (int)session->opt->renegotiate_seconds,
             ks->n_bytes, session->opt->renegotiate_bytes,
             ks->n_packets, session->opt->renegotiate_packets);
         key_state_soft_reset(session);
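Review bot: The `sec=` field in the soft-reset message keeps its name but changes meaning, from seconds remaining until the time limit to elapsed seconds over the effective limit. Anything that parses this debug line would misread it without warning. A short comment above the `msg()` call, such as `/* sec=<elapsed>/<effective reneg-sec after randomization> */`, would record the new format. The `if` condition guarding this block begins outside the hunk.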
