The culprit seems to be your authentication configuration. You are using plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login which would require the client to supply a valid username/password combination to connect. Apparently, this is also required upon rekeying and your OpenVPN client seems unable to request the user name from stdin (ERROR: could not read Auth username from stdin).
As for the reason why raising reneg-sec in your server configuration does not help matters, this is because the parameter has to be specified in both – the server’s and the client’s config to be effectively raised above the default of 3600 seconds (which happens to cause the one hour – disconnect you are seeing).
So your options would be to
- use an authentication method which does not require user input (certificates spring to mind)
- troubleshoot why your client is unable to prompt for the user name / password combination after connection establishment
- raise the rekeying period or disable rekeying entirely (which weakens your connection’s security, so it surely is only an inferior workaround to your problem)