Enforcing an OpenVPN timeout
-
I have searched everywhere for this, but cannot seem to find an answer.
Does anyone know how to force inactive openvpn clients off? It is becoming taxing on the server to have so many open tunnels that are simply open because users fail to disconnect. The fix can be either server or client side, as I don't expect my users to be able to figure out how to change their local settings.
I know the default behaviour of Openvpn is to keep a persistent connection unless the user selects 'disconnect', but I would like to set a timeout value so I don't have to upgrade the hardware in my firewall to maintain 'idle' vpn tunnels, not to mention the log spam of reconnecting VPN tunnels every few seconds.
Thanks for any help… again, this could be either client or server side, I do not care which...
-
You didn't try the official openVPN documentation ;)
http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.htmlLook at the ping-exit option.
-
Ahh, thank you.. I do confess that I looked through that document rather quickly, hoping someone had implemented it and would know straight away =)
it appears that both peers need to have the option set, and I think I might have to toy with the other ping- commands to find a combination of them that doesn't disconnect people too too soon, but also doesn't keep open connections open for hours and days.
Thank you for the tip; I will report back here on how it goes when I try it…
-
You would only want that on the client I believe, it could otherwise cause the server to shut down. May be able to push that option, I'm not entirely sure offhand. Never tried that option before.
Though I do question if it's really necessary. Unless you have a very large number of simultaneous clients, and very slow hardware (less than 500 MHz), the load if they aren't doing anything is inconsequential. The load with VPN is primarily when you're pushing traffic and it has to do crypto on that.