How to kill clients from the server side.
-
you could try to insert the following in your client configs (it might prevent credentials from being cached and might theoretically stop auto-reconnects)
auth-nocache -
OK, I found the solution, that was my lack of knowledge I suppose. What I did:
- edited server1.conf and removed "keepalive 10 30"
- pushed "ping-exit 10" to the clients
Now after 10 seconds from pressing "kill client connection" I can see "connection to XXX was terminated" on the user worksation.
-
- edited server1.conf and removed "keepalive 10 30"
Don't do that. It'll be overwritten, and that part is unnecessary for the ping-exit.
- pushed "ping-exit 10" to the clients
Now after 10 seconds from pressing "kill client connection" I can see "connection to XXX was terminated" on the user worksation.
That works, though it'll potentially be an annoyance for users in that it won't reconnect on its own if there is a temporary loss of connectivity. Not a big deal if the clients are behind reliable Internet connections, but could be very annoying if some of those users are at a hotel or coffee shop or something where connectivity may be a bit spotty from time to time.
-
What do you mean by "overwritten"? I just added it back and client is restarting connection on it's own as before. I've tried ping-exit on its own first place but it wasn't working. So I created this thread. As for second part we have 2 servers one for mobile users with 30+ concurrent connections.
-
The conf file is created by the webgui php scripts whenever you make changes to the OpenVPN server. So if you edit the conf file directly any changes you make to it will be lost the next time you make a change via the webgui.
Try to use the advanced settings box in the webgui to make any changes that aren't directly covered. Though I'm unsure quite how you might make this particular change if it's already included.Steve
-
So is there no way to permanently remove 'keepalive' from the server side? I rarely make changes to OpenVPN settings, I would have to remember to hash that line every time, it's not perfect but doable.
-
/etc/inc/openvpn.inc
-
I guess I could just add # to "$conf .= "keepalive 10 60\n";" to minimize risk of breaking it. Thanks doktornotor ;)
-
You'd better use //
-
I was thinking about something like that:
$conf .= "#keepalive 10 60\n";
So it would be "delivered" to config in offline state?
-
No… Please read how to produce comments in PHP!
http://php.net/manual/en/language.basic-syntax.comments.php
-
Hmm, I could be mistaken, I'm no coder, but that looks right if he wants to produce a conf file with that line commented out.
Steve
-
So, you want
... #user nobody #group nobody script-security 3 daemon #keepalive 10 60 ping-timer-rem ...in serverX.conf ? Yeah that'd work, just don't see the point.
-
Maybe just for the future reference for somebody who will take over from me, would be easier to for him to spot hash in temp config file. That is basically same thing we can do in 2 different ways. I can't really say which one is better ;)
Thanks to everybody in a thread , that is what I was looking for!
I edited one thing I changed 'ping-exit' from 10 (seconds) to 25 as it will actually disconnect the client if he is slow with typing username/password. But 25 seconds should be plenty to do that.
-
Came across this looking after finding that the VPN client (OPENVPN ios) stayed connected after I disconnected the user connection from status>OpenVPN by hitting the X next to their connection. I expected the behavior the original post was describing and was puzzled why it not only showed on the client that it was still connected, but also why after attempting to access a resource located behind the VPN connection that it connected back up and worked. Rather than disabling account or trying to change the timeout/reconnect options, I found the best way to have this control to disconnect a session is to set up authentication to another directory (Ldap) and filter approval based upon group membership (memberOf). This way one can remove the account from the LDAP group, then click the X to close the client vpn session from the server side. The client then tries to (automatically) reconnect and fails based on authentication. I found that this is the only clean way to have administrative control over the client vpn session apart from disabling the entire user account or disabling the VPN server itself.
Thanks,
Brian
