OpenVPN idle timeout

  • Hey guys,

    Due to some compliance issues, I've been asked to set up an idle timeout for all VPN accounts. I've been searching everywhere through the documentation but I can't really find anything.

    I see two options that could help here, –inactive and --ping-exit. Is the --inactive option supported? and how would I go around setting it in the web management interface?

  • The following is set by default on OpenVPN:

    inactive 0

    –inactive n [bytes]
    Causes OpenVPN to exit after n seconds of inactivity on the TUN/TAP device. The time length of inactivity is measured since the last incoming or outgoing tunnel packet. The default value is 0 seconds, which disables this feature.
    If the optional bytes parameter is included, exit if less than bytes of combined in/out traffic are produced on the tun/tap device in n seconds.

    In any case, OpenVPN's internal ping packets (which are just keepalives) and TLS control packets are not considered "activity", nor are they counted as traffic, as they are used internally by OpenVPN and are not an indication of actual user activity.

    So if you wanted to disconnect clients after an hour you could set:

    inactive 3600

    Alternatively you can actually specify the amount of bytes transferred before a timeout is triggered.

    You can specify the options by directly adding the option in the client certs or by trying this in the custom options of the VPN Server:

    push "inactive 3600"

    to dynamically push the option to connecting clients. However, I am not sure if the push method would work, but give it a go!

    Ultra Horizon Consultancy

  • Thank you! I'll definitely try it.

Log in to reply