How to force OpenVPN clients to disconnect after x minutes idle?



  • I'm running pfSense 2.3.3-Release. I would like to configure the clients so that after 30 mins of idle time, they disconnect, for security reasons – I don't want an unneeded connection staying up overnight.

    I saw this old thread (https://forum.pfsense.org/index.php?topic=42935.0) but couldn't make it work.

    Currently I have the server configured with push "inactive 1800" and the client configured with inactive 1800 but they still are connected well after an hour.

    I've noticed in the client log the line [VPN Server Cert] Inactivity timeout (--ping-restart), restarting. So something is causing the reconnect, but the client config does not have --ping-restart.

    This is the client config:

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote xxx.xxx.xxx.xxx 34447 udp
    verify-x509-name "VPN Server Cert" name
    auth-user-pass
    pkcs12 pfSense-udp-34447-vpnuser.p12
    tls-auth pfSense-udp-34447-vpnuser-tls.key 1
    ns-cert-type server
    inactive 1800

    Any suggestions?



  • Wow, no one has any input?



  • @jaypeetee:

    Wow, no one has any input?

    Are you sure there is REALLY no traffic?



  • Yes. From the logs you can see that the client disconnects due to no activity but automatically reconnects:

    [VPN Server Cert] Inactivity timeout (--ping-restart), restarting.

    So something is causing the reconnect, but the client config does not have --ping-restart.



  • I got it working with these options on the client side:

    auth-nocache
    inactive 900
    ping 10
    ping-exit 60

    Seems that auth-nocache is the key.

    After it times out it tries to connect but because the creds aren't cached, the dialog box appears asking for them again. Since no one is there to enter the password and click OK, it times out and loses the connection.

    It's not the best way to handle it but it seems the only way currently.
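
Added example, not part of the thread: a small Python check that reads a client .ovpn file and reports what would let an idle client stay up or reconnect with nobody at the keyboard, based on the working combination in the last post. The function names and sample configs are constructed for illustration; options pushed by the server (such as a pushed ping-restart) do not appear in the client file and are outside what this check can see.

```python
import shlex

def parse_ovpn(text):
    """Map directive -> args for a client config; comments and inline <blocks> skipped."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif line and not in_block and line[0] not in "#;":
            parts = shlex.split(line, comments=True)
            if parts:
                opts[parts[0].lstrip("-")] = parts[1:]
    return opts

def audit_idle_disconnect(text):
    """Return findings; an empty list means the file matches the thread's working setup."""
    o, findings = parse_ovpn(text), []
    if "inactive" not in o:
        findings.append("inactive: not set, no idle timeout")
    if "ping-exit" not in o:
        findings.append("ping-exit: not set, ping timeout will not exit the client")
    for d in ("ping-restart", "keepalive"):  # keepalive expands to ping + ping-restart
        if d in o:
            findings.append(d + ": client restarts on ping timeout")
    if "auth-user-pass" in o:
        if o["auth-user-pass"]:  # credentials file given: no prompt can block a restart
            findings.append("auth-user-pass: reads a file, restart needs no user")
        elif "auth-nocache" not in o:
            findings.append("auth-nocache: not set, cached credentials allow silent reconnect")
    return findings

# Constructed samples: only the directives from the thread that matter here.
ORIGINAL = """client
dev tun
remote xxx.xxx.xxx.xxx 34447 udp
verify-x509-name "VPN Server Cert" name
auth-user-pass
inactive 1800
"""
FIXED = ORIGINAL.replace("inactive 1800", "inactive 900") + "auth-nocache\nping 10\nping-exit 60\n"

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, audit_idle_disconnect(cfg) or "ok")
```

The credentials-file finding follows from the mechanism described in the last post: the reconnect only stalls because a prompt appears, and a file removes the prompt.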