How to force OpenVPN clients to disconnect after x minutes idle?
-
I'm running pfSense 2.3.3-Release. I would like to configure the clients so that after 30 mins of idle time, they disconnect, for security reasons – I don't want an unneeded connection staying up overnight.
I saw this old thread (https://forum.pfsense.org/index.php?topic=42935.0) but couldn't make it work.
Currently I have the server configured with push "inactive 1800" and the client configured with inactive 1800 but they still are connected well after an hour.
I've noticed in the client log the line [VPN Server Cert] Inactivity timeout (--ping-restart), restarting. So something is causing the reconnect, but the client config does not have --ping-restart.
This is the client config:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 34447 udp
verify-x509-name "VPN Server Cert" name
auth-user-pass
pkcs12 pfSense-udp-34447-vpnuser.p12
tls-auth pfSense-udp-34447-vpnuser-tls.key 1
ns-cert-type server
inactive 1800
Any suggestions?
-
Wow, no one has any input?
-
-
Yes. From the logs you can see that the client disconnects due to no activity but automatically reconnects:
[VPN Server Cert] Inactivity timeout (--ping-restart), restarting.
So something is causing the reconnect, but the client config does not have --ping-restart.
-
I got it working with these options on the client side:
auth-nocache
inactive 900
ping 10
ping-exit 60
Seems that auth-nocache is the key.
After it times out it tries to connect but because the creds aren't cached, the dialog box appears asking for them again. Since no one is there to enter the password and click OK, it times out and loses the connection.
It's not the best way to handle it but it seems the only way currently.
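One way to check client configs against the option set reported working in the last post, as an added example that is not code from the thread. The function names and sample strings are constructed here, and the script reads only the local file, so options pushed by the server are not seen.

```python
import shlex

# Constructed sample: the client config from the first post, trimmed.
ORIGINAL = '''dev tun
persist-tun
persist-key
client
verify-x509-name "VPN Server Cert" name
auth-user-pass
inactive 1800
'''
# The same config with the four client-side options from the last post.
FIXED = ORIGINAL.replace(
    "inactive 1800", "auth-nocache\ninactive 900\nping 10\nping-exit 60")

def parse(text):
    """Map each directive to its argument list; skip comments and inline <tag> blocks."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                      # inside a <ca>...</ca> style block
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            continue
        words = shlex.split(line)       # keeps "VPN Server Cert" as one argument
        opts[words[0].lstrip("-")] = words[1:]
    return opts

def audit(text):
    """Return findings measured against the option set reported working in the thread."""
    o, findings = parse(text), []
    if "auth-user-pass" in o and "auth-nocache" not in o:
        findings.append("credentials cached: a restart can log in again unattended")
    for name in ("inactive", "ping", "ping-exit"):
        if name not in o:
            findings.append(f"missing '{name}'")
        elif not o[name] or not o[name][0].isdigit():
            findings.append(f"'{name}' needs a number of seconds")
    return findings

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, audit(cfg) or "matches the thread's working option set")
```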