Netgate Discussion Forum

    Enforce Inactivity Timeout

    OpenVPN
      patd
      last edited by patd

      Simply trying to disconnect users and force them to re-authenticate after a period of time.

      Is this an option that can be pushed via the server config under Advanced Configuration > Custom Options, e.g. push "auth-nocache" and push "inactive 3600"?

      Sidebar... what options can actually be pushed to connecting clients? I've tried a few options and I don't see them in the config file on the client side once they connect. Is this something I should be able to see in that file?

      Any help is appreciated.

        Pippin @patd
        last edited by

        @patd said in Enforce Inactivity Timeout:

        Simply trying to disconnect users and force them to re-authenticate after a period of time.

        That's not possible, it's up to the client.

        Sidebar... what options can actually be pushed to connecting clients? I've tried a few options and I don't see them in the config file on the client side once they connect. Is this something I should be able to see in that file?

        Any help is appreciated.

        See the --push option in the 2.4 manual:
        https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp

          patd
          last edited by

          I see "Inactivity timeout (--ping-restart), restarting" in the OpenVPN logs on the pfSense.

          User doesn't actually get disconnected though.

          So something to the effect of an Idle Timeout isn't possible unless it's specified in the config file on the client side?

            Pippin
            last edited by

            --ping, --ping-restart and --keepalive are for checking if the connection is still alive.

            @patd said in Enforce Inactivity Timeout:

            Simply trying to disconnect users and force them to re-authenticate after a period of time.

            I read this as you disconnect a user and tell it to connect again after x time. I guess I misunderstood.

            Is this an option that can be pushed via the server config under Advanced Configuration > Custom Options, e.g. push "auth-nocache" and push "inactive 3600"?

            Looks like that is what you want, only --auth-nocache is not pushable according to the manual.


              patd
              last edited by

              Ahh, ya, sorry about that, I did word that kind of oddly.

              Ya, so for security reasons I don't want users to remain connected indefinitely.

              I'm just trying to shore that up.

                patd
                last edited by

                Looks like a simple push "inactive 3600" in the advanced configuration did the trick.

                Client is successfully disconnected after an hour of inactivity.

                  Pippin
                  last edited by Pippin

                  Glad you got it working.
                  As to your last question:

                  Sidebar… what options can actually be pushed to connecting clients? I’ve tried a few options and I don’t see them in the config file on the client side once they connect. Is this something I should be able to see in that file?

                  All options pushed by the server can be seen in the log files of the client and the server.
                  For instance, on the client side:

                  SENT CONTROL [Server]: 'PUSH_REQUEST' (status=1)
                  PUSH: Received control message: 'PUSH_REPLY,
                  sndbuf 524288,rcvbuf 524288,route-gateway 192.168.168.1,
                  topology subnet,ping 30,ping-restart 60,
                  route 192.168.51.0 255.255.255.0,route 192.168.178.0 255.255.255.0,
                  route 192.168.2.0 255.255.255.0,route 192.168.25.0 255.255.255.0,
                  route 172.18.18.0 255.255.255.0,dhcp-option DNS 192.168.168.1,
                  dhcp-option NTP 192.168.168.1,redirect-gateway def1,
                  ifconfig 192.168.168.2 255.255.255.0'
                  

                  On the server side:

                  PUSH: Received control message: 'PUSH_REQUEST'
                  admin/80.61.32.114:45244 send_push_reply(): safe_cap=940
                  admin/80.61.32.114:45244 SENT CONTROL [admin]: 'PUSH_REPLY,sndbuf 524288,rcvbuf 524288,
                  route-gateway 192.168.168.1,topology subnet,ping 30,ping-restart 60,
                  route 192.168.51.0 255.255.255.0,route 192.168.178.0 255.255.255.0,
                  route 192.168.2.0 255.255.255.0,route 192.168.25.0 255.255.255.0,
                  route 172.18.18.0 255.255.255.0,dhcp-option DNS 192.168.168.1,dhcp-option NTP 192.168.168.1,
                  redirect-gateway def1,ifconfig 192.168.168.2 255.255.255.0' (status=1)
                  

                  Depending on configuration, some options are pushed by default.
                  In my example those would be:

                  route-gateway 192.168.168.1
                  topology subnet
                  ping 30
                  ping-restart 60
                  


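A small script to confirm from the client log what the server actually pushed, added here as an example (it is not from the thread, from pfSense or from OpenVPN). It pulls the option list out of the quoted PUSH_REPLY line and reports whether an inactive timeout was pushed; the first log text is a constructed copy of the excerpt above, and the second, shorter line is constructed to show what the reply looks like once push "inactive 3600" is in place.

```python
"""Audit the options an OpenVPN server pushed, from the client's log."""
import re
from typing import Dict, List, Optional

# Client-side log as quoted in the thread (constructed copy for this example).
CLIENT_LOG = """\
SENT CONTROL [Server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,
sndbuf 524288,rcvbuf 524288,route-gateway 192.168.168.1,
topology subnet,ping 30,ping-restart 60,
route 192.168.51.0 255.255.255.0,route 192.168.178.0 255.255.255.0,
route 192.168.2.0 255.255.255.0,route 192.168.25.0 255.255.255.0,
route 172.18.18.0 255.255.255.0,dhcp-option DNS 192.168.168.1,
dhcp-option NTP 192.168.168.1,redirect-gateway def1,
ifconfig 192.168.168.2 255.255.255.0'
"""

# Constructed log line for a server that pushes the inactivity timeout.
CLIENT_LOG_WITH_INACTIVE = (
    "PUSH: Received control message: 'PUSH_REPLY,ping 30,ping-restart 60,"
    "inactive 3600,ifconfig 192.168.168.2 255.255.255.0'"
)

# OpenVPN logs the whole reply as one single-quoted string.
PUSH_REPLY_RE = re.compile(r"'PUSH_REPLY,(?P<opts>.*?)'")


def parse_push_reply(log_text: str) -> List[str]:
    """Return the pushed options from the first PUSH_REPLY in the log.

    The forum excerpt wraps the reply over several lines, so the lines are
    joined before matching; the real log keeps it on one line.
    """
    joined = " ".join(line.strip() for line in log_text.splitlines())
    match = PUSH_REPLY_RE.search(joined)
    if not match:
        return []
    return [opt.strip() for opt in match.group("opts").split(",") if opt.strip()]


def pushed_inactive_seconds(options: List[str]) -> Optional[int]:
    """Return the pushed --inactive timeout in seconds, or None if absent."""
    for opt in options:
        parts = opt.split()
        if len(parts) >= 2 and parts[0] == "inactive" and parts[1].isdigit():
            return int(parts[1])
    return None


def audit(log_text: str, expected: int = 3600) -> Dict[str, object]:
    """Summarise the reply: option count, pushed inactive value, and whether
    it matches the timeout the administrator intended to enforce."""
    opts = parse_push_reply(log_text)
    inactive = pushed_inactive_seconds(opts)
    return {"pushed_count": len(opts), "inactive": inactive, "ok": inactive == expected}
```

Run `audit(open("/path/to/client.log").read())` against a real client log; an `ok` of False means the directive never reached the client, whatever the server config says.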
                    patd
                    last edited by

                    Thanks Pippin, so it appears as though it's not disconnecting after an hour...

                    I've narrowed it down to the keepalive values in the server config.

                    They are set to 10 and 60. I found this in the server.conf file under /var/etc

                    I'd like to modify this line (keepalive 10 60) value, or remove it all together, but I don't want to create instability.

                    Is it safe to do this via the shell or is there somewhere in the GUI I can do this?

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.