Enforce Inactivity Timeout
-
Simply trying to disconnect users and force them to re-authenticate after a period of time.
Is this an option that can be pushed via the server config under Advanced Configuration > Custom Options eg. (push "auth-nocache" and push "inactive 3600").
Sidebar... what options can actually be pushed to connecting clients? I've tried a few options and I don't see them in config file on the client side once they connect. Is this something I should be able to see in that file?
Any help is appreciated.
-
@patd said in Enforce Inactivity Timeout:
Simply trying to disconnect users and force them to re-authenticate after a period of time.
That's not possible, it's up to the client.
Sidebar... what options can actually be pushed to connecting clients? I've tried a few options and I don't see them in config file on the client side once they connect. Is this something I should be able to see in that file?
Any help is appreciated.
See the --push option in the 2.4 manual:
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-
I see "Inactivity timeout (--ping-restart), restarting" in the openvpn logs on the pfsense.
User doesn't actually get disconnected though.
So something to the effect of an Idle Timeout isn't possible unless it's specified in the config file on the client side?
-
--ping, --ping-restart and --keep-alive are for checking if the connection is still alive.
@patd said in Enforce Inactivity Timeout:
Simply trying to disconnect users and force them to re-authenticate after a period of time.
I explained this as you disconnect a user and tell it to connect again after x time. I guess i misunderstand.
Is this an option that can be pushed via the server config under Advanced Configuration > Custom Options eg. (push "auth-nocache" and push "inactive 3600").
Looks like that is what you want, only --auth-nocache is not pushable according to the manual.
-
Ahh ya, sorry about that, I did word that kind of oddly.
Ya, so for security reasons I don't want users to remain connected indefinitely.
I'm just trying to shore that up.
-
Looks like a simple push "inactive 3600" in the advanced configuration did the trick.
Client is successfully disconnected after an hour of inactivity.
-
Glad you got it working.
As to your last question:
Sidebar... what options can actually be pushed to connecting clients? I've tried a few options and I don't see them in config file on the client side once they connect. Is this something I should be able to see in that file?
All options pushed by the server can be seen in the log files of client and server.
For instance on client side:
SENT CONTROL [Server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,sndbuf 524288,rcvbuf 524288,route-gateway 192.168.168.1,topology subnet,ping 30,ping-restart 60,route 192.168.51.0 255.255.255.0,route 192.168.178.0 255.255.255.0,route 192.168.2.0 255.255.255.0,route 192.168.25.0 255.255.255.0,route 172.18.18.0 255.255.255.0,dhcp-option DNS 192.168.168.1,dhcp-option NTP 192.168.168.1,redirect-gateway def1,ifconfig 192.168.168.2 255.255.255.0'
On server side:
PUSH: Received control message: 'PUSH_REQUEST'
admin/80.61.32.114:45244 send_push_reply(): safe_cap=940
admin/80.61.32.114:45244 SENT CONTROL [admin]: 'PUSH_REPLY,sndbuf 524288,rcvbuf 524288,route-gateway 192.168.168.1,topology subnet,ping 30,ping-restart 60,route 192.168.51.0 255.255.255.0,route 192.168.178.0 255.255.255.0,route 192.168.2.0 255.255.255.0,route 192.168.25.0 255.255.255.0,route 172.18.18.0 255.255.255.0,dhcp-option DNS 192.168.168.1,dhcp-option NTP 192.168.168.1,redirect-gateway def1,ifconfig 192.168.168.2 255.255.255.0' (status=1)
Depending on configuration some options are pushed by default.
In my example that would be:
route-gateway 192.168.168.1
topology subnet
ping 30
ping-restart 60
-
Thanks Pippin, so it appears as though it's not disconnecting after an hour...
I've narrowed it down to the keepalive values in the server config.
They are set to 10 and 60. I found this in the server.conf file under /var/etc.
I'd like to modify this line (keepalive 10 60), or remove it altogether, but I don't want to create instability.
Is it safe to do this via the shell, or is there somewhere in the GUI I can do this?
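Two points in this thread lend themselves to a quick check: Pippin's note that everything the server pushes shows up in the client log as a PUSH_REPLY line, and the last post's question about how the server's keepalive line relates to what the client receives. The script below is an added example, not code from the thread or from OpenVPN or pfSense. It parses a PUSH_REPLY log line into individual options, reports whether an inactivity timeout was pushed, and expands a server-side `keepalive n m` line into the options it implies (OpenVPN documents `--keepalive n m` as a macro for `ping n`, `ping-restart 2*m` on the server plus `push "ping n"` and `push "ping-restart m"` to clients). The client log line is the one quoted earlier in the thread; the second sample line with `inactive 3600` is constructed to show the positive case.

```python
"""Check what an OpenVPN server actually pushed, from the client's PUSH_REPLY log line.

Added example for this thread; the helpers and sample lines below are not part of
OpenVPN or pfSense. Useful when auditing whether a policy such as 'inactive 3600'
really reached the clients.
"""
import re
from typing import Dict, List, Optional, Tuple

# Client-side log line as quoted in the thread above.
CLIENT_LOG = (
    "SENT CONTROL [Server]: 'PUSH_REQUEST' (status=1) "
    "PUSH: Received control message: 'PUSH_REPLY,sndbuf 524288,rcvbuf 524288,"
    "route-gateway 192.168.168.1,topology subnet,ping 30,ping-restart 60,"
    "route 192.168.51.0 255.255.255.0,route 192.168.178.0 255.255.255.0,"
    "route 192.168.2.0 255.255.255.0,route 192.168.25.0 255.255.255.0,"
    "route 172.18.18.0 255.255.255.0,dhcp-option DNS 192.168.168.1,"
    "dhcp-option NTP 192.168.168.1,redirect-gateway def1,"
    "ifconfig 192.168.168.2 255.255.255.0'"
)

# Constructed line: what the client log would show once push "inactive 3600" is in place.
CLIENT_LOG_WITH_INACTIVE = (
    "PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,"
    "topology subnet,ping 10,ping-restart 60,inactive 3600,"
    "ifconfig 10.8.0.2 255.255.255.0'"
)

# The pushed option list sits between the quotes after PUSH_REPLY.
PUSH_REPLY_RE = re.compile(r"'PUSH_REPLY,?(.*?)'")

Option = Tuple[str, List[str]]


def parse_push_reply(line: str) -> List[Option]:
    """Split a PUSH_REPLY log line into (option-name, arguments) pairs.

    Returns an empty list if the line carries no PUSH_REPLY, so callers can tell
    'nothing pushed' from 'not a push line'.
    """
    match = PUSH_REPLY_RE.search(line)
    if not match:
        return []
    options: List[Option] = []
    for item in match.group(1).split(","):
        parts = item.strip().split()
        if parts:  # skip empty items produced by stray commas or spaces
            options.append((parts[0], parts[1:]))
    return options


def pushed_inactive_seconds(options: List[Option]) -> Optional[int]:
    """Return the pushed 'inactive' timeout in seconds, or None if none was pushed."""
    for name, args in options:
        if name == "inactive" and args:
            return int(args[0])
    return None


def pushed_keepalive(options: List[Option]) -> Tuple[Optional[int], Optional[int]]:
    """Return (ping, ping-restart) as pushed to the client, None for a missing value."""
    ping = ping_restart = None
    for name, args in options:
        if name == "ping" and args:
            ping = int(args[0])
        elif name == "ping-restart" and args:
            ping_restart = int(args[0])
    return ping, ping_restart


def expand_keepalive(n: int, m: int) -> Dict[str, List[str]]:
    """Expand a server-side 'keepalive n m' into the options OpenVPN derives from it.

    Per the OpenVPN manual, on a server this is a macro for 'ping n' and
    'ping-restart 2*m' locally, plus 'push "ping n"' and 'push "ping-restart m"'.
    """
    return {
        "server": [f"ping {n}", f"ping-restart {2 * m}"],
        "pushed": [f"ping {n}", f"ping-restart {m}"],
    }


if __name__ == "__main__":
    for label, line in (("thread sample", CLIENT_LOG), ("with inactive", CLIENT_LOG_WITH_INACTIVE)):
        opts = parse_push_reply(line)
        print(f"{label}: {len(opts)} options pushed; inactive={pushed_inactive_seconds(opts)}; "
              f"ping/ping-restart={pushed_keepalive(opts)}")
    print("keepalive 10 60 expands to:", expand_keepalive(10, 60))
```

Run it against a real client log by pasting the PUSH_REPLY line into `CLIENT_LOG`; if `pushed_inactive_seconds` returns None, the custom option never left the server and the client will not apply any inactivity timeout regardless of what the server config says.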