Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Enforce Inactivity Timeout

    OpenVPN
    2
    8
    502
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      patd last edited by patd

      Simply trying to disconnect users and force them to re-authenticate after a period of time.

      Is this an option that can be pushed via the server config under Advanced Configuration > Custom Options eg. (push "auth-nocache" and push "inactive 3600").

      Sidebar... what options can actually be pushed to connecting clients? I've tried a few options and I don't see them in config file on the client side once they connect. Is this something I should be able to see in that file?

      Any help is appreciated.

      Pippin 1 Reply Last reply Reply Quote 0
      • Pippin
        Pippin @patd last edited by

        @patd said in Enforce Inactivity Timeout:

        Simply trying to disconnect users and force them to re-authenticate after a period of time.

        Thats not possible, its up to the client.

        Sidebar... what options can actually be pushed to connecting clients? I've tried a few options and I don't see them in config file on the client side once they connect. Is this something I should be able to see in that file?

        Any help is appreciated.

        See --push option in manual 2.4:
        https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp

        1 Reply Last reply Reply Quote 0
        • P
          patd last edited by

          I see "Inactivity timeout (--ping-restart), restarting" in the openvpn logs on the pfsense.

          User doesn't actually get disconnected though.

          So something to the effect of an Idle Timeout isn't possible unless it's specified in the config file on the client side?

          1 Reply Last reply Reply Quote 0
          • Pippin
            Pippin last edited by

            --ping, --ping-restart and --keep-alive are for checking if the connection is still alive.

            @patd said in Enforce Inactivity Timeout:

            Simply trying to disconnect users and force them to re-authenticate after a period of time.

            I explained this as you disconnect a user and tell it to connect again after x time. I guess i misunderstand.

            Is this an option that can be pushed via the server config under Advanced Configuration > Custom Options eg. (push "auth-nocache" and push "inactive 3600").

            Looks like that is what you want, only --auth-nocache is not pushable according to the manual.

            I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
            Halton Arp

            1 Reply Last reply Reply Quote 0
            • P
              patd last edited by

              ahh ya sorry about that, i did word that kind of oddly.

              ya so for security reasons, i don't want users to remain connected indefinitely.

              i'm just trying to shore that up.

              1 Reply Last reply Reply Quote 0
              • P
                patd last edited by

                looks like a simple push "inactive 3600" in the advanced configuration did the trick.

                client is successfully disconnected after an hour of inactivity.

                1 Reply Last reply Reply Quote 0
                • Pippin
                  Pippin last edited by Pippin

                  Glad you got it working.
                  As to your last question:

                  Sidebar… what options can actually be pushed to connecting clients? I’ve tried a few options and I don’t see them in config file on the client side once they connect. Is this something I should be able to see in that file?

                  All options pushed by the server can be seen in the log files of client and server.
                  For instance on client side:

                  SENT CONTROL [Server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,
sndbuf 524288,rcvbuf 524288,route-gateway 192.168.168.1,
topology subnet,ping 30,ping-restart 60,
route 192.168.51.0 255.255.255.0,route 192.168.178.0 255.255.255.0,
route 192.168.2.0 255.255.255.0,route 192.168.25.0 255.255.255.0,
route 172.18.18.0 255.255.255.0,dhcp-option DNS 192.168.168.1,
dhcp-option NTP 192.168.168.1,redirect-gateway def1,
ifconfig 192.168.168.2 255.255.255.0'

                  On server side:

                  PUSH: Received control message: 'PUSH_REQUEST'
admin/80.61.32.114:45244 send_push_reply(): safe_cap=940
admin/80.61.32.114:45244 SENT CONTROL [admin]: 'PUSH_REPLY,sndbuf 524288,rcvbuf 524288,
route-gateway 192.168.168.1,topology subnet,ping 30,ping-restart 60,
route 192.168.51.0 255.255.255.0,route 192.168.178.0 255.255.255.0,
route 192.168.2.0 255.255.255.0,route 192.168.25.0 255.255.255.0,
route 172.18.18.0 255.255.255.0,dhcp-option DNS 192.168.168.1,dhcp-option NTP 192.168.168.1,
redirect-gateway def1,ifconfig 192.168.168.2 255.255.255.0' (status=1)

                  Depending on configuration some options are pushed by default.
                  In my example that would be:

                  route-gateway 192.168.168.1
topology subnet
ping 30
ping-restart 60

                  I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                  Halton Arp

                  1 Reply Last reply Reply Quote 0
                  • P
                    patd last edited by

                    Thanks Pippin, so it appears as though it's not disconnecting after an hour...

                    I've narrowed it down to the keepalive values in the server config.

                    They are set to 10 and 60. I found this in the server.conf file under /var/etc

                    I'd like to modify this line (keepalive 10 60) value, or remove it all together, but I don't want to create instability.

                    Is it safe to do this via the shell or is there somewhere in the GUI I can do this?

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post

                    Products

                    • Platform Overview
                    • TNSR
                    • pfSense
                    • Appliances

                    Services

                    • Training
                    • Professional Services

                    Support

                    • Subscription Plans
                    • Contact Support
                    • Product Lifecycle
                    • Documentation

                    News

                    • Media Coverage
                    • Press
                    • Events

                    Resources

                    • Blog
                    • FAQ
                    • Find a Partner
                    • Resource Library
                    • Security Information

                    Company

                    • About Us
                    • Careers
                    • Partners
                    • Contact Us
                    • Legal
                    Our Mission

                    We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                    Subscribe to our Newsletter

                    Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                    © 2021 Rubicon Communications, LLC | Privacy Policy