Netgate Discussion Forum

    Inactive setting - Can't get it to work

    OpenVPN
    • R
      rkgraves
      last edited by

      Goal: automatically disconnect inactive VPN clients.

      Setup: pfSense v2.4.5 with near-default IPv4 & IPv6 OpenVPN server configured. Windows 10 & macOS clients.

      From the OpenVPN documentation and pfSense forums my best understanding is to use the "inactive" and/or "ping-exit" settings in the client config file. I can't get this to work. I've tried inactive values of both seconds and bytes and seconds + bytes, along with "ping-exit" without success. The client simply will not automatically disconnect.

      What am I missing?

      Thank You for Your Help!

      GertjanG 1 Reply Last reply Reply Quote 0
      • RicoR
        Rico LAYER 8 Rebel Alliance
        last edited by

        May I ask why you even care about that? What is the problem with Idle users?

        -Rico

        J 1 Reply Last reply Reply Quote 0
        • GertjanG
          Gertjan @rkgraves
          last edited by

          @rkgraves said in Inactive setting - Can't get it to work:

          The client simply will not automatically disconnect.

          Oh, they will see the connection going down, but they also do what they should do: they will re-establish the connection.
          It's up to the user using the device that uses the OpenVPN client to connect - and disconnect.

          I guess, if there is something you can do, it should be done with the OpenVPN Client, that is: the ovpn configuration file you exported to that client.
          There is only one fast method to find out: read the OpenVPN manuals and see if such a possibility exists.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 0
          • R
            rkgraves
            last edited by

            Rico,

            There is a problem I have observed where a user establishes an OpenVPN connection on one device, forgets to close the connection, and then later moves to a different device and establishes a 2nd OpenVPN connection using the same account & credentials.

            The 2nd VPN connection is problematic; inconsistencies in the user's ability to access resources. Closing the first connection solves the problem. I've observed this several times with my own account and perhaps should have documented it more thoroughly. I have since come to realize that when I see this behavior I go looking for a previously established idle connection.

            Making progress in getting this working. Best Solution so far is to add Push "Inactive xxxx" & Push "Ping-exit xx" on the server side. Working now to get better control over the amount of idle time/bytes before the connection is dropped. On the user's side they will see a dialog box showing the connection was dropped and not automatically re-established.

            RKGraves

            1 Reply Last reply Reply Quote 0
            • R
              rkgraves
              last edited by

              Community,

              Just a note to follow-up on this: Using the OpenVPN Inactive settings to disconnect idle users. We did get this to work!

              Adding to the client config: inactive 3600 1000000

              or, adding to the client settings on the pfSense-OpenVPN server: push "inactive 3600 1000000"

              is dropping idle connections after roughly 1 hour of inactivity. The way I interpret this is - if less than 1000000 of data crosses the wire within a 60 minute window of time, then the connection will be determined inactive and closed.

              I.e. 3600 is a time out value given in seconds, 3600 = 60 minutes. 100000 is a value given in bytes and seems like a lot, but not really. We found that a typical idle connection produced +/- 500 KBytes an hour. An odd observation was that some idle connections would produce initially way more data than others, but would eventually settle down to the less than 1000000 bytes in 60 minutes and be terminated.

              The learning curve was that setting an inactive time value alone was not sufficient, as even with an idle session there is still a notable amount of packets going back and forth across the wire.

              Thank You to Those who offered input and to Netgate Support for their prompt and helpful information.

              Best Regards,
              Randy Graves
              North Idaho College

              M 1 Reply Last reply Reply Quote 1
              • J
                jharrison @Rico
                last edited by

                @Rico said in Inactive setting - Can't get it to work:

                May I ask why you even care about that? What is the problem with Idle users?

                -Rico

                Just wanted to mention another reason you'd want/need to do this.
                My company is going through steps to meet NIST requirements needed for certain government/military contract jobs. Auto disconnect on things like VPN, RDP and SSH are things that have to be done.

                I've been having issues with this as well and found this post just now so I'm going to go try the things mentioned here.

                1 Reply Last reply Reply Quote 0
                • J
                  jharrison
                  last edited by

                  And it worked. Thank you @rkgraves
                  I did push "inactive 900 500000" for 15 minutes and less than roughly 500 kb
                  I can finally close out this NIST item on my action board.

                  1 Reply Last reply Reply Quote 0
                  • R
                    rkgraves
                    last edited by

                    jharrison,

                    You are Very Welcome and Thanks for contributing to this thread. Glad you got it working!

                    RKGraves

                    1 Reply Last reply Reply Quote 0
                    • M
                      M0L50N @rkgraves
                      last edited by M0L50N

                      @rkgraves Can you please just explain to me how to push it to a mobile client from the server side?
                      I don't find anything in the OpenVPN server settings about how to push a parameter.

                      Thanks

                      R 1 Reply Last reply Reply Quote 0
                      • R
                        rkgraves @M0L50N
                        last edited by

                        @m0l50n
                        Hello,

                        In pfSense navigate to - VPN / OpenVPN / Servers and click on the "pencil" to Edit your Server.

                        In the Edit screen scroll all the way down (almost to the bottom) and find - Advanced Configuration. Under Advanced Configuration select Custom Options.

                        In Custom Options I have the below line entered
                        push "inactive 3600 1000000"

                        Hope this is Helpful! Really Great to have idle VPN connections automatically disconnect.

                        Best Regards,
                        R.K. Graves

                        1 Reply Last reply Reply Quote 0
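An added example, not part of any post in this thread: a small audit that reads OpenVPN options (a client config or the pfSense Custom Options text), finds each `inactive` directive whether set locally or via `push`, and checks whether a session producing background traffic would actually be dropped. The function names, the sample inputs and the simplified idle model are assumptions made for illustration; the 500 KB per hour idle rate is the figure reported above.

```python
import shlex

def find_inactive(config_text):
    """Yield (origin, seconds, min_bytes) for every 'inactive' directive.
    origin is "push" for push "inactive ..." and "local" otherwise;
    min_bytes is None when only a time value was given."""
    for raw in config_text.splitlines():
        line = raw.strip().rstrip(";")   # tolerate a trailing ';' separator
        if not line or line[0] in "#;":  # blank line or comment
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:               # unbalanced quotes: skip the line
            continue
        origin = "local"
        if len(tokens) == 2 and tokens[0] == "push":
            origin, tokens = "push", tokens[1].split()
        if len(tokens) >= 2 and tokens[0] == "inactive" and tokens[1].isdigit():
            has_bytes = len(tokens) > 2 and tokens[2].isdigit()
            yield origin, int(tokens[1]), int(tokens[2]) if has_bytes else None

def session_dropped(min_bytes, bytes_in_window):
    """Simplified model: with a byte threshold, a window carrying fewer than
    min_bytes counts as idle; with time only, any traffic keeps it alive."""
    if min_bytes is None:
        return bytes_in_window == 0
    return bytes_in_window < min_bytes

def audit(config_text, max_idle_seconds, idle_bytes_per_hour):
    """Return one (origin, verdict) pair per inactive directive found."""
    findings = []
    for origin, seconds, min_bytes in find_inactive(config_text):
        window_bytes = idle_bytes_per_hour * seconds // 3600
        if seconds == 0:
            verdict = "disabled"
        elif seconds > max_idle_seconds:
            verdict = "timeout too long"
        elif not session_dropped(min_bytes, window_bytes):
            verdict = "idle traffic keeps session up"
        else:
            verdict = "ok"
        findings.append((origin, verdict))
    return findings or [("none", "no inactive directive")]

if __name__ == "__main__":
    # Constructed sample inputs, checked against a 1 hour idle policy.
    for sample in ('inactive 3600\nping-exit 60',
                   'push "inactive 3600 1000000"'):
        print(repr(sample), "->", audit(sample, 3600, 500_000))
```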
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.