Inactive setting - Can't get it to work



  • Goal: automatically disconnect inactive VPN clients.

    Setup: pfSense v2.4.5 with near-default IPv4 & IPv6 OpenVPN server configured. Windows 10 & macOS clients.

    From the OpenVPN documentation and pfSense forums my best understanding is to use the "inactive" and/or "ping-exit" settings in the client config file. I can't get this to work. I've tried inactive values of both seconds and bytes and seconds + bytes, along with "ping-exit" without success. The client simply will not automatically disconnect.

    What am I missing?

    Thank You for Your Help!


  • LAYER 8 Rebel Alliance

    May I ask why you even care about that? What is the problem with Idle users?

    -Rico



  • @rkgraves said in Inactive setting - Can't get it to work:

    The client simply will not automatically disconnect.

    Oh, they will see the connection going down, but they also do what they should do: they will re-establish the connection.
    It's up to the user of the device that runs the OpenVPN client to connect - and disconnect.

    I guess, if there is something you can do, it should be done with the OpenVPN client, that is: the ovpn configuration file you exported to that client.
    There is only one fast method to find out: read the OpenVPN manuals and see if such a possibility exists.



  • Rico,

    There is a problem I have observed where a user establishes an OpenVPN connection on one device, forgets to close the connection, and then later moves to a different device and establishes a 2nd OpenVPN connection using the same account & credentials.

    The 2nd VPN connection is problematic; inconsistencies in the user's ability to access resources. Closing the first connection solves the problem. I've observed this several times with my own account and perhaps should have documented it more thoroughly. I have since come to realize that when I see this behavior I go looking for a previously established idle connection.

    Making progress in getting this working. Best solution so far is to add Push "Inactive xxxx" & Push "Ping-exit xx" on the server side. Working now to get better control over the amount of idle time/bytes before the connection is dropped. On the user's side they will see a dialog box showing the connection was dropped and not automatically re-established.

    RKGraves



  • Community,

    Just a note to follow-up on this: Using the OpenVPN Inactive settings to disconnect idle users. We did get this to work!

    Adding to the client config: inactive 3600 1000000

    or, adding to the client settings on the pfSense-OpenVPN server: push "inactive 3600 1000000"

    is dropping idle connections after roughly 1 hour of inactivity. The way I interpret this is - if less than 1000000 of data crosses the wire within a 60 minute window of time, then the connection will be determined inactive and closed.

    I.e. 3600 is a time out value given in seconds, 3600 = 60 minutes. 100000 is a value given in bytes and seems like a lot, but not really. We found that a typical idle connection produced +/- 500 KBytes an hour. An odd observation was that some idle connections would produce initially way more data than others, but would eventually settle down to the less than 1000000 bytes in 60 minutes and be terminated.

    The learning curve was that setting an inactive time value alone was not sufficient, as even with an idle session there is still a notable amount of packets going back and forth across the wire.

    Thank You to Those who offered input and to Netgate Support for their prompt and helpful information.

    Best Regards,
    Randy Graves
    North Idaho College
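
An added example, not part of the original thread and not pfSense or OpenVPN code: one way to choose the byte value for `inactive 3600 1000000` is to measure what each session actually transfers over the window before pushing the setting. It assumes two snapshots of an OpenVPN server status file (status-version 1 layout) taken an hour apart; the snapshots, user names and addresses below are constructed, and the status counters are only an approximation of the traffic that `inactive` measures.

```python
import csv
from io import StringIO

# Constructed sample snapshots (status-version 1 layout), taken one hour apart.
SNAP_T0 = """OpenVPN CLIENT LIST
Updated,Thu Jun 18 07:00:00 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:51234,3000000,2000000,Thu Jun 18 05:10:00 2020
bob,198.51.100.7:40022,1500000,500000,Thu Jun 18 06:30:00 2020
ROUTING TABLE
"""
SNAP_T1 = """OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:00:00 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:51234,3300000,2180000,Thu Jun 18 05:10:00 2020
bob,198.51.100.7:40022,6000000,3500000,Thu Jun 18 06:30:00 2020
carol,192.0.2.44:55110,90000,40000,Thu Jun 18 07:45:00 2020
ROUTING TABLE
"""

def parse_client_list(status_text):
    """Map (common name, real address) -> combined received + sent bytes."""
    sessions, in_clients = {}, False
    for row in csv.reader(StringIO(status_text)):
        if not row:
            continue
        if row[0] == "Common Name":      # header line of the client section
            in_clients = True
        elif row[0] == "ROUTING TABLE":  # client section is over
            break
        elif in_clients and len(row) >= 4:
            sessions[(row[0], row[1])] = int(row[2]) + int(row[3])
    return sessions

def idle_sessions(before, after, min_bytes):
    """Sessions in both snapshots whose combined traffic delta is below min_bytes."""
    old, new = parse_client_list(before), parse_client_list(after)
    idle = {}
    for key, total in new.items():
        # Skip sessions that started (or restarted, resetting counters) in between.
        if key in old and total >= old[key]:
            delta = total - old[key]
            if delta < min_bytes:
                idle[key] = delta
    return idle

if __name__ == "__main__":
    for (name, addr), delta in idle_sessions(SNAP_T0, SNAP_T1, 1_000_000).items():
        print(f"{name} {addr}: {delta} bytes in window, below threshold")
```

Running the comparison at several candidate thresholds shows which sessions a given byte value would treat as idle, which helps avoid a value so low that background traffic keeps every session alive.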

