Disconnect inactive clients after 2 hours
-
Hello,
Where I work, we have a pfSense VM deployed just for OpenVPN connectivity (because I got tired of Windows updates breaking the client VPN functionality of our Meraki MX appliance). It works great, but due to customer requirements and the fact that we are working on our SOC 2 Type II certification, we need to make sure clients disconnect after two hours of not using the VPN. Not a problem, I configured that, or so I thought. Windows, however, has other ideas. It is always active over the VPN, so it doesn't let the clients disconnect. Is there a way to configure OpenVPN on pfSense to differentiate between active client usage and passive client usage?
Some examples of active client usage for us are:
- Connecting to lab phone and voicemail systems
- Checking code in and out
- Connecting via RDP to systems in the datacenter
- Connecting to the web interface of systems in the datacenter
- Browsing the internet over the VPN
Passive client usage for us would be:
- End user locks their computer for the night, or for more than two hours
  - Windows starts downloading update files to pre-cache them
  - Teams and Outlook are running
  - Anything else
I am really at a loss and getting tired of random notification emails in the middle of the night saying they got locked out by Duo (our MFA provider). Or even worse, a Teams message at 5 am (before I'm even up) from a developer saying they can't connect to the VPN because they left their laptop connected to the VPN overnight against policy (which says turn your laptop off at the end of the day, but we all know no one listens to that). I would even take a config option in the file I install on everyone's laptop that won't automatically try to reconnect to the VPN endlessly if they get disconnected, but my Google-fu hasn't found that either.
-
@shaunmccloud You've tried the inactive switch on their client .ovpn configs?
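As an added illustration of the reply above (this is not a config from the original thread or from the pfSense project), here is a client-side .ovpn fragment using OpenVPN's inactive directive. Its optional second argument is a byte threshold: the client exits only if fewer than that many bytes crossed the tunnel in the window, which is what lets low-volume background chatter (Teams presence, Outlook polling) count as idle while real use keeps the session alive. The 7200-second window, the 5 MB threshold, and the connect-retry-max value are constructed values, not recommendations from the thread; the reference to pfSense's "Custom options" box on the server is an assumption about where a server-side push would go.

```conf
# Client .ovpn fragment (added example). Disconnect after two hours
# (7200 s) unless more than ~5 MB has crossed the tunnel in that time.
# Without the byte argument, any single packet resets the timer, which
# is why an always-chatty Windows client never goes idle.
inactive 7200 5000000

# Give up after a bounded number of reconnect attempts instead of
# retrying forever once the client has been disconnected.
connect-retry-max 3

# Alternatively, push the same timeout from the pfSense server so the
# per-user .ovpn files need no edits (goes in the server's Custom
# options box; pushed values override a client's own inactive line):
# push "inactive 7200 5000000"
```

Two caveats from a defender's point of view: a Windows Update download will exceed any sane byte threshold, so this alone will not catch every passive session, and connect-retry-max only limits retries after a failed connection, so it should be tested against your actual disconnect path (Duo lockout versus server-initiated drop) before rolling it out fleet-wide.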