Idle disconnect client



  • Is there any option to disconnect OpenVPN clients if they are idle for some time (e.g. 5 min)? I didn't find anything obvious and I wonder if there is something to push in the advanced configuration.


  • Rebel Alliance Developer Netgate

    try this in the advanced options:

    inactive 300
    

    For 5 minutes (60*5)



  • This works, but the client becomes yellow and reconnects after some seconds.

    pfSense disconnects the client and I can see the log entry:

    openvpn[32711]: apant/xxx.xxx.xxx.xxx:33913 Inactivity timeout (--inactive), exiting

    Now I should find a way to make the client stop reconnecting.


  • Rebel Alliance Developer Netgate

    Yeah if the client has "keepalive" in their config it will reconnect when the connection is dropped/lost.



  • There is no keepalive in my connection  ???

    This is my client configuration:

    dev tun
    persist-tun
    persist-key
    proto tcp-client
    cipher BF-CBC
    tls-client
    client
    resolv-retry infinite
    remote xxx.xxx.xxx.xxx 1194
    auth-user-pass
    pkcs12 pfsense-TCP-1194.p12
    tls-auth pfsense-TCP-1194-tls.key 1
    comp-lzo

    I tried to remove

    resolv-retry infinite
    persist-tun
    persist-key

    but nothing. Reconnects continuously.


  • Rebel Alliance Developer Netgate

    Try adding:

    ping-restart 0
    

  • Rebel Alliance Developer Netgate

    You could also use "ping-exit" to make the client quit when it gets disconnected.



  • When I use the ping-exit command, the client does not connect and I can see the following error in the server logs:

    openvpn[29870]: Options error: --keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.

    I do not use keepalive  ???


  • Rebel Alliance Developer Netgate

    Is the client a PC or another pfSense box?

    pfSense adds the keepalive in there automatically.

    You wouldn't want to use ping-exit for a site-to-site tunnel. You really don't even want to disconnect those. What are you trying to accomplish/avoid here?

    Disconnecting idle remote access clients makes sense, disconnecting a site-to-site tunnel doesn't. Not the way OpenVPN operates.



  • In this situation there is no tunnel. It is a pfSense server with Windows clients who work from home and leave the client open when they finish. I use a 6-user restriction because of the limited bandwidth. If they forget to close the client, other users cannot connect to synchronize their software. That's why I want this solution.


  • Rebel Alliance Developer Netgate

    Then put ping-exit in the client config and make sure they have no keepalive or ping-restart in the client config.

    The only thing you can do on the server side is specify the inactive parameter I showed earlier.


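A small checker for the configuration advice in this thread, as an added example that is not part of any post: it reads an OpenVPN config, reports the server-side `inactive` timeout, and flags client settings that go against the final advice (`ping-exit` present, no `keepalive` or `ping-restart`). The function names and the `ping-exit 60` value used when testing it are assumptions.

```python
# Added example: directive names come from the thread; function names are
# hypothetical. Run it on a client config before handing it to users.
PING_FAMILY = {"ping", "ping-exit", "ping-restart"}  # named in the server log error

def parse_directives(text):
    """Map directive name -> argument list, skipping blank and comment lines."""
    lines = (l.strip() for l in text.splitlines())
    rows = [l.split() for l in lines if l and l[0] not in "#;"]
    return {r[0].lstrip("-"): r[1:] for r in rows}

def server_idle_seconds(text):
    """Return the server-side 'inactive' timeout in seconds, or None if unset."""
    args = parse_directives(text).get("inactive")
    return int(args[0]) if args else None

def audit_client(text):
    """List deviations from the thread's advice for a remote-access client."""
    d = parse_directives(text)
    issues = []
    clash = sorted(PING_FAMILY & d.keys())
    if "keepalive" in d and clash:
        issues.append("keepalive conflicts with " + ", ".join(clash))
    elif "keepalive" in d:
        issues.append("keepalive present: client reconnects after a drop")
    if "ping-restart" in d:
        issues.append("ping-restart present: remove it")
    if "ping-exit" not in d:
        issues.append("ping-exit missing: client will not quit on disconnect")
    return issues

# Client config as posted in the thread (address redacted there).
THREAD_CLIENT = """dev tun
persist-tun
persist-key
proto tcp-client
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1194
auth-user-pass
pkcs12 pfsense-TCP-1194.p12
tls-auth pfsense-TCP-1194-tls.key 1
comp-lzo
"""

if __name__ == "__main__":
    print("server idle timeout:", server_idle_seconds("inactive 300"))
    print("client issues:", audit_client(THREAD_CLIENT))
```
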