Idle disconnect client

  • Is there any option to disconnect open vpn clients if they are idle for some time (ex. 5min) ? I didn't find something obvious and I wonder if there is something to push at advanced configuration.

  • Rebel Alliance Developer Netgate

    try this in the advanced options:

    inactive 300

    For 5 minutes (60*5)

  • This works but client becomes yellow and reconnects after some seconds.

    Pfsense disconnects the client and I can see the log entry:

    openvpn[32711]: apant/ Inactivity timeout (–inactive), exiting

    Now I should find a way to make client stop reconection.

  • Rebel Alliance Developer Netgate

    Yeah if the client has "keepalive" in their config it will reconnect when the connection is dropped/lost.

  • There is no keepalive in my connection  ???

    This is my client configuration:

    dev tun
    proto tcp-client
    cipher BF-CBC
    resolv-retry infinite
    remote 1194
    pkcs12 pfsense-TCP-1194.p12
    tls-auth pfsense-TCP-1194-tls.key 1

    I tried to remove

    resolv-retry infinite

    but nothing. Reconnects continuously.

  • Rebel Alliance Developer Netgate

    Try adding:

    ping-restart 0

  • Rebel Alliance Developer Netgate

    You could also use "ping-exit" to make the client quit when it gets disconnected.

  • When I use the ping-exit command client does not connect and I can see the following error at server logs:

    openvpn[29870]: Options error: –keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.

    I do not use keepalive  ???

  • Rebel Alliance Developer Netgate

    Is the client a PC or another pfSense box?

    pfSense adds the keepalive in there automatically.

    You wouldn't want to use ping-exit for a site-to-site tunnel. You really don't even want to disconnect those. What are you trying to accomplish/avoid here?

    Disconnecting idle remote access clients makes sense, disconnecting a site-to-site tunnel doesn't. Not the way OpenVPN operates.

  • In this situation there is no tunnel. A pfsense server with windows clients who works from their home and they forget the client open when they finish. I use 6 user restriction because of the limited bandwidth. If they forget to close the client other users cannot connect to synchronize their software. That's why I want this solution.

  • Rebel Alliance Developer Netgate

    Then put ping-exit in the client config and make sure they have no keepalive or ping-restart in the client config.

    The only thing you can do on the server side is specify the inactive parameter I showed earlier.

Log in to reply