Idle disconnect client
-
Is there any option to disconnect OpenVPN clients if they are idle for some time (e.g. 5 min)? I didn't find anything obvious, and I wonder if there is something to push in the advanced configuration.
-
Try this in the advanced options:
inactive 300
For 5 minutes (60*5)
-
This works, but the client becomes yellow and reconnects after some seconds.
pfSense disconnects the client and I can see the log entry:
openvpn[32711]: apant/xxx.xxx.xxx.xxx:33913 Inactivity timeout (--inactive), exiting
Now I should find a way to make the client stop reconnecting.
-
Yeah if the client has "keepalive" in their config it will reconnect when the connection is dropped/lost.
-
There is no keepalive in my connection???
This is my client configuration:
dev tun
persist-tun
persist-key
proto tcp-client
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1194
auth-user-pass
pkcs12 pfsense-TCP-1194.p12
tls-auth pfsense-TCP-1194-tls.key 1
comp-lzo
I tried to remove
resolv-retry infinite
persist-tun
persist-key
but nothing. Reconnects continuously.
-
Try adding:
ping-restart 0
-
You could also use "ping-exit" to make the client quit when it gets disconnected.
-
When I use the ping-exit command the client does not connect and I can see the following error in the server logs:
openvpn[29870]: Options error: --keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.
I do not use keepalive???
-
Is the client a PC or another pfSense box?
pfSense adds the keepalive in there automatically.
You wouldn't want to use ping-exit for a site-to-site tunnel. You really don't even want to disconnect those. What are you trying to accomplish/avoid here?
Disconnecting idle remote access clients makes sense, disconnecting a site-to-site tunnel doesn't. Not the way OpenVPN operates.
-
In this situation there is no tunnel. It is a pfSense server with Windows clients who work from home and forget to close the client when they finish. I use a 6-user restriction because of the limited bandwidth. If they forget to close the client, other users cannot connect to synchronize their software. That's why I want this solution.
-
Then put ping-exit in the client config and make sure they have no keepalive or ping-restart in the client config.
The only thing you can do on the server side is specify the inactive parameter I showed earlier.
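The thread's last two replies boil down to a rule about the client config: "ping-exit" only does its job when no "keepalive" (which pfSense adds by itself) and no "ping-restart" is present, and "keepalive" together with any other --ping directive is rejected outright with the options error quoted above. The following checker is an added example, not code from the thread or from OpenVPN/pfSense. It parses a client config, expands "keepalive n m" the way the OpenVPN manual documents it for the client side (equivalent to "ping n" plus "ping-restart m"), reports whether the config will restart or exit on an inactivity timeout, and rewrites it to use "ping-exit". The sample config is constructed from the one posted above with a "keepalive" line added; the function names and the 300-second value are my own choices.

```python
# Added example (not from the thread): check and rewrite the OpenVPN client
# directives discussed above. Only the documented interactions are modelled:
#   - "keepalive n m" on a client == "ping n" + "ping-restart m"
#   - "keepalive" combined with ping / ping-exit / ping-restart is an options error
#   - "ping-restart" (non-zero) restarts the session, "ping-exit" ends the process
PING_DIRECTIVES = {"ping", "ping-exit", "ping-restart"}

# Constructed sample, based on the client config posted in the thread, plus the
# "keepalive" line pfSense generates on its own clients.
SAMPLE_CLIENT_CONFIG = """\
dev tun
persist-tun
persist-key
proto tcp-client
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1194
auth-user-pass
pkcs12 pfsense-TCP-1194.p12
tls-auth pfsense-TCP-1194-tls.key 1
comp-lzo
keepalive 10 60
"""


def parse_config(text):
    """Return a list of (directive, [args]) tuples, skipping blanks, comments
    and inline <ca>...</ca> style blocks, which this check does not need."""
    entries = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line.startswith("</"):
                in_block = False
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):
            in_block = True
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def analyse(text):
    """Describe how the client reacts when the server drops it for inactivity."""
    entries = parse_config(text)
    directives = {d for d, _ in entries}
    keepalive = next((a for d, a in entries if d == "keepalive"), None)
    # The server log in the thread: keepalive may not be mixed with the
    # explicit ping directives, so flag any such combination.
    conflicts = sorted(directives & PING_DIRECTIVES) if keepalive else []
    ping_exit = next((a for d, a in entries if d == "ping-exit"), None)
    ping_restart = next((a for d, a in entries if d == "ping-restart"), None)
    if keepalive and len(keepalive) == 2:
        # keepalive n m on the client expands to ping n + ping-restart m
        ping_restart = ping_restart or [keepalive[1]]
    return {
        "keepalive": keepalive,
        "conflicts": conflicts,
        "options_error": bool(conflicts),
        # A non-zero ping-restart is the "goes yellow, then reconnects" case
        "restarts_on_timeout": ping_restart is not None and ping_restart != ["0"],
        "exits_on_timeout": ping_exit is not None and ping_exit != ["0"],
    }


def make_idle_exit_config(text, seconds):
    """Rewrite a client config so it exits after `seconds` without traffic
    from the server. keepalive and ping-restart are dropped because they
    conflict with, or override, ping-exit."""
    drop = {"keepalive", "ping-restart", "ping-exit"}
    kept = [line for line in text.splitlines()
            if (line.split() or [""])[0] not in drop]
    kept.append(f"ping-exit {int(seconds)}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(analyse(SAMPLE_CLIENT_CONFIG))
    print(make_idle_exit_config(SAMPLE_CLIENT_CONFIG, 300))
```

Run against the sample, the original config is reported as restarting on timeout (because of keepalive), adding "ping-exit 300" on top of it is reported as an options error, and the rewritten config is reported as exiting on timeout with no conflict, which is the combination the last reply asks for. The server-side "inactive 300" from the earlier answer is unaffected by any of this.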