Tutorial: Set the Threshold to Disconnect Inactive Clients
This tutorial describes adjusting Access Server's threshold for disconnecting inactive clients.
Overview
This tutorial shows how to adjust Access Server's threshold for disconnecting inactive clients.
Access Server can push a command to a connected OpenVPN client with the instruction to gracefully disconnect when the connection is in a very low-use state (idling). This is determined by a threshold of the number of bytes transferred over a span of time. When the OpenVPN tunnel is not being actively used, the OpenVPN client automatically disconnects itself.
An installed Access Server.
Console access and the ability to get root access.
You can set the disconnect threshold at the global, group, or user level. Determine which level you want to adjust your threshold settings and use the appropriate value:
To set the threshold globally, use __DEFAULT__ as the <USER_OR_GROUP> in the commands in step 2.
To set the threshold at a group level, use the group's name as the <USER_OR_GROUP> in the commands in step 2.
To set the threshold at a user level, use the user's name as the <USER_OR_GROUP> in the commands in step 2.
Tip
To get an idea of normal background bandwidth use:
Sign in to the Admin Web UI.
Click Current Users.
Take note of the bytes sent by active VPN connections.
Sent and received bytes are added together, so if you upload 10 kilobytes and download 20 kilobytes, the total is 30 kilobytes of traffic. For example, if the connection is not actively used, and you see 50 kilobytes over five minutes, then consider setting the threshold to 100 kilobytes over five minutes. The connection will then be dropped automatically if it transfers less than 100 kilobytes in a five-minute period. You will need to experiment with this a bit to suit your situation.
Sign in to the console.
Switch to the scripts directory:
cd /usr/local/openvpn_as/scripts/
Set the disconnect threshold:
./sacli --user <USER_OR_GROUP> --key "prop_isec" --value <VALUE> UserPropPut
./sacli --user <USER_OR_GROUP> --key "prop_ibytes" --value <VALUE> UserPropPut
./sacli start
<USER_OR_GROUP>: Use the value from step 1 for your preferred level (global, group, or user).
prop_isec: Set the value to the length, in seconds, of the period over which bytes in/out are counted.
prop_ibytes: Set the value to the minimum number of bytes that must be transferred within prop_isec seconds for the connection to continue.
For example, suppose you want to disconnect users in the admin group (admin-group) when the transmit/receive is below 100000 bytes over a period of five minutes. You would run this command:
./sacli --user "admin-group" --key "prop_isec" --value 300 UserPropPut
./sacli --user "admin-group" --key "prop_ibytes" --value 100000 UserPropPut
./sacli start
Important
This setting doesn't override session token expiration. The overall session timeout takes priority over this activity threshold. Furthermore, it is up to the VPN client to respect the disconnect—it may be ignored. If you redirect all client internet traffic through the VPN, it will be harder to define the exact threshold to disconnect a user compared to simply using a split-tunnel setup where only specific traffic goes through the OpenVPN tunnel.
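The Tip above suggests measuring idle traffic before picking values. The following sketch is an added example, not part of Access Server or its documentation: it replays two constructed traffic traces against candidate prop_isec/prop_ibytes values so you can see whether an idle session would be dropped while a busy one stays connected. The trace format, the function names and the fixed-window evaluation are assumptions of the example.

```shell
#!/bin/sh
# Added example, not OpenVPN's code. Sample format (constructed):
#   <seconds since connect> <bytes sent in interval> <bytes received in interval>
IDLE_SAMPLES='0 4000 6000
60 3000 7000
120 5000 5000
180 2000 8000
240 4000 6000'
BUSY_SAMPLES='0 200000 900000
90 150000 700000
200 100000 400000
310 50000 80000
450 30000 60000'

# window_totals ISEC: print "<window index> <tx+rx bytes>" for each ISEC-second
# window. Fixed, non-overlapping windows are an assumption of this sketch.
# Windows with no samples count as zero traffic.
window_totals() {
    awk -v isec="$1" '
        NF == 3 { w = int($1 / isec); total[w] += $2 + $3; if (w > last) last = w }
        END { for (i = 0; i <= last; i++) printf "%d %d\n", i, total[i] + 0 }'
}

# first_idle_window ISEC IBYTES: index of the first window whose combined
# traffic is below IBYTES (where a disconnect would trigger), or "none".
first_idle_window() {
    window_totals "$1" | awk -v min="$2" '
        $2 < min { print $1; hit = 1; exit }
        END { if (!hit) print "none" }'
}

# candidate_ok ISEC IBYTES: succeed only if the idle trace would be dropped
# and the busy trace would never fall below the threshold.
candidate_ok() {
    [ "$(printf '%s\n' "$IDLE_SAMPLES" | first_idle_window "$1" "$2")" != none ] &&
    [ "$(printf '%s\n' "$BUSY_SAMPLES" | first_idle_window "$1" "$2")" = none ]
}

# Compare the page's example values (300 s, 100000 bytes) with two alternatives.
for ibytes in 40000 100000 250000; do
    if candidate_ok 300 "$ibytes"; then verdict="ok"; else verdict="rejected"; fi
    echo "prop_isec=300 prop_ibytes=$ibytes: $verdict"
done
```

A threshold that is too low leaves idle sessions connected, and one that is too high disconnects users during quiet stretches of real work, so test candidates against traces from both kinds of session.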