Tutorial: Set the Threshold to Disconnect Inactive Clients
This tutorial describes how to adjust Access Server's threshold for disconnecting inactive clients.
Overview
Access Server can send a command to a connected OpenVPN client, instructing it to gracefully disconnect when the connection is in a low-use state (idling). This is determined by a threshold of the number of bytes transferred within a specified time frame. When the OpenVPN tunnel is not being actively used, the OpenVPN client automatically disconnects itself.
Prerequisites
An installed Access Server.
Console access and the ability to get root access.
You can set the disconnect threshold at the global, group, or user level. Determine which level you want to adjust your threshold settings and use the appropriate value:
To set the threshold globally, use __DEFAULT__ as the <USER_OR_GROUP> in the commands in step 2.
To set the threshold at a group level, use the group's name as the <USER_OR_GROUP> in the commands in step 2.
To set the threshold at a user level, use the user's name as the <USER_OR_GROUP> in the commands in step 2.
Tip
To get an idea of normal background bandwidth use:
Sign in to the Admin Web UI.
Click Current Users.
Take note of the bytes sent by active VPN connections.
The data is added up for both transmit/receive, so if you upload 10 kilobytes and download 20 kilobytes, the total is 30 kilobytes of traffic. For example, if the connection is not actively used and you see 50 kilobytes over a five-minute period, consider setting the threshold to 100 kilobytes over the same five-minute period. Then, the connection will be dropped automatically if it transfers less than 100 kilobytes in a five-minute period. You will obviously need to experiment with this to suit your specific situation.
Sign in to the console.
Switch to the scripts directory:
cd /usr/local/openvpn_as/scripts/
Set the disconnect threshold:
./sacli --user <USER_OR_GROUP> --key "prop_isec" --value <VALUE> UserPropPut
./sacli --user <USER_OR_GROUP> --key "prop_ibytes" --value <VALUE> UserPropPut
./sacli start
<USER_OR_GROUP>: Use the value from step 1 for your preferred level (global, group, or user).
prop_isec: Set the value to the number of seconds over which to send bytes in/out.
prop_ibytes: Set the value to the minimum number of bytes over prop_isec to allow the connection to continue.
For example, suppose you want to disconnect users in the admin group (admin-group) when the transmit/receive is below 100000 bytes over a period of five minutes. You would run these commands:
./sacli --user "admin-group" --key "prop_isec" --value 300 UserPropPut
./sacli --user "admin-group" --key "prop_ibytes" --value 100000 UserPropPut
./sacli start
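The following script is an added example, not part of the Access Server documentation. It applies the Tip's approach (take the observed idle traffic and add headroom) and prints the three sacli commands for review instead of running them. The function names, the margin parameter, the sample byte counts, and the character set allowed in the target name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Access Server documentation.

# suggest_ibytes MARGIN SAMPLE...
# Each SAMPLE is the total bytes (sent + received) one idle connection moved
# during a single prop_isec window. Prints the largest sample times MARGIN.
suggest_ibytes() {
    margin=$1; shift
    case $margin in ''|*[!0-9]*|0*) echo "bad margin: $margin" >&2; return 1 ;; esac
    max=0
    for s in "$@"; do
        case $s in ''|*[!0-9]*|0?*) echo "bad sample: $s" >&2; return 1 ;; esac
        if [ "$s" -gt "$max" ]; then max=$s; fi
    done
    echo $((max * margin))
}

# idle_threshold_cmds TARGET ISEC IBYTES
# TARGET is __DEFAULT__, a group name, or a user name. The allowed character
# set is a conservative assumption of this example, not an Access Server rule.
idle_threshold_cmds() {
    target=$1; isec=$2; ibytes=$3
    case $target in
        ''|*[!A-Za-z0-9_.@-]*) echo "refusing target: $target" >&2; return 1 ;;
    esac
    for n in "$isec" "$ibytes"; do
        case $n in ''|*[!0-9]*|0*) echo "not a positive integer: $n" >&2; return 1 ;; esac
    done
    printf './sacli --user "%s" --key "prop_isec" --value %s UserPropPut\n' "$target" "$isec"
    printf './sacli --user "%s" --key "prop_ibytes" --value %s UserPropPut\n' "$target" "$ibytes"
    printf './sacli start\n'
}

# Constructed samples: bytes moved by three idle sessions over five minutes.
# The margin of 2 mirrors the Tip (50 kilobytes observed, threshold 100).
ibytes=$(suggest_ibytes 2 41000 50000 37500) &&
    idle_threshold_cmds "admin-group" 300 "$ibytes"
```

Run the printed commands from the scripts directory as root once the values look right for your traffic.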
Important
This setting doesn't override session token expiration. The overall session timeout takes priority over this activity threshold. Furthermore, it is up to the VPN client to respect the disconnect—it may be ignored. If you redirect all client internet traffic through the VPN, it will be harder to define the exact threshold to disconnect a user compared to simply using a split-tunnel setup where only specific traffic goes through the OpenVPN tunnel.