openvpn
connection management: Implement session timeout parameter.
In multiple cases it is important to limit user connection time. At the moment it is only possible by using the management console and writing a complicated script to follow connection status.
There is an easier way to do that now. The "session" parameter allows defining a timeout in seconds after which the user will be disconnected. Session timeout can be declared globally or per user in a ccd file. The session is started at the moment the user connects to the VPN and will be automatically terminated when the timer reaches zero.
This feature can be used together with Radiusplugin for OpenVPN in order to support the Session-Timeout attribute.
Patch for Radiusplugin is coming as well.
Sorry for being such slackers regarding patches. This is actually interesting work and might help me solve a problem I have at a customer site :-) - so, reviving this, and will look into it.
If you have time, rebasing the patch would be welcome, to ensure it still applies to latest master (options.c tends to change a lot, and quite often breaks patches adding new options).
No problem, I'll try to rebase my work. But to make it work, you need to install a separate plugin for Radius authentication. I had to patch it as well.
Hi,
On Tue, Jun 07, 2016 at 02:33:36PM -0700, Dmitry Zelenkovsky wrote:
> No problem, I'll try to rebase my work. But to make it work, you need to install a separate plugin for Radius authentication. I had to patch it as well.
Shouldn't it work by passing the parameter from a ccd/ file or a client-connect script? Or by just setting it in the main config?
(All my users have the same rule, which is "nobody connects longer than 12h", so a global setting would be fine)
gert
USENET is not the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany fax: +49-89-35655025
Yes, it works in the following way:
- The Radius plugin handles authentication and writes a ccd file with the parameters received from the radius server.
- One of the parameters is Session-Timeout, and it is written into the ccd file like the others.
- After authentication is done, OpenVPN reads the ccd file and assigns the parameters to the session.
- It was implemented that the session timeout is read from the ccd file, and after this number of seconds OpenVPN disconnects.
- After the connection is broken, the Radius plugin deletes the ccd file (optional).
So the session timeout attribute can be assigned statically for a user by preparing a ccd file. Then the user will always be disconnected after the pre-defined number of seconds. Or, the better option, use the Radius authentication plugin, which will read the value from the Radius server.
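The ccd hand-off described in the comment above, as an added example that is not code from this PR or from the Radius plugin: it shows the checks a component writing the ccd file would want before a RADIUS-supplied value and a client-supplied name reach disk. Assumptions: the directive is spelled `session-timeout` (the name proposed later in this thread; the PR itself used `session`), the 12h cap is the global rule mentioned in the thread, and `ccd_line`, `write_ccd`, `MAX_SESSION` and the name policy in `CN_RE` are hypothetical.

```python
import os
import re
from pathlib import Path

MAX_SESSION = 12 * 3600  # assumed global cap: the "nobody connects longer than 12h" rule
# Assumed policy for names usable as ccd file names: no "/" and no leading dot.
CN_RE = re.compile(r"[A-Za-z0-9_@-][A-Za-z0-9_.@-]{0,63}")


def ccd_line(raw_timeout, cap=MAX_SESSION):
    """Render one ccd directive from a RADIUS Session-Timeout value."""
    text = str(raw_timeout).strip()
    # Digits only: a sign, a float, or an embedded newline followed by another
    # directive (a smuggled "push" or "iroute") is rejected outright.
    if not re.fullmatch(r"[0-9]{1,9}", text) or int(text) == 0:
        raise ValueError(f"bad Session-Timeout: {text!r}")
    # Directive name as proposed later in the thread; the PR itself used "session".
    return f"session-timeout {min(int(text), cap)}\n"


def write_ccd(ccd_dir, common_name, raw_timeout):
    """Write the per-user ccd file and return its path."""
    ccd_dir = Path(ccd_dir).resolve()
    # The file name comes from the client identity, so it must not be able to
    # leave ccd_dir ("../x") or name the directory itself ("." or "..").
    if not CN_RE.fullmatch(common_name):
        raise ValueError(f"unsafe ccd file name: {common_name!r}")
    target = ccd_dir / common_name
    if target.resolve().parent != ccd_dir:  # a symlink pointing outside ccd_dir
        raise ValueError(f"ccd path escapes {ccd_dir}")
    tmp = target.with_name("." + target.name + ".tmp")
    tmp.write_text(ccd_line(raw_timeout))
    os.replace(tmp, target)  # atomic: a reader never sees a half-written file
    return target


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample input
        print(write_ccd(d, "alice", "12000").read_text(), end="")
```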
Would love to see this get in 👍
Any of the involved parties would like to revive this PR and rebase it against latest master?
Moreover, any idea why the ping-timeout wouldn't be enough?
Hi,
On Sat, Sep 17, 2022 at 12:38:54PM -0700, Antonio Quartulli wrote:
> Moreover, any idea why the ping-timeout wouldn't be enough?
ping-timeout is active on inactivity. session-timeout is something like "you have paid for your VPN subscription until now + 3:20h, so we'll kick you out exactly at that point in time".
One could do this using renegotiation/reauth, or by kicking from the management interface, but if you want to have this integrated with radius servers telling you "this user needs to go in 3:20h", having something like that avoids having to have a management process around...
gert
-- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany
ok. Isn't --session-timeout a better name than --session ?
I took the freedom to recreate the patch (codebase was a bit different) and send it to the ml.
The patch includes the change below
> ok. Isn't --session-timeout a better name than --session ?
and gets rid of the _dowork() thing that is useless imho.
Closing this PR. Thanks!
@ordex Can you pls point me to the new patch? Will this be pushed to master? Would love to see it in, it could be quite useful for some of our customers. Thanks!