How to Update and View Timeout Session in OpenVPN Access Server?
OpenVPN Access Server (AS) is a paid package based on OpenVPN Server that simplifies management of users and connections, and even LDAP integration, through a web interface.
This helps deploy a VPN solution for multiple users in a matter of minutes.
However, OpenVPN AS comes with a 24-hour session timeout period by default. Having to reconnect to the OpenVPN Server and start your processes all over again can be taxing at times.
OpenVPN AS uses SQLite at the backend to store its certificates, configuration, logs and user-related data.
The data stored in SQLite is in encrypted format, and OpenVPN AS provides a "sqlite3" script to decrypt it to text format.
All of the OpenVPN AS scripts are located in "/usr/local/openvpn_as/scripts" and all of the related databases are stored in "/usr/local/openvpn_as/etc/db".
i) To view the current OpenVPN AS session timeout, run this script:
[sourcecode language="bash"]
/usr/local/openvpn_as/scripts/sqlite3 /usr/local/openvpn_as/etc/db/config.db .dump > /tmp/config.txt
[/sourcecode]
Now view the config.txt file and locate "vpn.server.session_expire" and its corresponding value in seconds.
In the above picture, session timeout is specified as 604800 seconds, equivalent to 7 days.
To change the timeout period, OpenVPN AS provides another script, "sacli".
ii) To set your own customized session timeout, say 30 days (2592000 seconds), use the "sacli" script as follows:
[sourcecode language="bash"]
/usr/local/openvpn_as/scripts/sacli --key vpn.server.session_expire --value 2592000 ConfigPut
[/sourcecode]
iii) To reload the configuration, run the command below. Don't worry, it will not stop your running server:
[sourcecode language="bash"]
/usr/local/openvpn_as/scripts/sacli start
[/sourcecode]
OpenVPN AS will now run smoothly without dropping any connections for a period of 30 days. The value can be customized according to your requirements.
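Since the session timeout limits how long an authenticated session stays valid, it is worth checking the configured value against a policy maximum after changing it. The script below is an added example, not part of the original post or of OpenVPN AS: it reads `vpn.server.session_expire` from the text dump produced in step i and flags values above a limit. The sample dump rows, their `INSERT` layout, the function names and the 7-day limit are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit vpn.server.session_expire from a config.db text dump.

# Write a CONSTRUCTED two-row sample dump (row layout is an assumption).
make_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO config VALUES(1,'example.other.key','true');
INSERT INTO config VALUES(1,'vpn.server.session_expire','2592000');
EOF
}

# Print the configured value in seconds; prints nothing if the key is absent.
get_session_expire() {
    grep -F "'vpn.server.session_expire'" "$1" | tail -n 1 |
        sed -nE "s/.*'vpn\.server\.session_expire'[[:space:]]*,[[:space:]]*'?([0-9]+)'?.*/\1/p"
}

# Convert seconds to days/hours/minutes, e.g. 604800 -> "7d 0h 0m".
humanize_seconds() {
    printf '%dd %dh %dm\n' $(($1 / 86400)) $(($1 % 86400 / 3600)) $(($1 % 3600 / 60))
}

# Exit status: 0 within policy, 1 above policy maximum, 2 key not in dump,
# 3 value is 0 (meaning not stated on this page, so flag for manual review).
audit_session_expire() {
    local dump="$1" max="$2" value
    value="$(get_session_expire "$dump")"
    if [ -z "$value" ]; then
        echo "vpn.server.session_expire not found in $dump"; return 2
    fi
    if [ "$value" -eq 0 ]; then
        echo "REVIEW: session_expire=0"; return 3
    fi
    if [ "$value" -gt "$max" ]; then
        echo "WARN: session_expire=${value}s ($(humanize_seconds "$value")) > max ${max}s"
        return 1
    fi
    echo "OK: session_expire=${value}s ($(humanize_seconds "$value"))"
}

# Demo on the constructed sample with a hypothetical 7-day policy maximum.
demo_dump="$(mktemp)"
make_sample_dump "$demo_dump"
audit_session_expire "$demo_dump" 604800 || echo "audit exit status: $?"
rm -f "$demo_dump"
```

On a server, pass the /tmp/config.txt file from step i as the first argument, and delete that file afterwards, since the dump holds the rest of the server configuration as well.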
With a site to site connection (pfSense client to AWS OpenVPN-AS), I never want the session to timeout. Can this be accomplished correctly by setting vpn.server.session_expire = 0; ??? I want to continue renegotiating the auth-token (I’m not comfortable with “reneg-sec 0” ) but I don’t ever want the connection to go down. Is this the right approach?
Hi Vaibhav,
I have gone through the steps from your article "How to Update and View Timeout Session in OpenVPN Access Server?".
I set the client timeout to 12 hours and restarted the SA Daemon.
It's not working as expected. The clients are still connected to the VPN access server after 12 hours.
Can you please help me to sort out the issue?
Regards,
Bharath