[eduVPN-deploy] OpenVPN session time limit, disabling v6, pool depletion

François Kooman fkooman at tuxed.net
Tue Mar 17 11:19:08 CET 2020


On 3/17/20 11:01 AM, Peter Macfarlane wrote:
> Hi

Hello Peter,

> We are deploying eduVPN as a VPN service for internal network access,
> I know that this is probably not the design use case for it but assume it
> should still be safe for that use case, the experience so far has been
> excellent, thanks very much for the excellent work.

This actually *is* one of, if not the most important, use cases we optimize for!

> Is there a way to set a session limit on OpenVPN? Our security guy
> would like the session to only exist for not more than 8hrs.

Yes. You can modify sessionExpiry in /etc/vpn-user-portal/config.php and
set it to PT8H. From then on, all OAuth tokens and VPN certificates will
expire after 8 hours. Users will be forced to log in again after that to
continue to use the VPN.

> Is there a way to disable IPv6, for our internal usage it is not
> relevant, while Happy Eyeballs will ignore it some other apps might
> be slightly delayed by being assigned an address which goes nowhere?

There's currently no way to disable IPv6. From the very start we built
the service to support native IPv4 and IPv6. That being said, you can
issue a "private" IPv6 address and drop all IPv6 traffic on the VPN
server...

> Probably being lazy and should test myself, but the address pool is
> split across, in the default case, the UDP and the TCP port. If the UDP
> port runs out of address space, would that trigger the client to try
> the TCP port, or would it only do this in the event of unreachability?

Yes. If one process does not accept the client, the OpenVPN client will
try the next.

Regards,
François
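
An added example, not part of the message above and not eduVPN's own code: a Python check that a value intended for sessionExpiry is a well-formed, fixed-length ISO 8601 duration and stays within the 8-hour limit asked for in the thread. The function names are hypothetical, and rejecting month and year designators is this example's choice (assumption: eduVPN's own parsing may accept more).

```python
import re
from datetime import datetime, timedelta, timezone

# ISO 8601 duration subset with a fixed length: weeks, days, hours, minutes,
# seconds. Months and years are rejected on purpose (this example's choice),
# which also catches "P8M" (8 months) typed where "PT8M" (8 minutes) was meant.
_DURATION = re.compile(
    r"^P(?:(?P<weeks>\d+)W)?(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)

def parse_duration(value):
    """Parse e.g. 'PT8H' or 'P1DT12H' into a timedelta; ValueError otherwise."""
    match = _DURATION.match(value)
    # "P", "PT" and "P1DT" match the pattern but carry no (time) component.
    if not match or value == "P" or value.endswith("T"):
        raise ValueError(f"not a fixed-length ISO 8601 duration: {value!r}")
    parts = {k: int(v) for k, v in match.groupdict().items() if v is not None}
    return timedelta(**parts)

def check_session_expiry(configured, policy_max="PT8H"):
    """Return (ok, reason) for a configured value against the policy maximum."""
    try:
        duration = parse_duration(configured)
    except ValueError as exc:
        return False, str(exc)
    if duration <= timedelta(0):
        return False, f"{configured} is a zero-length session"
    if duration > parse_duration(policy_max):
        return False, f"{configured} ({duration}) exceeds {policy_max}"
    return True, f"sessions end {duration} after login"

def session_end(login, configured):
    """Time at which a session that started at `login` must end."""
    return login + parse_duration(configured)

if __name__ == "__main__":
    # Constructed sample values: the one from the thread plus likely typos.
    for value in ("PT8H", "PT480M", "P8H", "PT8M", "P8M", "P1D"):
        print(f"{value:7}", check_session_expiry(value))
    login = datetime(2020, 3, 17, 9, 0, tzinfo=timezone.utc)  # constructed
    print("login", login, "-> forced re-login at", session_end(login, "PT8H"))
```

Note that `PT8M` passes the check because 8 minutes is within policy; the printed reason makes such a typo visible before it reaches users.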



