Acked-by: Gert Doering <>

This is a useful addition for situations with external constraints
("this VPN access may only be used between 10:00 and 18:00", so you
can ensure the session ends at 17:59:59 without having extra managmeent
logic around).  Whether it's overly useful in "global server context"
or on the client side stands to be debated - but this needs no extra
code, so "it's just there and someone might find use for it".

I have tested client-side (works), server-side/global (will terminate
each instance <n> seconds after connecting, but not itself) and
server-side/ccd (per-instance kill switch with per-instance timer).

Unfortunately, the man page addition about explicit-exit-notify is
wrong - on the server side, it never sends notifies, it just kills
the client TLS instance...

2022-10-07 18:05:13 us=256095 cron2-freebsd-tc-amd64/ 
Session timeout, exiting
2022-10-07 18:05:13 us=256170 cron2-freebsd-tc-amd64/ 
SIGTERM[soft,session-timeout] received, client-instance exiting

.. without telling the client, so that one needs to run into --ping timeout

2022-10-07 18:05:42 [server] Inactivity timeout (--ping-restart), restarting

.. 30 seconds later, which is not really satisfying...

Can we do better?

I have, for the time being, removed the offending man page section about
--explicit-exit-notify and merged the rest (no code change).

Your patch has been applied to the master branch.

commit f96290ff901f62717fdb4c1adef72142f359e992
Author: Dmitry Zelenkovsky
Date:   Thu Oct 6 22:37:31 2022 +0200

     implement --session-timeout

     Signed-off-by: Dmitry Zelenkovsky <>
     Acked-by: Gert Doering <>
     Message-Id: <>
     Signed-off-by: Gert Doering <>

kind regards,

Gert Doering

Openvpn-devel mailing list

Reply via email to