VPN inactivity timeout

1

Hello,

Need some assistance. I have successfully configured a VPN Client Endpoint. Everything is working as expected, but is there a way to set an inactivity timeout for the VPN client? My end users will not remember to disconnect from their VPN session, so I would like the session to time out after 1 hour of inactivity. I searched all the AWS documentation but there is no mention of this anywhere. Anyone know if this option can be set somewhere?

asked 4 years ago · 1421 views
7 Answers
1

Following as I have the same question. Thanks.

dAWiS
answered 4 years ago
1

I have the same question too. Following.

answered 3 years ago
1

Following. Hopefully this feature request gets priority as it is incurring added cost for many for no reason.

answered 3 years ago
1

AWS, please fix this. Not having the ability to adjust this fundamental security setting is beyond frustrating. It rules out the use of the AWS client VPN as a solution for anyone with any level of PCI compliance obligations.

jpetro
answered 3 years ago
0

Hi,

I understand you want to set inactivity timeout of Client VPN, but unfortunately this feature/option is not available in Client VPN as of now.

I can see there is already a feature request for this in our internal system, but it is important to mention that we do not have an ETA as to when this service would be available. However, the new features/services which are about to get released are announced on the public documentation. You can always keep an eye on this link [1] for new releases.

As a workaround, if you want a shorter idle timeout, you need to implement a connection timeout option on your VPN Client side. For example: OpenVPN VPN Client can use the command "--inactive" to configure the timeout. For more information, you can refer to the third party Configuration instructions for VPN Client [2] [3]. But again, clients can change these values and bypass this.

[1] AWS new releases - https://aws.amazon.com/new/
[2] https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
[3] https://forum.netgate.com/topic/111241/openvpn-idle-timeout/2

Second option for now can be utilising AWS API calls to terminate client sessions after, let's say, 4 hours (but it won't check if it was an inactive or active session, it will just terminate it after x hours).

What you can do is write a Python script/bash script/Lambda that runs every, let's say, 10 minutes and does a describe-client-vpn-connections API call. This API call returns the connection establishment time, and then you can call terminate-client-vpn-connections for any connection more than x hours old.

https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-client-vpn-connections.html
https://docs.aws.amazon.com/cli/latest/reference/ec2/terminate-client-vpn-connections.html

I totally understand that these workarounds might not be a good option and add extra operational overhead, but as of now, these are two methods I can think of to achieve your goal until the Client VPN product team launches any native feature to support it.

Regards,
MuhaAtAWS

AWS
answered 3 years ago
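
The second workaround in the answer above (poll describe-client-vpn-connections, then terminate anything older than x hours), written out in Python with boto3 as an added example; it is not part of the original answer and not AWS's own code. The timestamp format and its UTC interpretation, the constructed sample connections, and the 4-hour default are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumption: ConnectionEstablishedTime is a "YYYY-MM-DD HH:MM:SS" string in UTC.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample of the "Connections" list (IDs are made up).
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CONNECTIONS = [
    {"ConnectionId": "cvpn-connection-old", "Status": {"Code": "active"},
     "ConnectionEstablishedTime": "2024-01-01 07:00:00"},
    {"ConnectionId": "cvpn-connection-new", "Status": {"Code": "active"},
     "ConnectionEstablishedTime": "2024-01-01 10:30:00"},
    {"ConnectionId": "cvpn-connection-gone", "Status": {"Code": "terminated"},
     "ConnectionEstablishedTime": "2024-01-01 01:00:00"},
]


def connections_to_terminate(connections, max_age, now):
    """Return IDs of active connections established more than max_age ago."""
    expired = []
    for conn in connections:
        if conn.get("Status", {}).get("Code") != "active":
            continue  # only live sessions are candidates
        try:
            started = datetime.strptime(conn["ConnectionEstablishedTime"], TIME_FORMAT)
        except (KeyError, ValueError):
            continue  # missing or unparseable timestamp: skip, do not guess
        if now - started.replace(tzinfo=timezone.utc) > max_age:
            expired.append(conn["ConnectionId"])
    return expired


def enforce_max_age(endpoint_id, max_age=timedelta(hours=4), dry_run=True):
    """One scheduled pass over an endpoint; returns the connection IDs selected."""
    import boto3  # imported here so the selection logic above runs without AWS access

    ec2 = boto3.client("ec2")
    paginator = ec2.get_paginator("describe_client_vpn_connections")
    connections = []
    for page in paginator.paginate(ClientVpnEndpointId=endpoint_id):
        connections.extend(page["Connections"])
    expired = connections_to_terminate(connections, max_age, datetime.now(timezone.utc))
    for connection_id in expired:
        if not dry_run:  # with dry_run=True nothing is terminated, only reported
            ec2.terminate_client_vpn_connections(
                ClientVpnEndpointId=endpoint_id, ConnectionId=connection_id
            )
    return expired
```

As the answer notes, this enforces a maximum session age only; it cannot tell an idle session from an active one.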
0

subscribed

Kaijp
answered 3 years ago
0

While the VPN session maximum duration setting is better than nothing, it still does not address an idle timeout setting that a robust VPN should offer. This service is on the expensive side, and we would love to see AWS roll out an idle timeout setting to save cost where we can.

Matt
answered a month ago
