~fkooman/vpn-documentation


# Expire At Night

NOTE: there is currently a bug in "expiry at night"! Do NOT use!

NOTE: only enable this on NEW installations, and NEVER on existing ones!

Starting from vpn-user-portal >= 2.3.10 it is possible to expire VPN sessions at night instead of exactly after the duration specified in sessionExpiry. The goal is to prevent the user from being disconnected from the VPN during working hours.

By VPN session expiry we mean the moment at which the VPN session won't work anymore without the user authenticating/authorizing again. The default after which a session expires is 90 days (P90D), but this can be modified by the administrator.

The sessionExpiry becomes the upper bound of when the session will expire. The new expiry is rolled back in time until the previous 04:00 is reached. This could be the same day, or the previous day if the time is currently between 00:00 and 04:00. The timezone to which the server is set is used to determine "when" 04:00 is. In the future we may allow the client to specify the local timezone and use that in the calculation of when 04:00 is, locally for the user.

For example, if it is currently Monday 10:00 and the sessionExpiry is set to P7D, i.e. 7 days, the session will expire at 04:00 on the Monday after and not at 10:00, as that might interfere with VPN use during working hours.

NOTE: nightly expiry ONLY works when the sessionExpiry is P1D (1 day) or longer!

NOTE: the new expiry will only work from the next time the user authenticates to the portal (or authorizes the app), not for current VPN sessions!
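
The roll-back rule described above, as an added PHP example that is not vpn-user-portal's own code: `expireAtNight()` is a hypothetical helper, and the Europe/Berlin timezone and the sample dates are constructed (the portal uses the server's timezone). It assumes PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added illustration of the documented rule; NOT the portal's implementation.
// expireAtNight() is a hypothetical name. 04:00 is evaluated in the timezone
// carried by $now, which stands in for the server's timezone.
function expireAtNight(DateTimeImmutable $now, DateInterval $sessionExpiry): DateTimeImmutable
{
    // Upper bound: when the session would expire without nightly expiry.
    $upperBound = $now->add($sessionExpiry);

    // Nightly expiry only applies when sessionExpiry is P1D or longer.
    if ($upperBound < $now->add(new DateInterval('P1D'))) {
        return $upperBound;
    }

    // Roll back to the most recent 04:00 at or before the upper bound.
    $fourAm = $upperBound->setTime(4, 0, 0);
    if ($fourAm > $upperBound) {
        // Upper bound lies between 00:00 and 04:00: use the previous day's 04:00.
        $fourAm = $fourAm->modify('-1 day');
    }

    return $fourAm;
}

// Constructed sample inputs.
$tz = new DateTimeZone('Europe/Berlin');
$cases = [
    ['2021-04-12 10:00', 'P7D'],   // the example from the text: Monday 10:00, 7 days
    ['2021-04-12 02:30', 'P90D'],  // upper bound between 00:00 and 04:00
    ['2021-04-12 10:00', 'PT12H'], // shorter than P1D: expiry is left unchanged
];

foreach ($cases as [$start, $duration]) {
    $now = new DateTimeImmutable($start, $tz);
    $expiresAt = expireAtNight($now, new DateInterval($duration));
    printf(
        "%s + %-5s -> %s\n",
        $now->format('D Y-m-d H:i'),
        $duration,
        $expiresAt->format('D Y-m-d H:i T')
    );
}
```

Because the result is never later than the upper bound, a session can last up to one day less than the configured sessionExpiry.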

# Server Configuration

Please set your server's timezone to the timezone where (most of) your users are located. That way, the nightly expiry makes the most sense.

To check the timezone your server is set to:

```
$ timedatectl
               Local time: Mi 2021-04-14 21:27:24 CEST
           Universal time: Mi 2021-04-14 19:27:24 UTC
                 RTC time: Mi 2021-04-14 19:27:23
                Time zone: Europe/Berlin (CEST, +0200)
System clock synchronized: no
              NTP service: active
          RTC in local TZ: no
```

In the example above it is set to the Europe/Berlin timezone. It could be your local time zone, or UTC which is also fine.

Verify what PHP thinks of this:

```
$ php -r 'echo ini_get("date.timezone");'
$ php -r 'echo date_default_timezone_get();'
Europe/Berlin
```

All good!

# CentOS / Fedora

The system timezone is not picked up by PHP on Fedora/CentOS; you need to set it manually. Otherwise the default is UTC, independent of what your system's timezone is. On CentOS it is even slightly worse: if you don't set the date.timezone field, PHP will complain (because PHP is so old on CentOS). That's why the deploy_centos.sh script configures UTC for you by default in the file /etc/php.d/70-timezone.ini. You can modify this and set it to your local timezone. Use these values.

On Fedora you can directly edit /etc/php.ini and set the date.timezone field there.

Don't forget to restart php-fpm after making changes:

```
$ sudo systemctl restart php-fpm
```

# Portal Configuration

In the portal you can enable the expiry at night by setting the sessionExpireAtNight option in /etc/vpn-user-portal/config.php, e.g.:

```
'sessionExpireAtNight' => true,
```

The default is false.