The VPN server has the concept of "Session Expiry". This configures the interval with which users have to again perform application authorization, when using the eduVPN/Let's Connect! apps, or have to go back to the portal to download a new configuration file.
This will mean that the users have to authenticate as well as part of this authorization, and possibly provide their 2FA credentials/token as well.
The default is 90 days.
The default of 90 days, but you may want to deviate from this. Either by setting it to a (much) shorter interval, for example if you want your users to authenticate every day, or possibly much longer.
Generally it is not recommended to lower this value too much if you have VPN users that can't use the eduVPN / Let's Connect! applications. This can lead to frustration by the users and possibly lead to creative solutions by them to work around the VPN and thus decreasing security.
On the other hand, setting this too high, requires discipline to disable the users that are no longer eligible to use the VPN from the portal.
It is a bit of a judgment call. We know of organizations that set it to 12 hours, and also organizations that set it to 3 years.
NOTE: if you choose to for example 1 day, this will mean that if a user authenticates at 09:30, the next day at 09:30 their session will expire, meaning the may have to authorize/authenticate during a video call. Not great.
NOTE: in a future server (or client) version we aim to implement a mechanism that either expires the VPN session at night, or update the client to warn the session is about to expire during working hours and offer to renew it instead of silently dropping the VPN connection.
You can change the session expiry by modifying
/etc/vpn-user-portal/config.php and set
sessionExpiry to the value you
wish. Some examples:
NOTE: if you modify this value, it will only take effect the next time the user is forced to authenticate/authorize.
It is highly recommended to choose your
sessionExpiry and then "reset" the
server in order to make sure that all VPN users/clients will use the same
session expiry from then on. NOTE: this will delete all data, including
local user accounts, but not the configuration. It will force everyone to
reauthorize the VPN apps and/or download a new configuration through the
$ sudo vpn-maint-reset-system