How to Forcefully Disconnect a Specific Client Connection in OpenVPN 2.3.10 on Ubuntu 16.04


Before disconnecting a client, you'll need to identify its connection information. OpenVPN maintains this data in two key locations:

# View active connections
cat /etc/openvpn/openvpn-status.log

# Check assigned IPs
cat /etc/openvpn/ipp.txt

The most effective way to disconnect a single client is through OpenVPN's management interface. First, enable it in your server configuration:

# Add to your server.conf
management 127.0.0.1 7505
management-log-cache 100
# Do not add "management-hold" on a server: it keeps OpenVPN from bringing
# the tunnel up until a management client sends "hold release".

After restarting OpenVPN, you can interact with the management console (it prints no prompt; type the commands and read the reply lines):

telnet 127.0.0.1 7505
status
kill <common_name>
# reply: SUCCESS: common name '<common_name>' found, 1 client(s) killed
#    or: ERROR: common name '<common_name>' not found

For systems without management interface access, you can terminate the OpenVPN process serving the connection:

# Find the process ID. OpenVPN serves every client from one daemon, so the
# client IP never appears in the process list; it is only in the status log.
ps aux | grep '[o]penvpn'

# Kill the process. This drops every connected client, not just one;
# SIGTERM lets OpenVPN clean up, use -9 only if it does not exit.
kill <PID>

For repeated operations, create a bash script:

#!/bin/bash
# Run as root: netstat -p shows PIDs only for sockets you own.
# Caveats: a line per client exists only for a TCP-mode server (proto tcp);
# a UDP server uses one unconnected socket for all clients. The PID found is
# the OpenVPN daemon itself, so killing it disconnects every client.
CLIENT_IP="192.168.1.100"
PORT="1194"

# Find and kill the connection
CONNECTION=$(netstat -tnp 2>/dev/null | grep "$CLIENT_IP" | grep ":$PORT" | awk '{print $7}' | cut -d/ -f1 | head -n 1)
if [ -n "$CONNECTION" ]; then
    kill "$CONNECTION"
    echo "Disconnected client $CLIENT_IP"
else
    echo "Client not found"
fi

To block future connections from the same client:

# Put this in ccd/<client_name>, the file named after the client's Common Name
# in the directory set by client-config-dir in server.conf. (ifconfig-pool-persist
# is a server-wide option and does not block anyone.)
disable

Before disconnecting a client, you need to verify their connection status. OpenVPN maintains real-time session data in:

cat /etc/openvpn/openvpn-status.log

Sample output showing client details:

OpenVPN CLIENT LIST
Updated,Thu Sep 15 10:45:21 2022
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.168.1.100:1194,1245678,987654,Thu Sep 15 09:30:12 2022
client2,192.168.1.101:1194,567890,123456,Thu Sep 15 10:15:33 2022

OpenVPN's management interface provides direct control over connections. First enable it in your server config:

management 127.0.0.1 7505 /etc/openvpn/management-password
# The last argument is a file whose first line is the password; keep it
# readable by root only (chmod 600), since anyone who can read it can kill sessions.

Restart OpenVPN, then connect using telnet/netcat:

nc 127.0.0.1 7505
ENTER PASSWORD: your_password
SUCCESS: password is correct
kill client1    # Disconnects client with Common Name "client1"
SUCCESS: common name 'client1' found, 1 client(s) killed

For automated disconnections, create a script named /usr/local/bin/ovpn-killclient:

#!/bin/bash
CLIENT_NAME="$1"
# The interface configured above asks for a password first; read it from the
# file server.conf points at (first line), then send the kill command.
PASSWORD=$(head -n 1 /etc/openvpn/management-password)
printf '%s\nkill %s\nquit\n' "$PASSWORD" "$CLIENT_NAME" | nc -q 1 127.0.0.1 7505

Make it executable and run:

chmod +x /usr/local/bin/ovpn-killclient
ovpn-killclient client2
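The same management-interface exchange as one script, added here as an example that is not part of the original article: it authenticates with the pw-file password, runs status, confirms the Common Name is actually in the CLIENT LIST before sending kill, and checks OpenVPN's reply line instead of assuming success. The host, port and password arguments and the sample status reply are constructed for the example.

```python
import socket

# Constructed sample reply to "status" (status log format above, plus END).
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Thu Sep 15 10:45:21 2022
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.168.1.100:1194,1245678,987654,Thu Sep 15 09:30:12 2022
client2,192.168.1.101:1194,567890,123456,Thu Sep 15 10:15:33 2022
ROUTING TABLE
10.8.0.6,client1,192.168.1.100:1194,Thu Sep 15 10:45:01 2022
END"""

def parse_client_list(status_text):
    """Map Common Name -> Real Address using only the CLIENT LIST section."""
    clients, in_list = {}, False
    for line in status_text.splitlines():
        if line.startswith("Common Name,Real Address"):
            in_list = True
        elif line.startswith("ROUTING TABLE"):
            break
        elif in_list and "," in line:
            name, real_addr = line.split(",")[:2]
            clients[name] = real_addr
    return clients

def kill_succeeded(reply):
    # OpenVPN answers "SUCCESS: common name 'x' found, N client(s) killed"
    # or "ERROR: common name 'x' not found".
    return reply.startswith("SUCCESS:")

def _read_until(r, marker):
    """Decoded lines up to the first one starting with marker (or EOF)."""
    lines = []
    while raw := r.readline():
        lines.append(raw.decode(errors="replace").rstrip("\r\n"))
        if lines[-1].startswith(marker):
            break
    return lines

def kill_client(common_name, host="127.0.0.1", port=7505, password=None):
    """Kill one session by Common Name; returns (killed, OpenVPN's reply line)."""
    with socket.create_connection((host, port), timeout=5) as s:
        r = s.makefile("rb")
        if password is not None:
            s.recv(64)                            # "ENTER PASSWORD:" prompt, no newline
            s.sendall(password.encode() + b"\n")
        _read_until(r, ">INFO:")                  # greeting banner
        s.sendall(b"status\n")
        if common_name not in parse_client_list("\n".join(_read_until(r, "END"))):
            return False, "not in CLIENT LIST, nothing to kill"
        s.sendall(("kill %s\n" % common_name).encode())
        reply = r.readline().decode(errors="replace").strip()
        s.sendall(b"quit\n")
        return kill_succeeded(reply), reply
```

Call it as kill_client("client2", password=open("/etc/openvpn/management-password").readline().strip()) from a root shell on the server; the function reads the status reply before killing so a typo in the name is reported rather than silently ignored.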

To prevent immediate reconnection, revoke the client certificate and publish a CRL (easy-rsa 2 layout):

# Run from the easy-rsa directory after "source ./vars": openssl-1.0.0.cnf
# reads the key directory and other settings from those environment variables.
openssl ca -config /etc/openvpn/easy-rsa/openssl-1.0.0.cnf \
  -revoke /etc/openvpn/easy-rsa/keys/client1.crt
openssl ca -gencrl -config /etc/openvpn/easy-rsa/openssl-1.0.0.cnf \
  -out /etc/openvpn/crl.pem

Then add to the server config and restart OpenVPN (the CRL file must stay readable by the user OpenVPN drops privileges to, e.g. nobody, and inside any chroot):

crl-verify /etc/openvpn/crl.pem