Access Server 2.12 versions
Notice
Release date: Nov 15, 2023
Fixed segfault crash issue introduced in OpenVPN core in Access Server 2.12.2.
Notice
Release date: Nov 9, 2023
Fixed security issues CVE-2023-46849 and CVE-2023-46850.
Access Server versions 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, and 2.12.1 are affected — see the security advisory for details.
Notice
Release date: Sep 7, 2023
Fixed a regression that prevented uploading certificates in the web interface.
Fixed a regression related to Fixed License verification and activation.
Fixed a regression that occurs when a cluster node is not configured for multi-daemon mode.
Improved service startup to occur after name resolution subsystem is ready.
Improved handling for IPv6 internet redirection.
Improved redaction of command line generated support logs.
Notice
Release Date: Jul 10, 2023
New Features
Added Data Channel Offload (DCO) support (beta). This can now be optionally installed and enabled.
Added option to specify group subnets per cluster node to allow routing to work in clustering.
Added ability for supporting clients to automatically retry when server is out of connections.
Added option to set interval for renewal of the CA certificate (default one year).
Added option to set lifetime of client certificates (default ten years).
Added option to set VPN MTU value in web interface, new installations default to 1420.
Added option to turn off audit and service logging.
Bug fixes and improvements
Added an improved sacli GenerateInstaller command for generating client installers.
Added a new sacli ActiveConfig command for listing configuration options.
Added total connections used on a subscription in the Admin Web UI.
Fixed potential authentication bypass issue when using custom PAS only in clustering mode.
Fixed potential authentication bypass issue when using EPKI with CN requirement turned off.
Fixed a regression where ucarp.extra_parms key value crashes failover system.
Fixed a regression where activation on command line could hang if server was unreachable.
Fixed a regression where SAML metadata file configuration via command line had a wrong port.
Fixed a regression where some XML-RPC calls were failing when in clustering mode.
Fixed a bug where ovpn-init on a secondary failover node would not wipe data.
Fixed a bug where sacli EnumClients could only list the first 100 entries.
Fixed a bug where local user could not change their password if local authentication was not the default.
Fixed a bug where the SAML SP URL displayed didn't always show the correct port.
Fixed a bug where a node didn't revert to its own local address when leaving a cluster.
Improved several items in the upgrade logic of Access Server.
Improved handling of client private keys by removing them when no longer needed.
Improved as.conf documentation by adding that config_db_local must be a local SQLite file.
Improved authcli output to include the authentication method used for the user.
Improved startup routine so time synchronisation can complete before Access Server starts.
Improved certificate serial number generation method from linear to random 64-bit method.
Improved default CA bit strength from RSA 2048 to secp384r1 for new installations.
Improved default DH key strength from 2048 bit to 4096 bit for new installations.
Improved HTTP POST request error handling so log messages are cleaner.
Improved handling of REST API calls that are invalid due to duplicate values (400 Bad Request).
Improved alignment of items on mobile view of the Client Web UI.
Removed option to enable compression setting in the Admin Web UI as it is not secure.
Removed ability of certool to generate passwordless certificate bundles.
Important Notes
Dropped support for operating system Ubuntu 18 due to it being end-of-life.
Access Server now supports Data Channel Offload (DCO) which unlocks better performance by handling data encryption and decryption in the kernel space. This is currently in beta. To use it the DCO kernel module must be installed and then enabled in Access Server. (instructions here)
The OpenVPN Connect v3 client is now the default client offered on the web interface. OpenVPN Connect v2 is a deprecated client and will be phased out in a future release.
If you have an Access Server in clustering mode and you use the PAS-only authentication system to replace Access Server's own internal authentication system with your own custom one, then you are advised to upgrade to 2.12.0 to resolve a potential authentication bypass issue.
If you have an Access Server with your own custom External PKI certificates and you also disable the common name username check on the certificate, then you are advised to upgrade to 2.12.0 to resolve a potential authentication bypass issue.