Access Server 2.14 versions
Access Server 2.14.2
Release date: Jan 23, 2025
Added back support for non-Latin characters on the new Client Web UI.
Added EPKI generic autologin connection profile download and bundling option to new Client Web UI in external PKI mode.
Added auth-user-pass directive to EPKI generic profiles so open-source OpenVPN2 clients can connect more easily.
Added ability to import EPKI generic and EPKI autologin connection profiles directly in OpenVPN Connect.
Fixed a regression where the user permissions page was slow with a large number of users.
Fixed a bug where the Log Reports section could stop recording new events.
Fixed a bug with handling interface aliases.
Fixed a bug where the same MFA code could be used for both enrollment and first login.
Fixed a (benign) syntax warning message when running ovpn-init.
Fixed a bug when building the DCO kernel module on Linux kernel 6.12.
Fixed a bug where site-to-site routing with DCO enabled can fail to route traffic.
Improved trigger to automatically reconnect users when prop_reroute_gw_override user property is changed.
Improved handling of TLS Crypt v2 setting in Client Web UI.
Improved sacli activeconfig command to hide specific advanced settings by default.
Improved logging of incoming web requests through OpenVPN port sharing to show the real IP of requests.
Improved MFA enrollment so that after successful enrollment, you don't have to sign out and back in again.
Improved error message when accessing SAML endpoint directly.
Removed dependency on sqlalchemy-migrate package, which solves syntax warnings in logs on Ubuntu 24.04.
Released bundled clients package v32 with OpenVPN Connect v3.6.0.4074 for Windows and OpenVPN Connect v3.6.0.5410 for macOS.
Released DCO kernel module v0.2.20241216.
Access Server 2.14.1
Release date: Sep 5, 2024
Added support for RADIUS Message-Authenticator attribute to address CVE-2024-3596.
Added support for metadata v2 on Amazon EC2 instances for the ovpn-init initial setup.
Added back support for custom MFA messages to the new Client Web UI.
Added back the /saml/metadata endpoint on the new Client Web UI.
Added EPKI generic connection profile download and bundling option to new Client Web UI in external PKI mode.
Updated OpenVPN to v2.6.12 to address CVE-2024-5594.
Updated FastAPI library to version v0.110.3.
Updated Access Server EULA to include licenses for new libraries used in new Client Web UI.
Fixed a regression where server agent performance would be significantly reduced on busy 2.14.0 servers.
Fixed a regression where OKTA MFA didn't appear on the new Client Web UI.
Fixed a regression where case-insensitive LDAP authentication could fail before the MFA enrollment phase was completed.
Fixed a regression on the Admin Web UI with downloading autologin profiles while lacking autologin privileges yourself.
Fixed a regression on the Admin Web UI's SAML and CWS Settings pages where the save settings button could reset settings.
Fixed a regression on the Admin Web UI's User Permissions page where user settings could inadvertently be removed.
Fixed a regression with missing client_ip_address in the authcred dictionary in post_auth.
Fixed a regression with missing request_superuser_privileges and log_service_name in the attributes dictionary in post_auth.
Fixed a regression where prop_deny_web would inadvertently also block VPN authentications.
Fixed a bug in confdba with setting the active configuration profile.
Fixed a bug where repeated successful SAML authentications could trigger an authentication lockout.
Fixed a bug where the MTU setting, as defined in the Access Server configuration, would not be applied to OpenVPN daemons.
Improved the new Client Web UI to hide the Connection Profiles page when Access Server is in External PKI mode.
Improved handling of client installer and connection profile download cases while the XML-RPC API is turned off.
Improved bundling of connection profiles into installers by automatically adding a comment on the server.
Improved the new Client Web UI and the new REST API endpoints to correct minor issues.
Released bundled clients package v31 with Connect v3.5.0.3818 for Windows.
Access Server 2.14.0
Release date: Jun 20, 2024
New features:
Introduced a new web framework for the client web service.
Added support for Ubuntu 24.04 LTS (Noble Numbat).
Bug fixes and improvements:
Updated Twisted library to 22.4.
Updated OpenVPN2 core to 2.6.10as1.
Fixed security issue CVE-2024-28882.
Removed bundled web CA for LDAP SSL verification, rely on system certificate store instead.
Removed deprecated Connect v2 client from the web interface. Connect v3 is recommended instead.
Enhanced the sacli subscriptionstatus output with additional subscription key details.
Fixed an issue with reloading iptables ruleset after sacli start.
Fixed a bug when building DCO kernel module on Red Hat 9.4.
Released DCO kernel module v0.2.20240712.
Important notes:
Dropped support for CentOS 7, Red Hat 7, and Debian 10 operating systems. These operating systems will reach end-of-life in June 2024. We also dropped support for Amazon Linux 2. We currently recommend using Ubuntu 22.04 LTS or 24.04 LTS, Debian 12, or Red Hat 9.
The client web interface no longer offers OpenVPN Connect v2, as this is a deprecated client. It now offers OpenVPN Connect v3, which is the recommended client program.
The client web interface has been reimplemented in a more modern web framework, but it still looks and works mostly the same. The admin UI will also receive an overhaul in an upcoming release.
A known issue is that users authenticated via RADIUS with MFA challenge (e.g., OKTA with RADIUS agent) can use only auto-push as a multi-factor login. Verification codes, SMS, and emails are not supported as a second factor. OKTA SAML authentication is not affected by this issue. This is resolved in 2.14.1.
A known issue is that accessing the profiles overview in the client web service in external PKI mode shows an error message, as that function is unavailable in external PKI mode. This is resolved in 2.14.1.
A known issue is that creating an autologin profile for another user on the Admin Web UI doesn't work if the admin user doesn't have autologin privileges. This is resolved in 2.14.1.
A known issue is that users of the Duo security post_auth script get a generic message asking for the MFA code instead of the custom message generated by the Duo post_auth script. This is resolved in 2.14.1.
A known issue is that users can't enroll in MFA if they sign in with a username with a different case than the one stored in Windows Active Directory when using LDAP or RADIUS for authentication. This is resolved in 2.14.1.
A known issue in 2.14.0 and 2.14.1 is that downloading profiles for usernames with non-Latin characters in the new Client Web UI results in an error. This is resolved in 2.14.2.