Access Server 3.0 Release Notes and Version Updates
Access Server 3.0.1
Release date: Sep 18, 2025
Added additional output to sacli support command to include IP information and CPU core count.
Added support for AWS regions Asia Pacific Taipei, Malaysia, Thailand, and Mexico for the AWS Tiered licensing model.
Added support for passphrase for private key to check-private-key REST API endpoint.
Added back WEB_ADMIN to authentication handling and logging to differentiate admin-level logins.
Added token handling to sacli so API calls between cluster nodes don't require an admin-level account.
Added validation to stop admin users from blocking themselves by blocking the group they're in.
Added certificate issuer information to the API and the web server certificate page.
Added validation to ensure a certificate authority name is unique on the VPN server certificate page.
Added a new password field for locally authenticated users back to the user settings page.
Added a warning icon when enabling local MFA on a SAML user; MFA should be handled on the SAML IdP instead.
Fixed Message-Authenticator digest not being verified when the RADIUS server is a hostname instead of an IP.
Fixed regression for prop_reroute_gw_override not applying to group permissions.
Fixed DCO enable setting in cluster mode to be a cluster-wide setting instead of per-node.
Fixed SAML authentication failure message for blocked accounts not being logged.
Fixed SAML authentication failure when the 'server override' option is used in Connect v3.
Fixed SAML authentication failure when the base64 SAML assertion contained a + symbol.
Fixed SAML invalid relaystate when it was left empty on IdP-initiated logins.
Fixed SAML service provider URL not allowing the specification of custom web service ports.
Fixed SAML settings not being cleared when a new metadata XML file was loaded.
Fixed the save button being always active even when there are no changes on the SAML configuration page.
Fixed internal server error on password change REST API endpoint when username was left empty.
Fixed returning too many items on configurationprofile list REST API endpoint when querying RADIUS settings.
Fixed Token URL not containing custom web service port.
Fixed searching for VPN client certificates by their serial number.
Fixed the count of users assigned to the default group in the groups overview.
Fixed showing the real IP address of the user authenticating via SAML in Activity Logs.
Fixed cluster nodes requiring a command-line level restart when the web certificates are replaced.
Fixed issue with a Fixed License Key that expires today (and is thus still valid) not showing in the overview.
Fixed the error message showing in the log file when the log DB for Activity Logs is disabled.
Fixed data-ciphers-fallback not being set in server config when vpn.server.enable_cipher_fallback is true.
Fixed sacli disconnectclient not working with --cn or --filter_by user/cn.
Fixed the EULA not displaying as expected when the CLIENTS_PKG_VERSION file is missing.
Fixed the confdba-ulf tool issue where it was unable to read the configuration dump back to the default configuration profile.
Fixed Proto(col) value not showing in Activity Logs.
Fixed handling of special characters in database credentials when converting SQLite to MySQL.
Fixed AWS Tiered licensing issue where only 2 out of 4 licensing servers were reachable.
Fixed issue with access control rules not showing when there are more than 1000 users, on Red Hat 8 OS.
Fixed post-auth script not receiving RADIUS reply data to enact user property adjustments.
Fixed group IPv4 subnet not being deleted when a group IPv6 subnet is present, on userprop REST API endpoint.
Fixed issue with site-to-site routing when the VPN client gateway has a static IP and DCO is used.
Fixed issue with re-enabling offering Connect v3 for macOS and Windows on the client web server.
Fixed the mismatch warning between the hostname setting and the web certificate on the web certificate page.
Fixed CA bundle upload being marked as ok even when no CA bundle was uploaded.
Fixed 'key and certificate' mismatch error not clearing on the web server certificate page.
Fixed the missing web certificate expiration message on the web server certificate page.
Fixed self-signed web certificates that were uploaded erroneously, not displaying as a user-provided certificate.
Fixed the static IP address pool setting, which was erroneously visible in cluster mode.
Fixed the interclient communication setting, which was erroneously visible in cluster mode.
Fixed an incorrect warning message about losing local user configurations when creating a cluster.
Fixed broken 'learn more here' link on the OpenVPN client certificate requirements setting.
Fixed the OpenVPN client certificate requirements setting, which was erroneously visible in External PKI mode.
Fixed Internet Access and DNS tab erroneously being visible in bridge mode.
Fixed broken search by user name functionality on the VPN client certificates page.
Fixed some missing indicators that certain settings are per-node settings in cluster mode.
Fixed the invalid date issue on the VPN client certificate page.
Fixed erroneously displayed option to download non-TLS Crypt v2 profile when only TLS Crypt v2 is allowed.
Fixed not being able to clear LDAP settings when LDAP authentication method is disabled.
Fixed custom HTTP header value not displaying correctly on the web interface when the value contains a colon.
Fixed port setting not saving when using only TCP or only UDP for VPN server settings.
Fixed incorrect source being displayed for values shown from the cluster configuration database.
Fixed erroneously not showing the default domain suffix setting when pushing the DNS server is disabled.
Fixed 'session expired' message popping up upon opening the web interface with an expired token.
Fixed handling of user names that contain the percent (%) symbol on the web interface.
Fixed the inability to delete the last subnet for a group in group settings.
Fixed the Activity Logs page not showing any results when certain encoded characters are in the logs.
Improved filtering and sorting in various areas of the web interface.
Improved error handling and validation in various areas of the Access Server.
Improved Diffie-Hellman settings by no longer defaulting to finite field parameters.
Improved detection of available CPU cores.
Improved error message shown when the wrong password is entered during password change on the client web server.
Improved message shown when deleting a group that contains users.
Improved displaying two-way interconnectivity rules as a single item instead of two separate items.
Improved behavior by disallowing the selection of an authentication system with errors for a new user or group.
Improved web session timeout behavior by refreshing the session token more frequently.
Improved activation flow on the web interface.
Improved MFA authentication page by automatically putting input focus on the MFA input field.
Removed now unused sa.session_expire configuration key support.
Access Server 3.0.0
Release date: Jul 10, 2025
Important notes:
This is a major release with a completely new web interface built from scratch. It is recommended to test this out in a test environment before deploying it on critical production environments. If any issues are encountered, please stay on version 2.14.3 and notify us so we can address the issue in subsequent releases.
Dropped support for the Ubuntu 20.04 LTS operating system. This operating system reached end-of-life for standard support in May of 2025.
We switched from the MySQL client library to the MariaDB client library due to licensing conflicts. In theory and according to our tests, the external database connections should continue to work as before using the new library.
To provide a more secure default configuration, server-locked profiles will be disabled by default on new installations of Access Server. To maintain backward compatibility with existing configurations, server-locked profiles will remain enabled when updating. For those who want to use them, server-locked profiles can still be enabled.
The communication between nodes in a cluster setup is no longer done over a dedicated TCP API port (default on port TCP 945) but is instead done via the REST API on the admin UI web service. The special "admin_c" user, along with its corresponding certificate for API authentication, is now obsolete and will be removed automatically during the upgrade.
Removed automatic user VPN IP address-based group assignment functionality.
Removed the ability to manage server configuration profiles from the web interface.
A known issue in 3.0.0 is that logins to the Admin Web UI are logged under the WEB_CLIENT service and not the WEB_ADMIN service. This is resolved in 3.0.1.
A known issue in 3.0.0 is that sacli cluster commands require that the "openvpn" user (or another admin user) is used. This is resolved in 3.0.1.
A known issue in 3.0.0 is that if a % symbol occurs in the user name, the web interface doesn't work properly. This is resolved in 3.0.1.
Known issue: The web UI custom logo branding isn't fully implemented yet. This will be addressed in a future release.
A known issue since 3.0.0 is that unescaped special characters in the database connection string in as.conf aren't supported anymore. See solution details.
A known issue in 3.0.0 is that if a + character is present in the base64 SAML assertion, the SAML authentication will fail. This is resolved in 3.0.1.
New features:
A completely new administrative web interface with several improvements.
Extended REST API to support the new Admin Web UI.
The login screen now presents SAML as the primary login option when it is the default.
Added new token-based authentication for web services.
Added the ability for the sacli command-line tool to generate web service tokens.
Added the ability to sign in to the Admin Web UI with SAML authentication.
Added controls for managing built-in MFA from the Admin Web UI.
Added built-in REST API documentation enabled via configuration settings.
Added experimental support for nftables via configuration settings.
Added configuration settings for Cross-Origin Resource Sharing headers.
Added ability to turn server-locked profile functionality on/off.
Added Subscription ID to activation screen to easily identify a subscription.
Added display of connections used by other servers on a subscription.
Added compression on sending webpage assets if the browser supports it.
Added a configuration editor and a support data gathering tool to the Admin Web UI.
Added warning-type messages to the sacli status output.
Bug fixes and improvements:
Switched from MySQL to MariaDB library due to licensing conflict.
Updated Twisted library to 24.11.0.
Updated OpenVPN2 core to 2.6.14as1.
Updated FastAPI to 0.115.8.
Updated Starlette to 0.44.0.
Updated Python3 IDNA package to address security issue CVE-2024-3651.
Fixed SAML relaystate JavaScript injection security issue CVE-2025-50055.
Fixed SAML reauthentication triggering when switching to another cluster node.
Fixed SAML IdP metadata parsing if multiple certificates are present.
Fixed certool's certificate revocation list functionality.
Fixed certificate revocation list functionality for external PKI mode.
Fixed messages in the log when using incorrect credentials for PAM, RADIUS, and LDAP.
Fixed the Admin Web UI not being aware of user_auth_type defined on __DEFAULT__ user.
Fixed an issue that could stop backend logging after certain login misbehavior.
Fixed connection duration sorting in the activity logs.
Fixed issues with user properties set on the CLI being deleted when using the web interface.
Fixed the possibility to bypass the EULA pop-up when using deep links.
Fixed the ability to display a website link on the login page when using post_auth scripts.
Fixed poor performance during database conversion on Ubuntu 24.04.
Fixed TLS Crypt v2 flag on new token URL profiles while control channel security is "none".
Fixed bug with TOTP replay protection during the TOTP enrollment phase.
Fixed a data channel error message that occurred when sending excessively long credentials during VPN authentication.
Fixed "task was destroyed" error messages in web service log output.
Fixed the sacli activeconfig command so that it displays all configuration values.
Fixed chown error message on licenses subfolder when executing ovpn-init.
Fixed authentication failure when a post_auth script tries to pass too many user properties.
Fixed incorrect length limit on username when using "override-username" OpenVPN directive.
Fixed custom HTTP headers not applying to some specific files/paths on web services.
EULA updated to include dependencies for the new web interface.