Access Server 3.0 versions

This is a major release with a completely new web interface built from scratch. It is recommended to test this out in a test environment before deploying it on critical production environments. If any issues are encountered, the advice is to stay on version 2.14.3 and to please notify us so we can address the issue in subsequent releases.

Dropped support for Ubuntu 20.04 LTS operating system. This operating system reached end-of-life for standard support in May of 2025.

We switched from the MySQL client library to the MariaDB client library due to licensing conflicts. In theory and according to our tests, the external database connections should continue to work as before using the new library.

To provide a more secure default configuration, server-locked profiles will be disabled by default on new installations of Access Server. To maintain backward compatibility with existing configurations, server-locked profiles will remain enabled when updating. For those who want to use them, server-locked profiles can still be enabled.

The communication between nodes in a cluster setup is no longer done over a dedicated TCP API port (default on port TCP 945) but is instead done via the REST API on the admin UI web service. The special "admin_c" user, along with its corresponding certificate for API authentication, is now obsolete and will be removed automatically during the upgrade.

Removed automatic user VPN IP address-based group assignment functionality.

Removed the ability to manage server configuration profiles from the web interface.

Known issue: Logins to the Admin Web UI are logged under the WEB_CLIENT service and not the WEB_ADMIN service. This will be addressed in 3.0.1.

Known issue: The sacli cluster commands require that the “openvpn” user (or another admin user) is present. This will be addressed in 3.0.1.

Known issue: Setting the port in OpenVPN single-daemon on the web interface doesn’t work, but can still be set on the CLI. This will be addressed in 3.0.1.

Known issue: Usernames containing the % character cause an issue on the web interface. This will be addressed in a future release.

Known issue: The web UI custom logo branding isn't fully implemented yet. This will be addressed in a future release.

A completely new administrative web interface with several improvements.

Extended REST API to support the new Admin Web UI.

The login screen now presents SAML as the primary login option when it is the default.

Added new token-based authentication for web services.

Added the ability for the sacli command-line tool to generate web service tokens.

Added the ability to sign in to the Admin Web UI with SAML authentication.

Added controls for managing built-in MFA from the Admin Web UI.

Added built-in REST API documentation enabled via configuration settings.

Added experimental support for nftables via configuration settings.

Added configuration settings for Cross-Origin Resource Sharing headers.

Added ability to turn server-locked profile functionality on/off.

Added Subscription ID to activation screen to easily identify a subscription.

Added display of connections used by other servers on a subscription.

Added compression on sending webpage assets if the browser supports it.

Added a configuration editor and a support data gathering tool to the Admin Web UI.

Added warning-type messages to the sacli status output.

Switched from MySQL to MariaDB library due to licensing conflict.

Updated Twisted library to 24.11.0.

Updated OpenVPN2 core to 2.6.14as1.

Updated FastAPI to 0.115.8.

Updated Starlette to 0.44.0.

Updated Python3 IDNA package to address security issue CVE-2024-3651.

Fixed SAML relaystate javascript injection security issue CVE-2025-50055.

Fixed SAML reauthentication triggering when switching to another cluster node.

Fixed SAML IdP metadata parsing if multiple certificates are present.

Fixed certool's certificate revocation list functionality.

Fixed certificate revocation list functionality for external PKI mode.

Fixed messages in the log when using incorrect credentials for PAM, RADIUS, and LDAP.

Fixed the Admin Web UI not being aware of user_auth_type defined on __DEFAULT__ user.

Fixed an issue that could stop backend logging after certain login misbehavior.

Fixed connection duration sorting in the activity logs.

Fixed issues with user properties set on the CLI being deleted when using the web interface.

Fixed the possibility to bypass the EULA pop-up when using deep links.

Fixed the ability to display a website link on the login page when using post_auth scripts.

Fixed poor performance during database conversion on Ubuntu 24.04.

Fixed TLS Crypt v2 flag on new token URL profiles while control channel security is "none".

Fixed bug with TOTP replay protection during the TOTP enrollment phase.

Fixed a data channel error message that occurred when sending excessively long credentials during VPN authentication.

Fixed "task was destroyed" error messages in web service log output.

Fixed the sacli activeconfig command so that it displays all configuration values.

Fixed chown error message on licenses subfolder when executing ovpn-init.

Fixed authentication failure when a post_auth script tries to pass too many user properties.

Fixed incorrect length limit on username when using "override-username" OpenVPN directive.

Fixed custom HTTP headers not applying to some specific files/paths on web services.

EULA updated to include dependencies for the new web interface.