Access Server 3.2 Release Notes and Version Updates

Access Server 3.2.0 Highlights

Access Server 3.2.0 introduces major improvements to deployment simplicity, security, and usability:

  • 🌐 Access Server Link (New): Quickly deploy Access Server with a secure hosted URL—no need to configure DNS, SSL certificates, or initial SSH setup for web access.

  • 📱 QR Code Profile Import: Easily connect mobile devices by scanning a QR code to import connection profiles directly from the web interface.

  • 🔐 TLS 1.3 by Default: New installations now use TLS 1.3 for both the web interface and VPN connections, improving security and performance.

  • OpenVPN 2.7.2 & DCO Enhancements: Updated OpenVPN core with security fixes and improved Data Channel Offload (DCO) support for better performance on modern Linux kernels.

  • 🔒 Improved Certificate Handling (ACME): Enhanced ACME support, including IP-based certificates, helps eliminate browser trust warnings in cloud deployments.

  • 🛠️ CLI & Configuration Improvements: New and updated configuration options (including hostname and timeout settings), improved sacli filtering, and better automation support.

  • 📊 Admin Web UI Enhancements: Improved navigation, clearer status messages, better validation, and a new “Connect a Device” entry point for faster onboarding.

  • 🐞 Bug Fixes & Stability Improvements: Numerous fixes across domain routing, clustering, UI behavior, and authentication flows for a more reliable experience.

Access Server 3.2.0

Release date: Apr 28, 2026

Important notes:

  • For new installations, TLS 1.3 is now the default for both the web interface and VPN connections. Most modern web browsers and OpenVPN clients support TLS 1.3 without issue. However, if you need to support legacy systems, you can lower the minimum TLS version using the command-line configuration keys cs.tls_version_min and vpn.server.tls_version_min.

  • OpenVPN core was updated to version 2.7.2, which addresses security issues CVE-2026-40215 and CVE-2026-35058.

  • The new OpenVPN core also switches to the new DCO kernel module code, based on the upstreamed Linux kernel 6.16+ DCO code. This means it can use DCO if your Linux kernel is version 6.16 or newer and includes the DCO code. It is also offered as an installable module to support DCO on older Linux kernels and to access the latest features and updates. If you rely on DCO, verify after upgrading your Access Server that DCO support is working correctly.

  • Updated licensing code by adding more unique machine hardware identifier fields. This change can alter the Agent ID or Server ID of your Access Server. This change should have no effect on your Access Server’s licensed state or licensing behavior.

  • Connection profile signatures are now turned off by default. This feature has been deprecated for years and should no longer be used. Should you experience any problems with this, please contact our support team and let us know. As a workaround, profile.sign.enable can still be set to "true" to enable the deprecated behavior.

New features:

  • The new Access Server Link feature lets you quickly register a subdomain on openvpn.com to your Access Server. It acts as a secure proxy for the web interface, eliminating the need to configure DNS, SSL certificates, or SSH access during initial setup. VPN traffic continues to connect directly to your server, while only the web interface is proxied.

    Note

    This new feature is rolling out to customers in phases.

  • Added "Import via QR code" feature to the web interface. This allows for a much more convenient way to get the connection profile to a mobile device.

  • The backend ACME client supports IP-based certificates, such as those issued by Let’s Encrypt. Where possible, our standalone cloud offerings will be provided with this enabled by default, so that untrusted certificate warnings can be avoided.

Bug fixes and improvements:

  • Updated Python multipart library to v0.0.26 to address CVE-2026-40347.

  • Updated Python requests library to v2.33.0 to address CVE-2026-25645.

  • Updated Python cryptography library to v46.0.6 to address CVE-2026-34073.

  • Updated Python pyasn1 library to v0.6.3 to address CVE-2026-30922.

  • Updated Python pyopenssl library to v26.0.0 to address CVE-2026-27448 and CVE-2026-27459.

  • Updated Python acme library to v5.3.1.

  • Updated default timeout value for cluster communications from 30 to 60 seconds, and made the timeout configurable.

  • Updated ovpn-init text to remove outdated reference to setting initial password using PAM. This is done using local authentication instead.

  • Removed the Python python-arrow library from Access Server.

  • Removed deprecated OpenVPN directives --persist-key and --fast-io from Access Server.

  • Removed deprecated vpn.client.trust_group configuration key and related functionality from Access Server. 

  • Removed deprecated cs.host.name configuration key and related functionality from Access Server.

  • Removed dead LicenseRenewer code for Fixed License Keys; these can only be renewed manually.

  • Added functionality for external IP detection (used for Access Server Link) that lets Access Server detect its own public IP address.

  • Added a --filter parameter to sacli activeconfig to filter based on categories of configuration keys.

  • Added support to ovpn-init for reading an administrative password hash instead of a plaintext password from cloud metadata.

  • Added a proper error message when attempting to activate a subscription on the command line before Access Server is ready.

  • Added a proper error message when VPN daemon subnets are too small.

  • Added optional config key cluster.proxy.http_timeout to allow configuring the timeout for cluster communication.

  • Added optional config keys admin_ui.url and cs.url to tell Access Server where the web interfaces should primarily be found.

  • Added optional config key vpn.host.name to tell Access Server where clients should make VPN connections without affecting other settings.

  • Added "Connect a Device" link to the main menu of the Admin Web UI to highlight where to find device connection instructions.

  • Added “Go To Issue” link, when suitable, to the status warning messages on the Status Overview page on the Admin Web UI.

  • Added certificate needed for AWS Tiered instances for the region ap-southeast-6.

  • Added the ability to provide a comment to connection profiles generated via the Token URL method.

  • Added information about disk space utilization to the sacli support command's output to help identify disk space issues.

  • Fixed bug where text would be cut off on the Client Web UI if a colon was present in the output of a post-auth script.

  • Fixed bug where incorrect HTTP request header handling could allow HTTP request smuggling when a proxy is present, reported by James Kettle.

  • Fixed bug specifically on RHEL8-based operating systems, where assigning more than 999 users to a single group would cause a crash.

  • Fixed bug in 3.1.0 specifically on Ubuntu 22.04 LTS, where the domain routing DNS proxy could fail when DNS lookups timed out.

  • Fixed bug in 3.1.0 where if DNS pushing and full-tunnel are both disabled, the database backend is MySQL, and multiple nodes use the same backend, then upgrading from an older version succeeded only on the first node and failed on the second.

  • Fixed bug in 3.1.0 when 40 or more OpenVPN daemons are configured in total, which caused an issue with the domain routing DNS proxy port.

  • Fixed bug where domain routing DENY rules would not work (this functionality can only be configured on the command line).

  • Fixed bug where ovpn-init --oracle would crash on the Oracle platform.

  • Fixed bug with connection profile filename if it contained non-ASCII characters.

  • Fixed bug where wildcard TLDs with only 2 characters could not be set on the Admin Web UI.

  • Fixed bug where connections in use for other nodes could incorrectly report -1 connections on the Admin Web UI.

  • Fixed bug where usernames with a leading space could be created on the Admin Web UI.

  • Fixed bug where the filter was not remembered after adding an access rule in the Admin Web UI.

  • Fixed bug where "Reachable via" sort ordering was not working on the Access Controls page.

  • Fixed bug where the 404 page wasn't working on the Admin Web UI.

  • Fixed bug where clicking some tooltip question marks would unintentionally operate the nearby setting.

  • Fixed bug where wildcard web certificates were incorrectly marked as not matching the configured hostname.

  • Fixed bug where the server-locked profile download option was incorrectly shown as still available when the server-locked option was disabled.

  • Fixed bug where an incorrect port value was shown (always TCP 443 instead of the actual configuration) for the web interface port sharing setting.

  • Fixed bug where unintended empty group assignment could be done on the Admin Web UI.

  • Fixed bug where pressing enter would not submit the form on the “Add new user” screen.

  • Fixed bug where the scrollbar would disappear after viewing available nodes in cluster mode.

  • Fixed bug where tracebacks were shown in the logs when a too-long username was used during authentication.

  • Fixed bug where the reason for successful RADIUS logins wasn’t logged in openvpnas.log.

  • Fixed various bugs with the ACME client implementation.

  • Improved file naming of connection profiles downloaded from the Client Web UI; it now includes type and username.

  • Improved visibility of notification on the Status Overview page when DCO is enabled but not able to activate.

  • Improved handling of the filename of the offline activation machine file download.

  • Improved handling of configuration keys that have multiple subvalues.

  • Improved handling of password manager misbehavior in Admin Web UI by adding hints to password fields to prevent unintended autofill.

  • Improved handling of invalid requests to the API to create a user or group with an empty name.

  • Improved validation of fields during CA certificate creation on the Admin Web UI.

  • Improved wording on the tooltips for "Bytes Received" and "Bytes Sent" on the Admin Web UI.

  • Improved "Activity Report" export screen on the Admin Web UI.

  • Improved validation and handling of "DNS Resolution Zones" input field on the Admin Web UI.

  • Improved validation of subnet masks on the Admin Web UI.

  • Improved display of the local subscription limit tooltip on the Activation page on the Admin Web UI.

  • Improved handling in the Admin Web UI when making a cluster node leave the cluster.

  • Improved display of tooltip information on the Add New CA screen.

  • Improved consistency of page size order, so they are all from large to small.

  • Improved handling of local user password changes; no restart is required for that action.

  • Improved display of the “Real IP” on the Active Connections page — widened the column slightly so it doesn’t get cut off.

  • Improved consistency of naming of authentication methods (capitalization) on the Admin Web UI.

  • Improved consistency between Client Web UI and Admin Web UI for the connection profile creation screens.