OpenVPN Access Methods and Licensing Models

Using a subscription

To use a subscription the OpenVPN Access Server requires direct access to the subscription server at asb.sts.openvpn.net on port TCP 443. Direct access means that the connection can’t route through an HTTP proxy server, and intercepting and terminating the connection prevents your Access Server from functioning. Should the connection between your Access Server and the subscription server work initially but later experience an interruption, your Access Server will still function. Temporary connectivity issues to the subscription server are generally acceptable. We designed the subscription licensing model to be robust, with the intention of replacing fixed licenses.

Once your Access Server has successfully activated a subscription, it remembers the last response received and continues functioning with that information, which even persists across reboots. If your Access Server experiences an extended connection interruption communicating with our subscription server, it automatically enters into a grace period. During this time it functions normally and accepts new VPN connections as long as the number doesn’t exceed the subscription limit. The grace period is dynamically controlled by OpenVPN and as such can vary per situation. But you can count on at minimum 2 days. This means that a loss of connection of 2 days between your Access Server and our subscription server is no problem at all. In most situations this grace period will even be significantly longer, in the order of weeks even. Eventually though your Access Server does need to successfully reconnect to the subscription server and refresh the subscription license state. Your Access Server automatically retries the connection at regular intervals. However, if the grace period expires and it’s not possible to restore connectivity, your Access Server reverts to only allowing two simultaneous connections.

The software subscription model is flexible; it allows multiple activations, lets you share a single subscription across multiple Access Servers, and you can change the allowed number of connections up or down as needed.

Using a fixed license

OpenVPN also offers the fixed license model, which requires one-time direct access for activation and renewals to licensing.openvpn.net on port TCP 443. The fixed license model comes with some drawbacks: It is single-activation only, it can’t be shared across multiple Access Server nodes, and has a fixed number of connections that can’t be changed after purchase. If you want to increase the number of allowed connections, you can purchase additional fixed licenses and activate them on your Access Server.

Using an AWS tiered instance

On the Amazon AWS Marketplace, you can purchase tiered instances for an EC2 with OpenVPN Access Server deployed with set connections. This type of connection is automatically licensed by reading specific metadata from the EC2 instance when launched directly from the AWS Marketplace. The tiered instances are designated with “(xx connected devices)” in the offering title on the AWS Marketplace. The instances are licensed for the stated number of connections automatically through Amazon AWS services, and require access to awspc1.openvpn.net on port TCP 443. Also, there are three backup licensing servers that can be used to get automatic licensing from Amazon AWS (awspc2.openvpn.net, awspc3.openvpn.net, and awspc4.openvpn.net). As long as the instance is running, the billing for this type of instance occurs automatically in Amazon’s system.

Offline activation

If your Access Server is located in an environment where Internet access isn’t possible or allowed, then you can manually download and install the Access Server package following an offline activation process. The fixed license model is the only model that supports offline activation. OpenVPN can perform the offline activation on your behalf, or you can use another Access Server that has Internet access for the activation phase. You either need to provide us with the necessary hardware activation file to do the offline activation for you, or you can use the hardware activation file with a second Access Server that has Internet access. The resulting activated key file can be manually transferred and stored on the offline Access Server’s file system.

Related resources

For more information about the pricing for OpenVPN Access Server software fixed licenses and subscriptions, refer to the Access Server pricing page.

For more information and technical details about connection requirements, refer to the troubleshooting software licensing page.