OpenVPN Security Advisory: Dec 14, 2018
Action needed: Important update for OpenVPN Access Server

What is the lockout policy on Access Server?


A lockout policy is a control against brute-forcing a password, that is, guessing passwords endlessly until one of them is correct. An Internet-facing system should obviously not be left open to that. It is important to note that the superuser account openvpn is not subject to the lockout policy. Our post-installation security recommendations therefore specifically advise creating your own standard administrative account and disabling the openvpn superuser account until it is needed (during initial configuration and for troubleshooting). All other accounts are subject to the lockout policy.

In short, the default policy is that after 3 failed login attempts on a user account, that account is blocked from logging in for 15 minutes, after which it is released again. Both values are fully adjustable. The policy cannot be disabled outright: there is no on/off switch or setting for it in Access Server. You can, however, effectively disable it by setting absurd values, for example 1 million wrong passwords before the user is locked out for 1 second. The policy can only be configured using the command line tools. For details on changing the default settings, see the command line documentation page on the lockout policy.
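The behaviour described above, as an added illustrative model that is not Access Server's own code: it counts consecutive failed logins per account, locks the account for `reset_time` seconds once `n_fails` is reached, rejects further attempts without checking the password while the lock holds, exempts the `openvpn` superuser, and shows that the "1 million failures, 1 second lockout" configuration is indistinguishable from no policy at all. The user names, the attempt timings, the assumption that a successful login resets the counter, and the assumption that the counter is per account (not per source IP) are all constructed for this example; check them against the command line documentation for your Access Server version.

```python
"""Illustrative lockout-policy model (added example, not OpenVPN's code)."""
import time
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    n_fails: int = 3            # failures before lockout (page's stated default)
    reset_time: float = 900.0   # lockout duration in seconds (15 minutes)
    exempt: frozenset = frozenset({"openvpn"})   # superuser is never locked
    _fails: dict = field(default_factory=dict)          # consecutive failures per user
    _locked_until: dict = field(default_factory=dict)   # user -> unix time lock expires

    def is_locked(self, user, now=None):
        """True while a lock is active; expired locks are released lazily."""
        now = time.time() if now is None else now
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lock expired: release the account and clear its failure counter.
            del self._locked_until[user]
            self._fails.pop(user, None)
            return False
        return True

    def attempt(self, user, password_ok, now=None):
        """Process one login attempt; returns 'ok', 'denied' or 'locked'.

        'locked' means the attempt was rejected before the password was even
        looked at, which is what makes brute-forcing slow.
        """
        now = time.time() if now is None else now
        if user in self.exempt:
            # Assumption: exempt accounts are checked but never counted.
            return "ok" if password_ok else "denied"
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._fails.pop(user, None)   # assumption: success resets the counter
            return "ok"
        n = self._fails.get(user, 0) + 1
        self._fails[user] = n
        if n >= self.n_fails:
            self._locked_until[user] = now + self.reset_time
        return "denied"


def simulate(policy, user, attempts):
    """Replay (seconds_offset, password_ok) pairs; return the server responses."""
    t0 = 1_000_000.0   # constructed starting timestamp
    return [policy.attempt(user, ok, now=t0 + dt) for dt, ok in attempts]


def guesses_evaluated(policy, user, seconds):
    """An attacker submits one wrong password per second for `seconds`.

    Returns how many guesses the server actually checked, i.e. were not
    rejected outright as 'locked'. This is the attacker's real guess rate.
    """
    return sum(1 for s in range(seconds)
               if policy.attempt(user, False, now=float(s)) != "locked")


if __name__ == "__main__":
    strict = LockoutPolicy()
    # Three wrong guesses, then the right password during the lock, then
    # the right password after the lock has expired.
    print(simulate(strict, "alice",
                   [(0, False), (1, False), (2, False), (3, True), (1000, True)]))
    # The openvpn superuser is never locked, however many failures it racks up.
    print(simulate(LockoutPolicy(), "openvpn", [(i, False) for i in range(5)]))
    # Guess rate per hour: default policy vs. the "effectively disabled" one.
    print(guesses_evaluated(LockoutPolicy(), "bob", 3600))
    print(guesses_evaluated(LockoutPolicy(n_fails=1_000_000, reset_time=1.0),
                            "bob", 3600))
```

With the page's defaults an attacker hammering one guess per second gets only a dozen passwords checked per hour, because each batch of 3 failures buys a 15-minute lock; with the absurd settings every one of the 3600 guesses is evaluated, which is why those values amount to turning the policy off. The model also shows why the exemption for `openvpn` matters: that account gets the full 3600 guesses per hour regardless, so it should stay disabled when not in use.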