HOWTO Virtual Platforms

Access Server release notes for 2.5.2 (changes made since 2.5)

* A problem with VRRP/UCARP LAN-based failover mode in version 2.5 that affected some configurations was resolved.

* Disabling that failover mode is now simpler and more reliable; several problems that occurred when switching it off are resolved.

* Updated OpenVPN Connect Client for Windows version to version

* Updated OpenVPN Connect Client for macOS version to version

* OpenVPN Connect Client mbedTLS incompatibility with PKI created by OpenSSL 1.1 fixed.

* OpenVPN Connect Client support for ECDSA added.

* Library mbedTLS in OpenVPN Connect Client updated to resolve CVE-2018-0487 vulnerability.

* Problem with an excessively long server DNS host name that caused a 'no VPN servers' message is resolved.

* Issue with TLS key refresh causing a connection failure and reconnect in OpenVPN Connect Client is fixed.

* Fixed and improved client version and platform reporting to server in OpenVPN Connect Client.

* Fixed launch issue on some older Windows platforms when MS Visual C++ redistributable was not present.


Access Server release notes for 2.5 (changes made since 2.1.12)

* Implemented an updated engine for rendering the admin web interface, improved the look, and paved the way for modernizing the web interface.

* The client web interface now defaults to letting users download the required software to their computers instead of presenting the connect UI.

* The connect UI is now considered deprecated; it will be removed and replaced with a better solution in a future release.

* New OpenVPN Connect Client releases are included in this Access Server release.

* OpenVPN Connect Client for macOS is now properly signed and the issue that existed in the past that prevented this has been resolved.

* OpenVPN Connect Client for Windows now no longer suffers from the unwanted default route that Windows added when registering the connection.

* OpenVPN Connect Client for Windows now supports multiple DNS Resolution Zones on Windows client platforms that support NRPT.

* For new installations, AES-256-CBC is now the new default encryption cipher for VPN tunnel data. Existing installations that are upgraded retain their old cipher.

* SSLv2 and SSLv3 support, which was already hidden and deprecated, is now completely removed. The web service now defaults to a minimum of TLS 1.1.

* Additional activation servers added for Amazon AWS tiered instances; this allows tighter security group rules while retaining activation status.

* The mbed TLS library is now updated to version 2.6.

* OpenVPN 2.4 code is now merged into Access Server.


Access Server release notes for 2.1.12 (changes made since 2.1.9)


* Gaps in sequentially ordered lists of keys in the configuration database are now repaired automatically when "sacli start" is run on the command line.
* TLS 1.2 is now the default minimum version for the OpenVPN protocol on new installations. Upgrades of existing installations remain at the previously set level.
* TLS 1.1 is now the default minimum version for the web services on new installations. Upgrades of existing installations remain at the previously set level.
* SSLv2 and SSLv3 support has been deprecated and will be removed completely in a future release.
* The SSL Settings page is renamed to TLS Settings, since TLS is now the prevalent technology and SSL is being phased out.
* Alias interfaces such as eth0:1 could not be selected as the source NAT interface for outgoing VPN client traffic. This bug is now fixed.
* An option has been added to completely disable TLS auth. It should only ever be used for compatibility with clients that have no way to implement TLS auth at all.


Access Server release notes for 2.1.9 (changes made since 2.1.8)


* Small code improvements; slightly faster response time in the web interface.

* Fixed the 'current users' page in the web interface, which was broken in Access Server 2.1.8 while users were connected.


Access Server release notes for 2.1.8 (changes made since 2.1.6)


* OpenVPN Connect Client for Windows is signed properly.

* Disabling compression on the server no longer leads to a compression stub error.

* Security fixes for issues reported by Guido Vranken (CVE-2017-7508, CVE-2017-7520, CVE-2017-7521, CVE-2017-7522) and other fixes.


Access Server release notes for 2.1.6 (changes made since 2.1.4)


* OpenVPN Connect Client for Mac OS X updated to version to address the "error no. 8" bug that occurred on some systems that have an IPv6 DNS server assigned as the primary DNS server.

* OpenVPN Connect Client for Windows updated to version to address the problem where an autologin-type profile would loop endlessly in the reconnecting state when the autologin profile encounters an authorization problem (no longer valid, revoked, and so on).

* Access Server 2.1.6 web services updated to fix the CRLF injection vulnerability CVE-2017-5868, reported by Sysdream Labs.

* Access Server 2.1.6 OpenVPN core updated to fix CVE-2017-7478 and CVE-2017-7479, as well as other issues reported by Quarkslab and Cryptography Engineering LLC.


Access Server release notes for 2.1.4 (changes made since 2.1.2)


* Client: added MAC address reporting on Windows and macOS

* Added support for systemd on Ubuntu 16


Access Server release notes for 2.1.2 (changes made since 2.1.1) 


* Fixed a problem in the server-side DNS implementation where DNS options would not be pushed if the Windows Networking NETBIOS option was used on the server.

* Fixed an OpenSSL memory leak.

* Introduced web session cookie expiration timers and rotation.

* New packages for Ubuntu 16 now available.


Access Server release notes for 2.1.1 (changes made since 2.1.0)


* Updated OpenSSL to 1.0.2h (fixes a reported security vulnerability in the AES-NI code path: CVE-2016-2107, the padding oracle in the AES-NI CBC MAC check)

* Admin UI: on the VPN Settings page, added "DNS resolution zones" for setting the "dhcp-option DOMAIN ..." OpenVPN directive.

* The previous "Default Domain Suffix" field is now used to set the "dhcp-option ADAPTER_DOMAIN_SUFFIX ..." OpenVPN directive.

* Connect client: fixed an installation issue where the service component would not start after installation. This affected only a few specific situations and is now resolved.

* NOTE: DNS behavior is slightly altered since version 2.1.0 of the Access Server. If you encounter problems, review your settings in the Admin UI under VPN Settings, specifically the DNS settings section.


Access Server release notes for 2.1.0 (changes made since 2.0.26)

* Windows client routing: use the "route-metric" directive (which may be pushed) to set the gateway metric on the TAP interface.

* Client routing: add pushed routes even when redirect-gateway is also pushed.

* Windows tray client: fixed issue with win/ that could break the "Go to <server>" menu command.

* tls-auth: disable tls-auth when "auth none" is given in the config, even when a "tls-auth" directive is present.


Access Server release notes for 2.0.26 (changes made since 2.0.25) 


* AWS Instance ID: allow the license key to remain valid for the lifetime of the instance it is activated on.

* Windows Connect client: discovered and fixed an issue on Windows 10 where tray icons would not update properly when autostart profiles are used.

* Windows Connect client: fixed a Windows 10 DNS issue where Windows would not select the DNS server pushed by Access Server.

* Macintosh Connect Client: fixed an issue where, with specific network configurations, DNS servers would be unconfigured after a disconnect.

* OpenVPN Access Server core: fixed a bug introduced in 2.0.25 that required FAVOR_LZO=1 for mobile clients

* OpenVPN Access Server core: fixed a bug introduced in 2.0.25 where a TLS refresh issue occurred with mobile clients


Access Server release notes for 2.0.25 (changes made since 2.0.24) 


* Fixed issue with PolarSSL/mbedTLS that was preventing client connections in some cases.


Access Server release notes for 2.0.24 (changes made since 2.0.21)

* Fixed potential DoS vulnerability in port-share feature.

* Updated PolarSSL/mbedTLS to 1.3.15

* Added 3072-bit DH parameters, so that 3072-bit RSA web certs can be used with DH key agreement. Added better error reporting when a key size is used without matching DH params. Key sizes currently supported are 1024, 2048, 3072, and 4096.

* The AS web UI "Server" header now defaults to "OpenVPN-AS" and can be overridden using the config key cs.web_server_name.

* Added to the existing set of RFC 1918 subnets considered by the AS to be private.

* Added "X-Frame-Options: SAMEORIGIN" header to all AS Admin UI and CWS pages.


Access Server release notes for 2.0.21 (changes made since 2.0.20)

* OpenVPN Connect for OSX fixed to work on El Capitan


Access Server release notes for 2.0.20 (changes made since 2.0.17)

* Updated OpenSSL to 1.0.2d

* Updated web CA bundle

* Added web session timeout parameter "sa.session_expire".  For more info, see

* Support tls-version-min parameter in bundled clients

Access Server release notes for 2.0.17 (changes made since 2.0.12)

AS web server:

* Support DH and ECDH ciphersuites

* Turned off RC4 ciphersuites

* In OpenSSL mode, allow override of the default ciphersuite string.

See for more info.


* Support ECDH ciphersuites (DH has always been supported).


* Updated OpenSSL to 1.0.2a.

Access Server release notes for 2.0.12 (changes made since 2.0.11)


* Updated PolarSSL to fix CVE-2015-1182


Access Server release notes for 2.0.11 (changes made since 2.0.10)


* Applied fix for CVE-2014-8104 in OpenVPN core that addresses a denial-of-service vulnerability where an authenticated client could stop the server.

* For newly generated certs, use SHA256 instead of SHA1 as the certificate digest algorithm.

* For new installs, set a default minimum TLS version of 1.0 for the web server. Existing installs can set the minimum TLS version on the SSL Settings page of the Admin UI.


Access Server release notes for 2.0.10 (changes made since 2.0.8)



* Fixed a bug in 2.0.8 when modifying user permissions that could cause the user to disappear from queries, especially when setting the "Admin" flag on a user.

If affected by this issue, you can repair the DB with the following commands:

   cd /usr/local/openvpn_as/scripts
   ./confdba -u --assign_type


* Enable the tls-version-min directive in generated client profiles when the "Select minimum TLS protocol version accepted by OpenVPN server" Admin UI setting is changed from its default value.


* Updated PolarSSL to 1.3.8.


* Fixed a bridging regression in 2.0.8 where instantiating the bridged tunnel failed because of the introduction of two separately named openvpn binaries for OpenSSL and PolarSSL.


Access Server release notes for 2.0.8 (changes made since 2.0.7)


* Updated to OpenSSL 1.0.1h to address security issues.

* Added PolarSSL support as an alternative to OpenSSL for the OpenVPN protocol and integrated web server (In Admin UI, go to Configuration -> SSL Settings page).

* Added options to control minimum SSL/TLS versions for both the OpenVPN protocol and web server.

* Implemented HTTP Proxy support in the OpenVPN Connect client on Windows.

In the tray menu, go to Options -> HTTP Proxy -> Set to set the proxy address and port. An auth dialog pops up if proxy credentials are required.

* In OpenVPN Connect clients for Windows and Mac, allow http-proxy and related directives to be specified in imported profiles, e.g.:

http-proxy ntlm.proxy.tld 3128 auto-nct

* In OpenVPN Connect Windows client, integrated NDIS 6 TAP driver.

The client now detects the Windows version and installs the NDIS 5 driver on pre-Vista systems and NDIS 6 on Vista and higher.

* Fixed bug in OpenVPN Connect clients (Windows and Mac) pertaining to case sensitivity of DNS names.

* In Windows OpenVPN Connect tray client, don't take focus unless we are raising a dialog.

* Allow control over the visibility of links provided to Client Web Server users (In Admin UI, go to Configuration -> Client Settings page).

* Added pagination support to Admin UI for User Permissions and Revoke Certificates pages.  This allows the User Properties and Certificates DBs to potentially scale to millions of rows when the underlying DB engine (e.g. MySQL) supports it.


Access Server release notes for 2.0.7 (changes made since 2.0.6)

* Updated bundled Windows and Mac clients to OpenSSL 1.0.1g to fix Heartbleed issue.

* Minor NAT/routing iptables fixes.


Access Server release notes for 2.0.6 (changes made since 2.0.5)

* Updated OpenSSL to 1.0.1g to fix CVE-2014-0160 (aka Heartbleed vulnerability).
This is a critical vulnerability, and all Access Server users are advised to upgrade immediately.

(Note: If you would like to patch the OpenSSL libraries for older versions of Access Server please download the libs for your distro and copy them into /usr/local/openvpn_as/lib from here:


* Revised cloud initialization procedures for better compatibility on OpenVZ platform instances.

Access Server release notes for 2.0.5 (changes made since 2.0.3)

* Support NAT vs. routing as a fine-grained property that can apply to individual ACL items.


* Initialize Certificate DB to use 2048-bit RSA keys (increased from 1024) for fresh installs.

* Fixed a potential security issue: in some cases, when using Google Authenticator, the Google Authenticator secret could be written to the log file.

* On EC2, have ovpn-init automatically determine the public IP address of the instance, for setting the default public hostname.

* Added support for appliance initialization on the CloudSigma cloud platform.

Access Server release notes for 2.0.3 (changes made since 2.0.2)

* Extended ACL and DMZ port settings to allow specification of a port range.

* Fixed issue where an invalid port (or port range) specified for DMZ in the User Permissions page would be silently ignored, with no error message.

* Added a potential improvement to the iptables rule generation for DNS packets.

* Extended the "Allow Access To these Networks" field in User/Group Permission pages to allow the full route specification syntax supported by the backend, including subnets, services, port ranges, and the NAT vs. Routing flag.

* Updated help documentation on Admin UI

Access Server release notes for 2.0.2 (changes made since 2.0.1)

* Fixed bug where TLS negotiation broke connections from iOS clients.


Access Server release notes for 2.0.1 (changes made since 2.0.0)


* Revised user access rule routing implementation to resolve issues on certain systems.


Access Server release notes for 2.0.0 (changes made since 1.8.5)



* Initial AS IPv6 milestone: IPv4.Addr is now an IPv4/6 discriminated union derived from the ovpn3 (swig-wrapped) module.


* Added necessary swig patch to build ovpn3 python module.


* Fix Admin UI Cross-site request forgery (CSRF) vulnerability (CVE-2013-2692)


* Added Android and iOS client links to CWS.


* Fixed issue where pressing the logout button in the CWS would raise a web exception.


* Add constant-time hash compare for authlocal module.
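
The constant-time compare noted above is easiest to appreciate next to the comparison it replaces. The following is an added example, not code from Access Server's authlocal module (whose hashing scheme is not described on this page); the PBKDF2-SHA256 record format, the iteration count and the names hash_password, naive_compare, constant_time_compare and verify_password are this example's own assumptions.

```python
"""Constant-time verification of a stored password hash (added example)."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor; Access Server's real hashing parameters are not given here.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password into 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'.

    The record format and scheme are this example's own, not Access Server's.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def naive_compare(a: bytes, b: bytes) -> bool:
    """The 'before': an early-exit byte comparison.

    It returns as soon as the first differing byte is found, so its running time
    grows with the length of the matching prefix. Someone who can time many
    authentication attempts can use that to recover the expected digest one byte
    at a time. Kept only to show what the constant-time version replaces.
    """
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_compare(a: bytes, b: bytes) -> bool:
    """The 'after': running time does not depend on where (or whether) inputs differ.

    hmac.compare_digest does this in C; this loop shows the idea in Python:
    XOR every byte pair, OR the results together, and never break early.
    """
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest for a login attempt and compare it in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    try:
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:
        return False
    # Real code should use the library primitive; constant_time_compare above
    # behaves the same and is shown only for illustration.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("good password:", verify_password("correct horse battery staple", record))
    print("bad password: ", verify_password("Tr0ub4dor&3", record))
```

Note that both compare functions still leak the length of the inputs; that is harmless here because every PBKDF2-SHA256 digest is 32 bytes, but it matters when comparing variable-length secrets such as tokens.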


* Added "proto" parameter to VPNConnect and ovpncli tool, for selecting tcp/udp transport protocol.


* Fixed issue where would endlessly ask for EULA agreement.


* Changes to Admin UI "At a glance" sidebar:

1. To avoid CSRF attacks, the start/stop link on the Server Status row has been replaced by a "More" link, which redirects to the server status page where the server can be started/stopped.

2. Links in the "At a glance" sidebar vanish when the current page would be the destination of the link.


* Update IPv6 AS branch to use Python 2.7.


* Updated most pyovpn dependencies other than Twisted/Nevow; contents of current bundle:

* Build Python with readline support.


* Changed pyovpn version number to 2.0.


* Changed all scripts that reference python version number to use 2.7.


* Fix to generation of iptables rules for DNS traffic: because generated iptables rules trap DNS requests early in the ASx_IN_PRE chain, if the initial call to dns_server_subnets did not reduce the rules to empty, we must instead use the whole list of non-reduced rules, i.e. we cannot reduce them further based on access granted to private subnets or the public internet.


* Added comment in LinuxIPv4Forward to extend to IPv6 so that /proc/sys/net/ipv6/conf/all/forwarding is also set.


* Added CC_CMDS env var for debugging. CC_CMDS is a comma-delimited list of OpenVPN directives (such as iroute) to be appended to the client-config list.


* Major IPv6 patch that adds IPv6 tunnel support to AS.


* Added Python-2.7 patch.


* Minor script updates.


* On Admin UI Current Users page, properly show both IPv4 and IPv6 addresses.


* Raised some string length limits from 128 and 256 to 512.


* Try to move AS default private subnets to an RFC-1918 backwater.

    "": "",
    "vpn.server.group_pool.0": "",

    "": "",
    "vpn.server.group_pool.0": "",


* Fixed regression in related to regeneration of the Client object.


* Added post_auth script that shows connecting user, serial number, CN, and SHA1 fingerprint of the leaf cert.


* Fixed some instances where transport.write (in Twisted) might be called with a unicode string, causing a Twisted exception. This was likely causing an issue with failover rsync, where the ssh password was being passed as unicode to transport.write.


* Minor text updates to Admin UI:

1) Don't cite LZO in compression settings because multiple compression algorithms are now available.

2) Warn that layer 2 is incompatible with mobile.

3) Due to IPv6 address notation, ranges should now be delimited by ';' instead of ':'.


* Because of the tradeoff between BEAST mitigation with RC4 and RC4's own weaknesses, turn off BEAST mitigation by default, and change some of the related text in the Admin UI. In particular, the BEAST flag now defaults to false and is keyed by cs.beast_workaround2.


* Added support for OpenVPN tls-version-min directive.


* Removed some debugging and redundant code.


* Added connect_timeout and server_poll_timeout parameters to Connect and VPNConnect methods (and capicli and ovpncli tools).

connect_timeout (optional int|str) : set connection timeout (seconds)

server_poll_timeout (optional int|str) : set the server-poll-timeout OpenVPN parameter (seconds), the number of seconds to try each remote entry before moving on to the next


* The client backend as.conf can now specify a list of prepend and append config file directives to be applied before and after the config file.

For example:

    prepend_config.0=route-method exe
    prepend_config.1=route-delay 30
    prepend_config.2=route-metric 512



* Minor change in clisite to use new method IP.is_lo() to test whether an address is a loopback address.


* Fixed issue where exceptions in AuthRPCServer._render_finalize were causing server-side stack traces to be sent to the client.


* Minor rewording of BEAST option in Admin UI for clarity.


* If the vpn.server.routing.snat_source list is non-empty, use it to generate the SNAT interface list rather than enum_interfaces.



This how-to guide demonstrates the steps required to activate a license on the OpenVPN Access Server.


1. Navigate to the OpenVPN Access Server Admin UI (https://x.x.x.x:943/admin):

2. After logging into the Admin UI, navigate to the "License" page:

3. On the License page you will need your license key; copy it from your profile on our website (

4. After copying the key you want to activate from your License Key page, go back to the Admin UI and paste it into the License Key box:

5. After pasting the license key and clicking "Add A New License Key" you will see the message "License Key Activated":

That's it: your license is activated and you can now use your licensed copy of OpenVPN Access Server.

If you would like to activate OpenVPN-AS via the command line please read this article:


Once you have a license activated and the VPN Server is running on your Access Server, remote users can log in to the Client Web Server and download customized client configuration files and/or pre-configured Windows Client software installer files. These files are generated dynamically when a remote user successfully logs in.

You can determine the URL of the Client Web Server from the Server Network Settings page. Usually the public "Hostname or IP Address" setting is used for the URL, as this setting corresponds to the server's public name or IP address (used by clients on the Internet to communicate with the server). E.g., if the "Hostname or IP Address" is set to "" (and the Client Web Server port number is 443), the URL for remote users to use to contact the Client Web Server would be

If the VPN server is not listening on TCP port 443 (a different port is configured, or TCP mode is disabled), the Client Web Server is only reachable on port 943, so append :943 to the hostname or IP address:

*Note that the settings for the Client Web Server on the Server Network Settings page allow you to specify different IP address and port combinations for the Client Web Server, the VPN Server and the Admin Web UI. Consult the Access Server documentation and Help page for more information on these settings.

Remote users log in to the Client Web Server and see four hyperlinks: the first two are for the Generic Client Installer (Windows only) and the Generic Client Profile; the other two are for the customized client configuration file (which can be used with any compatible OpenVPN client, version 2.1 or later) and the Windows software installer. The remote user can immediately download and run the installer to add the pre-configured OpenVPN Windows Client to their computer.

*Note that installing the OpenVPN Client software requires administrative privileges on the Windows host (as a virtual network interface driver is included in the installation).

The setup process for installing the OpenVPN-AS Windows Client is straightforward: click Next to install, accept the agreement, and click Install to accept the default installation location.

Once the Windows Client software is installed, the user can run the "OpenVPN" shortcut from the Programs list. The user provides his or her password at the Login dialog box and presses "Connect". Once the OpenVPN Client communicates with the VPN Server, the VPN connection is established and the dialog box is minimized. At this point, the remote user is "on the VPN." The user can terminate the VPN session by right-clicking the OpenVPN Client icon (orange, with a 'keyhole' shape) in the taskbar and choosing "Disconnect."

Once the client has received the configuration settings from the OpenVPN Access Server you will see a status dialogue that says "Assigning IP Address...". After the IP address has been assigned you will see the status below; you are now connected to the OpenVPN Access Server.

After successful installation of the OpenVPN Access Server package you will be shown the following information in your terminal:

The Access Server has been successfully installed in /usr/local/openvpn_as
Configuration log file has been written to /usr/local/openvpn_as/init.log
Please enter "passwd openvpn" to set the initial
administrative password, then login as "openvpn" to continue
configuration here: https://listeningip:943/admin
To reconfigure manually, use the /usr/local/openvpn_as/bin/ovpn-init tool.
Access Server web UIs are available here:
Admin  UI: https://listeningip:943/admin
Client UI: https://listeningip:943/

You will need to run one more command before navigating to the OpenVPN Access Server Admin UI: set a password for the openvpn admin account by running the following command in a terminal:

passwd openvpn

After doing so you can navigate to the OpenVPN Access Server Admin UI. If you require a more advanced configuration, run the ovpn-init script:


Before installing the OpenVPN Access Server, you will need a host running a Linux distribution supported by OpenVPN-AS (e.g., 64-bit Fedora 22). This server host should have Internet access and should be prepared as follows:

  1. Ensure that SELinux is disabled (disabling SELinux requires a system reboot to take effect).
  2. Configure the server with the interface IP address(es) and domain name desired. Ensure that the network settings will permit OpenVPN clients to access the Access Server, and that the server’s domain name resolves properly to the desired interface address.

Completing the second step usually involves configuring the server in one of the following ways:

  •  The server has a static IP address that is reachable from clients on the Internet, at least for the TCP ports used by Access Server. Preferably, the server has a Fully Qualified Domain Name (FQDN) as its host name.

  •  The server has a dynamic IP address that is reachable by clients on the Internet and a dynamic DNS host name which tracks the changing IP address (this service is offered for free by various providers).

In either case, having the server located on a private network behind a corporate firewall implies that the firewall must be configured to forward client traffic (on the ports used by Access Server) between the public IP address and the server’s private IP address.

Note that the “Connectivity Test” page in the OpenVPN Access Server Admin Web UI can be used to check whether or not VPN clients on the Internet will be able to access your Access Server (with its current network settings).