Software Packages


Access Server release notes for 2.1.12 (changes made since 2.1.9)


* Problems with gaps in sequentially ordered lists of keys in the configuration database are now automatically repaired when using sacli start on the command line.
* TLS level 1.2 for the OpenVPN protocol is labeled the default for new installations. Upgrades of existing installations remain at the previously set level.
* TLS level 1.1 for the web services is labeled the default for new installations. Upgrades of existing installations remain at the previously set level.
* SSLv2 and SSLv3 support has been deprecated and will be removed completely in a future release.
* SSL settings page is now renamed to TLS settings page, since TLS is now the prevalent technology and SSL is phasing out.
* Alias interfaces like eth0:1 and such could not be selected for source NAT outgoing VPN client traffic. This bug has now been fixed.
* An option has been added to completely disable TLS auth. This should only ever be used for compatibility with clients that offer no way to implement TLS auth at all.


Access Server release notes for 2.1.9 (changes made since 2.1.8)


* Small code improvements, slightly faster response time on web interface.

* Fixed broken 'current users' page in the web interface while users were connected on Access Server 2.1.8.


Access Server release notes for 2.1.8 (changes made since 2.1.6)


*OpenVPN Connect Client for Windows is signed properly.

*Disabling compression on the server no longer leads to a compression stub error.

*Security fixes for issues reported by Guido Vranken (CVE-2017-7508, CVE-2017-7520, CVE-2017-7521, CVE-2017-7522) and other fixes.


Access Server release notes for 2.1.6 (changes made since 2.1.4)


*OpenVPN Connect Client for Mac OS X updated to version to address the "error no. 8" bug that occurred on some systems that have an IPv6 DNS server assigned as primary DNS server.

*OpenVPN Connect Client for Windows updated to version to address the problem where an autologin type profile would endlessly loop in reconnection state when the autologin profile encounters an authorization problem (no longer valid, revoked, and such).

*Access Server 2.1.6 web services updated to fix CRLF injection vulnerability CVE-2017-5868 reported by Sysdream Labs.

*Access Server 2.1.6 OpenVPN core updated to fix CVE-2017-7478 and CVE-2017-7479 as well as other issues reported by Quarkslab and Cryptography Engineering LLC.


Access Server release notes for 2.1.4 (changes made since 2.1.2)


* Client: Added MAC address reporting on Windows and MacOS

* Added support for systemd in Ubuntu 16


Access Server release notes for 2.1.2 (changes made since 2.1.1) 


* Fixed a problem with DNS implementation on the server side where DNS options wouldn't be pushed if the Windows Networking NETBIOS options was used on the server.

* Fixed openssl memory leak

* Introduced web session cookie expiration timers and rotation.

* New packages for Ubuntu 16 now available.


Access Server release notes for 2.1.1 (changes made since 2.1.0)


* Updated OpenSSL to 1.0.2h (Fixes a reported security vulnerability in AES-NI)

* Admin UI : On VPN Settings page, added "DNS resolution zones" for setting "dhcp-option DOMAIN ..." OpenVPN settings.

* The previous "Default Domain Suffix" field is now used to set the "dhcp-option ADAPTER_DOMAIN_SUFFIX ..." OpenVPN setting.

* Connect client: Fixed an installation issue where the service component would not start after installation. Affected only a few specific situations, and is now resolved.

* NOTE: DNS behavior is slightly altered since version 2.1.0 of the Access Server. If you encounter problems please review your settings in the Admin UI under VPN Settings, specifically the section for DNS settings.


Access Server release notes for 2.1.0 (changes made since 2.0.26)

* Windows client routing : use the "route-metric" directive (which may be pushed) to set the gwmetric on TAP interface

* client routing : add pushed routes even when redirect-gateway is also pushed.

* Windows tray client : fixed issue with win/ that could break "Go to <server>" menu command.

* tls-auth : disable tls-auth when "auth none" is given in config even when "tls-auth" directive is present.


Access Server release notes for 2.0.26 (changes made since 2.0.25) 


* AWS Instance ID: Allow ability to keep license key valid for the lifetime of the instance it is activated on

* Windows Connect client : discovered and fixed an issue on Win 10 where tray icons would not update properly when autostart profiles are used.

* Windows Connect client: fixed Windows 10 DNS issue where Windows would not select DNS server pushed by Access Server

* Macintosh Connect Client: fixed an issue where with specific network configurations, DNS servers would get unconfigured after a disconnect

* OpenVPN Access Server core: fixed a bug introduced in 2.0.25 that required FAVOR_LZO=1 for mobile clients

* OpenVPN Access Server core: fixed a bug introduced in 2.0.25 where a TLS refresh issue occurred with mobile clients


Access Server release notes for 2.0.25 (changes made since 2.0.24) 


* Fixed issue with PolarSSL/mbedTLS that was preventing client connections in some cases.


Access Server release notes for 2.0.24 (changes made since 2.0.21)

* Fixed potential DoS vulnerability in port-share feature.

* Updated PolarSSL/mbedTLS to 1.3.15

* Added 3072-bit DH parameters, to allow 3072-bit RSA web certs with ECDH key agreement.  Added better error reporting when key size is used without matching DH params. Current keys sizes supported are 1024, 2048, 3072, and 4096.

* The AS web UI "Server" header now defaults to "OpenVPN-AS" and can be overriden using the config key cs.web_server_name

* Added to the existing set of RFC 1918 subnets considered by the AS to be private.

* Added "X-Frame-Options: SAMEORIGIN" header to all AS Admin UI and CWS pages.


Access Server release notes for 2.0.21 (changes made since 2.0.20)

* OpenVPN Connect for OSX fixed to work on El Capitan


Access Server release notes for 2.0.20 (changes made since 2.0.17)

* Updated OpenSSL to 1.0.2d

* Updated web CA bundle

* Added web session timeout parameter "sa.session_expire".  For more info, see

* Support tls-version-min parameter in bundled clients

Access Server release notes for 2.0.17 (changes made since 2.0.12)

AS web server:

* Support DH and ECDH ciphersuites

* Turned off RC4 ciphersuites

* In OpenSSL mode, allow override of default ciphersuite string. 

See for more info.


* Support ECDH ciphersuites (DH has always been supported).


* Updated to 1.0.2a.

Access Server release notes for 2.0.12 (changes made since 2.0.11)


* Updated PolarSSL to fix CVE-2015-1182


Access Server release notes for 2.0.11 (changes made since 2.0.10)


* Applied fix for CVE-2014-8104 in OpenVPN core that addresses a denial-of-service vulnerability where an authenticated client could stop the server.

* For new generated certs, use SHA256 instead of SHA1 as the cert digest algorithm.

* For new installs, set a default minimum TLS version of 1.0 for the web server. Existing installs can set the minimum TLS version on the SSL Settings page of the Admin UI.


Access Server release notes for 2.0.10 (changes made since 2.0.8)



*Fixed a bug in 2.0.8 when modifying user permissions that could potentially cause the user to disappear from queries, especially when setting the "Admin" flag on a user.

If affected by this issue, you can repair the DB by using the following commands:

   cd /usr/local/openvpn_as/scripts

   ./confdba -u --assign_type


*Enable tls-version-min directive in generated client profiles when "Select minimum TLS protocol version accepted by OpenVPN server" Admin UI setting is changed from its default value.


 *Updated PolarSSL to 1.3.8.


*Fixed bridging regression in 2.0.8 where instantiating the bridged tunnel was failing because of the introduction of two separately named openvpn binaries for OpenSSL and PolarSSL.


Access Server release notes for 2.0.8 (changes made since 2.0.7)


* Updated to OpenSSL 1.0.1h to address security issues.

* Added PolarSSL support as an alternative to OpenSSL for the OpenVPN protocol and integrated web server (In Admin UI, go to Configuration -> SSL Settings page).

* Added options to control minimum SSL/TLS versions for both the OpenVPN protocol and web server.

* Implemented HTTP Proxy support in OpenVPN Connect client on Windows.

In tray menu, go to Options -> HTTP Proxy -> Set to set the proxy address and port.  An auth dialog should pop up if proxy creds are required.

* In OpenVPN Connect clients for Windows and Mac, allow http-proxy and related directives to be specified in imported profiles, e.g.:

http-proxy ntlm.proxy.tld 3128 auto-nct





* In OpenVPN Connect Windows client, integrated NDIS 6 TAP driver.

Client will now detect Windows version and install NDIS 5 driver for pre-Vista and NDIS 6 for Vista and higher.

* Fixed bug in OpenVPN Connect clients (Windows and Mac) pertaining to case sensitivity of DNS names.

* In Windows OpenVPN Connect tray client, don't take focus unless we are raising a dialog.

* Allow control over the visibility of links provided to Client Web Server users (In Admin UI, go to Configuration -> Client Settings page).

* Added pagination support to Admin UI for User Permissions and Revoke Certificates pages.  This allows the User Properties and Certificates DBs to potentially scale to millions of rows when the underlying DB engine (e.g. MySQL) supports it.


Access Server release notes for 2.0.7 (changes made since 2.0.6)

* Updated bundled Windows and Mac clients to OpenSSL 1.0.1g to fix Heartbleed issue.

* Minor NAT/routing iptables fixes.


Access Server release notes for 2.0.6 (changes made since 2.0.5)

* Updated OpenSSL to 1.0.1g to fix CVE-2014-0160 (aka Heartbleed vulnerability).
This is a critical vulnerability, and all Access Server users are advised to upgrade immediately.

(Note: If you would like to patch the OpenSSL libraries for older versions of Access Server please download the libs for your distro and copy them into /usr/local/openvpn_as/lib from here:


* Revised cloud initialization procedures for better compatibility on OpenVZ platform instances.

Access Server release notes for 2.0.5 (changes made since 2.0.3)

* Support NAT vs. routing as a fine-grained property that can apply to individual ACL items.


* Initialize Certificate DB to use 2048-bit RSA keys (increased from

1024) for fresh installs.

* Fixed potential security issue: in some cases, when using Google Authenticator, the Google authenticator secret might be written to the log file.

* On EC2, have ovpn-init automatically determine the public IP address of the instance, for setting the default public hostname.

* Added support for appliance initialization on the CloudSigma cloud platform.

Access Server release notes for 2.0.3 (changes made since 2.0.2)

* Extended ACL and DMZ port settings to allow specification of a
port range

* Fixed issue where an invalid port (or port range) specified for
DMZ in the User Permissions page would be silently ignored, with
no error message.

* Added a potential improvement on the iptables rule generation for
DNS packets.

* Extended the "Allow Access To these Networks" field in User/Group
Permission pages to allow the full route specification syntax
supported by the backend, including subnets, services, port
ranges, and NAT vs. Routing flag

* Updated help documentation on Admin UI

Access Server release notes for 2.0.2 (changes made since 2.0.1)

* Fixed bug where TLS negotiation broke connections from iOS clients.


Access Server release notes for 2.0.1 (changes made since 2.0.0)


 * Revised user access rule routing implementation to resolve issues on certain systems.


Access Server release notes for 2.0.0 (changes made since 1.8.5)



* Initial AS IPv6 milestone — IPv4.Addr is now an IPv4/6 discriminated union

derived from ovpn3 (swig-wrapped) module.


* Added necessary swig patch to build ovpn3 python module.


* Fix Admin UI Cross-site request forgery (CSRF) vulnerability (CVE-2013-2692)


* Added Android and iOS client links to CWS.


* Fixed issue where pressing logout button from CWS would raise web exception.


* Add constant-time hash compare for authlocal module.


* Added “proto” parameter to VPNConnect and ovpncli tool, for selecting tcp/

udp transport protocol.


* Fixed issue where would endlessly ask for EULA agreement.


* Changes to Admin UI “At a glance” sidebar:


1. To avoid CSRF attacks, start/stop link on Server Status row has been

replaced by “More” link which redirects to server status page where

server can be started/stopped.


2. Links in “At a glance” sidebar vanish when current page would be the

destination of link.


* Update IPv6 AS branch to use Python 2.7.


* Updated most pyovpn dependencies other than Twisted/Nevow — contents of

current bundle:







































* Build Python with readline support.


* Changed pyovpn version number to 2.0.


* Changed all scripts that reference python version number to use 2.7.


* Fix to generation of iptables rules for DNS traffic:


Because generated iptables rules trap DNS requests early in ASx_IN_PRE

chain, if initial call to dns_server_subnets did not reduce the rules

to empty, we must instead use the whole list of non-reduced rules,

i.e. we cannot reduce them further based on access granted to private

subnets or the public internet.


* Added comment in LinuxIPv4Forward to extend to IPv6 so that

/proc/sys/net/ipv6/conf/all/forwarding is also set.


* Added CC_CMDS env var for debugging.  CC_CMDS is a comma-delimited list of

OpenVPN directives (such as iroute) to be appended to client-config list.


* Major IPv6 patch that addes IPv6 tunnel support to AS.


* Added Python-2.7 patch.


* Minor script updates.


* On Admin UI Current Users page, properly show both IPv4 and IPv6 addresses.


* Raised some string length limits from 128 and 256 to 512.


* Try to move AS default private subnets to RFC-1918 backwater.




“”: “″,

“vpn.server.group_pool.0″    : “″,




“”: “″,

“vpn.server.group_pool.0″    : “″,


* Fixed regression in related to regeneration of

Client object.


* Added post_auth script that shows connecting user, serial number,

CN, and SHA1 fingerprint of leaf cert.


* Fixed some instances where transport.write (in Twisted) might be called with

a unicode string, causing a Twisted exception. This was likely causing an

issue with failover rsync where the ssh password was being passed as unicode

to transport.write.


* Minor text updates to Admin UI:


1) Don’t cite LZO in compression settings because multiple compression

algorithms are now available.


2) Warn that layer 2 is incompatible with mobile.


3) Due to IPv6 address notation, ranges should now be delimited by ‘;’

instead of ‘:’.


* Because of tradeoff between Beast mitigation with RC4 and RC4′s own

weaknesses, turn off Beast mitigation by default, and change some of the

related text in the Admin UI. In particular, Beast flag now defaults to

false and is keyed by cs.beast_workaround2


* Added support for OpenVPN tls-version-min directive.


* Removed some debugging and redundant code.


* Added connect_timeout and server_poll_timeout parameters to Connect and

VPNConnect methods (and capicli and ovpncli tools).


connect_timeout (optional int|str) : set connection timeout (seconds)


server_poll_timeout (optional int|str) : set server-poll-timeout OpenVPN

parameter (seconds) — the number of seconds to try each remote entry before

moving on to the next


* The client backend as.conf can now specify a list of prepend and append

config file directives to be applied before and after the config file.


For example:




prepend_config.0=route-method exe

prepend_config.1=route-delay 30

prepend_config.2=route-metric 512



* Minor change in clisite to use new method IP.is_lo() to test whether address

is a loopback address.


* Fixed issue where exceptions in AuthRPCServer._render_finalize were causing

server-side stack traces to be sent to client.


* Minor rewording of BEAST option in Admin UI for clarity.


* If vpn.server.routing.snat_source list is non-empty, use it to generate SNAT

interface list rather than enum_interfaces.