OpenVPN Security Advisory: Dec 14, 2018
Action needed: Important update for OpenVPN Access Server

Security Advisory

Updated licensing system

The licensing system of the OpenVPN Access Server product has been updated to add support for new features and to enhance security. This involved some changes on our end, and it also requires a small change on your existing OpenVPN Access Server installation. We have kept the impact as small as possible, and the information below answers the most common questions so that the transition goes as smoothly as possible. The change to the licensing system happened on January 20th of 2019, so it is important that you take action. Please review the information below to learn what impact this has and how to take the necessary steps.

Please note that this change does not affect our Amazon AWS tiered instances that are pre-licensed with a predefined number of connections. These are billed through Amazon AWS directly and use a different licensing system that does not need this update.

Frequently Asked Questions

"What do I have to do?"

You should upgrade your Access Server to the latest version available on our software packages page, which includes the changes to the licensing system. Alternatively, if you do not wish to upgrade now, you may use our licensing patch to update only the licensing code on an existing Access Server. The patch is designed so it can be applied live without shutting down or cold restarting the Access Server service, so VPN clients don't need to be disconnected, and it is compatible with Access Server 1.8.3 and above.

"What exactly will change?"

We are making new licensing options possible in the future; in other words, we are creating a more flexible licensing system. This will make it easier for you to change the number of connections on an Access Server in a future update of our licensing system, and will allow us to prepare better licensing options for the exciting new clustering feature that we are developing (only available as beta at this time). On top of that, we are improving the security of the licensing system while we are at it. This requires that Access Server is updated as well.

"What happens if I do nothing?"

Actually very little. If you continue using your current OpenVPN Access Server as it is without either upgrading or applying the licensing patch, it will function normally and the license keys that are on it right now will continue working just fine, even after January 20th (assuming your license keys do not expire before then of course). However, when you try to activate new license keys on an old or unpatched Access Server after that date, or renew license keys for this server and try to activate a renewal key on the server, it will produce an error message. To resolve this, either upgrade your Access Server to the latest version, or apply the live licensing patch. You can then activate license keys again normally after that date.

"Does this affect the licenses currently on my server?"

No. Those are completely unaffected and will continue to function normally.

"Do I need to buy new license keys?"

No. Your license keys remain completely unchanged.

"Can I upgrade my server or apply the licensing patch right now?"

Yes, please do. You may upgrade your Access Server at any time before or after January 20th. If you do it before that time, you will not have to worry about any possible licensing problems.

"I can't interrupt my production systems, and I don't want to upgrade."

That's alright. We understand that our product is used in highly critical situations and that updates and restarts can be disruptive, so we've accounted for that. First of all, if you do nothing, your existing license keys will continue working fine even after January 20th (assuming your license keys do not expire before then of course). And if after January 20th you want to activate a new license key, simply use our live licensing patch. With this patch you can continue using and running your current Access Server version. It does not require your Access Server service to go down or your VPN clients to be disconnected; it simply patches the licensing system in memory while Access Server is running. If you have concerns, you may consider setting up a test platform and testing the live licensing patch on that to ensure there will be no problems on your production system.

"I use a very old version of Access Server, older than 1.8.3."

Unfortunately, the new licensing system cannot function properly on an Access Server that old. Version 1.8.3 is already more than 8 years old. Aside from the security considerations of running severely outdated software, we also just do not support such an old version anymore. We recommend that you upgrade to the latest version. However, if for whatever reason you must continue running such old software and wish to activate a license key on it, contact our support ticket system and let us know the license key you wish to activate, and we will help you perform an activation procedure for your Access Server.
