Subscription model licensing configuration options

Description of subscription licensing model

The software subscription licensing model for OpenVPN Access Server unlocks a number of concurrent VPN connections. Subscription licensing is available from our website and can be purchased as a monthly or yearly subscription, with the option to renew automatically. Subscriptions are flexible in the sense that they can be activated on a single Access Server or on multiple Access Servers, and when your VPN clients connect the connections are activated from an allowed-connections pool as necessary. Subscriptions also allow you to scale the number of connections up or down at will.

There are different software licensing models for OpenVPN Access Server. You can use the software licensing troubleshooting guide to determine what software license type you are using now, if any.

Change order of disconnection behavior

In the software subscription licensing model it is possible to have more VPN clients connected than your subscription allows. For example, if your subscription is used on multiple Access Servers at the same time, and the total number of VPN connections across these Access Servers exceeds your subscription limit, our licensing system disconnects as many users as necessary to keep your subscription within the purchased limit.

As of Access Server 2.8.6 there is an option to choose whether the most recent or the oldest connection should be disconnected when you go over the subscription limit. By default, the most recent or newest connections are disconnected first. The commands below allow you to change or specifically define the subscription enforcement order.

Note: all command line parameters are assumed to be executed on the Access Server as root user in the /usr/local/openvpn_as/scripts/ directory.

To set the behavior to disconnect the most recent or newest VPN connections (default):

./sacli --key "subscription.enforcement_order" --value "newest" ConfigPut
service openvpnas restart

To set the behavior to disconnect the oldest VPN connections:

./sacli --key "subscription.enforcement_order" --value "oldest" ConfigPut
service openvpnas restart

To reset to the implied default value (newest):

./sacli --key "subscription.enforcement_order" ConfigDel
service openvpnas restart

Log Message: “subscription: enforcement_order is not set. Will disconnect newest subscription clients”

If the subscription enforcement order is not specified for your Access Server subscription, you may receive the following warning in the log: “subscription: enforcement_order is not set. Will disconnect newest subscription clients”.
This message simply means that if the subscription.enforcement_order is not defined and the number of concurrent connections exceeds your subscription limit, the newest connection is dropped first.

The subscription.enforcement_order message is expected behavior, and you can either ignore it or choose to set the subscription enforcement order. You can configure our licensing system to disconnect clients that exceed the limit in two ways: starting with the newest; or starting with the oldest. To do this manually, use one of the sacli commands above and define the subscription.enforcement_order as either “newest” or “oldest”.

Configure a local connection limit

Normally when you apply a subscription on multiple Access Servers, each server will be allowed to establish the total number of allowed incoming VPN connections as specified on the subscription. For example if you have a subscription that allows 10 VPN connections, and you have it activated on three different Access Servers, then each Access Server will be allowed to accept 10 VPN connections. This allows any of these Access Servers to use up the full subscription.

However, when the total number of established VPN connections on these three Access Servers added together exceeds the 10 VPN connections allowed by the subscription, then the licensing system will lower the number of allowed VPN connections on the individual Access Servers to force them to disconnect VPN connections that exceed the number you are allowed to connect on your subscription.

If you wish to share a subscription with multiple Access Servers, but limit an individual Access Server to a specific number of allowed VPN connections, then you can use the local client connection limit option. This introduces a local limit on the number of allowed VPN connections on a specific Access Server. By default the local limit is whatever the subscription allows. You can specify a lower number per Access Server by using the instructions below. Replace <NUMBER_OF_CONNECTIONS> with the number of desired maximum connections allowed on this Access Server.

To configure a local limit in subscription mode:

./sacli --key "subscription.local_cc_limit" --value "<NUMBER_OF_CONNECTIONS>" ConfigPut
service openvpnas restart

To remove the limit:

./sacli --key "subscription.local_cc_limit" ConfigDel
service openvpnas restart

Change hostname that displays in subscription portal

The Access Server reports its hostname to our subscription server, which you can view in our billing portal. You can set the display name should you prefer, customizing it to differentiate it from other servers. This is not required, but a helpful, “cosmetic” step you may take to identify your servers as seen in the Access Server Information for your subscription.

Before making these changes, it would be good to answer a few questions:

  • Is there any other software running on your Linux server that would be negatively affected by a hostname change?
  • Is there a policy within your company for server naming, where this may affect an already assigned DNS name for the machine? (If yes, verify the local DNS setup on the machine is correct and if Access Server should have picked up the assigned hostname already.)

If you can answer no to both questions, then follow these next steps. Not all distributions have the hostnamectl command. For older systems, such as Ubuntu 16, you will need to edit /etc/hosts and possibly /etc/hostname.

These instructions were tested with Ubuntu 20.

To set the hostname:

hostnamectl set-hostname [put-your-desired-hostname-here]

To ensure that hostname is set up correctly:


To restart the OpenVPN Access Server:

service openvpnas restart

To view the hostname in your billing portal:

  1. Log in to your Access Server account.
  2. In Subscriptions, click on the name of your subscription.
  3. From the Subscription Details page, click on Access Server Information.
  4. The hostname of the servers with this activated subscription display under Hostname.

Activating subscription on command line

Activating a subscription on the command line (as root):

./sacli -v "InsertTheSubscriptionActivationKeyHere" LoadSubscription

Verify that it works:

./sacli SubscriptionStatus

Removing subscription on command line

Please note that when we talk about removing a subscription from the Access Server, we mean simply that the OpenVPN Access Server you are on will stop using that subscription. It does not mean that the subscription stops working on other servers, or that the billing for it stops. That is a completely separate step that is handled in our Access Server licensing portal on our website. So removing a subscription from the Access Server simply means that your particular Access Server will no longer be licensed through the subscription licensing model. You can always license the Access Server again later.

Removing a subscription on the command line:

./sacli DeactivateSubscription


If you experience problems with the subscription licensing system, please check the troubleshooting guide for software subscription licensing.