Subscription model licensing configuration options

Description of subscription licensing model

The software subscription licensing model for OpenVPN Access Server allows to unlock an amount of concurrent VPN connections to this server. It is available from our website and can be a monthly or yearly subscription, with the option to renew automatically. It is flexible in the sense that it can be activated on a single Access Server, or on multiple, and they will then use VPN connections from this allowed connections pool as necessary when VPN clients connect. It also allows changing the size of the subscription at will.

There are different software licensing models for OpenVPN Access Server. You can use the software licensing troubleshooting guide to determine what software license type you are using now, if any.

Change order of disconnection behavior

In the software subscription licensing model, it is possible that you get more VPN clients connected than are allowed by your subscription. This can happen for example if your subscription is used on multiple Access Servers at the same time, and the total amount of VPN connections added up from these Access Servers exceed the subscription limit. If this happens, our licensing system will disconnect as many users as necessary to stay within that limit again. So if for example you have a subscription that allows 10 VPN connections, and you have 11 VPN connections established now, then the 11th VPN connection will be disconnected.

As of Access Server 2.8.6 there is an option to choose whether the most recent or the oldest connection should be disconnected when you go over the limit. The default is that the most recent or newest connections will be disconnected when you go over the subscription limit. Please note that all command line parameters are assumed to be executed on the Access Server as root user in the /usr/local/openvpn_as/scripts/ directory.

To set the behavior to disconnect most recent or newest VPN connections (default):

./sacli --key "subscription.enforcement_order" --value "newest" ConfigPut
service openvpnas restart

To set the behavior to disconnect oldest VPN connections:

./sacli --key "subscription.enforcement_order" --value "oldest" ConfigPut
service openvpnas restart

To reset to implied default value (newest):

./sacli --key "subscription.enforcement_order" ConfigDel
service openvpnas restart

Configure a local connection limit

Normally when you apply a subscription on multiple Access Servers, each server will be allowed to establish the total amount of allowed incoming VPN connections as specified on the subscription. For example if you have a subscription that allows 10 VPN connections, and you have it activated on three different Access Servers, then each Access Server will be allowed to accept 10 VPN connections. This allows any of these Access Servers to use up the full subscription.

However, when the total amount of established VPN connections on these three Access Servers added together exceeds the 10 VPN connections allowed by the subscription, then the licensing system will lower the amount of allowed VPN connections on the individual Access Servers to force them to disconnect VPN connections that exceed the amount you are allowed to connect on your subscription.

If you wish to share a subscription with multiple Access Servers, but limit an individual Access Server to a specific amount of allowed VPN connections, then you can use the local client connection limit option. This introduces a local limit on the amount of allowed VPN connections on a specific Access Server. By default the local limit is whatever the subscription allows. You can specify a lower amount per Access Server by using the instructions below. Replace <NUMBER_OF_CONNECTIONS> with the number of desired maximum connections allowed on this Access Server.

To configure a local limit in subscription mode:

./sacli --key "subscription.local_cc_limit" --value "<NUMBER_OF_CONNECTIONS>" ConfigPut
service openvpnas restart

To remove the limit:

./sacli --key "subscription.local_cc_limit" ConfigDel
service openvpnas restart

Activating subscription on command line

Activating a subscription on the command line (as root):

./sacli -v "InsertTheSubscriptionActivationKeyHere" LoadSubscription

Verify that it works:

./sacli SubscriptionStatus

Removing subscription on command line

Please note that when we talk about removing a subscription from the Access Server, we mean simply that the OpenVPN Access Server you are on will stop using that subscription. It does not mean that the subscription stops working on other servers, or that the billing for it stops. That is a completely separate step that is handled in our Access Server licensing portal on our website. So removing a subscription from the Access Server simply means that your particular Access Server will no longer be licensed through the subscription licensing model. You can always license the Access Server again later.

Removing a subscription on the command line:

./sacli DeactivateSubscription


If you experience problems with the subscription licensing system, please check the troubleshooting guide for software subscription licensing.