Description of subscription licensing model
The software subscription licensing model for OpenVPN Access Server unlocks a number of concurrent VPN connections. Subscription licensing is available from our website and can be purchased as a monthly or yearly subscription, with the option to renew automatically. Subscriptions are flexible in the sense that they can be activated on a single Access Server or on multiple Access Servers, and when your VPN clients connect the connections are activated from an allowed-connections pool as necessary. Subscriptions also allow you to scale the number of connections up or down at will.
There are different software licensing models for OpenVPN Access Server. You can use the software licensing troubleshooting guide to determine what software license type you are using now, if any.
Change order of disconnection behavior
In the software subscription licensing model it is possible to have more VPN clients connected than your subscription allows. For example, if your subscription is used on multiple Access Servers at the same time, and the total number of VPN connections across these Access Servers exceeds your subscription limit, our licensing system disconnects as many users as necessary to keep your subscription within the purchased limit.
As of Access Server 2.8.6 there is an option to choose whether the most recent or the oldest connection should be disconnected when you go over the subscription limit. By default, the most recent or newest connections are disconnected first. The commands below allow you to change or specifically define the subscription enforcement order.
Note: all command line parameters are assumed to be executed on the Access Server as root user in the /usr/local/openvpn_as/scripts/ directory.
To set the behavior to disconnect the most recent or newest VPN connections (default):
./sacli --key "subscription.enforcement_order" --value "newest" ConfigPut service openvpnas restart
To set the behavior to disconnect the oldest VPN connections:
./sacli --key "subscription.enforcement_order" --value "oldest" ConfigPut service openvpnas restart
To reset to the implied default value (newest):
./sacli --key "subscription.enforcement_order" ConfigDel service openvpnas restart
Log Message: “subscription: enforcement_order is not set. Will disconnect newest subscription clients”
If the subscription enforcement order is not specified for your Access Server subscription, you may receive the following warning in the log: “subscription: enforcement_order is not set. Will disconnect newest subscription clients”.
This message simply means that if the subscription.enforcement_order is not defined and the number of concurrent connections exceeds your subscription limit, the newest connection is dropped first.
The subscription.enforcement_order message is expected behavior, and you can either ignore it or choose to set the subscription enforcement order. You can configure our licensing system to disconnect clients that exceed the limit in two ways: starting with the newest; or starting with the oldest. To do this manually, use one of the sacli commands above and define the subscription.enforcement_order as either “newest” or “oldest”.
Configure a local connection limit
Normally when you apply a subscription on multiple Access Servers, each server will be allowed to establish the total amount of allowed incoming VPN connections as specified on the subscription. For example if you have a subscription that allows 10 VPN connections, and you have it activated on three different Access Servers, then each Access Server will be allowed to accept 10 VPN connections. This allows any of these Access Servers to use up the full subscription.
However, when the total amount of established VPN connections on these three Access Servers added together exceeds the 10 VPN connections allowed by the subscription, then the licensing system will lower the amount of allowed VPN connections on the individual Access Servers to force them to disconnect VPN connections that exceed the amount you are allowed to connect on your subscription.
If you wish to share a subscription with multiple Access Servers, but limit an individual Access Server to a specific amount of allowed VPN connections, then you can use the local client connection limit option. This introduces a local limit on the amount of allowed VPN connections on a specific Access Server. By default the local limit is whatever the subscription allows. You can specify a lower amount per Access Server by using the instructions below. Replace <NUMBER_OF_CONNECTIONS> with the number of desired maximum connections allowed on this Access Server.
To configure a local limit in subscription mode:
./sacli --key "subscription.local_cc_limit" --value "<NUMBER_OF_CONNECTIONS>" ConfigPut service openvpnas restart
To remove the limit:
./sacli --key "subscription.local_cc_limit" ConfigDel service openvpnas restart
Activating subscription on command line
Activating a subscription on the command line (as root):
./sacli -v "InsertTheSubscriptionActivationKeyHere" LoadSubscription
Verify that it works:
Removing subscription on command line
Please note that when we talk about removing a subscription from the Access Server, we mean simply that the OpenVPN Access Server you are on will stop using that subscription. It does not mean that the subscription stops working on other servers, or that the billing for it stops. That is a completely separate step that is handled in our Access Server licensing portal on our website. So removing a subscription from the Access Server simply means that your particular Access Server will no longer be licensed through the subscription licensing model. You can always license the Access Server again later.
Removing a subscription on the command line:
If you experience problems with the subscription licensing system, please check the troubleshooting guide for software subscription licensing.