Troubleshooting guide for OpenVPN Access Server AWS tiered instance licensing

Confirm that you are using AWS tiered instances

There are different ways to license OpenVPN Access Server, so it is important that you confirm that you are using the correct troubleshooting guide if you are having problems with the software licensing. This guide is specifically for Amazon AWS tiered instances.

This licensing model is only available on Amazon AWS and nowhere else. On the AWS Marketplace we have a number of our OpenVPN Access Server offerings available that come prelicensed upon launch. So if you pick the one with 10 connections, and launch it on Amazon AWS, then it will have 10 connections available immediately. It requires that the instance has access to the Internet. So there are no activation keys for this, it happens automatically online.

If your activation method looks to be different, consult the information on our software licensing troubleshooting page to determine which activation method you are actually using.

Troubleshooting

If you encounter the problem where an OpenVPN Access Server with x number of connected devices using the Amazon AWS tiered instance licensing model is showing you that your server is only licensed for 2 connections, while you launched an instance for "xx connected devices", then the most likely explanation here is that you are using a security group on this instance that is blocking access to the licensing servers. If that happens the OpenVPN Access Server cannot check to see if you are licensed and will fall back to its automatic built-in demonstration mode which allows all functionality without time limit, but allows only 2 simultaneous VPN connections. It's also possible you've launched your instance without a public IP or on a VPC that doesn't have Internet access, so the instance cannot access the activation servers.

These are the addresses that the licensing system will need contact to for the tiered instances to verify the licensed state and unlock the number of connections stated on the OpenVPN Access Server AWS tiered instance type:

IP address 169.254.169.254, port 80:
http://169.254.169.254/latest/meta-data/

These DNS names with wide dynamic IP ranges, on port TCP 443:
awspc1.openvpn.net
awspc2.openvpn.net

And these DNS names with static IP addresses, on port TCP 443:
awspc3.openvpn.net, IP address: 107.191.99.82
awspc4.openvpn.net, IP address: 107.161.19.201

Important note: awspc3.openvpn.net and awspc4.openvpn.net are only supported as of Access Server 2.5. Previous versions only use awspc1 and awspc2.

If you are strict on your security permissions, then you need to release access to the meta data system mentioned above, and at least one of the two static IP addresses of awspc3 or awspc4 mentioned above. The licensing system in the Access Server is designed to try a specific licensing server first, and if that fails, move on to the next, and so on, until all 4 addresses have been tried. As a result, if you only unblock for example awspc4 then it may be a minute or two before it picks up the license after the server has just started up, so please be patient.

For those curious, awspc3 will be tried first, then 2, then 4, then 1.

If you have unblocked these addresses, and are still experiencing problems, we recommend first temporarily unblocking everything on this particular system. To put it simply; to disable anything that can possibly block any type of connections. Be sure to check both iptables firewalls and security groups in Amazon, both of these can block traffic. The first thing to ensure is that neither of these are possibly blocking the traffic. And of course do a reboot of the system to be sure any transient issues are taken care of. Once this has been done, and there are still issues, then contact us please with any details you can provide so we can investigate the problem.

DNS can be a problem if you block it. But you can either resolve that by manually entering the names awspc3.openvpn.net and awspc4.openvpn.net with the IP address information shown above into the local hosts file, so resolution of those names can occur locally, or to allow DNS requests to go out normally to your DNS server.

If you see this reported in the logs, it means your DNS settings have a problem:

2018-08-28 16:33:39+0000 [twisted.names.dns.DNSDatagramProtocol (UDP)]
AWS INFO: error in product code validation, will retry in 30 seconds:
<twisted.names.dns. Message instance at 0x7fed9370e950>:
aws/info:202 (twisted.names.error.DNSServer Error)

If it is absolutely required by company policy that no external contact of any kind to the addresses mentioned above must be possible for your AWS instance, then the tiered instances are not suitable as they do need access to at least the meta data server and a licensing server. The fixed license key type may be suitable instead in this case if an offline activation is performed and no auto-scaling or instance type alterations are used that alter the virtual hardware and possibly break the locked license of the fixed license key model.

To further investigate the problems with the AWS tiered instances licensing system it can help to activate a special debug flag in as.conf and restarting the Access Server service. The /var/log/openvpnas.log file will then log information specific to the AWS licensing system, and any errors mentioned in there may aid in understanding and fixing what is wrong. Providing such information when you are contacting us for support would be of tremendous help to us in resolving the problem quickly. To enable debugging follow the steps below.

Open as.conf in nano text editor:

nano /usr/local/openvpn_as/etc/as.conf

Go to the bottom of the file and add this line:

DEBUG_AWSINFO=1

Now restart the Access Server service so that the changes can take effect:

service openvpnas restart

After reboot run this command to filter for the words "AWS INFO" in the log file:

cat /var/log/openvpnas.log | grep -i "AWS INFO"

If you see lines like these in /var/log/openvpnas.log, the meta data server was unreachable:

2017-10-04 19:32:30+0200 [Uninitialized] AWS INFO: error getting instance info 'doc': : An error occurred while connecting: 113: No route to host. (twisted.internet.error.ConnectError)
2017-10-04 19:32:30+0200 [Uninitialized] AWS INFO: error getting instance info 'sig': : An error occurred while connecting: 113: No route to host. (twisted.internet.error.ConnectError)
2017-10-04 19:32:30+0200 [Uninitialized] AWS INFO: error getting instance info 'pc': : An error occurred while connecting: 113: No route to host. (twisted.internet.error.ConnectError)
2017-10-04 19:32:30+0200 [Uninitialized] AWS not detected
2017-10-04 19:32:33+0200 [-] AWS INFO: error getting instance ID: 'NoneType' object has no attribute '__getitem__': aws/info:271 (exceptions.TypeError)
2017-10-04 19:32:33+0200 [-] AWS INFO: error getting instance ID: 'NoneType' object has no attribute '__getitem__': aws/info:271 (exceptions.TypeError)

You should be seeing a fair amount of debug information. You can attempt to make sense of this yourself or send it to us on the support ticket system so we can analyze it for you.