Troubleshooting guide for OpenVPN Access Server subscription licensing

Confirm that you are using subscription licensing

There are different ways to license OpenVPN Access Server, so it is important that you confirm that you are using the correct troubleshooting guide if you are having problems with the software licensing. This guide is specifically for subscription licensing.

This is our most recent licensing model to unlock more connections. It is a long activation key that works on OpenVPN Access Server 2.8.1 and above, and can be shared across multiple servers and be activated multiple times. It is a more flexible model that allows changing the subscription connection amount on-the-fly and can be a monthly or yearly subscription. It requires an Internet connection to function. Subscription activation keys can for example look like this:

ThisIsAnExampleKeyVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUga2V5IGFuZCBpcyB0b3RhbGx5IGZha2UuIElmIHlvdSdyZSByZWFkaW5nIHRoaXMsIHlvdSd2ZSBqdXN0IGZvdW5kIGFuIGVhc3RlciBlZ2cgb24gdGhlIG9wZW52cG4ubmV0IHdlYnNpdGUsIGNvbmdyYXR1bGF0aW9ucy4gSSdtIHNvcnJ5LCBidXQgdGhlcmUgaXMgbm8gcHJpemUgYXR0YWNoZWQuIEhhdmUgYSBuaWNlIGRheS4=

If your activation method looks to be different, consult the information on our software licensing troubleshooting page to determine which activation method you are actually using.

Activating a subscription

In Access Server you can go to Configuration > Activation. There you can enter the subscription activation key and press the Activate button. The OpenVPN Access Server will then attempt to contact our activation servers and activate this subscription. You will see whether this succeeded or not immediately on your screen. Please note that you need at least Access Server version 2.8.1 or higher in order to be able to activate a subscription license. If you have an older Access Server version, you must first upgrade your Access Server to a more recent version.

Some important facts regarding subscription licensing:

  • If you have an OpenVPN Access Server that is older than version 2.8.1 then activation of a subscription will fail. This function was only introduced as of version 2.8.1 so that version or higher is required.
  • If the option to enter an activation key is not present in your Access Server’s activation page, it could be that you are already licensed through some other software licensing method. In that case we recommend that you contact support for the best course of action.
  • It is also important to note that an active subscription on your Access Server will overrule other licensing modes. Other modes are suppressed while a subscription is active. However that does not automatically mean that billing for other licensing modes is also suspended.
  • Only one subscription can be active on an Access Server. You can have multiple Access Servers on the same subscription, but you can’t have multiple different subscriptions active on the same Access Server.

You can also activate a subscription on the command line, which makes it possible to for example automate deployment and activation of an Access Server. A subscription activation key can be activated multiple times.

Activating a subscription on the command line (as root):

cd /usr/local/openvpn_as/scripts/
./sacli -v "InsertTheSubscriptionActivationKeyHere" LoadSubscription

Verify that it works:

./sacli SubscriptionStatus

Removing a subscription from the Access Server

Please note that when we talk about removing a subscription from the Access Server, we mean simply that the OpenVPN Access Server you are on will stop using that subscription. It does not mean that the subscription stops working on other servers, or that the billing for it stops. That is a completely separate step that is handled in our Access Server licensing portal on our website. So removing a subscription from the Access Server simply means that your particular Access Server will no longer be licensed through the subscription licensing model. You can always license the Access Server again later.

On the web interface, you can simply go to Configuration > Activation, and click the Deactivate button, to remove the subscription from this Access Server.

You can also remove a subscription on the command line.

Removing a subscription on the command line (as root):

cd /usr/local/openvpn_as/scripts/
./sacli DeactivateSubscription

Troubleshooting

If the activation fails for some reason, you may want to verify that access to our activation server at asb.sts.openvpn.net is possible. It uses port TCP 443 to contact that server. If contact is not possible because you are behind a proxy server, or because there is no Internet access, then you cannot use the subscription licensing method. The subscription licensing method specifically does not support working behind a proxy server. It must have a direct connection to asb.sts.openvpn.net on port TCP 443.

You can try to verify connectivity and check the SSL certificate presented:

echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 | grep "OpenVPN Inc"

If you get an output similar to this, the connection should be okay:

depth=0 C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
verify error:num=21:unable to verify the first certificate
verify return:1
 0 s:C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
   i:C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = STS Master CA
subject=C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
issuer=C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = STS Master CA
DONE

If the output you see is quite different, with different values for ST, L, O, and CN, then you might have the problem that there is some firewall or proxy server in the way and is interfering with the traffic to our activation servers. If that is the case, you should arrange to have this address whitelisted, if you want subscription licensing to function. If you see connection timeout or connection failure or such, you should investigate why the connection is not possible at all.

invalid key format
If you get this error message, the most commonly experienced issue is that you do not have an up-to-date OpenVPN Access Server. Only version 2.8.1 or higher can accept a subscription activation key. If you try to activate a subscription activate key on an older Access Server, it will not recognize this key format and show you that error message. The solution is to upgrade your Access Server to a more recent version. Another possible explanation is that you did not copy/paste the full activation key correctly. In that case simply try again.

Share