Troubleshooting guide for OpenVPN Access Server subscription licensing

Upgrade to Latest Version

Confirm that you are using subscription licensing

There are different ways to license OpenVPN Access Server, so it is important that you confirm that you are using the correct troubleshooting guide if you are having problems with the software licensing. This guide is specifically for subscription licensing.

This is our most recent licensing model to unlock more connections. It is a long activation key that works on OpenVPN Access Server 2.8.1 and above, and can be shared across multiple servers and be activated multiple times. It is a more flexible model that allows changing the subscription connection amount on-the-fly and can be a monthly or yearly subscription. It requires an Internet connection to function. Subscription activation keys can for example look like this:

ThisIsAnExampleKeyVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUga2V5IGFuZCBpcyB0b3RhbGx5IGZha2UuIElmIHlvdSdyZSByZWFkaW5nIHRoaXMsIHlvdSd2ZSBqdXN0IGZvdW5kIGFuIGVhc3RlciBlZ2cgb24gdGhlIG9wZW52cG4ubmV0IHdlYnNpdGUsIGNvbmdyYXR1bGF0aW9ucy4gSSdtIHNvcnJ5LCBidXQgdGhlcmUgaXMgbm8gcHJpemUgYXR0YWNoZWQuIEhhdmUgYSBuaWNlIGRheS4=

If your activation method looks to be different, consult the information on our software licensing troubleshooting page to determine which activation method you are actually using.

Activating a subscription

In Access Server you can go to Configuration > Activation. There you can enter the subscription activation key and press the Activate button. The OpenVPN Access Server will then attempt to contact our activation servers and activate this subscription. You will see whether this succeeded or not immediately on your screen. Please note that you need at least Access Server version 2.8.1 or higher in order to be able to activate a subscription license. If you have an older Access Server version, you must first upgrade your Access Server to a more recent version.

Some important facts regarding subscription licensing:

  • If you have an OpenVPN Access Server that is older than version 2.8.1 then activation of a subscription will fail. This function was only introduced as of version 2.8.1 so that version or higher is required.
  • If the option to enter an activation key is not present in your Access Server's activation page, it could be that you are already licensed through some other software licensing method. In that case we recommend that you contact support for the best course of action.
  • It is also important to note that an active subscription on your Access Server will overrule other licensing modes. Other modes are suppressed while a subscription is active. However that does not automatically mean that billing for other licensing modes is also suspended.
  • Only one subscription can be active on an Access Server. You can have multiple Access Servers on the same subscription, but you can't have multiple different subscriptions active on the same Access Server.

You can also activate a subscription on the command line, which makes it possible to for example automate deployment and activation of an Access Server. A subscription activation key can be activated multiple times.

Activating a subscription on the command line (as root):

cd /usr/local/openvpn_as/scripts/
./sacli -v "InsertTheSubscriptionActivationKeyHere" LoadSubscription

Verify that it works:

./sacli SubscriptionStatus

Removing a subscription from the Access Server

Please note that when we talk about removing a subscription from the Access Server, we mean simply that the OpenVPN Access Server you are on will stop using that subscription. It does not mean that the subscription stops working on other servers, or that the billing for it stops. That is a completely separate step that is handled in our Access Server licensing portal on our website. So removing a subscription from the Access Server simply means that your particular Access Server will no longer be licensed through the subscription licensing model. You can always license the Access Server again later.

On the web interface, you can simply go to Configuration > Activation, and click the Deactivate button, to remove the subscription from this Access Server.

You can also remove a subscription on the command line.

Removing a subscription on the command line (as root):

cd /usr/local/openvpn_as/scripts/
./sacli DeactivateSubscription

Change hostname that displays in subscription portal

You can view information about the Access Servers activated with a specific subscription when you sign in to your account on our site, click on the subscription name, then Access Server Information. If you want to change the hostname that displays there, refer to Subscription Model License Configuration Options for instructions.

Troubleshooting

If the activation fails for some reason, you may want to verify that access to our activation server at asb.sts.openvpn.net is possible. It uses port TCP 443 to contact that server. If contact is not possible because you are behind a proxy server, or because there is no Internet access, then you cannot use the subscription licensing method. The subscription licensing method specifically does not support working behind a proxy server. It must have a direct connection to asb.sts.openvpn.net on port TCP 443.

You can try to verify connectivity and check the SSL certificate presented:

echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 -servername asb.sts.openvpn.net | grep "OpenVPN Inc"

If you get an output similar to this, the connection should be okay:

depth=0 C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
verify error:num=21:unable to verify the first certificate
verify return:1
 0 s:C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
   i:C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = STS Master CA
subject=C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
issuer=C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = STS Master CA
DONE

If the output you see is quite different, with different values for ST, L, O, and CN, then you have some firewall or proxy server in the way and it is interfering with the traffic to our activation servers. If that is the case, you should arrange to have this address whitelisted or allowed through in your firewall systems, if you want subscription licensing to function. If you see connection timeout, connection failure, connection refused, you should investigate why the connection is not possible at all, as it again will most likely be a firewall on your end.

invalid key format
If you get this error message, the most commonly experienced issue is that you do not have an up-to-date OpenVPN Access Server. Only version 2.8.1 or higher can accept a subscription activation key. If you try to activate a subscription activate key on an older Access Server, it will not recognize this key format and show you that error message. The solution is to upgrade your Access Server to a more recent version. Another possible explanation is that you did not copy/paste the full activation key correctly. In that case simply try again.

Debug flag for troubleshooting

Our support team uses debug flags as a helpful troubleshooting step. You can use the debug flag, ‘DEBUG_SUBSCRIPTION=2’ to start logging subscription information to openvpnas.log. Note that adding this debug flag creates the possibility of increasing the logging data and therefore the file size. For instructions on how to use this debug flag, refer to the DEBUG_SUBSCRIPTION=2 section on the Logging and Debug Flag page.