Access Server 3.1 Release Notes and Version Updates
Access Server 3.1.0 Highlights
Access Server 3.1.0 builds on the major foundation introduced in 3.0.0 with key enhancements for routing, performance, and security:
🌐 Domain Routing: You can now define access rules for specific domain names, in addition to IP addresses and subnets.
🐧 nftables Default: New installations now use nftables by default instead of iptables (upgrades still retain iptables for now).
🛡 Improved Session Management: New options for automatic logout, idle session warnings, and forced reauthentication after password or MFA changes.
📡 HTTP/2 Support: Access Server web services now support HTTP/2 for faster, more efficient connections.
🔐 Experimental ACME Support: Early-stage support for ACME clients like Let’s Encrypt to simplify certificate management.
⚙️ REST API & CLI Enhancements: New DNS-related API endpoint, better token renewal handling, and improved CLI tools like
sacli.📉 Dropped Support for Debian 11: This release no longer supports Debian 11, which has reached its end-of-life.
Access Server 3.1.0
Release date:
Feb 2, 2026
Important notes:
This is a major release that adds domain routing. You can now specify access to domains instead of only by IP addresses. Specified domains are resolved to internal VPN IP addresses, routed through the VPN tunnel, and then translated back to the real IP by the Access Server.
For new Access Server installations, nftables is now the default instead of iptables. Upgrades will stay on iptables for now, but may be upgraded to nftables in a future release.
Dropped support for the Debian 11 operating system. This operating system reached the end of life for standard support in August 2024.
New features:
Added vpn.session_token.renewal config key that allows for configuring VPN session token renewal interval separately from TLS key renegotiation.
Added web session token invalidation method that triggers on certain actions like password or MFA secret changes.
Added HTTP/2 support to Access Server's web services, which is enabled and used automatically.
Added DEBUG_CLUSTER and DEBUG_DB_CONVERT debug flags to be used in as.conf for debugging database issues.
Added idle session notification with the option to renew the session on the Admin Web UI.
Added automatic user logout functionality on web services when you change the user’s password to force reauthentication.
Added API endpoint /api/server/dns to retrieve automatically detected DNS servers from the OS.
Added experimental ACME client support for certificate providers such as Let’s Encrypt via configuration settings.
Bug fixes and improvements:
Fixed OpenVPN logo still showing on Admin Web UI login page when using custom logo branding.
Fixed exception messages in logs when using incorrect credentials on a RADIUS user.
Fixed warning messages in logs that occurred during conversion to a MySQL-type database.
Fixed error messages in logs that occurred when making API calls with invalid session tokens.
Fixed traceback in logs when a too-long username or password was entered.
Fixed traceback in logs when calling /api/profiles API endpoints without specifying a session token.
Fixed warning messages regarding duplicate table names in logs when configured to use nftables.
Fixed web service restart failure when calling a cold restart via API method.
Fixed the sacli ip command to report the correct IPv4 address, and added IPv6 reporting.
Fixed group_subnets user property not being deleted via API call when IPv6 group subnet is set.
Fixed an issue in the API where only the first rule was deleted from an ACL entry with multiple rules.
Fixed missing username parameter in API documentation for MFA enrollment API endpoint.
Fixed web service crash when calling IdP metadata endpoint with incorrect URL (authenticated admins only).
Fixed the sacli getbranding command.
Fixed ovpn-init Azure metadata handling to detect public IP addresses.
Fixed conversion to cluster not working when a custom server configuration profile name is in use.
Fixed startup failure when configured to use a specific network interface with nftables enabled.
Fixed Admin Web UI not working when a server configuration profile with a space in its name is used.
Fixed a missing log entry for failed user authentication attempts when the user was blocked.
Fixed sporadic processing failed error on the access control list API endpoint.
Fixed x509_attr_list config keys not adding configuration to the OpenVPN server daemon configuration.
Fixed startup failure when using ICMP access control rules in combination with nftables.
Fixed the print_aws_info error in the AWS-related information in sacli support output.
Fixed a race condition that prevented multidaemon UDP OpenVPN from being reachable when using a slow MySQL-type database.
Fixed logdba output being hardcoded to UTC; it's now able to show local time results again.
Fixed a subscription license information display issue on the Admin Web UI when in overdraft.
Fixed issue on Admin Web UI with not being able to select the last item in a list for bulk actions.
Fixed display issue on Admin Web UI when using very long user or group names.
Fixed ‘too long comment’ error message switching unexpectedly to server-locked profile in profile creation dialog.
Fixed the dialog not closing on the Admin Web UI after creating a new VPN CA.
Fixed being unable to save the RADIUS server password a second time without refreshing the page.
Fixed inter-client connectivity configuration keys not being removed if they are set back to default values on Admin Web UI.
Fixed VPN server data cipher configuration error message on Admin Web UI when not using the default values.
Fixed the group networking section for group subnet configuration, which was incorrectly visible in cluster mode.
Fixed issue with handling round-robin DNS name configuration when setting it to an empty value.
Improved web server certificate page in Admin Web UI to account for CN and subject alternative names.
Improved performance of the user search function.
Improved sacli vpnsummary and sacli vpnstatus performance.
Improved DNS server setting in Admin UI, it now shows which DNS servers it detected in the OS.
Improved web session token renewal to reduce unwanted web session token timeout occurrences.
Improved user and group endpoints with various small bugfixes and property validations.
Improved sacli support report output to include information about nftables configuration.
Improved error message clarity when attempting to create a VPN CA with an already existing common name.
Improved ovpn-init Azure metadata handling to read admin_pw and license values.
Improved logging for nftables in case rules fail to apply.
Improved consistency between profiles, create, and list API endpoints with the username parameter.
Improved authentication messages on web services when using PAM authentication.
Improved OpenVPN configuration in Admin Web UI, allowing multiple daemons on only TCP or only UDP.
Improved handling and messaging of receiving unexpected file formats on the IdP metadata file upload.
Improved sizing of client scripting text input fields on the Admin Web UI.
Improved the config editor in Admin Web UI to redact certain sensitive information.
Improved validation and log messages related to usernames and passwords that are too long (127 characters maximum).
Improved performance for cluster database endpoint information retrieval by adding caching.
Improved cluster error handling by adding loop detection to cluster communication due to misconfiguration.
Removed now unused config key cs.auto_generate from as.conf on new installations.
Removed TLS 1.0 and TLS 1.1 from the web services protocol dropdown on Admin Web UI.
EULA updated to account for updated dependency versions.