Linux : How to reset OpenVPN user lockout without disconnecting users (or without restarting the openvpnas service)

By | June 14, 2020

By default, OpenVPN enforces a 15-minute lockout policy for unsuccessful login attempts.

As an avid system administrator used to end-user struggles, you have most likely run into situations where a user tried to log in 20 times and then blamed you because it isn't working (all because they were entering the wrong password while being convinced they were doing the right thing!).

That being said, besides restarting the OpenVPN service, which would kick out all users and make you infamous, here is the way to go if you want to reset the lockout timeout without impacting users. It basically consists of lowering the lockout policy reset time to 1 second, applying the change, and then changing it back to the way it was before.

/usr/local/openvpn_as/scripts/sacli --key "vpn.server.lockout_policy.reset_time" --value "1" ConfigPut
/usr/local/openvpn_as/scripts/sacli start
sleep 2
/usr/local/openvpn_as/scripts/sacli --key "vpn.server.lockout_policy.reset_time" ConfigDel
/usr/local/openvpn_as/scripts/sacli start
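
The commands above end with ConfigDel, which returns the key to the default rather than to a custom value you may have set, and a failure part-way through would leave the lockout window at 1 second. The wrapper below is an added example, not part of the original post: it saves the current value first and always attempts the restore. The function names, the `SACLI` and `WAIT` variables and the `--run` argument are hypothetical, and it assumes `sacli ConfigQuery` prints JSON with one `"key": "value"` pair per line.

```shell
#!/bin/sh
# Added example, not from the original post.
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"  # path used in the article
KEY="vpn.server.lockout_policy.reset_time"

# Print the explicitly configured reset_time, or nothing if the key is unset.
# Assumption: ConfigQuery prints JSON with one "key": "value" pair per line.
current_reset_time() {
    out=$("$SACLI" ConfigQuery) || return 1
    printf '%s\n' "$out" | sed -n "s/^ *\"$KEY\": *\"\([0-9]*\)\".*/\1/p"
}

# Put back the saved value, or delete the key if it was never set.
restore_reset_time() {
    if [ -n "$1" ]; then
        "$SACLI" --key "$KEY" --value "$1" ConfigPut || return 1
    else
        "$SACLI" --key "$KEY" ConfigDel || return 1
    fi
    "$SACLI" start
}

reset_lockout() {
    saved=$(current_reset_time) || return 1
    rc=0
    "$SACLI" --key "$KEY" --value "1" ConfigPut || return 1
    # From here the lockout window is 1 second: always attempt the restore.
    "$SACLI" start || rc=$?
    sleep "${WAIT:-2}"
    restore_reset_time "$saved" || rc=$?
    return "$rc"
}

# Run only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    reset_lockout
fi
```

A non-zero exit status means one of the sacli calls failed, so check that the key holds the value you expect before relying on the lockout policy again.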