Skip to main content

Config Database

Access Server stores configurations in SQLite database files. You can also migrate to a MySQL-type database, but the SQLite database files are the default setup.


When you modify your Access Server setup in the Admin Web UI or with a command-line tool, you update the configuration and these database files.

Default configuration file locations

The default locations of the configuration files are as follows, depending on your version of Access Server.

In Access Server versions before release 2.6.1:

  • Global server configuration: /usr/local/openvpn_as/etc/db/config.db

  • Server and client certificates: /usr/local/openvpn_as/etc/db/certs.db

  • User and group properties: /usr/local/openvpn_as/etc/db/userprop.db

  • Log database: /usr/local/openvpn_as/etc/db/log.db

  • Debug and low level settings: /usr/local/openvpn_as/etc/as.conf

These were added since Access Server 2.6.1:

  • Local server node configuration: /usr/local/openvpn_as/etc/db/config_local.db

  • Cluster configuration: /usr/local/openvpn_as/etc/db/cluster.db

  • Cluster configuration: /usr/local/openvpn_as/etc/db/clusterdb.db

  • Cluster notification system: /usr/local/openvpn_as/etc/db/notification.db

How to view the current server configuration

You can list your current server's configuration, user and group properties, and specific properties for users and groups with the command-line tool sacli.

Configuration for authentication modes

The user configuration is stored differently depending on your authentication mode. This tutorial helps you determine where to find user and group properties.

Back Up Access Server's Configuration

It's a security best practice to create regular backups of your configuration. We also recommend it before upgrading or migrating to a new server. Follow this tutorial to create backups of your SQLite 3 database files.


If you use a separate database server, ensure you create a server backup. The above tutorial applies to Access Servers using the default SQLite3 database files.


If you need help creating a backup VPN, refer to the high-availability topic.

Recover Access Server with backup files

Should you need to recover an Access Server from a backup point or migrate to a new server, refer to this tutorial for the commands to restore from backup files:

Recover damaged database configuration files

Suppose your Access Server uses the default SQLite3 database files on a single node, and they've become managed. Refer to our troubleshooting page:

Use ConfigReplace for manual configuration edits

Access Server 2.10.1 and newer supports a command, ConfigReplace, which allows you to upload configuration changes in one file, and Access Server imports those changes to the correct configuration files.

Change the database backend

Access Server can store configuration in MySQL-type database systems such as Amazon RDS, MySQL, and MariaDB.

You can follow one of the below tutorials to switch to a database server using the Admin Web UI or the command line:

Access Server database compatibility

We've tested and confirmed that the latest Access Server version works on these operating systems with the following relational database management system (RDBMS) versions:


MySQL 5.7.36

MySQL 8.0.27

MariaDB 10.11.5

MariaDB 11.0.3

CentOS 7

Amazon Linux 2

Ubuntu 20.04 (x86_64)

Ubuntu 20.04 (ARM64)

Ubuntu 22.04 (x86_64)

Ubuntu 22.04 (ARM64)

Debian 10

Debian 11

Debian 12

Red Hat 7

Red Hat 8

* only with an updated connector

Red Hat 9


For MariaDB, we recommend using MariaDB 10.5.8 or newer. A known issue exists in MariaDB 10.4.3 due to a bug in the MariaDB code that causes connectivity issues. If you plan to use a version of the MariaDB server that is newer than available in repositories on the host where Access Server is installed, you may need to update the MariaDB connector. For more details, refer to the official MariaDB connector documentation.

Set up an SSL connection to MySQL

With Access Server 2.9.0 and newer, you can make an encrypted connection to MySQL or AWS RDS servers.

Wipe Access Server's configuration


This command permanently deletes all of your Access Server settings.

Wipe all configuration settings, certificates, and user/group properties:

ovpn-init --force

Active fixed license keys remain in place on the server. Since these are single-activation, unlike subscription licenses, it may be important for you to know that the wiping configuration doesn’t wipe activated keys.

Access Server comes with an installation wizard to set up the initial configuration. After running the above command, you start with a clean slate for Access Server. The installation wizard runs again upon connecting to your server’s terminal. We recommend accepting the default settings and then adjusting those later using the Admin Web UI, unless you're setting up a failover server — then make sure to choose that this server will be a failover system. When asked for an activation key, press enter to add it later in the Admin Web UI.