Tutorial: Downgrade Access Server
How to downgrade Access Server. Use this tutorial as a last result.
Overview
This tutorial provides the steps necessary to downgrade your Access Server version.
Caution
We recommend running Access Server's latest version as a security best practice. Downgrading to an older version should only be done when a pressing need arises.
Refer to the upgrading topic for running the latest version.
If you choose to downgrade, you do so at your own risk, and our ability to support you may be limited.
Console access and the ability to get root access.
An Access Server portal account.
An installed Access Server.
Refer to this tutorial to make a backup of Access Server configurations:
Important
It is ultimately your responsibility to maintain backups of your Access Server configuration. The configuration contains unique certificates you can’t reproduce if they’re lost. Suppose you’ve upgraded your Access Server and don’t have configuration backups before the upgrade. In that case, you might be unable to downgrade due to changes in the configuration database schemas.
When you perform an in-place upgrade, Access Server automatically makes backups of the SQLite3 database files containing the pre-upgrade configuration. It stores these backups in the /usr/local/openvpn_as/etc/backup/ directory with timestamps. However, Access Server doesn’t make a backup if you use a MySQL database. You must make that type of backup in the MySQL database system.
If you don’t use MySQL or clustering, and your Access Server is a standalone or failover setup using the default SQLite3 databases, the automatic backups made during upgrades should be sufficient to perform a downgrade. However, any changes you make after creating the backup will be lost when restoring the configuration backup.
We deliver the openvpn-as Access Server package via our software repository for supported Linux operating systems. The latest available version is selected when you install or upgrade from the repository. If an older Access Server release is available for your operating system, you can select it using the package manager.
Note
Not all Access Server releases may be available for your operating system. Suppose you also upgraded your operating system when upgrading Access Server. In that case, you may be unable to downgrade to the desired version without downgrading your operating system.
Connect to your console and get root privileges.
Run the command below for your Linux OS to list the Access Server package (openvpn-as) versions available in the software repository:
Ubuntu/Debian: List the openvpn-as versions from the software repository:
apt update && apt list -a openvpn-as
An overview displays similar to this:
openvpn-as/jammy,now 2.13.1-d8cdeb9c-Ubuntu22 amd64 [installed] openvpn-as/jammy 2.13.0-c7623b5a-Ubuntu22 amd64 openvpn-as/jammy 2.12.3-76774795-Ubuntu22 amd64 openvpn-as/jammy 2.12.2-f897d9cb-Ubuntu22 amd64 openvpn-as/jammy 2.12.1-bc070def-Ubuntu22 amd64 openvpn-as/jammy 2.12.0-2e834031-Ubuntu22 amd64 openvpn-as/jammy 2.11.3-af31575c-Ubuntu22 amd64 openvpn-as/jammy 2.11.2-72c0e923-Ubuntu22 amd64 openvpn-as/jammy 2.11.1-f4027f58-Ubuntu22 amd64 openvpn-as/jammy 2.11.0-794ab41d-Ubuntu22 amd64
CentOS/RHEL/Amazon Linux 2: List the openvpn-as versions from the software repository:
yum list --showduplicates openvpn-as
An overview displays similar to this:
Installed Packages openvpn-as.x86_64 2.13.1_d8cdeb9c-CentOS7 @as-repo-centos7 Available Packages openvpn-as.x86_64 2.10.0_ca1e86b5-CentOS7 as-repo-centos7 openvpn-as.x86_64 2.10.1_d5bffc76-CentOS7 as-repo-centos7 openvpn-as.x86_64 2.10.2_3383e1e5-CentOS7 as-repo-centos7 openvpn-as.x86_64 2.10.3_c47a813c-CentOS7 as-repo-centos7 openvpn-as.x86_64 2.11.0_794ab41d-CentOS7 as-repo-centos7 openvpn-as.x86_64 2.11.1_f4027f58-CentOS7 as-repo-centos7 openvpn-as.x86_64 2.11.2_72c0e923-CentOS7 as-repo-centos7 openvpn-as.x86_64 2.11.3_af31575c-CentOS7 as-repo-centos7 openvpn-as.x86_64 2.12.0_2e834031-CentOS7 as-repo-centos7 openvpn-as.x86_64 2.12.1_bc070def-CentOS7 as-repo-centos7 openvpn-as.x86_64 2.12.2_f897d9cb-CentOS7 as-repo-centos7 openvpn-as.x86_64 2.12.3_76774795-CentOS7 as-repo-centos7 openvpn-as.x86_64 2.13.0_c7623b5a-CentOS7 as-repo-centos7 openvpn-as.x86_64 2.13.1_d8cdeb9c-CentOS7 as-repo-centos7 [root@centos-as ~]#
Install a specific version (for example, 2.11.1):
Ubuntu/Debian:
apt install openvpn-as=2.11.1-f4027f58-Ubuntu22 -y --allow-downgrades
CentOS/RHEL/Amazon Linux 2:
yum downgrade openvpn-as-2.11.1_f4027f58-CentOS7 -y
Verify the installed version with one of two commands:
Ubuntu/Debian:
dpkg -l|grep openvpn-as
or
/usr/local/openvpn_as/scripts/sacli Version
CentOS/RHEL/Amazon Linux 2:
rpm -qa|grep openvpn-as
or
/usr/local/openvpn_as/scripts/sacli Version
Note
Either command should return the same version and build number.
Pin the package so it's not automatically upgraded:
Ubuntu/Debian:
apt-mark hold openvpn-as
CentOS/RHEL/Amazon Linux 2:
yum versionlock openvpn-as
Note
This requires you to have the yum-versionlock plugin installed.
Tip
If you don't have the correct software repository installed:
Sign in to the Access Server portal.
Click Get Access Server.
Click on your Linux OS under Linux Software Package.
Use the appropriate command to add the OpenVPN repository to your system.
As we add new Access Server features, we correspondingly update the configuration database schema. To work correctly, Access Server needs the configuration database to be the same or an older version. Access Server can upgrade a configuration database automatically but can’t downgrade it. Hence, there is a need to restore a backup if you downgrade the Access Server. If you try to use a configuration from a newer Access Server version, you will likely encounter problems.
Restore from a manual backup
Refer to this tutorial on how to restore Access Server's configuration from backup files:
Restore from an automatic backup
When you perform an in-place upgrade of Access Server, it automatically makes backups of the SQLite3 database files containing the pre-upgrade configuration, which it stores in the /usr/local/openvpn_as/etc/backup/ directory with timestamps.
Access Server also makes automatic backups when performing a downgrade. Ensure you restore the backup set Access Server automatically created when you upgraded it. Be careful not to use the backup set automatically created when you downgrade. Usually, this means you should restore the second newest backup when performing a downgrade operation.
Restore a backup set (for example, "2024-04-23T19:04:51"):
service openvpnas stop cd /usr/local/openvpn_as/etc/backup/ cd "2024-04-23T19:04:51+00:00" [ -e config.db ]&& /bin/cp config.db ../../db/config.db [ -e certs.db ]&&/bin/cp certs.db ../../db/certs.db [ -e userprop.db ]&&/bin/cp userprop.db ../../db/userprop.db [ -e log.db ]&&/bin/cp log.db ../../db/log.db [ -e config_local.db ]&&/bin/cp config_local.db ../../db/config_local.db [ -e cluster.db ]&&/bin/cp cluster.db ../../db/cluster.db [ -e notification.db ]&&/bin/cp notification.db ../../db/notification.db service openvpnas start
As your final step, verify that Access Server works, and your clients connect successfully.
Review the logs to see that Access Server starts up correctly.
Check that you can access the Admin and Client Web UIs.
Important
Any changes made after the backup was created will be lost when restoring the configuration backup. So keep this in mind when testing.
If you face any issues, contact our support team with your steps, a problem description, and error messages from the Access Server log file.