Skip to main content

Tutorial: Downgrade Access Server

Abstract

How to downgrade Access Server. Use this tutorial as a last resort.

Overview

This tutorial provides the steps necessary to downgrade your Access Server version.

Caution

We recommend running Access Server's latest version as a security best practice. Downgrading to an older version should only be done when a pressing need arises.

Refer to the upgrading topic for running the latest version.

If you choose to downgrade, you do so at your own risk, and our ability to support you may be limited.

Prerequisites

  • Console access and the ability to get root access.

  • An Access Server portal account.

  • An installed Access Server.

Important

This tutorial shows you a practical example of properly downgrading Access Server.

In this example, an Access Server is running 2.14.3. We upgrade it to 3.0.2, then need to downgrade to 2.14.3.

Step 1: Create a backup of your current configuration

Important

Ensure you have a backup before making any changes. For our example, we have a configuration backup from Access Server 2.14.3.

Important

It is ultimately your responsibility to maintain backups of your Access Server configuration. The configuration contains unique certificates that can't be recreated if lost. If you upgraded your Access Server and don't have configuration backups from before the upgrade, you might be unable to downgrade because the configuration database schemas have changed.

When you perform an in-place upgrade, Access Server automatically backs up the SQLite3 database files that contain the pre-upgrade configuration. It stores these backups in the /usr/local/openvpn_as/etc/backup/ directory with timestamps. However, Access Server doesn’t make a backup if you use a MySQL database. You must make that type of backup in the MySQL database system.

If you don’t use MySQL or clustering, and your Access Server is a standalone or failover setup using the default SQLite3 databases, the automatic backups made during upgrades should be sufficient to perform a downgrade. However, any changes you make after creating the backup will be lost when restoring the configuration backup.

Step 2: Downgrade the Access Server package

We deliver the openvpn-as Access Server package via our software repository for supported Linux operating systems. The latest available version is selected when you install or upgrade from the repository. If an older Access Server release is available for your operating system, you can select it using the package manager.

Note

Not all Access Server releases may be available for your operating system. Suppose you also upgraded your operating system when upgrading Access Server. In that case, you may be unable to downgrade to the desired version without downgrading your operating system.

  1. Connect to your console and get root privileges.

  2. Run the command below for your Linux OS to list the Access Server package (openvpn-as) versions available in the software repository:

    • Ubuntu/Debian: List the openvpn-as versions from the software repository:

      apt update && apt list -a openvpn-as

      An overview similar to the following displays:

      openvpn-as/noble,now 3.0.2-87c70987-Ubuntu24 amd64 [installed]
openvpn-as/noble 3.0.1-84b60e70-Ubuntu24 amd64
openvpn-as/noble 3.0.0-2b84043e-Ubuntu24 amd64
openvpn-as/noble 2.14.3-5936bcd7-Ubuntu24 amd64
openvpn-as/noble 2.14.2-40b190d8-Ubuntu24 amd64
openvpn-as/noble 2.14.1-ff013d4d-Ubuntu24 amd64
openvpn-as/noble 2.14.0-b90cb316-Ubuntu24 amd64

      To downgrade to version 2.14.3, use the following package: 2.14.3-5936bcd7-Ubuntu24. Save this for the next steps.

    • RHEL: List the openvpn-as versions from the software repository:

      yum list --showduplicates openvpn-as

      An overview similar to the following displays:

      Installed Packages
openvpn-as.x86_64                        3.0.2_87c70987-1.el9                        @openvpn-as-rhel9
Available Packages
openvpn-as.x86_64                        2.11.1_f4027f58-1.el9                        openvpn-as-rhel9
openvpn-as.x86_64                        2.11.2_72c0e923-1.el9                        openvpn-as-rhel9
openvpn-as.x86_64                        2.11.3_af31575c-1.el9                        openvpn-as-rhel9
openvpn-as.x86_64                        2.12.0_2e834031-1.el9                        openvpn-as-rhel9
openvpn-as.x86_64                        2.12.1_bc070def-1.el9                        openvpn-as-rhel9
openvpn-as.x86_64                        2.12.2_f897d9cb-1.el9                        openvpn-as-rhel9
openvpn-as.x86_64                        2.12.3_76774795-1.el9                        openvpn-as-rhel9
openvpn-as.x86_64                        2.13.0_c7623b5a-1.el9                        openvpn-as-rhel9
openvpn-as.x86_64                        2.13.1_d8cdeb9c-1.el9                        openvpn-as-rhel9
openvpn-as.x86_64                        2.14.0_b90cb316-1.el9                        openvpn-as-rhel9
openvpn-as.x86_64                        2.14.1_ff013d4d-1.el9                        openvpn-as-rhel9
openvpn-as.x86_64                        2.14.2_40b190d8-1.el9                        openvpn-as-rhel9
openvpn-as.x86_64                        2.14.3_5936bcd7-1.el9                        openvpn-as-rhel9
openvpn-as.x86_64                        3.0.0_2b84043e-1.el9                         openvpn-as-rhel9
openvpn-as.x86_64                        3.0.1_84b60e70-1.el9                         openvpn-as-rhel9
[root@rhel-as ~]#

      To downgrade to 2.14.3, use the following package: 2.14.3_5936bcd7-1.el9. Save this for the next steps.

  3. Install a specific version (for example, 2.14.3):

    • Ubuntu/Debian:

      bash <(curl -fsS https://packages.openvpn.net/as/install.sh) --as-version=2.14.3 --yes
apt autoremove -y

    • RHEL:

      bash <(curl -fsS https://packages.openvpn.net/as/install.sh) --as-version=2.14.3 --yes
yum autoremove -y

    If the installation script fails for you, use these optional steps:

    • Ubuntu/Debian:

      apt install openvpn-as=2.14.3-5936bcd7-Ubuntu24 -y --allow-downgrades --autoremove

    • RHEL:

      yum downgrade openvpn-as-2.14.3_5936bcd7-1.el9 -y

  4. Verify the installed version with one of the commands below:

    • Ubuntu/Debian:

      dpkg -l|grep openvpn-as

      or

      /usr/local/openvpn_as/scripts/sacli Version

      or

      cat /usr/local/openvpn_as/etc/VERSION

    • RHEL:

      rpm -qa|grep openvpn-as

      or

      /usr/local/openvpn_as/scripts/sacli Version

      or

      cat /usr/local/openvpn_as/etc/VERSION

    Note

    These commands should return the same version and build number.

  5. Pin the package so it's not automatically upgraded:

    • Ubuntu/Debian:

      apt-mark hold openvpn-as

    • RHEL:

      yum versionlock openvpn-as

      Note

      This requires you to have the yum-versionlock plugin installed.

Tip

If you don't have the correct software repository installed:

Step 3: Restore the configuration backup

As we add new Access Server features, we update the configuration database schema accordingly. To work correctly, Access Server requires that the configuration database be the same version or an older version. Access Server can upgrade a configuration database automatically, but can’t downgrade it. Therefore, you need to restore a backup if you downgrade the Access Server. If you try to use a configuration from a newer Access Server version, you will likely encounter problems.

Restore from a manual backup

Refer to this tutorial on how to restore Access Server's configuration from backup files:

Restore from an automatic backup

When you perform an in-place upgrade of Access Server, it automatically makes backups of the SQLite3 database files containing the pre-upgrade configuration, which it stores in the /usr/local/openvpn_as/etc/backup/ directory with timestamps.

Access Server also automatically backs up during a downgrade. Ensure you restore the backup set Access Server automatically created when you upgraded it. Be careful not to use the backup set created during the downgrade. Usually, this means you should restore the second-most recent backup when downgrading.

  • Restore a backup set (for example, "2026-01-31T16:35:43+00:00"):

    systemctl stop openvpnas
which apt > /dev/null 2>&1 && apt -y install sqlite3
which yum > /dev/null 2>&1 && yum -y install sqlite
cd /usr/local/openvpn_as/etc/backup/
cd "2026-01-31T16:35:43+00:00"
[ -e config.db ]&& /bin/cp config.db ../../db/config.db
[ -e certs.db ]&&/bin/cp certs.db ../../db/certs.db
[ -e userprop.db ]&&/bin/cp userprop.db ../../db/userprop.db
[ -e log.db ]&&/bin/cp log.db ../../db/log.db
[ -e config_local.db ]&&/bin/cp config_local.db ../../db/config_local.db
[ -e cluster.db ]&&/bin/cp cluster.db ../../db/cluster.db
[ -e notification.db ]&&/bin/cp notification.db ../../db/notification.db
chmod 0600 /usr/local/openvpn_as/etc/db/*.db
chmod 0600 /usr/local/openvpn_as/etc/as.conf
systemctl start openvpnas

Step 4: Verify normal operation

As your final step, verify that Access Server is working and that your clients are connecting successfully.

  1. Review the logs to see that Access Server starts up correctly.

  2. Check that you can access the Admin and Client Web UIs.

Important

Any changes made after the backup was created will be lost when restoring the configuration backup. So keep this in mind when testing.

If you face any issues, contact our support team with your steps, a problem description, and error messages from the Access Server log file.

In this section: