Skip to main content

Tutorial: Downgrade Access Server


How to downgrade Access Server. Use this tutorial as a last result.


This tutorial provides the steps necessary to downgrade your Access Server version.


We recommend running Access Server's latest version as a security best practice. Downgrading to an older version should only be done when a pressing need arises.

Refer to the upgrading topic for running the latest version.Upgrading

If you choose to downgrade, you do so at your own risk, and our ability to support you may be limited.


It is ultimately your responsibility to maintain backups of your Access Server configuration. The configuration contains unique certificates you can’t reproduce if they’re lost. Suppose you’ve upgraded your Access Server and don’t have configuration backups before the upgrade. In that case, you might be unable to downgrade due to changes in the configuration database schemas.

When you perform an in-place upgrade, Access Server automatically makes backups of the SQLite3 database files containing the pre-upgrade configuration. It stores these backups in the /usr/local/openvpn_as/etc/backup/ directory with timestamps. However, Access Server doesn’t make a backup if you use a MySQL database. You must make that type of backup in the MySQL database system.

If you don’t use MySQL or clustering, and your Access Server is a standalone or failover setup using the default SQLite3 databases, the automatic backups made during upgrades should be sufficient to perform a downgrade. However, any changes you make after creating the backup will be lost when restoring the configuration backup.

We deliver the openvpn-as Access Server package via our software repository for supported Linux operating systems. The latest available version is selected when you install or upgrade from the repository. If an older Access Server release is available for your operating system, you can select it using the package manager.


Not all Access Server releases may be available for your operating system. Suppose you also upgraded your operating system when upgrading Access Server. In that case, you may be unable to downgrade to the desired version without downgrading your operating system.

  1. Connect to your console with root privileges.

  2. Run the command below for your Linux OS to list the Access Server package (openvpn-as) versions available in the software repository:

    • Ubuntu/Debian: List the openvpn-as versions from the software repository:

      apt updateapt list -a openvpn-as

      An overview displays similar to this:

      openvpn-as/jammy,now 2.13.1-d8cdeb9c-Ubuntu22 amd64 [installed]
      openvpn-as/jammy 2.13.0-c7623b5a-Ubuntu22 amd64
      openvpn-as/jammy 2.12.3-76774795-Ubuntu22 amd64
      openvpn-as/jammy 2.12.2-f897d9cb-Ubuntu22 amd64
      openvpn-as/jammy 2.12.1-bc070def-Ubuntu22 amd64
      openvpn-as/jammy 2.12.0-2e834031-Ubuntu22 amd64
      openvpn-as/jammy 2.11.3-af31575c-Ubuntu22 amd64
      openvpn-as/jammy 2.11.2-72c0e923-Ubuntu22 amd64
      openvpn-as/jammy 2.11.1-f4027f58-Ubuntu22 amd64
      openvpn-as/jammy 2.11.0-794ab41d-Ubuntu22 amd64
    • CentOS/RHEL/Amazon Linux 2: List the openvpn-as versions from the software repository:

      yum list --showduplicates openvpn-as

      An overview displays similar to this:

      Installed Packages
      openvpn-as.x86_64           2.13.1_d8cdeb9c-CentOS7         @as-repo-centos7
      Available Packages
      openvpn-as.x86_64           2.10.0_ca1e86b5-CentOS7          as-repo-centos7
      openvpn-as.x86_64           2.10.1_d5bffc76-CentOS7          as-repo-centos7
      openvpn-as.x86_64           2.10.2_3383e1e5-CentOS7          as-repo-centos7
      openvpn-as.x86_64           2.10.3_c47a813c-CentOS7          as-repo-centos7
      openvpn-as.x86_64           2.11.0_794ab41d-CentOS7          as-repo-centos7
      openvpn-as.x86_64           2.11.1_f4027f58-CentOS7          as-repo-centos7
      openvpn-as.x86_64           2.11.2_72c0e923-CentOS7          as-repo-centos7
      openvpn-as.x86_64           2.11.3_af31575c-CentOS7          as-repo-centos7
      openvpn-as.x86_64           2.12.0_2e834031-CentOS7          as-repo-centos7
      openvpn-as.x86_64           2.12.1_bc070def-CentOS7          as-repo-centos7
      openvpn-as.x86_64           2.12.2_f897d9cb-CentOS7          as-repo-centos7
      openvpn-as.x86_64           2.12.3_76774795-CentOS7          as-repo-centos7
      openvpn-as.x86_64           2.13.0_c7623b5a-CentOS7          as-repo-centos7
      openvpn-as.x86_64           2.13.1_d8cdeb9c-CentOS7          as-repo-centos7
      [root@centos-as ~]#
  3. Install a specific version (for example, 2.11.1):

    • Ubuntu/Debian:

      apt install openvpn-as=2.11.1-f4027f58-Ubuntu22 -y --allow-downgrades
    • CentOS/RHEL/Amazon Linux 2:

      yum downgrade openvpn-as-2.11.1_f4027f58-CentOS7 -y
  4. Verify the installed version with one of two commands:

    • Ubuntu/Debian:

      dpkg -l|grep openvpn-as


      /usr/local/openvpn_as/scripts/sacli Version
    • CentOS/RHEL/Amazon Linux 2:

      rpm -qa|grep openvpn-as


      /usr/local/openvpn_as/scripts/sacli Version


    Either command should return the same version and build number.

  5. Pin the package so it's not automatically upgraded:

    • Ubuntu/Debian:

      apt-mark hold openvpn-as
    • CentOS/RHEL/Amazon Linux 2:

      yum versionlock openvpn-as


      This requires you to have the yum-versionlock plugin installed.


If you don't have the correct software repository installed:

  1. Sign in to the Access Server portal.

  2. Click Get Access Server.

  3. Click on your Linux OS under Linux Software Package.

  4. Use the appropriate command to add the OpenVPN repository to your system.

As we add new Access Server features, we correspondingly update the configuration database schema. To work correctly, Access Server needs the configuration database to be the same or an older version. Access Server can upgrade a configuration database automatically but can’t downgrade it. Hence, there is a need to restore a backup if you downgrade the Access Server. If you try to use a configuration from a newer Access Server version, you will likely encounter problems.

Restore from a manual backup

Refer to this tutorial on how to restore Access Server's configuration from backup files:

Restore from an automatic backup

When you perform an in-place upgrade of Access Server, it automatically makes backups of the SQLite3 database files containing the pre-upgrade configuration, which it stores in the /usr/local/openvpn_as/etc/backup/ directory with timestamps.

Access Server also makes automatic backups when performing a downgrade. Ensure you restore the backup set Access Server automatically created when you upgraded it. Be careful not to use the backup set automatically created when you downgrade. Usually, this means you should restore the second newest backup when performing a downgrade operation.

  • Restore a backup set (for example, "2024-04-23T19:04:51"):

    service openvpnas stop
    cd /usr/local/openvpn_as/etc/backup/
    cd "2024-04-23T19:04:51+00:00"
    [ -e config.db ]&& /bin/cp config.db ../../db/config.db
    [ -e certs.db ]&&/bin/cp certs.db ../../db/certs.db
    [ -e userprop.db ]&&/bin/cp userprop.db ../../db/userprop.db
    [ -e log.db ]&&/bin/cp log.db ../../db/log.db
    [ -e config_local.db ]&&/bin/cp config_local.db ../../db/config_local.db
    [ -e cluster.db ]&&/bin/cp cluster.db ../../db/cluster.db
    [ -e notification.db ]&&/bin/cp notification.db ../../db/notification.db
    service openvpnas start

As your final step, verify that Access Server works, and your clients connect successfully.

  1. Review the logs to see that Access Server starts up correctly.

  2. Check that you can access the Admin and Client Web UIs.


Any changes made after the backup was created will be lost when restoring the configuration backup. So keep this in mind when testing.

If you face any issues, contact our support team with your steps, a problem description, and error messages from the Access Server log file.