Tutorial: Migrate from Regular Access Server to Access Server on Docker

Abstract

This tutorial guides you through migrating to an Access Server installation running on Docker and copying over the configuration.

Overview

If you have Access Server hosted on a Linux instance or cloud image and want to move to a Docker container, follow this migration guide.

To migrate, you'll follow these steps:

  1. Back up your current system in your regular Access Server.

  2. Launch a Docker host and install the Access Server container image there.

  3. Move your backup to your new Access Server on Docker.

When done correctly, your OpenVPN clients won’t require reinstalling to connect, as the migration keeps the necessary certificate and user data intact.

Review these tips before you begin:

  • Set up a hostname. When you migrate to a new server, the easiest way to keep the user experience the same is to keep their access the same, which you do by setting up a hostname. If you set up a hostname for your VPN server before adding clients, your VPN connections won’t see a difference. If, however, your migration results in a new IP address, you’ll need to update client connections.

  • Note that you should skip the database backup steps if you’re using a separate database to support a cluster of Access Servers. Instead, you can set up a new instance with a subscription, add it to your cluster, then remove the old node.

You'll need the following:

  • A regular Access Server.

  • Docker.

  • SSH access to the instance.

Back up your current, regular Access Server configuration databases. Access Server uses SQLite configuration database files to store its information by default. These include:

  • Passwords (for local authentication).

  • MFA codes for TOTP authentication.

  • VPN client and server certificates.

  • Web interface certificates.

  • Log reports.

Use these commands to back up your SQLite configuration database files. Your Access Server has a unique private and public key used internally in the certificate management system to generate unique client certificates. These certificates are incompatible with those of another installation, so you need to migrate them.

  1. Sign in to the Access Server and get root privileges.

  2. Run these commands to create Access Server configuration backups:

    • After running these commands, the backup files ending in .bak can be found in the /usr/local/openvpn_as/ directory. The files contain everything unique about your Access Server installation.

Tip

We recommend creating backups automatically as good security etiquette.

Set up a new server to copy over your database backups. For details on these steps, refer to Access Server on Docker Quick Start Guide.

Important

Ensure you have an SSH key for the new instance or access to the key used for the existing AWS Tiered instance. You can use the same private key to establish SSH access to both instances.

With your new Access Server on Docker running, you can move your configuration over before going live.

To connect with a file transfer application such as WinSCP, you need key pairs from the old and new instances.

Important

You don't need to copy database files if you already use a separate database to support a cluster of Access Servers. Instead, add the new subscription server to your cluster and remove the old, tiered node.

Follow these steps to move your configuration backup to your new Docker container:

  1. Sign in to the Docker Linux host console and get root privileges.

  2. Run these commands to stop the Access Server container image, restore the backup, and then start the Access Server container image:

    # Stop the Access Server container before replacing its databases.
    docker stop openvpn-as
    # Install the sqlite3 CLI with whichever package manager the host has.
    which apt > /dev/null 2>&1 && apt -y install sqlite3
    which yum > /dev/null 2>&1 && yum -y install sqlite
    cd /<data_folder>/etc/db
    # For each backup that exists, remove the database and rebuild it from the backup.
    [ -e ../../config.db.bak ] && (rm -f config.db; sqlite3 < ../../config.db.bak config.db)
    [ -e ../../certs.db.bak ] && (rm -f certs.db; sqlite3 < ../../certs.db.bak certs.db)
    [ -e ../../userprop.db.bak ] && (rm -f userprop.db; sqlite3 < ../../userprop.db.bak userprop.db)
    [ -e ../../log.db.bak ] && (rm -f log.db; sqlite3 < ../../log.db.bak log.db)
    [ -e ../../config_local.db.bak ] && (rm -f config_local.db; sqlite3 < ../../config_local.db.bak config_local.db)
    [ -e ../../cluster.db.bak ] && (rm -f cluster.db; sqlite3 < ../../cluster.db.bak cluster.db)
    [ -e ../../notification.db.bak ] && (rm -f notification.db; sqlite3 < ../../notification.db.bak notification.db)
    # Restore as.conf, then limit the restored files to owner read/write.
    [ -e ../../as.conf.bak ] && cp ../../as.conf.bak ../as.conf
    chmod 0600 /<data_folder>/etc/db/*.db
    chmod 0600 /<data_folder>/etc/as.conf
    # Start the container again with the restored configuration.
    docker start openvpn-as

    • These commands restore the configuration backup on your new Access Server running in Docker.

Important

Replace <data_folder> with the location for storing Access Server configuration files when you install the Access Server Docker image.

If you don't know the data folder used by the Access Server container, run this command:

docker inspect -f '{{ .HostConfig.Binds }}' openvpn-as

For example:

root@openvpnas:~# docker inspect -f '{{ .HostConfig.Binds }}' openvpn-as
[/openvpnas:/openvpn]

In the above output, the data folder is openvpnas, so this is the folder you need to use in the backup commands like this:

cd /openvpnas/etc/db

After running these commands, the backup files ending in .bak can be found in the <data_folder> directory. The files contain everything unique about your Access Server installation.

You can restore the resulting backup files to another Access Server, including a higher version of Access Server, as we try to maintain backward compatibility.

If the configuration becomes completely lost at any point, all currently installed OpenVPN clients will be unable to connect to this server. Unique information stored in the certificates database cannot be recreated. Each installation of Access Server has unique certificates, and if you lose this information without a backup, you must completely reinstall Access Server and the VPN clients.
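A post-restore check for the steps above, as an added example that is not part of the original tutorial or OpenVPN's own tooling. It confirms that each restored database is a real SQLite file with mode 0600, and it reads the data folder from the `docker inspect` output. The function names are hypothetical, the container-side mount is assumed to be /openvpn as in the sample output, and the integrity check only runs when the sqlite3 CLI is installed.

```shell
#!/bin/sh
# Added example (not from the original page): post-restore checks for the
# Access Server data folder. Function names are hypothetical.

# Print the host path bound to /openvpn, given the output of
#   docker inspect -f '{{ .HostConfig.Binds }}' openvpn-as
# Assumes /openvpn is the container-side mount, as in the sample output above.
data_folder_from_binds() {
    printf '%s\n' "$1" | tr -d '[]' | tr ' ' '\n' |
        awk -F: '$2 == "/openvpn" { print $1; found = 1 } END { exit !found }'
}

# True if the file's permission bits are exactly 0600.
mode_is_0600() {
    [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# Check one restored database: non-empty, SQLite header present, owner-only
# mode, and (when the sqlite3 CLI is installed) a clean integrity check.
check_db() {
    f=$1
    [ -s "$f" ] || { echo "MISSING    $f"; return 1; }
    [ "$(head -c 15 "$f")" = "SQLite format 3" ] || { echo "NOT-SQLITE $f"; return 1; }
    mode_is_0600 "$f" || { echo "BAD-MODE   $f"; return 1; }
    if command -v sqlite3 >/dev/null 2>&1; then
        [ "$(sqlite3 "$f" 'PRAGMA integrity_check;' 2>&1)" = "ok" ] ||
            { echo "CORRUPT    $f"; return 1; }
    fi
    echo "OK         $f"
}

# Check every database whose .bak backup exists in <data_folder>, plus as.conf.
# Usage: check_restore /<data_folder>    (returns non-zero on any failure)
check_restore() {
    root=$1; rc=0
    for name in config certs userprop log config_local cluster notification; do
        [ -e "$root/$name.db.bak" ] || continue
        check_db "$root/etc/db/$name.db" || rc=1
    done
    if [ -e "$root/as.conf.bak" ]; then
        mode_is_0600 "$root/etc/as.conf" || { echo "BAD-MODE   $root/etc/as.conf"; rc=1; }
    fi
    return $rc
}
```

Run `check_restore /<data_folder>` after the `chmod` lines and before `docker start openvpn-as`; a non-zero exit status means at least one restored file needs attention.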

To automatically move your clients over to your new Access Server on Docker, update your DNS A record if using a hostname so that it points to the IP address of your new server.

Once you've set up your hostname or IP address to point to your new server, your users will automatically connect to it.

For details, refer to Tutorial: Setting up your Access Server Hostname.

  1. If you use PAM authentication, the passwords are stored in the operating system. They will not be backed up in the configuration files from step one.

  2. If you encounter errors when attempting to transfer the files using WinSCP, it may be due to insufficient privileges. Connect using SCP and choose “sudo su -” from the Shell field.

  3. If you use Access Server's clustering function, your data is stored separately in a MySQL-type database. Rather than following the above steps for backing up and restoring database configurations, you will simply set up a new server, add it to the cluster, and then remove the old node from the cluster.