Tutorial: Keep Access Server Updated
How to keep Access Server updated to the latest version. We recommend running the latest version for best security practices.
Overview
This tutorial provides you with detailed information for updating and upgrading Access Server.
Below are your different installation options. We recommend upgrading from the official OpenVPN software repository.
The official OpenVPN software repository enhances the user experience for installing and upgrading Access Server. The following will give you instructions for adding the repository to a new installation, adding it to an existing server to upgrade, using Linux to automatically update Access Server, updating Access Server without updating all other Linux packages, and preventing Access Server from automatically updating.
Refer to the section that suits your needs.
For a related resource, we have a video that shows you how to update Access Server to the latest version.
Use these backup commands on the command line to completely back up your settings without stopping your server. The information stored in Access Server (e.g., server and client certificates) is unique and cannot be replaced. If you haven't already done so, we recommend setting up automated backup tasks.
The current version of Access Server is very compatible with past versions. You can update as described here for versions all the way back to 1.7.1. If needed, Access Server leaves a copy of old data in this directory whenever you upgrade: /usr/local/openvpn_as/etc/backup.
Some cases may exist where older client software cannot connect to a modern Access Server. To fix this, simply update to a more recent client software version. If that isn't possible, you may lower Access Server's security requirements. It may be that an upgraded Access Server has the minimum required TLS security level set to a higher version, causing an issue with older clients. You can change this for your server:
Sign in to the Admin Web UI.
Click Configuration > TLS Settings.
Set the OpenVPN daemons to TLS 1.0.
If you have an Amazon AWS tiered instance pre-licensed with “xx connected devices,” you don’t need to worry about licenses. Amazon’s licensing and billing systems take care of them internally. Simply upgrade the Access Server package itself.
Beginning with Access Server 2.7.5, we distribute the package and client bundle primarily through our official software repository. From our central server, you can obtain the latest Access Server software. Your Linux operating system will download and install the latest version and upgrade your existing installation whenever you get updates and upgrades.
To copy and paste the commands to add the Access Server repository and install Access Server:
Sign in to the Access Server portal on our site.
Click Get Access Server.
Click Linux Software Package.
Select your Linux OS.
Copy the commands to add the repository and install the openvpn-as package.
Run the commands on your server.
We provide detailed installation guides for the different platforms available. Refer to these installation guides for steps.
If you are using Access Server 2.7.4 or older, follow these steps:
Determine your operating system by running these commands:
cat /etc/issue
lsb_release -a
uname -a
This outputs useful information. If you encounter some failure, that is fine. You should still get what you need. An example output from an older Access Server system on Amazon AWS gives this:
OpenVPN Access Server Appliance 2.1.9 \n \l
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
Linux openvpnas2 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 21 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Use the output to find your operating system name, version number and whether it's x86 (32 bits) or x86_64 (64 bits).
Sign in to the Access Server portal.
Click Get Access Server.
Click Linux Software Package.
Select your Linux system based on the output and copy the commands from the instructions.
Paste those commands to your server's command line.
The commands set up the software repository for you, download and install the latest Access Server version, and upgrade your existing installation.
After adding the repository, when you run apt update and apt upgrade in the future, Access Server will be updated at the same time as your system.
For the final step, we recommend rebooting your server:
reboot
This completes the upgrade process.
Caution
If your operating system is older than those we have listed, you may need to consider updating your whole system. For example, we no longer offer downloads for CentOS 5 as it could not handle the functions we support today for IPv6. Installing Access Server on an older platform than it was designed for will result in failure.
We recommend keeping your Linux operating system updated. With the built-in package manager program, it’s easy to retrieve updates and install them. We recommend doing this regularly to keep up with security fixes. To do so, run these commands when logged on to the Access Server as a root user:
Ubuntu and Debian
apt update
apt upgrade
RedHat and CentOS
yum check-update
yum update
These commands update packages within the version of your operating system. If your Access Server uses our software repository, it will also upgrade the Access Server and bundled OpenVPN Connect apps if there are newer versions.
These commands will not upgrade your Linux OS, such as from Debian 8 to Debian 9. Such a large upgrade is called a distribution upgrade. If you use a fixed license key, a distribution upgrade could break it. Contact us for help. See this page for details on migrating your Access Server installation.
If you have Access Server 2.7.5 or higher, it’s likely you are using our repository. When we release a new version of Access Server on our website and to the repository, you should be able to install it easily.
Update and upgrade packages when you update your operating system with these commands:
Ubuntu and Debian:
apt update
apt upgrade
RedHat and CentOS
yum check-update
yum update
After the updates are complete, reboot the server:
reboot
If all went well, your Access Server and your Linux system are now up to date.
Important
If you are running an instance of Access Server on a cloud image (AWS, Google, DigitalOcean, or Azure), we have pinned the openvpn-as package, which prevents your Ubuntu server from including it in updates with the commands above.
Once you have added the Access Server software repository to your system, any time you run the commands to update your operating system, it will also pull in the new Access Server release and bundled connect clients, if there are any. For cloud images (Google, Azure, AWS, and DigitalOcean), ESXi, and HyperV appliances, we have pinned the openvpn-as package so that the Access Server program doesn't update when you install operating system updates.
We have done this to avoid a sudden change in process. Past versions of Access Server stayed at their currently installed version number when people ran operating system updates. We did not want to surprise a system administrator with a new Access Server version just by performing security updates.
You can change that by unpinning it, and repin if you’d like with these commands.
Unpin the openvpn-as package:
apt-mark unhold openvpn-as
Repin the openvpn-as package:
apt-mark hold openvpn-as
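Because a held package is skipped silently during operating system updates, it helps to check whether the hold is hiding an available Access Server release. The following is an added example, not OpenVPN's own tooling: the function names and status words are hypothetical, the sample version strings are constructed placeholders, and it assumes the standard output of `apt-mark showhold` and `apt-cache policy`.

```shell
#!/bin/sh
# Added example (not part of Access Server): report whether a held
# openvpn-as package is hiding an available upgrade.

PKG=openvpn-as

# $1 = output of `apt-mark showhold`; succeeds if PKG is held.
is_held() {
    printf '%s\n' "$1" | grep -qxF -- "$PKG"
}

# $1 = output of `apt-cache policy openvpn-as`, $2 = Installed|Candidate.
policy_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p" | head -n1
}

# Print one of: not-installed, current, upgrade-pending, held-back.
as_update_status() {
    holds=$1 policy=$2
    installed=$(policy_field "$policy" Installed)
    candidate=$(policy_field "$policy" Candidate)
    if [ -z "$installed" ] || [ "$installed" = "(none)" ]; then
        echo not-installed
    elif [ "$installed" = "$candidate" ]; then
        echo current
    elif is_held "$holds"; then
        echo held-back        # apt upgrade will skip Access Server
    else
        echo upgrade-pending  # next apt upgrade installs the candidate
    fi
}

# Constructed sample input (version strings are placeholders).
SAMPLE_HOLDS='openvpn-as'
SAMPLE_POLICY='openvpn-as:
  Installed: 0.0.1-placeholder
  Candidate: 0.0.2-placeholder
  Version table:'

# Live use on the server:
#   as_update_status "$(apt-mark showhold)" "$(apt-cache policy openvpn-as)"
```

A result of held-back means the repository offers a different version than the one installed and the hold is what keeps it from being applied.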
Linux programs are installed as packages from a software repository or a separately downloaded and installed file. We recommend using our official repository. We also continue to support Access Server as software package files that can be downloaded and installed separately.
Beginning with Access Server 2.7.5, we have split the program into two pieces:
Access Server bundled OpenVPN Connect software for Windows and macOS.
The Access Server program itself.
You must install both packages:
Sign in to the Access Server portal.
Click Get Access Server.
Select your Linux operating system and version.
Follow the instructions for Manual Download.
An Access Server cluster relies on a central database system to store information about users, certificates, and other cluster configurations. Some configuration information, such as which interface to listen on and how to connect to the central database system, stays locally on the individual cluster nodes.
Before you begin, we recommend making a backup. As some data is stored in a central database for a cluster setup, use the mysqldump tool for your backup. Once you've backed up the data stored in your central database, refer to Tutorial: How to Back Up Access Server Configuration for specifics on how to back up the local configuration stored in the config_local.db file.
All cluster nodes must run on the same version of Access Server. Therefore, when upgrading a cluster of Access Server nodes to a new version, ensure you upgrade all nodes. You don’t have to upgrade all at once, but it can be done in a rolling upgrade, where each node, in turn, gets upgraded until all nodes are on the same new version. A rolling upgrade ensures that the cluster is never fully down. Clients connected to a node that goes down for maintenance should automatically connect to the next available node. This may cause temporary disconnects for your users, but the clients should automatically reconnect.
Important
We recommend contacting support if you need to roll back due to difficulties. We can help out.
When Access Server starts up and detects an older version of the databases in use, it may need to perform certain database updates and possibly change some values. These changes are expected when updating your Access Server. In the case of a cluster, the central databases also get updated. In rare cases, this could lead to incompatibilities with older versions of Access Server.
Therefore, if you need to roll back to an older Access Server version for whatever reason, you should restore the databases to an older version. You can do this by restoring a backup of the databases taken before you performed the Access Server upgrade.
Warning
Before you begin, ensure that you do a backup of the primary node, which is in the master state. Use these backup commands on the command line.
Access Server has a built-in failover mode you can deploy on your local LAN network. It allows one primary node to handle all tasks, with a secondary standby node. The secondary node comes online automatically, taking over all tasks if your primary node fails. This is done using a method called UCARP, which uses VRRP heartbeat network packets. For more details, refer to Tutorial: How To Set Up Failover Mode.
Important
Keep both Access Server nodes updated with the same versions. We also recommend following a specific upgrade procedure to avoid triggering the failover unnecessarily. This should also ensure that you can easily restore connectivity if anything goes wrong with the upgrade.
Use the following command to determine the primary node for making a backup:
cat /var/log/openvpnas.log|grep "Switching to state:" |tail -n1
If you see [WARNING] Switching to state: MASTER, you are on the primary node. Make your backup here.
If you see [WARNING] Switching to state: BACKUP, you are on the secondary node. Go to the other node and re-check if it's active.
Shut down the (virtual) machine where your failover installation of Access Server is installed.
Stop the primary node's Access Server service:
service openvpnas stop
Upgrade the software on the primary node:
To upgrade using the repository, follow the steps under Updating Access Server if you're already using the repository.
To upgrade using the package installer, follow the steps under Installations and upgrades using package installer files.
Validate everything works on your updated primary node. Access Server should have started automatically after the upgrade, but if it didn't, run:
service openvpnas start
After testing the primary node, bring the secondary node online and perform the same upgrade steps there.
Note
The secondary node won't actually do anything while the primary node is online. So you can now safely upgrade the secondary node to the latest version.
After completing the secondary node upgrade, wait ten minutes for a configuration update from your primary node before testing the failover functionality.
At an opportune time, we recommend testing to see if the failover system is working properly. To do this, take the primary node down and check to see that your connections and Admin Web UI work as expected.
Tip
If something goes wrong with the upgrade process of the primary node, we recommend you gather log file information and contact us with our support ticket system. Then, take the primary node offline. Once it is offline, bring the secondary node online. It should start up as the old system it was and take over and handle connections. This keeps your clients up and running while you look into the problem on the primary node. Once issues are diagnosed and resolved, you can bring the primary node back up, take the secondary node offline, and perform the upgrade steps outlined above.
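The primary-node check at the start of this procedure can be wrapped as a guard that a backup or upgrade script calls before doing anything else. This is an added example, not OpenVPN's own tooling: the function names and the sample log lines are constructed, and only the log path and the `Switching to state:` message come from this tutorial.

```shell
#!/bin/sh
# Added example (not part of Access Server): determine the failover role
# from the log before taking a backup or starting an upgrade.

AS_LOG=${AS_LOG:-/var/log/openvpnas.log}   # log path used in this tutorial

# Print MASTER, BACKUP or UNKNOWN based on the most recent state change.
last_failover_state() {
    log=${1:-$AS_LOG}
    if [ ! -r "$log" ]; then
        echo UNKNOWN
        return 0
    fi
    # Only the last transition matters; earlier ones are history.
    state=$(sed -n 's/.*Switching to state: \([A-Z][A-Z]*\).*/\1/p' "$log" |
        tail -n1)
    case $state in
        MASTER|BACKUP) echo "$state" ;;
        *) echo UNKNOWN ;;   # no transition logged, e.g. after log rotation
    esac
}

# Succeed only on the primary node, so a backup script can bail out early.
require_primary() {
    role=$(last_failover_state "$1")
    if [ "$role" = MASTER ]; then
        return 0
    fi
    echo "refusing to continue: failover role is $role" >&2
    return 1
}

# Constructed sample log: the node started as standby, then took over.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-01T10:00:00+0000 [stdout#info] [WARNING] Switching to state: BACKUP
2024-01-01T10:05:00+0000 [stdout#info] unrelated line
2024-01-01T10:07:30+0000 [stdout#info] [WARNING] Switching to state: MASTER
EOF
}
```

An UNKNOWN result is treated the same as BACKUP: the guard refuses to continue rather than assume the node is the primary.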
If your appliance or cloud image is really outdated, and/or your installation has an old and no longer supported operating system, you should consider installing a new one. Please refer to our migration or reinstallation guide for this. It describes how to back up your system and restore the configuration to another Access Server. We recommend this step if your Linux OS is too old. Upgrade your entire OS and start over with a new Access Server installation. You'll be up and running when you restore your data and license keys.
Usually, this kind of migration or reinstallation can be done so that the current system can be kept up and running while you set up a new system in parallel. Then, you can test it before you make the actual switch.
If you have a perpetual license key purchased prior to 2013, you must purchase a new subscription to upgrade your Access Server instance. All Access Server license keys purchased since 2013 are standard license keys, not perpetual.
OpenVPN strictly adheres to the original terms under which we sold perpetual licenses. One of those terms was that neither support nor upgrades were allowed when the license key’s support term expired. A perpetual license key will not work on an Access Server higher than version 1.8.4.