OpenVPN Security Advisory: Dec 14, 2018
Action needed: Important update for OpenVPN Access Server

Instructions to patch licensing system on older Access Servers

Introduction

The licensing system of the OpenVPN Access Server product is going to be updated after January 20th of 2019 to add support for new features and to enhance security. Because of this there will be some changes on our end, and this requires a small change in the licensing system to be implemented on your existing OpenVPN Access Server installation as well. This patch ensures that new license keys and renewal license keys can be activated after the mentioned date. The impact of this change is kept as minimal as possible, and we will provide information to answer the most common questions and to make this transition go as smoothly as possible.

Please note that this change does not affect our Amazon AWS tiered instances that are pre-licensed with a predefined number of connections. These are billed through Amazon AWS directly and use a different licensing system that does not need this update.

For more information and answers to questions you may have regarding these changes see:

Installation instructions

Ideally, you should keep your OpenVPN Access Server up to date, as Access Server version 2.6.1 and later already incorporates the necessary changes. But if for some reason you are unable to upgrade or cannot find the time to do maintenance on your server, use these instructions instead to patch your server live, without having to stop your server or disconnect your VPN clients. Make sure you have access to the command line interface of your OpenVPN Access Server, either on the console or through SSH, and make sure to obtain root privileges.

Then run the following command to apply the patch:

wget https://swupdate.openvpn.net/as/hotfix/openvpn-as-hotfix-2018-1.tar && tar xvf openvpn-as-hotfix-2018-1.tar && cd openvpn-as-hotfix-2018-1 && ./install

After you run this command, you should see something like this on your screen:

launch wrapper openvpnas modified
launch wrapper liman modified
apply temporary post_auth
attempting warm restart
warm restart succeeded
no original post_auth
live hotfix applied

This means that the installation of the patch has concluded successfully. You may now activate a license key as per usual on your Access Server.

Troubleshooting

While we have tested the installation of this patch carefully in many environments, the installation command may fail if something is out of date or not entirely as expected. We have a couple of solutions and workarounds lined up for issues that we encountered in our testing. Our installation instructions assume that a very basic tool called wget is present and that the Access Server has unimpeded access to the Internet.

If those requirements are not met, you may still download the licensing patch manually and transfer it to your Access Server yourself, and then run the installation program. You can start the installation with these commands with root user privileges in the directory where you stored the licensing patch file on your Access Server:

tar xvf openvpn-as-hotfix-2018-1.tar && cd openvpn-as-hotfix-2018-1 && ./install

You can verify integrity of the file with this command:

sha256sum openvpn-as-hotfix-2018-1.tar

The resulting sha256sum should be 7e47fd172596656a990b338f770f7b5ccb6b2629a286f8a19957dbf7b5aef2b7
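
As an added example (not part of OpenVPN's advisory or hotfix; the function names are hypothetical), the script below turns the integrity check into a gate: it compares the archive against the SHA-256 value published above and only then unpacks it and runs ./install. This matters most when the archive was fetched over plain HTTP or copied to the server by hand, because the checksum is then the only integrity control on the file.

```shell
#!/bin/sh
# Added example, not OpenVPN's code. Function names are hypothetical.
# EXPECTED is the SHA-256 value published in this advisory.
EXPECTED=7e47fd172596656a990b338f770f7b5ccb6b2629a286f8a19957dbf7b5aef2b7
ARCHIVE=openvpn-as-hotfix-2018-1.tar

# verify_sha256 FILE HEX
# Returns 0 on an exact match, 1 on a mismatch, 2 on unusable input.
verify_sha256() {
    file=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters; refuse anything else
    # so a truncated or mistyped value can never be "matched".
    case $want in
        *[!0-9a-f]*) echo "digest is not hex" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "digest is not 64 chars" >&2; return 2; }
    got=$(sha256sum "$file" | cut -d' ' -f1) || return 2
    [ "$got" = "$want" ] && return 0
    echo "SHA-256 mismatch for $file: got $got" >&2
    return 1
}

# install_hotfix ARCHIVE HEX
# Unpacks the archive and runs ./install only after the check has passed.
install_hotfix() {
    verify_sha256 "$1" "$2" || return $?
    dir=$(basename "$1" .tar)
    tar xf "$1" && ( cd "$dir" && ./install )
}

# Run as root from the directory holding the downloaded archive.
if [ -f "$ARCHIVE" ]; then
    install_hotfix "$ARCHIVE" "$EXPECTED"
fi
```

A non-zero exit status means nothing was unpacked or executed; delete the archive and fetch it again from a trusted network.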

Some common problems and solutions:

-bash: wget: command not found
The program wget is used to easily fetch the required files from our website. If your system doesn’t have wget installed, the command will fail with this message. To resolve this, either install wget yourself with a command like apt-get install wget or yum install wget, or if that fails for some reason, download the file yourself and then transfer it to your Access Server manually.

ERROR: Certificate verification error for swupdate.openvpn.net: unable to get local issuer certificate
This means that the identity of our download server could not be verified. This is usually because the Certificate Authority bundle on your system is outdated, and it can usually be resolved by updating your OS. But an easy way around this problem is to try to download the file using unsecured HTTP traffic instead, with this command:

wget http://swupdate.openvpn.net/as/hotfix/openvpn-as-hotfix-2018-1.tar && tar xvf openvpn-as-hotfix-2018-1.tar && cd openvpn-as-hotfix-2018-1 && ./install

Resolving swupdate.openvpn.net (swupdate.openvpn.net)… failed: Temporary failure in name resolution.
This means your DNS settings are broken. Look into fixing your DNS resolution system so that your Access Server can actually translate swupdate.openvpn.net to its related IP address.

I’m seeing an error containing “error loading post_auth script: missing post_auth/post_auth_cr function”
That can happen, but it is expected behavior. If you see this message, you can ignore it, as it is no cause for concern.

Uninstalling the patch

While there should be no need to ever uninstall the patch, we chose the safe path and provided an uninstall script that rolls back the changes made. It is in the same directory as the patch itself, and can be started with this command:

./uninstall
