Before you begin
Backup your settings first. You can use the backup commands on the command line found here to make a complete backup of the settings on your Access Server installation safely without having to stop operations on your server. If you’ve never made a backup before, now would be a good time to remind you that it would be a good idea to set up an automated backup plan.
There are a couple of notes that you should take a careful look at before proceeding:
Compatibility with older OpenVPN Access Servers
The compatibility is actually really good – all the way back to version 1.7.1 you can just do the update as described in this document and you should have a working Access Server with the latest version. There are some compatibility issues due to changed security settings that can usually be fixed though (described in the next section) so that old clients can still connect to a newer Access Server. It is usually also possible to just rollback to an older version by installing the older version and restoring the data to it. It is important to note however that OpenVPN Access Server version 2.6 and higher have a different database schema and that rolling back then is not so easy.
Compatibility with older OpenVPN client software
Generally the compatibility is very good, but there may be cases where older software is not able to connect to a modern Access Server. This can usually be remedied by either updating the client software to a more recent version, or by lowering the security requirements of the OpenVPN Access Server. The one thing that is currently relevant to this is that the OpenVPN protocol was originally TLS 1.0 based, but was later extended to also make TLS 1.1 and TLS 1.2 possible. When you upgrade your Access Server to version 2.5 or higher, and your TLS settings were the default TLS 1.0, it will now set the TLS level to TLS 1.1. In this situation, client software like the open source OpenVPN program version 2.2 or old builds of 2.3, may not be able to connect. Likewise, OpenVPN Connect Client 2.1.1 or older, may not be able to connect anymore. Usually you will see TLS errors in the log files then. The solution is to either update the client software to the latest version, or after the upgrade go to the TLS Settings page in the Admin web UI and set the OpenVPN daemons back to the old setting of TLS 1.0. With that setting, older clients are able to connect to a modern Access Server installation. Please take care not to change the web services TLS setting there, as this is unrelated to this issue.
Old-style perpetual license keys – end of support notice
Many years ago, license keys were sold of the perpetual type. We no longer sell these. However we do still honor the original terms they were sold under. And one of those terms was that no support or upgrades were allowed when such a license key was expired. If you currently are using such an old type license key and an Access Server of version 1.8.4 or older, then when you upgrade, such a license key will be lost. See also our licensing FAQ page for more information. All other license keys sold in 2013 and later are all of the standard license key type in the BYOL licensing system and you can safely upgrade without risk to your license keys. But it is still important to note that we only provide assistance in solving problems with license keys if the license keys are still actually valid. If they are expired, we cannot help you with those licenses. If the licenses are not expired, we will of course help you in whatever way we can to get them operating on your Access Server installation. If you have an active license key on your Access Server now, and you update your Access Server software, the license key should stay intact and all settings should remain intact as well. If not please contact us for a license key reissue.
Amazon AWS tiered instance licensing
If you use our Amazon AWS tiered instances that come prelicensed with a stated amount of “xx connected devices" then you need not worry about licenses at all. That is then taken care of internally by Amazon’s systems that take care of licensing and billing. You can then just upgrade the Access Server program itself, or even migrate to a whole new instance.
In-place upgrade of the Access Server
With this upgrade procedure you are just upgrading the OpenVPN Access Server program, while keeping your license keys and settings intact. The operating system, the settings, and license keys, are unaffected when you perform such an upgrade. In almost all cases, the upgrade can be performed in about a minute or two and will result in only momentary loss of connectivity for your VPN clients. It is not possible to avoid disconnecting your VPN clients when performing an upgrade, even if you run a failover setup. If you are running a failover setup please read more about this in the next section.
We recommend you reboot the server after performing an upgrade of the OpenVPN Access Server program.
Upgrade an entire appliance, OS included
We have a separation migration or reinstallation guide for this. The guide describes how to take a backup of a system and restoring the configuration to another Access Server installation.
Failover upgrade procedure
Just as with an ordinary single node setup you should do backups of both nodes first before proceeding. With a failover setup you should be careful not to actively run the failover and primary node at different versions, as this may cause some interesting problems with configuration changes between one version and the other. With a failover setup it is generally also recommended to follow a specific procedure to avoid triggered the failover unnecessarily, and to ensure you have a way to easily restore connectivity in the rare event that anything goes wrong with the upgrade process.
We recommend that the failover node be taken offline. So basically to shut down the (virtual) machine that this failover installation of Access Server is installed on. The primary node should remain online and upgraded. Follow the standard upgrade steps to upgrade it to the latest version and check to see if everything is working as expected. If it is working then you can bring the failover node online and perform the same upgrade steps there as well. At an opportune time you can then test to see if the failover system is working properly.
If however in the rare event that something goes wrong with the upgrade process of the primary node, then we recommend that you try to gather log file information and contact us at the support ticket system. And, that you then take this primary node offline. Once it is offline, you can bring the failover node online, and it will then take over and handle connections. This gives breathing room to look into the problem on the primary node at leisure while all essential tasks are handled by the failover node. Once any issues are diagnosed and resolved, you can bring the primary node back up, take the failover node offline, and test the primary node. If that all checks out you can then bring the failover node back online and perform the same upgrade steps there as well. At an opportune time you can then test to see if the failover system is working properly.
Package installer files
Programs on Linux are installed as packages, either from a repository or as a separately downloaded and installed file. OpenVPN Access Server currently comes only in separately downloaded packages for a number of operating systems. To find out exactly which operating systems are currently supported take a look at the software packages download page on our main website.
Doing the actual upgrade
You need either console or SSH access to the server, whether it’s an ESXi, HyperV, or AWS appliance, or a dedicated installation, it doesn’t matter. All upgrades are done exactly the same on all platforms. The very first step you should take is get access to the server and get root privileges. Then figure out which operating system you are running right now, and grab the correct package file from our website. Then install it with an upgrade command, and we then recommend rebooting.
Figure out your operating system:
cat /etc/issue lsb_release -a uname -a
You should get some useful information out of these commands. Some may fail in some situations, which is fine, you should still be getting the information you need. Below is an example of output that I got on one of my Access Server installation that just so happened to be on Amazon AWS:
OpenVPN Access Server Appliance 2.1.9 \n \l No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.04.2 LTS Release: 16.04 Codename: xenial Linux openvpnas2 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
This information tells us we are running Ubuntu 16.04.2 LTS on an x86_64 platform. Take a look at the information you are seeing on your system, and determine the operating system name and version number and whether it’s only x86 (32 bits) or x86_64 (64 bits). Based on which Linux operating system you have, look up the installation file on our software packages download page on our main website. Select the operating system you use and next select the installation package for your specific operating system. Note that there are 64 bits versions (x64) and 32 bits versions (x86). If your operating system is 64 bits, it is recommended to install the 64 bits version, but you can also install the 32 bits version (not recommended). If your operating system is 32 bits only then you cannot use the 64 bits version but must install the 32 bits version.
If you have an operating system version that is older than what we have listed, you may need to consider updating your whole system including the whole operating system instead. For example, we don’t offer downloads for CentOS 5 anymore, because CentOS 5 was not able to handle functions we now need to use for IPv6 support. Trying to install OpenVPN Access Server meant for CentOS 6 on an older platform like CentOS 5 will result in failure. If however you have a newer version of an operating system, like Ubuntu 17, then the installation file for Ubuntu 16 will almost certainly work just fine.
Downloading and upgrading the package
In order to upgrade the Access Server, you will need to download the Access Server package and place it somewhere on the intended server host. You can do this via a roundabout way by using your desktop computer to download the installation package from our website, and then uploading it using a tool such as SCP or WinSCP. But an easier method is to use wget, which is a tool designed to retrieve files directly from the Internet and save it directly on the file system of the Linux operating system where you are upgrading the OpenVPN Access Server program.
You can right-click the download link and select “Copy Link Address" or “Copy target" or such. The exact wording depends on the browser used. The goal is having the link to the installation package in your copy/paste buffer. Next go to the Linux server where you want to install the OpenVPN Access Server program and use wget to download the installation package file directly to the server.
Type wget followed by the pasted URL:
wget <paste copied url>
An example of what such a command could look like is shown below. Use the correct URL in your situation:
Optional step for advanced users: it is possible to use https:// for the connection instead if you prefer a secure connection, and you can verify if the package file you have downloaded has been correctly downloaded, and that it is in fact the package file that we are distributing and not somehow a tainted copy. This is all very unlikely but still you can check with the tool sha256sum, which creates a hash for the downloaded file. You can then compare it with the Access Server installation package sha256sum hash table on our website. Use command line “sha256sum openvpn-as-2.x.x-Ubuntu18.amd_64.deb" to generate the hash, and compare it to what is listed on the site. If they match you can be certain that you have the right file and it has downloaded correctly.
Now that the installation package file is downloaded to your system you can perform the upgrade with the following command:
Upgrade installation package on Debian/Ubuntu system:
dpkg -i openvpn-as-2.x.x-Ubuntu18.amd_64.deb
Upgrade installation package on RedHat/CentOS/Fedora system:
rpm -Uvh openvpn-as-2.x.x-CentOS7.x86_64.rpm
The upgrade process should then commence and finish. Afterwards you should reboot:
Update the operating system
As time passes, a number of updates for the Linux operating system you are using may have been released. To ensure that your operating system is up to date the built-in package manager program can be used to retrieve the updates and install them. It is recommended to do this regularly to keep up with security fixes. To do so use these commands when logged on to the Access Server as a root user.
In Ubuntu/Debian systems:
apt-get update apt-get upgrade
On a CentOS/Red Hat system it is similar:
yum update yum upgrade
These updates only update packages within the version of the operating system you are in. It does not for example upgrade you from Debian 8 to Debian 9. Comparing it to Windows it is like running Windows Update but staying with Windows 7, instead of upgrading to Windows 10. On Linux such a big upgrade from one version of the operating system to another, is called a distribution upgrade, and while this can be done, chances are it will break your licenses and you need to contact us to have them reissued if that occurs. Generally we like to advise that if your operating system is too old, you should upgrade the entire operating system by reinstalling. Basically, make a backup of your system, and start over new with a new Access Server installation on a more up-to-date operating system, and then restore your data and license keys there. See this page on migrating your Access Server installation.