OpenVPN Security Advisory: Dec 14, 2018
Action needed: Important update for OpenVPN Access Server

Installations and upgrades using the official OpenVPN Software Repository

The official OpenVPN Software Repository provides you with an enhanced user experience for installing and upgrading OpenVPN Access Server. The following will give you instructions for adding the repository with a new installation, adding it to an existing server in order to upgrade, using Linux to automatically update Access Server, updating Access Server without updating all other Linux packages, and preventing Access Server from automatically updating. Refer to the section that suits your needs.

Adding the repository with a new Access Server installation

Beginning with Access Server 2.7.5, we distribute the package and client bundle primarily through our official software repository. From our central server, you can obtain the latest Access Server software. Your Linux operating system will download and install the latest version and upgrade your existing installation whenever you get updates and upgrades.

You can find simple copy and paste instructions on how to do this on the software packages download page on our website. This is our recommended method for installation and updates. The steps found there are all it takes to add the repository and get started with a new Access Server installation within minutes.

Adding the repository and upgrading existing Access Server

If you are using Access Server 2.7.4 or older, you need to do the following:

  • Determine your operating system
  • Get the instructions for your OS from our website to install the repository
  • Install the latest version of Access Server

To determine your operating system:

cat /etc/issue
lsb_release -a
uname -a

This should output some useful information. If one of these commands fails, that is fine; the others should still give you what you need. Below is an example of output from an older Access Server on Amazon AWS:


OpenVPN Access Server Appliance 2.1.9 \n \l
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
Linux openvpnas2 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 21 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Now we know that we’re running Ubuntu 16.04.2 LTS on an x86_64 platform. With the information on your system, determine the operating system name, version number, and whether it’s x86 (32 bits) or x86_64 (64 bits).

Based on those three things, look up the repository installation instructions on our software packages download page on our website. Select the operating system that you use, then its version from the choices, and a list of instructions displays.

The instructions give you the commands to copy and paste to your server’s command line. They set up the software repository for you, download and install the latest Access Server version, and upgrade your existing installation.

After adding the repository, when you run apt update and apt upgrade in the future, it will update Access Server at the same time as your system.

For the final step, we recommend rebooting your server:

reboot

This completes the upgrade process.

NOTE: If your operating system is older than those we have listed, you may need to consider updating your whole system. For example, we no longer offer downloads for CentOS 5 as it could not handle functions we support today for IPv6. Installing OpenVPN Access Server on an older platform than it was designed for will result in failure.

Updating Access Server with Linux OS updates

We recommend keeping your Linux operating system updated. With the built-in package manager program, it’s easy to retrieve updates and install them. We recommend doing this regularly to keep up with security fixes. To do so, run these commands when logged on to the Access Server as a root user:

Ubuntu and Debian

apt-get update
apt-get upgrade

RedHat and CentOS

yum check-update
yum update

These commands update packages within the version of your operating system. If your Access Server uses our software repository, it will also upgrade the Access Server and bundled Connect Clients if there are any newer versions.

These commands will not upgrade your Linux OS, such as from Debian 8 to Debian 9. Such a large upgrade is called a distribution upgrade, and chances are that doing one could break your license key. If that happens, you will need to contact us to have it reissued. See this page for details on migrating your Access Server installation.

Updating Access Server if you are already using the repository

If you have OpenVPN Access Server 2.7.5 or higher, it’s likely you are using our repository. When we release a new version of Access Server on our website and to the repository, you should be able to install it easily.

Any updates and upgrades will run whenever you update your operating system with these commands:

Ubuntu and Debian

apt update
apt upgrade

RedHat and CentOS

yum check-update
yum update

After this completes, reboot the server:

reboot

If all went well, your Access Server is now up to date along with your Linux system.

If you are running an instance of Access Server on a cloud image (AWS, Google, DigitalOcean, or Azure), we have pinned the openvpn-as package, which prevents your Ubuntu server from including it in updates with the commands above. For information about this, refer to the section below.

Preventing Access Server updates

Once you have added the OpenVPN Access Server software repository to your system, any time you run the commands to update your operating system, it will also pull in the new Access Server release and bundled Connect Clients, if there are any. For cloud images (Google, Azure, AWS, and DigitalOcean), and ESXi and HyperV appliances, we have pinned the openvpn-as package so that the Access Server program does not update when you install operating system updates.

The reason we have done this is to avoid a sudden change in process. Past versions of Access Server stayed at their currently installed version number when people ran operating system updates. We did not want to end up surprising a system administrator with a new Access Server version just by doing security updates.

You can change that by unpinning the package, and repin it later if you’d like, with these commands.

Unpin the openvpn-as package:

apt-mark unhold openvpn-as

Repin the openvpn-as package:

apt-mark hold openvpn-as
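
A held openvpn-as package also stays behind when Access Server fixes are published, so it helps to check whether the hold is keeping the server on an older version. The following is an added example, not part of the original page or OpenVPN's own tooling; the function names and the sample text (including the candidate version string) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the update state of openvpn-as from the text
# printed by `apt-mark showhold` and `apt-cache policy openvpn-as`.

# is_held PACKAGE HOLD_LIST: succeeds if PACKAGE is a full line of HOLD_LIST.
is_held() {
    printf '%s\n' "$2" | grep -Fqx -- "$1"
}

# policy_field FIELD POLICY_TEXT: print the version that follows "FIELD:".
policy_field() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }'
}

# update_status PACKAGE HOLD_LIST POLICY_TEXT: print one status line.
update_status() {
    inst=$(policy_field Installed "$3")
    cand=$(policy_field Candidate "$3")
    if [ -z "$inst" ] || [ "$inst" = "(none)" ]; then
        echo "not-installed"
    elif [ "$inst" = "$cand" ]; then
        echo "current $inst"
    elif is_held "$1" "$2"; then
        # The repository offers another version, but the hold blocks it.
        echo "held-behind $inst -> $cand"
    else
        # The next apt upgrade will pull in the candidate version.
        echo "upgrade-pending $inst -> $cand"
    fi
}

# Constructed sample input (not captured from a real server).
SAMPLE_POLICY='openvpn-as:
  Installed: 2.7.5
  Candidate: 0.0.0-constructed-newer
  Version table:'
SAMPLE_HOLDS='linux-image-generic
openvpn-as'

update_status openvpn-as "$SAMPLE_HOLDS" "$SAMPLE_POLICY"

# Live use on a Debian/Ubuntu server:
#   update_status openvpn-as "$(apt-mark showhold)" "$(apt-cache policy openvpn-as)"
```

A result of held-behind means operating system updates are being installed while Access Server itself is not moving forward.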

Installations and upgrades using package installer files

Linux programs are installed as packages, either from a software repository or a separately downloaded and installed file. We recommend using our official repository. We also continue to support OpenVPN Access Server as software package files that can be downloaded and installed separately.

Beginning with Access Server 2.7.5, we have split the program into two pieces:

  • OpenVPN Access Server bundled Connect software for Windows and macOS
  • The OpenVPN Access Server program itself

You must install both packages:

  • Navigate to the Software Repository & Packages page
  • Select your Linux operating system
  • Click on Option 2: Manually Download Packages in the modal window
  • Follow the instructions found there with the download links provided

Failover upgrade procedure

NOTE: Before you begin, make sure that you do backups of both nodes. Use these backup commands on the command line.

OpenVPN Access Server comes with a built-in failover mode you can deploy on your local LAN network. It allows one primary node to handle all tasks, with a secondary standby node. The secondary node comes online automatically, taking over all tasks, if your primary node fails. This is done with a method called UCARP using VRRP heartbeat network packets. For more details, refer to Setting up high-availability failover mode on our site.

It’s important to keep both Access Server nodes updated with the same versions. We also recommend following a specific upgrade procedure to avoid triggering the failover unnecessarily. This should also ensure that you have a way to easily restore connectivity in the rare event that anything goes wrong with the upgrade.

Begin by making a backup of the failover node and then taking it offline. First make the backup, and then shut down the (virtual) machine where your failover installation of Access Server is installed.

Keeping your primary node online, make a backup and then begin with your upgrade steps. To upgrade using the repository, please click on the Software Repository section on this page. To upgrade using the package installer, please click on the Package Files section on this page.

Once you have completed the upgrade of your primary node, validate that everything is working as expected. Once the primary node is good to go, you can bring the failover node online and perform the same upgrade steps there as well. The failover node won't actually do anything while the primary node is online, so you can now safely upgrade it to the latest version. Afterwards, give it a few minutes to get a configuration update from your primary node before you start testing failover functionality.

At an opportune time, we recommend testing to see if the failover system is working properly. To do this, take the primary node down and check to see that your connections and Admin Web UI work as expected.

If something goes wrong with the upgrade process of the primary node, we recommend you gather log file information and contact us with our support ticket system. Then, take the primary node offline. Once it is offline, bring the failover node online. It should start up as the old system it was and take over and handle connections. This keeps your clients up and running while you look into the problem on the primary node. Once issues are diagnosed and resolved, you can bring the primary node back up, take the failover node offline, and perform the upgrade steps as outlined above.

Replace entire appliance or cloud image

If your appliance or cloud image is really outdated, and/or your installation has an old and no longer supported operating system, you should consider installing a new one. Please refer to our migration or reinstallation guide for this. It describes how to back up your system and restore the configuration to another Access Server. We recommend this step if your Linux OS is too old. Upgrade your entire OS and start over with a new Access Server installation. When you restore your data and license keys, you’ll be up and running again.

Usually, this kind of migration or reinstallation can be done in a way where you can keep the current system up and running while you set up a new system in parallel. Then, you can test it before you do the actual switch.

Updating OpenVPN Access Server

This page provides you with detailed information for updating and upgrading OpenVPN Access Server. Below you’ll find three different areas to navigate. We recommend using the official OpenVPN Software Repository for upgrading. We also still support upgrading with package files, which may be useful for an offline installation of Access Server (not connected to the Internet). The final section provides information for upgrading an Access Server Failover setup, if that matches your environment.

Before you begin

We recommend following these steps before updating OpenVPN Access Server:

1. Back up your settings. To make a complete backup of your settings without stopping your server, use these backup commands on the command line. The information stored in Access Server (e.g., server and client certificates) is unique and cannot be replaced. We recommend setting up an automated backup task if you haven’t already done so.
2. Check server compatibility. Compatibility of the current version of Access Server with past versions is very good. You can update as described here for versions all the way back to 1.7.1. If needed, Access Server leaves a copy of old data in this directory whenever you upgrade: /usr/local/openvpn_as/etc/backup
3. Check client compatibility. There may be some cases where older client software cannot connect to a modern Access Server. To fix this, simply update to a more recent version of the client software. If that is not possible, you may lower the security requirements of the Access Server. It may be that an upgraded Access Server has the minimum required TLS security level set to a higher version, causing an issue with older clients. You can change this for your server. Open the Admin Web UI, go to TLS Settings and set OpenVPN daemons to TLS 1.0.
4. Update old license keys. This only applies to perpetual license keys. All license keys sold in 2013 and later are standard license keys, not perpetual. We still honor the original terms under which we used to sell perpetual licenses. One of these terms was that no support or upgrades were allowed when the license key’s term for support expired. If you have an old license key and an Access Server 1.8.4 or older, an upgrade will lose that license key. For more, see our licensing FAQ page.
5. Understand Amazon AWS tiered instance licensing. If you have an Amazon AWS tiered instance, pre-licensed with “xx connected devices”, you don’t need to worry about licenses. It is taken care of internally by Amazon’s systems that handle licensing and billing. Simply upgrade the Access Server package itself.

Software Repository

As of Access Server 2.7.5, we distribute Access Server through our official OpenVPN software repository. We provide a central server with the latest Access Server software. You can tell your operating system to download and install the latest from that location, upgrading your existing installation. This is the recommended method for installations and updates.

Package Files

If you will not be using the official OpenVPN Access Server software repository for installations and updates, you can instead download the packages separately to your server and install them.