OpenVPN Security Advisory: Dec 14, 2018
Action needed: Important update for OpenVPN Access Server

Keeping OpenVPN Access Server updated


Before you begin

Back up your settings first. You can use the backup commands on the command line found here to make a complete backup of the settings on your Access Server installation safely, without having to stop operations on your server. If you’ve never made a backup before, please consider setting up a backup task. The information stored in Access Server, such as server and client certificates, is unique and cannot be replaced.

There are a couple of notes that you should take a careful look at before proceeding:

Compatibility with older OpenVPN Access Servers

The compatibility is really good: all the way back to version 1.7.1 you can do the update as described in this document and you should end up with a working Access Server at the latest version. Changed security settings can cause some compatibility issues, but these can usually be fixed (as described in the next section) so that old clients can still connect to a newer Access Server. Rolling back to an older version is possible, with some caveats. When you do an upgrade, Access Server leaves a copy of the old data in the directory /usr/local/openvpn_as/etc/backup for you.

Compatibility with older OpenVPN client software

Generally the compatibility is very good, but there may be some cases where older software is not able to connect to a modern Access Server. This can usually be remedied either by updating the client software to a more recent version, or by lowering the security requirements of the OpenVPN Access Server. The usual cause is that the OpenVPN protocol was originally based on TLS 1.0 and was later extended to also allow TLS 1.1 and TLS 1.2. When you upgrade your Access Server to version 2.5 or higher and your TLS setting was the default of TLS 1.0, the upgrade raises the TLS level to TLS 1.1 to increase security. In this situation, client software such as the open source OpenVPN program version 2.2, or old builds of 2.3, may not be able to connect because it only knows TLS 1.0. Likewise, OpenVPN Connect Client 2.1.1 or older may no longer be able to connect. You will usually see TLS errors in the log files when this happens. The solution is either to update the client software to the latest version or, after the upgrade, to go to the TLS Settings page in the Admin web UI and set the OpenVPN daemons back to the old setting of TLS 1.0. With that setting, older clients will continue to be able to connect to a modern Access Server installation. Please take care not to change the web services TLS setting there, as it is unrelated to this issue.

Old-style perpetual license keys – end of support notice

Many years ago, we sold license keys of the perpetual type. We no longer sell these, but we do still honor the original terms they were sold under. One of those terms was that no support or upgrades were allowed once such a license key’s support term had expired. If you are currently using such an old-type license key and an Access Server of version 1.8.4 or older, that license key will be lost when you upgrade. See also our licensing FAQ page for more information. All other license keys sold in 2013 and later are of the standard license key type in the BYOL licensing system, and you can safely upgrade without risk to your license keys. It is still important to note that we only provide assistance in solving problems with license keys if the license keys are still actually valid. If they are expired, we cannot help you with those licenses. If the licenses are not expired, we will of course help you in whatever way we can to get them operating on your updated Access Server installation. If you have an active license key on your Access Server now and you update your Access Server software, the license key should stay intact and all settings should remain intact as well. If not, please contact us for a license key reissue.

Amazon AWS tiered instance licensing

If you use our Amazon AWS tiered instances that come prelicensed with a stated amount of “xx connected devices” then you need not worry about licenses at all. Licensing and billing are then handled internally by Amazon’s systems. You can just upgrade the Access Server program itself, or even migrate to a whole new instance.

In-place upgrade of the Access Server

With this upgrade procedure you are just upgrading the OpenVPN Access Server program, while keeping your license keys and settings intact. The operating system, the settings, and license keys, are unaffected when you perform such an upgrade. In almost all cases, the upgrade can be performed in about a minute or two and will result in only momentary loss of connectivity for your VPN clients. It is not possible to avoid (temporarily) disconnecting your VPN clients when performing an upgrade, even if you run a failover setup. If you are running a failover setup please read more about this in the next section.

We recommend you reboot the server after performing an upgrade of the OpenVPN Access Server program.

Upgrade an entire appliance, OS included

We have a separate migration or reinstallation guide for this. The guide describes how to take a backup of a system and restore the configuration to another Access Server installation.

Failover upgrade procedure

Just as with an ordinary single node setup you should do backups of both nodes first before proceeding. With a failover setup you should be careful not to actively run the failover and primary node at different versions, as this may cause some interesting problems with configuration changes between one version and the other. With a failover setup it is generally also recommended to follow a specific procedure to avoid triggering the failover unnecessarily, and to ensure you have a way to easily restore connectivity in the very rare event that anything goes wrong with the upgrade process.

We recommend that the failover node be taken offline, that is, that you shut down the (virtual) machine that this failover installation of Access Server is installed on. The primary node should remain online and be the one that gets upgraded. Follow the standard upgrade steps to upgrade it to the latest version and check to see if everything is working as expected. If it is working then you can bring the failover node online and perform the same upgrade steps there as well. At an opportune time you can then test to see if the failover system is working properly by taking the primary node down and checking to see if everything works as expected.

If, in the rare event, something goes wrong with the upgrade process of the primary node, we recommend that you gather log file information and contact us at the support ticket system, and that you then take this primary node offline. Once it is offline, you can bring the failover node online, and it will start up as the old system it was, take over, and handle connections. This gives breathing room to look into the problem on the primary node at leisure while all essential tasks are handled by the failover node. Once any issues are diagnosed and resolved, you can bring the primary node back up, take the failover node offline, and test the primary node. If that all checks out you can then bring the failover node back online and perform the same upgrade steps there as well. At an opportune time you can then test to see if the failover system is working properly.

Software repository

As of Access Server version 2.7.5 we distribute Access Server primarily through an official software repository. This means that there is a central server that contains our latest Access Server software, and you can tell your operating system to use that central server to download and install the latest version, upgrading your existing installation in the process. We provide simple copy and paste instructions on how to do this on the software packages download page on our website. This is the recommended method of installing and updating Access Server.

Package installer files

Programs on Linux are installed as packages, either from a software repository as mentioned above, or as a separately downloaded and installed file. OpenVPN Access Server is available from a software repository, and this is the recommended method. However, in some cases, people use Access Server in an environment that is isolated from the Internet, or for some reason do not want to use a software repository. In such cases, we do still offer the software package files that can be downloaded and installed separately. However, since Access Server version 2.7.5 the program has been split into two pieces:

  1. OpenVPN Access Server bundled Connect software for Windows and macOS
  2. The OpenVPN Access Server program itself

You must install both packages. To see instructions on how to do an installation without a repository by downloading packages and installing them, take a look at the software packages download page on our website. There will be a manual download option visible after you select an operating system you wish to download packages for. The instructions are there. You will also find download links there for the packages in case you want to download them to your own computer.

Upgrading if you are already using the repository

If you are on one of our cloud or appliance images with OpenVPN Access Server version 2.7.5 or higher it is very likely that you are using our repository to install updates. If there is a new Access Server released on our website and repository, you should be able to install it fairly easily. You need either console or SSH access to the server, and root privileges. Then run the command below.

Upgrade Access Server to latest version using the repository:

apt-mark unhold openvpn-as && apt update && apt -y upgrade && apt-mark hold openvpn-as

After this is done, please reboot the server.


If all went well your Access Server is now up to date.
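The one-line command above chains its steps with &&, so if apt update or apt upgrade fails, the final apt-mark hold never runs and openvpn-as stays unpinned. The following is an added example, not part of the original OpenVPN documentation, that runs the same steps but restores the hold in every case. The function names, the --run switch and the APT / APT_MARK override variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example: same steps as the one-liner above, with the hold always restored.
# APT and APT_MARK can be overridden to rehearse the flow with stub commands.
APT="${APT:-apt}"
APT_MARK="${APT_MARK:-apt-mark}"
PKG="openvpn-as"

# Succeeds when the package is currently held (pinned).
is_held() {
    "$APT_MARK" showhold | grep -qx "$PKG"
}

# unhold -> update -> upgrade, then re-apply the hold unconditionally.
# Returns 0 only if every apt step succeeded and the hold is back in place.
upgrade_access_server() {
    _rc=0
    "$APT_MARK" unhold "$PKG" || return 1
    { "$APT" update && "$APT" -y upgrade; } || _rc=$?
    # Re-pin regardless of the result: a failed upgrade must not leave the
    # package unheld, or the next routine OS update would pull in a new
    # Access Server release unexpectedly.
    "$APT_MARK" hold "$PKG" || _rc=1
    is_held || _rc=1
    return "$_rc"
}

# Only touch the system when explicitly asked to (run as root).
if [ "${1:-}" = "--run" ]; then
    upgrade_access_server
fi
```

A non-zero exit status means an apt step failed or the hold could not be confirmed; check that before rebooting.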

Install repository, then upgrade

If you are using Access Server 2.7.4 or older, you will have to figure out which operating system you are running right now, and then select the correct operating system. You can then obtain instructions from our website on how to install the repository. With that information you can then install the software repository and install the latest version of Access Server. In the future you can then use the software repository to update your Access Server.

You need to know which operating system you’re on. All official OpenVPN Inc cloud images and appliance images that we released in 2018 and 2019 are Ubuntu 18 x64. But in case you need to be sure or don’t know what operating system you have, you can use the information below to figure this out.

Figure out your operating system:

cat /etc/issue
lsb_release -a
uname -a

You should get some useful information out of these commands. Some may fail in some situations, which is fine; you should still get the information you need. Below is an example of output from an older Access Server on Amazon AWS:

OpenVPN Access Server Appliance 2.1.9 \n \l
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
Linux openvpnas2 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This information tells us we are running Ubuntu 16.04.2 LTS on an x86_64 platform. Take a look at the information you are seeing on your system, and determine the operating system name and version number and whether it’s only x86 (32 bits) or x86_64 (64 bits). Based on which Linux operating system you have, look up the repository installation instructions on our software packages download page on our website. Select the operating system you use, and then in the selection drop-down select which version of that operating system you have. If we take the above example, you would here select Ubuntu 16 64bits.

You will then see a list of instructions that you can copy and paste to your server’s command line. These set up the software repository, download and install the latest Access Server version, and upgrade your existing installation. In the future you can use apt update and apt upgrade to update your system and the Access Server at the same time.

Note that there are 64 bits versions (x64) and 32 bits versions (x86). If your operating system is 64 bits, it is recommended to install the 64 bits version, but you can also install the 32 bits version (not recommended). If your operating system is 32 bits only then you cannot use the 64 bits version but must install the 32 bits version.

If you have an operating system version that is older than what we have listed, you may need to consider updating your whole system, including the operating system, instead. For example, we don’t offer downloads for CentOS 5 anymore, because CentOS 5 was not able to handle functions we now need to use for IPv6 support. Trying to install OpenVPN Access Server software that is designed for CentOS 6 on an older platform like CentOS 5 will result in failure. So installing an Access Server meant for a newer operating system than you have will usually fail. If, however, you install an Access Server meant for a slightly older operating system than you have, it will usually succeed. For example, the package for Ubuntu 16 64 bits may work on Ubuntu 17 64 bits.

We recommend that after the upgrade process has completed you reboot the server.


This completes the upgrade process.

Update the operating system

As time passes, a number of updates for the Linux operating system you are using may have been released. To ensure that your operating system is up to date the built-in package manager program can be used to retrieve the updates and install them. It is recommended to do this regularly to keep up with security fixes. To do so use these commands when logged on to the Access Server as a root user.

In Ubuntu/Debian systems:

apt-get update
apt-get upgrade

On a CentOS/Red Hat system it is similar:

yum update
yum upgrade

These updates only update packages within the version of the operating system you are on. If your Access Server is using a software repository to download and install packages, it will also upgrade the Access Server and the bundled Connect Clients. But these commands do not, for example, upgrade you from Debian 8 to Debian 9. Comparing it to Windows, it is like running Windows Update but staying with Windows 7, instead of upgrading to Windows 10. On Linux such a big upgrade from one version of the operating system to another is called a distribution upgrade, and while this can be done, chances are it will break your license key (but not Amazon AWS tiered instances) and you will need to contact us to have it reissued if that occurs. Generally we advise that if your operating system is too old, you should upgrade the entire operating system by reinstalling. Basically, make a backup of your system, start over with a new Access Server installation on a more up-to-date operating system, and then restore your data and license keys there. See this page on migrating your Access Server installation.

Prevent Access Server from updating

When you use the OpenVPN Access Server software repository, any time you run the commands to update your operating system you will also pull in the new Access Server release, if there is one, as well as new bundled Connect clients, if there are any. On our cloud images and our appliances for ESXi and Hyper-V we have pinned the openvpn-as package so that the Access Server program does not update when you simply want to install operating system updates. It can be unpinned and repinned with these commands:

Unpin the openvpn-as package:

apt-mark unhold openvpn-as

Repin the openvpn-as package:

apt-mark hold openvpn-as
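
Before running a routine operating system update, you can confirm that the pin is effective by simulating the upgrade and checking whether any Access Server package would be touched. This is an added example, not part of the original OpenVPN documentation; the function names, the --check switch and the sample simulation output (including its version strings) are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect whether an OS update would also upgrade Access Server.

# Constructed samples of `apt-get -s upgrade` output; versions are placeholders.
SAMPLE_UNHELD='Inst libexample1 [OLD] (NEW Ubuntu:18.04/bionic-updates [amd64])
Inst openvpn-as [OLD] (NEW example-repo [amd64])
Conf libexample1 (NEW Ubuntu:18.04/bionic-updates [amd64])
Conf openvpn-as (NEW example-repo [amd64])'
SAMPLE_HELD='The following packages have been kept back:
  openvpn-as
Inst libexample1 [OLD] (NEW Ubuntu:18.04/bionic-updates [amd64])
Conf libexample1 (NEW Ubuntu:18.04/bionic-updates [amd64])'

# Reads simulation output on stdin and prints every package whose name starts
# with openvpn-as that the run would install or upgrade ("Inst" lines).
# Exit status is 0 if at least one such package was found, 1 otherwise.
as_packages_in_simulation() {
    awk '$1 == "Inst" && $2 ~ /^openvpn-as/ { print $2; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Returns 0 when a plain OS update would leave Access Server alone,
# 1 when it would upgrade it, 2 when the simulation itself failed.
os_update_leaves_as_alone() {
    sim=$(apt-get -s upgrade) || return 2
    if hits=$(printf '%s\n' "$sim" | as_packages_in_simulation); then
        echo "OS update would also upgrade: $hits" >&2
        return 1
    fi
    return 0
}

# Simulation makes no changes; run with --check before apt-get upgrade.
if [ "${1:-}" = "--check" ]; then
    os_update_leaves_as_alone
fi
```

Held packages appear under "kept back" rather than as Inst lines, which is why the held sample yields no match.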