How to Migrate an OpenVPN Access Server

Rahul wath

Issue: I already have a license. How do I increase the amount?

Prerequisites

  • An installed Access Server.

  • Knowledge of your server's license type (covered in step 1).

  • Knowledge of how clients connect — via IP address or hostname (covered in step 2).

Step 1: Understand your license type's behavior for an upgrade

  1. Sign in to the Admin Web UI.

  2. Click Configuration > Activation.

  3. Take note of your activated license key to determine the type. For a description and examples of the license types available, refer to License keys for Access Server.

  4. Now that you know your license type, refer to the appropriate section below to understand how it affects an upgrade/migration.

AWS tiered subscriptions

You can purchase your connections through AWS when you launch a pre-licensed Amazon AWS image. Amazon's system then manages licensing and billing for your instances. You can set up a new instance and migrate your data there.

For example, if you want to switch from a 10 connected devices instance to a 25 connected devices instance, you would back up your old instance's Access Server configuration, restore it to the new instance, update the DNS record pointing to your Access Server or reattach the old Elastic IP to the new instance, and then take the old instance down (to avoid incurring extra costs).

Step 2: Ensure a smooth end-user experience

Your users and clients can connect to your Access Server in two ways:

  1. Using the server's IP address.

  2. Using a fully-qualified domain name (FQDN) or hostname.

If you use the server IP address

If your clients connect using the IP address, this will likely change when you migrate servers, and clients will no longer be able to connect. Existing client installations will need to download new connection profiles—unless you can associate the same IP address with the new server (such as with an Elastic IP in AWS).

We recommend setting up a proper hostname, such as vpn.yourcompany.com, so you don't have to update clients and connections should the server's IP address change.

If you use the hostname

If your clients connect using the hostname, you’ll only need to update the DNS A record with the new IP address once you’ve migrated servers.

Step 3: Make an Access Server configuration backup

Create backup files

The following commands apply to the Access Server configuration stored in SQLite files. If you are using a different database backend, these are not applicable.

Use the commands below to create configuration file backups while Access Server is live. You don’t need to stop the Access Server for this; it can continue running.

  • Sign in to the Access Server console with root privileges.

  • Run these commands to create Access Server configuration backups:

# Install the sqlite3 command-line tool (apt-based or yum-based systems)
which apt > /dev/null 2>&1 && apt -y install sqlite3
which yum > /dev/null 2>&1 && yum -y install sqlite
cd /usr/local/openvpn_as/etc/db
# Dump each database that exists to a .bak file in /usr/local/openvpn_as/
[ -e config.db ] && sqlite3 config.db .dump > ../../config.db.bak
[ -e certs.db ] && sqlite3 certs.db .dump > ../../certs.db.bak
[ -e userprop.db ] && sqlite3 userprop.db .dump > ../../userprop.db.bak
[ -e log.db ] && sqlite3 log.db .dump > ../../log.db.bak
[ -e config_local.db ] && sqlite3 config_local.db .dump > ../../config_local.db.bak
[ -e cluster.db ] && sqlite3 cluster.db .dump > ../../cluster.db.bak
[ -e notification.db ] && sqlite3 notification.db .dump > ../../notification.db.bak
# Copy the main configuration file as well
cp ../as.conf ../../as.conf.bak

  • After running these commands, the backup files ending in .bak can be found in the /usr/local/openvpn_as/ directory. The files contain everything unique about your Access Server installation.

You can restore the resulting backup files to another Access Server, including a higher version of Access Server, as we try to do our best to maintain backward compatibility.

If the configuration becomes completely lost at any point, all currently installed OpenVPN clients will be unable to connect to this server. Unique information stored in the certificates database cannot be recreated. Each installation of Access Server has unique certificates, and if you lose this information without a backup, you must completely reinstall Access Server and the VPN clients.
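
Because a lost or damaged certs.db backup cannot be recreated, it is worth confirming that each .bak file replays into a working database before the old server is shut down. The following is an added example, not part of the original article or of OpenVPN's tooling: it uses Python's standard sqlite3 module, and the demo_certs table and make_sample helper are constructed stand-ins, not the real Access Server schema.

```python
import os, sqlite3, sys
from pathlib import Path

def table_counts(conn):
    """Map each user table to its row count."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    return {n: conn.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}

def verify_dump(bak_path, live_db=None):
    """Replay a .dump file into a scratch in-memory DB; return a list of problems."""
    bak, problems = Path(bak_path), []
    if bak.stat().st_mode & 0o077:               # the dump of certs.db holds private keys
        problems.append("backup accessible to group/other; chmod 0600")
    scratch = sqlite3.connect(":memory:")
    try:
        scratch.executescript(bak.read_text(encoding="utf-8"))
    except sqlite3.Error as exc:                 # cut off mid-statement or corrupted
        return problems + [f"dump does not replay: {exc}"]
    if scratch.in_transaction:                   # BEGIN seen, final COMMIT missing
        problems.append("dump ends mid-transaction (truncated?)")
    if scratch.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
        problems.append("integrity_check failed")
    restored = table_counts(scratch)
    if not restored:
        problems.append("dump restored no tables")
    if live_db is not None:                      # optional comparison with the source DB
        live = sqlite3.connect(f"file:{live_db}?mode=ro", uri=True)
        if table_counts(live) != restored:
            problems.append("row counts differ from live database")
        live.close()
    scratch.close()
    return problems

def make_sample(directory):
    """Constructed stand-in for certs.db and its .dump output (not the real schema)."""
    db, bak = Path(directory, "certs.db"), Path(directory, "certs.db.bak")
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE demo_certs (name TEXT, pem TEXT)")
    conn.executemany("INSERT INTO demo_certs VALUES (?, ?)", [("ca", "x"), ("server", "y")])
    conn.commit()
    bak.write_text("\n".join(conn.iterdump()) + "\n", encoding="utf-8")
    conn.close()
    os.chmod(bak, 0o600)
    return db, bak

if __name__ == "__main__":
    for path in sys.argv[1:]:                    # e.g. /usr/local/openvpn_as/*.db.bak
        print(path, verify_dump(path) or "OK")
```

When comparing against a live database on a running server, expect log.db to differ, since it keeps receiving rows after the dump is taken.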

Step 4: Launch your new Access Server

Step 5: Restore the backup files to the new server

Restore the backup files

While creating backups can be done with Access Server up and running, restoring a backup to a new installation of Access Server must be done with the Access Server service turned off. We assume you have an Access Server installation to which you wish to restore a backup set. Our instructions on restoring a backup include steps to stop the Access Server service, restore the backup set, and start the Access Server service again.

  • Sign in to the console with root privileges.

  • Run these commands to stop the Access Server service and restore the backup:

# Stop Access Server before touching its databases
service openvpnas stop
which apt > /dev/null 2>&1 && apt -y install sqlite3
which yum > /dev/null 2>&1 && yum -y install sqlite
cd /usr/local/openvpn_as/etc/db
# For each backup that exists, remove the current database and rebuild it from the dump
[ -e ../../config.db.bak ] && (rm -f config.db; sqlite3 < ../../config.db.bak config.db)
[ -e ../../certs.db.bak ] && (rm -f certs.db; sqlite3 < ../../certs.db.bak certs.db)
[ -e ../../userprop.db.bak ] && (rm -f userprop.db; sqlite3 < ../../userprop.db.bak userprop.db)
[ -e ../../log.db.bak ] && (rm -f log.db; sqlite3 < ../../log.db.bak log.db)
[ -e ../../config_local.db.bak ] && (rm -f config_local.db; sqlite3 < ../../config_local.db.bak config_local.db)
[ -e ../../cluster.db.bak ] && (rm -f cluster.db; sqlite3 < ../../cluster.db.bak cluster.db)
[ -e ../../notification.db.bak ] && (rm -f notification.db; sqlite3 < ../../notification.db.bak notification.db)
[ -e ../../as.conf.bak ] && cp ../../as.conf.bak ../as.conf
# Restrict the restored databases and configuration file to their owner
chmod 0600 /usr/local/openvpn_as/etc/db/*.db
chmod 0600 /usr/local/openvpn_as/etc/as.conf
service openvpnas start

  • These commands restore the configuration backup.

Step 6: Test with the local hosts file

Before you switch over to the new server and shut down your old server, you can test a connection from your machine using the local hosts file.

  1. Open the hosts file with administrator privileges.

  2. Add the IP address of your new VPN server.

  3. Point it to your hostname, such as vpn.yourcompany.com.

  4. Test your connections to the new server:

    • Can you access the Admin and Client Web UIs?

    • Can you connect to the VPN server with your existing OpenVPN Connect connection profile?

  5. Once your tests pass, you can update the DNS record to point to your new server so all users switch over.


Stay tuned!

Thanks for reading! Be sure to follow and subscribe for more updates and upcoming blogs.
