7

I recently installed the OpenVPN Access Server on a VPS and it's great. However, now that I have it running I want to switch over to the Community Edition because I do not want to deal with purchasing licenses and I think the C.E. will do everything I need it to. I was wondering if anyone knows whether there is a simple way to switch from AS to CE and keep my current configuration settings without having to reinstall the whole thing and regenerate the keys and certificates? Any help would be greatly appreciated.

Chev_603

1 Answer

7

This is an old question, but I would like to answer it in case someone else is trying to do the same thing. To switch from OpenVPN-AS to the Community Edition and keep the same configuration, the server.crt, server.key, dh.pem, and ca.crt used on the Access Server need to be referenced in the new Community Edition server.conf file. Since by default A.S. uses PAM authentication for dual authentication, the new C.E. server must be configured this way as well. This line needs to be added to the server.conf:

plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn

Then the file /etc/pam.d/openvpn needs to be created, with these lines:

auth       sufficient   /lib/security/pam_radius_auth.so debug
account    sufficient    /lib/security/pam_radius_auth.so

Any other options defined in the A.S.-generated config need to be referenced in the server.conf file as well (such as port number, proto, comp-lzo, cipher, etc.). Since I could not figure out where or how those files are stored when using Access Server, I opted to simply uninstall openvpn-as and start over.

In conclusion, I decided to rebuild the configuration from scratch because it was easier, and it also made sense to learn how to properly deploy a Community Edition OpenVPN server myself. I opted not to use PAM authentication, and instead used easyrsa3 to set up the server and client certificates, using a separate machine as the certificate authority for enhanced security. I also used the tls-auth option (incorporating a 'ta.key' as an HMAC firewall to help prevent denial of service attacks).

My advice to anyone wanting to switch from the Access Server to the Community Edition is to start from scratch: uninstall A.S. and install the openvpn package, generate new certificates and keys, and most importantly, use a separate machine to sign the certificate requests.

MrG
Chev_603
  • About "use a separate machine to sign the certificate requests", could you point me to some useful docs, please? Anyway, great answer! – realtebo Jul 25 '18 at 20:41
  • Sure, the instructions that I use are here: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto – Chev_603 Jul 29 '18 at 19:22
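The rebuild the answer above recommends (new keys and certificates, a separate machine as the CA, and a ta.key for tls-auth), carried out with plain openssl rather than easyrsa3, as an added example that is not part of the original question, answer, or any OpenVPN or EasyRSA project code. It assumes three scratch directories standing in for the offline CA machine, the VPS and one client, a hypothetical CA name "Example VPN CA" and client name "client1", the OpenVPN default 10.8.0.0/24 on UDP 1194, OpenVPN 2.4 or newer for "dh none", and an openssl binary on the path. The ta.key it writes uses the same "OpenVPN Static key V1" layout that "openvpn --genkey secret" produces, so it works without OpenVPN installed on the CA host.

```shell
#!/bin/sh
# Added example, not code from the question, the answer, OpenVPN or EasyRSA:
# the "separate CA machine" rebuild done with plain openssl. Three scratch
# directories stand in for the offline CA, the VPS and one client (an assumption
# of this demo); the CA private key is created in CA_DIR and never copied out.
set -eu

VPN_WORK=${VPN_WORK:-$(mktemp -d)}
CA_DIR="$VPN_WORK/ca-machine"
SRV_DIR="$VPN_WORK/vpn-server"
CLI_DIR="$VPN_WORK/client1"

# CA machine: self-signed CA cert, extensions from an explicit extfile so the
# result does not depend on whichever openssl.cnf the host ships.
make_ca() {
  mkdir -p "$CA_DIR"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$CA_DIR/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example VPN CA" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.csr" 2>/dev/null
  openssl x509 -req -in "$CA_DIR/ca.csr" -signkey "$CA_DIR/ca.key" -days 3650 \
    -extfile "$CA_DIR/ca.ext" -out "$CA_DIR/ca.crt" 2>/dev/null
  chmod 600 "$CA_DIR/ca.key"
}

# Server or client: private key plus CSR. Only the CSR is carried to the CA.
make_req() {  # $1 = directory, $2 = common name (also the file stem)
  mkdir -p "$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  chmod 600 "$1/$2.key"
}

# CA machine: sign a CSR for one role. The extendedKeyUsage is what
# "remote-cert-tls server|client" verifies on the peer, so a client cert
# issued here cannot be replayed as a server certificate.
sign_req() {  # $1 = csr, $2 = server|client, $3 = output cert
  case "$2" in
    server) eku=serverAuth ;;
    client) eku=clientAuth ;;
    *) echo "sign_req: role must be server or client" >&2; return 1 ;;
  esac
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$eku" > "$CA_DIR/$2.ext"
  openssl x509 -req -in "$1" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
    -CAcreateserial -days 825 -extfile "$CA_DIR/$2.ext" -out "$3" 2>/dev/null
}

# ta.key in the "OpenVPN Static key V1" layout that "openvpn --genkey secret"
# writes: 256 random bytes as 16 lines of 32 hex characters.
make_ta_key() {  # $1 = output path
  {
    echo '-----BEGIN OpenVPN Static key V1-----'
    openssl rand -hex 256 | fold -w 32
    echo '-----END OpenVPN Static key V1-----'
  } > "$1"
  chmod 600 "$1"
}

# server.conf wired to the files above. "dh none" (OpenVPN 2.4+) uses ECDH; to
# keep an A.S.-style dh.pem, run "openssl dhparam -out dh.pem 2048" on the
# server and change that line to "dh dh.pem".
write_server_conf() {
  cat > "$SRV_DIR/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh none
tls-auth ta.key 0
remote-cert-tls client
cipher AES-256-GCM
user nobody
group nogroup
EOF
}

build_pki() {
  make_ca
  make_req "$SRV_DIR" server
  sign_req "$SRV_DIR/server.csr" server "$SRV_DIR/server.crt"
  make_req "$CLI_DIR" client1
  sign_req "$CLI_DIR/client1.csr" client "$CLI_DIR/client1.crt"
  make_ta_key "$SRV_DIR/ta.key"
  cp "$CA_DIR/ca.crt" "$SRV_DIR/"                    # public CA cert only
  cp "$CA_DIR/ca.crt" "$SRV_DIR/ta.key" "$CLI_DIR/"  # client side uses "tls-auth ta.key 1"
  write_server_conf
}

# Check that a cert chains to the CA and carries the EKU the peer will demand.
verify_cert() {  # $1 = cert, $2 = "TLS Web Server Authentication" or "TLS Web Client Authentication"
  openssl verify -CAfile "$CA_DIR/ca.crt" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

build_pki
echo "PKI written under $VPN_WORK; ca.key exists only in $CA_DIR"
```

On a real deployment the three directories are three machines: only server.csr and client1.csr travel to the CA host, only the signed .crt files and the public ca.crt come back, and ca.key stays offline. The client config then needs the mirror-image lines "tls-auth ta.key 1" and "remote-cert-tls server", which together with the serverAuth EKU stop a stolen client certificate from being used to impersonate the server.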