upgrade 2.9 issue

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
frank3427
OpenVpn Newbie
Posts: 3
Joined: Thu Oct 22, 2020 4:03 pm

upgrade 2.9 issue

Post by frank3427 » Sat Jun 19, 2021 3:16 pm

I upgraded my 2.8.8 installation to 2.9

after the upgrade I was not able to get the web interface. I did not find running process as in 2.8.8

2.8.8
root@vpn:~# ss -tupln | grep openvpn
udp UNCONN 0 0 10.108.24.21:1194 0.0.0.0:* users:(("openvpn-openssl",pid=1487,fd=5))
tcp LISTEN 0 32 10.108.24.21:443 0.0.0.0:* users:(("openvpn-openssl",pid=1475,fd=5))
root@vpnc:~#

2.9.0
root@vpn:~# ss -tupln | grep openvpn

I rollback to 2.8.8 an everything comes back

chilinux
OpenVPN Power User
Posts: 104
Joined: Thu Mar 28, 2013 8:31 am

Re: upgrade 2.9 issue

Post by chilinux » Sat Jun 19, 2021 10:27 pm

OpenVPN Access Server 2.9.0 has several major changes including being modified to work in Python v3. It is possible not all the options/features have been fully tested for regression issues yet.

As long as the rollback to 2.8.8 is working for you, it is probably best to stay with that.

If you open a ticket with support, the should eventually be able to look into what is causing the issue.

If you want to troubleshoot the problem yourself, attempt accessing the admin web server on port 943 instead of 443. Also, take a look at the server logs from a system shell.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 220
Joined: Tue Feb 16, 2021 10:41 am

Re: upgrade 2.9 issue

Post by openvpn_inc » Mon Jun 21, 2021 3:32 pm

Hello frank,

You should contact us on the support ticket system at https://openvpn.net/support

We can then gather some information on your exact situation and where it went wrong, and provide steps to correct the problem. We are very interested to learn details about the problem you have experienced. If we can get the details of what went wrong, we can work on solving it. However, please do not post such details on this public forum. Please use our support ticket system, as that is secure.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

beerfloat
OpenVpn Newbie
Posts: 1
Joined: Fri Apr 02, 2021 3:58 pm

Re: upgrade 2.9 issue

Post by beerfloat » Tue Jun 22, 2021 6:29 pm

Well this is not great. You pushed 2.9.1 through automatic repositories like (in my case) yum, and when installed users can't connect anymore.
I find out connections only start working again after they redownload profiles.

This is not what I expect from commercial software.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 220
Joined: Tue Feb 16, 2021 10:41 am

Re: upgrade 2.9 issue

Post by openvpn_inc » Wed Jun 23, 2021 11:17 am

Hello beerfloat,

We do the absolute maximum effort to ensure compatibility with all previous versions of OpenVPN Access Server, even going back to versions of 10 years ago. We do extremely extensive tests covering well over a thousand cases. But it is still possible that we missed some particular case. We request that you contact us on our support ticket system so that we can get details of your configuration, so that we can either give you the commands to resolve your problem, or if it is a bug, that we solve it on our end in the next release.

We would love to investigate further regarding the issue you just reported. The support ticket system at https://openvpn.net/support is the right place to securely send us some log files and other information we might need to find out what happened and solve it if possible.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

chilinux
OpenVPN Power User
Posts: 104
Joined: Thu Mar 28, 2013 8:31 am

Re: upgrade 2.9 issue

Post by chilinux » Thu Jun 24, 2021 8:01 pm

I'm not sure it is completely to OpenVPN AS' advantage to claim the absolute maximum effort is already being done. It makes it sound like there is no room for improvement or that OpenVPN AS is not willing discuss the possibilities for improvement.

I would agree that OpenVPN AS has done an amazing job at testing the majority of the product. But the degree to which it has always ensured compatibility going back over 10 years has not always been true. If you go back far, you could enable Layer 2 / TAP VPN but the upgrade would no longer honor the configuration. It is simply not part of the core product and overly complicated it but removing it also impacts behavior. More recently, post_auth script users may have needed to update their scripts twice over the last year. Once when the python LDAP module was changed and a second when the product moved to python v3.

More importantly, for the most part, OpenVPN AS still take a very hands off approach to the upgrade path. It is left to the customer to track the release notes and perform upgrades external to the OpenVPN AS web portal. For someone that can act as an active system administrator, that is fine. For a novice that is expecting more of an appliance that takes care of itself, this might come as a disappointment.

Here are some thing I think might help (or possibly not) improve the experience for novice users:

(1) Include daily update checks on the Status Overview page. Make it easy for the admin to tell from the web portal when the OS or OpenVPN AS has an upgrade available.

(2) Include the option for update check emails to be sent to an administrator email address.

(3) Build an additional package that can perform checks for known issues that might impact upgrades and issue a warning. For example, an openvpn-as-upchk package for 2.8.8 may issue a warning to users with post_auth enabled that they may need to modify their script to upgrade.

(4) Make being able to schedule automated upgrades part of the web portal. The interface should make it easy for OS security updates to be applied and if there is no pending warning for upgrading to also perform upgrades of OpenVPN AS itself.

(5) Automate client side health checks and rollback for upgrades. It should be possible for the service that starts up OpenVPN AS for the first time after the upgrade to confirm the expected processes start without error and that the expected network ports are listen to. If the upgrade doesn't pass an automated upgrade inspection, it should revert the upgrade and notify the administrator via the Status Overview page and email.

(6) Add better telemetry/diagnostic collection tools. Other products I deal with include a script for gathering logs and other details about a system for the customer to run whenever unexpected behavior takes place. This helps expedite support.

(7) Have more than one concurrent release repository. Some other products have more than one release such as a "stable" and a "feature" release. In some cases this goes as far as being three different releases such as stable, beta and canary. The OpenVPN AS product goes straight from in-house testing to stable. There appears to be no option for customers to be part of an early-release group.

(8) Please be more transparent about known issues. I reported something back in February which was finally acknowledged by support a month later. However, it is still not publicly acknowledged at all. That leaves me wondering what other things OpenVPN AS support knows doesn't work as documented but no customer facing information is provided to help them plan accordingly.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 220
Joined: Tue Feb 16, 2021 10:41 am

Re: upgrade 2.9 issue

Post by openvpn_inc » Fri Jun 25, 2021 11:29 am

Hello chilinux,

Your feedback is noted. Many of the items are already on our roadmap, however.

Just a note on Layer 2 - that still exists even now in AS 2.9. It's just hidden by default on a fresh install because we deprecated this feature. It's still present but due to it being deprecated we do not provide support for it anymore.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

chilinux
OpenVPN Power User
Posts: 104
Joined: Thu Mar 28, 2013 8:31 am

Re: upgrade 2.9 issue

Post by chilinux » Fri Jun 25, 2021 12:38 pm

openvpn_inc wrote:
Fri Jun 25, 2021 11:29 am
Hello chilinux,

Your feedback is noted. Many of the items are already on our roadmap, however.
Is the roadmap available to customers anyplace?

It would be nice to have access to that and be able to see some sort of status or ETA for roadmap items. As it is, I can't even get any form of meaningful status update on the bug I filed.
openvpn_inc wrote:
Fri Jun 25, 2021 11:29 am
Just a note on Layer 2 - that still exists even now in AS 2.9. It's just hidden by default on a fresh install because we deprecated this feature. It's still present but due to it being deprecated we do not provide support for it anymore.
I'm glad it is hidden. I was not asking for it to ever come back, I was just pointing out that things change over time (and with good reason). I was only making an example of it to lead up to my point that OpenVPN AS may benefit from taking a more active role on the upgrade path.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 220
Joined: Tue Feb 16, 2021 10:41 am

Re: upgrade 2.9 issue

Post by openvpn_inc » Tue Jun 29, 2021 12:45 pm

Hello chilinux,

No, our roadmap is not published at this time, sorry.

If you let me know the ticket number of the ticket you sent in, I can personally review your case and provide a response in that ticket.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply