Migrating configuration from openvpn-as back to free openvpn

piashaw
OpenVpn Newbie
Posts: 12
Joined: Thu May 10, 2018 9:01 am

Migrating configuration from openvpn-as back to free openvpn

Post by piashaw » Thu May 27, 2021 11:29 am

Hi,

We have been using the openvpn-as for the last year and at a cost of about 100 USD per annum for 10 licences, it was great. Now that the new subscription model has come in and even with the 40% discount for this year, it means a minimum cost is about 500 USD going up to 850 USD next year which is more than we can afford.

Can I migrate the whole server across to the free version, obviously giving up the nice UI? We are not using multiple servers etc.

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: Migrating configuration from openvpn-as back to free openvpn

Post by chilinux » Fri May 28, 2021 8:07 am

The product is not really designed to help export a configuration for OpenVPN Community Edition. There are several fundamentally different concepts between how CE is normally administered and how Access Server functions.

Things you can easily keep for migration are:

1) iptables / NAT configuration:
Just use the iptables-save and iptables-restore commands provided by your Linux distribution

2) OpenVPN client software
Both OpenVPN Connect v2 and v3 are compatible with OpenVPN CE

3) User/client OpenVPN configuration file template
The product is designed to export an OpenVPN user configuration file which you can view in any text file viewer and use as a guide

But the similarities for migration end there. OpenVPN Access Server is built around the configuration and certificates being stored in a database. OpenVPN Community Edition is normally used with the configuration information stored in files. Also, certificate management with CE is normally done with the Easy-RSA scripts which also handle everything via files. Breaking down the AS database into all these files isn't something AS supports.

It might be technically possible to convert these databases into CE compatible files, but this is probably more work than it is worth. I would recommend instead starting from scratch with Easy-RSA. Without the AS web interfaces, Easy-RSA is going to be your method of creating and revoking user certificates. Also, starting from scratch with the OpenVPN configuration file or following a guide online for the configuration file will put you in a better position to support it over the life of using the product. Depending on the configuration parameters OpenVPN AS chooses for you only makes sense when you have OpenVPN AS support to take responsibility for understanding why those parameters have been chosen.

The Community Project -> Server Administration section of the forum can provide further assistance.

As far as I know, a seamless migration from OpenVPN AS is outside of the scope of any part of this forum.
Last edited by chilinux on Fri May 28, 2021 11:27 pm, edited 1 time in total.

piashaw
OpenVpn Newbie
Posts: 12
Joined: Thu May 10, 2018 9:01 am

Re: Migrating configuration from openvpn-as back to free openvpn

Post by piashaw » Fri May 28, 2021 2:10 pm

Many thanks. I have recreated a separate server now from scratch. I'm trying to get my head around all the iptables rules now.

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: Migrating configuration from openvpn-as back to free openvpn

Post by chilinux » Fri May 28, 2021 9:40 pm

If you are familiar with iptables, you probably can reduce the rules down to your specific use case.

The rules they use seem to be extremely generalized and carefully engineered to make sure almost every possible use case is covered.

If you aren't familiar with iptables, you can try using theirs.

Some of the rules assume you will specify in the OpenVPN server's configuration file that you will name the "tun" virtual network interface something that begins with as0t. By default OpenVPN AS runs two OpenVPN servers, one for UDP connections and one for TCP connections. These then bring up virtual tun interfaces of as0t0 and as0t1.

They also make interesting use of the "mark" feature of iptables to keep track of the direction the packets are passing through that need to either have the destination or source IP changed for NAT. There are other ways of accomplishing the same goal but this method is probably what they found to be the best for general use.

piashaw
OpenVpn Newbie
Posts: 12
Joined: Thu May 10, 2018 9:01 am

Re: Migrating configuration from openvpn-as back to free openvpn

Post by piashaw » Sat May 29, 2021 6:50 am

Sadly, I only have a basic understanding of iptables so lots of learning!!!

Basically I have 10 pieces of equipment in the field. They are on GSM connections and they contact the VPN server and automatically log in (no password). I require the VPN so that we can access their webservers and do firmware uploads etc. As the units are dotted around, I couldn't find enough GSM providers who could give a genuine IP address for access from outside which is why I decided on using a VPN server.

So for example I use the range 10.10.10.10-20 for actual users eg me, and the range 10.10.10.100-110 for the units in the field.

What I would like is that the field units cannot see/communicate with anyone else on the network (or each other) (I would have no idea if someone has stolen / hacked one of their units) and the users in the range 10-20 need to be able to access the field units in the range 100-110.

I have no issues if the users can access each other, the VPN server and even the local network.

I am sure it can't be that complicated, I'm just trying to work out the forwarding, inputs, outputs etc. It seems to have changed slightly over the years and I am using a Debian Buster based system.

Cheers

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: Migrating configuration from openvpn-as back to free openvpn

Post by chilinux » Sat May 29, 2021 9:14 pm

What you seem to be asking for, if I read it correctly, is known as a Private VLAN. If you purchase a managed Ethernet network switch that supports private VLANs, you can set the VPN server to be on a primary port and put the units on ports to be isolated. They will be able to communicate with the VPN server but not with each other. However, this is a feature of the switch, not something provided by iptables.

piashaw
OpenVpn Newbie
Posts: 12
Joined: Thu May 10, 2018 9:01 am

Re: Migrating configuration from openvpn-as back to free openvpn

Post by piashaw » Sun May 30, 2021 5:26 am

I'll need to look into that more to understand the private VLAN, initial thoughts are that it would work in a wired network however in my case all the field units need to connect into the network from outside over GSM.

piashaw
OpenVpn Newbie
Posts: 12
Joined: Thu May 10, 2018 9:01 am

Re: Migrating configuration from openvpn-as back to free openvpn

Post by piashaw » Wed Jun 02, 2021 6:53 am

I think I will need to delve into iptables and learning about iroute etc to see if I can achieve what I need to do.
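
The access policy described earlier in the thread (users in 10.10.10.10-20 may reach field units in 10.10.10.100-110, while units may not open connections to anyone) written as a filter table in iptables-save format, as an added example that is not part of the thread and not the rule set OpenVPN AS ships. Assumptions: the tunnel interface is tun0, every client gets a fixed address in its range (for example with `ifconfig-push` in a `client-config-dir` file), and the server config does not enable `client-to-client`, because that option forwards packets between clients inside OpenVPN where iptables never sees them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: interface tun0,
# users 10.10.10.10-20, field units 10.10.10.100-110.

# Print a complete filter table (iptables-save format) for the given
# tunnel device, user address range and field-unit address range.
vpn_ruleset() {
    dev=$1 users=$2 units=$3
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:VPN_FWD - [0:0]
# Everything arriving from the tunnel is judged by VPN_FWD.
-A FORWARD -i $dev -j VPN_FWD
# Replies from the local network to connections a VPN user opened.
-A FORWARD -o $dev -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Replies on existing connections: the only traffic a unit may send.
-A VPN_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Users may open connections to units, other users and the local network.
-A VPN_FWD -m iprange --src-range $users -j ACCEPT
# A unit opening a connection is logged (rate limited), then dropped.
-A VPN_FWD -m iprange --src-range $units -m limit --limit 6/min -j LOG --log-prefix "vpn-unit-blocked: "
-A VPN_FWD -j DROP
# Units may not open connections to services on the VPN server itself.
-A INPUT -i $dev -m iprange --src-range $units -m conntrack --ctstate NEW -j DROP
COMMIT
EOF
}

# Print the rule set for the address plan used in the thread.
vpn_ruleset tun0 10.10.10.10-10.10.10.20 10.10.10.100-10.10.10.110
```

Save the output to a file and check it with `iptables-restore --test` before loading it. Loading it replaces the existing filter table, so merge in any rules the host already relies on.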
