On Upgrading 2.3.18 to 2.6+
Posted: Mon Jun 05, 2023 9:26 pm
We have a large deployment all currently at 2.3.18. It consists of 4 servers (linux) and greater than 2000 clients (windows 10/7/XP -- I know, I know, please bear with me). All auth is by certificates and CCDs. This system has worked quite well for more than a decade. But it is time to upgrade.
Now I am faced with a quandary. I can easily upgrade all 4 servers at once. But upgrading the 2000+ clients (and any changes to their .ovpn files) will take a little time -- spread out at approx 100 per day. So in order not to lose connectivity, I have to make sure the new 2.6+ server will still connect to all older clients (we're talking BF-CBC) and then also connect to clients as they are upgraded to 2.6+. Or else, start by upgrading the clients to 2.6+ first and adjust them so they'll connect to the old 2.3.18 servers. Then have everything still work when I upgrade the servers later.
Reading through the docs, and playing with our dev environment, I was able to make a new client connect to the old server with --cipher AES-256-CBC on both. And vis-a-vis. But if I did that, then pre-upgraded clients (BF-CBC) would lose connection. If I tried to add BF-CBC to a list of ciphers on 2.6+, it would fail with "not supported".
Can anyone recommend any settings or a step-by-step workflow that would work with this scenario with minimal downtime?
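An added example, not from the poster or the OpenVPN project: before the server cutover, a small script can inventory the fleet's .ovpn files against the planned 2.6 cipher policy and flag the clients that would be cut off. It assumes a server policy of `data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC` plus `data-ciphers-fallback BF-CBC` (on an OpenSSL 3 build the fallback also needs `providers legacy default`), and uses a deliberately simplified model of cipher negotiation with constructed sample configs.

```python
from typing import Optional

# Planned 2.6 server policy (constructed values for this example)
SERVER_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "AES-256-CBC"]
SERVER_FALLBACK = "BF-CBC"  # data-ciphers-fallback, for non-negotiating 2.3 clients

def parse_ovpn(text: str) -> dict:
    """Minimal .ovpn parser: first word is the option, rest is its value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blanks and comment lines
            continue
        key, _, val = line.partition(" ")
        opts[key] = val.strip()
    return opts

def negotiated_cipher(opts: dict) -> Optional[str]:
    """Cipher the server would end up using, or None if the client is cut off.
    Simplified model (assumption): a config with no data-ciphers/ncp-ciphers is
    treated as a non-negotiating 2.3-style client that only offers its 'cipher'."""
    offered = opts.get("data-ciphers") or opts.get("ncp-ciphers")
    if "ncp-disable" in opts or not offered:
        c = opts.get("cipher", "BF-CBC")  # 2.3's default cipher is BF-CBC
        return c if c in SERVER_DATA_CIPHERS or c == SERVER_FALLBACK else None
    advertised = set(offered.split(":"))
    if "cipher" in opts:
        advertised.add(opts["cipher"])  # 2.5+ clients also offer their --cipher
    for s in SERVER_DATA_CIPHERS:  # server preference order decides
        if s in advertised:
            return s
    return None

def audit(configs: dict) -> dict:
    """Map client name -> negotiated cipher (None = would lose connectivity)."""
    return {name: negotiated_cipher(parse_ovpn(text)) for name, text in configs.items()}

# Constructed sample client configs standing in for the real fleet
SAMPLE_CLIENTS = {
    "old-xp-bfcbc.ovpn": "client\ndev tun\ncipher BF-CBC\nremote vpn.example.invalid 1194\n",
    "old-aes-cbc.ovpn": "client\ndev tun\ncipher AES-256-CBC\n",
    "new-2.6.ovpn": "client\ndev tun\ndata-ciphers AES-256-GCM:AES-128-GCM\n",
    "ncp-disabled.ovpn": "client\nncp-disable\ncipher AES-128-CBC\n",
}

if __name__ == "__main__":
    for name, cipher in audit(SAMPLE_CLIENTS).items():
        print(f"{name:22} -> {cipher or 'NO COMMON CIPHER'}")
```

Clients reported with no common cipher are the ones to migrate (or to cover with the fallback) before the servers move to 2.6.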