As I said, the client configuration is self-explanatory for users, but it only works well for Windows and Mac users, because client applications are provided only for Mac and Windows. Linux users are told to use the native "openvpn" command.
But there is a big caveat for Linux users when using the native openvpn command: "The server will not be able to push the dhcp-options to clients". The main issue is that the clients will not get the DNS server addresses, the default domain name and the domain search values.
As a result, users who connect to the Access Server from Linux will not be able to resolve the FQDNs of internal servers or the URLs of internal sites.
Also, the client configuration provided by the server, "client.ovpn", is a single file that carries the certificates and keys within the configuration file itself. This prevents its use with other OpenVPN client applications such as KVPNC or the NetworkManager GUI applet.
How to overcome these limitations?
It is easy to make a configuration compatible with the other openvpn clients like NetworkManager or Kvpnc.
Basically we need to split the given configuration "client.ovpn" to five files; "ca.crt", "client.crt", "client.key", "ta.key" and "new-client.ovpn".
We can do all this manually using a text editor, but I have made a simple shell script which will do this for us.
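#!/bin/bash
#
# Split the all-in-one client.ovpn into separate certificate and key files.
# The extracted files include the private key, so create them owner-only.
umask 077
# Extract each inline block and drop its opening and closing tag lines.
sed -n '/<ca>/,/<\/ca>/ p' client.ovpn |grep -v "<ca>" |grep -v "</ca>" >ca.crt
sed -n '/<cert>/,/<\/cert>/ p' client.ovpn |grep -v "<cert>" |grep -v "</cert>" >client.crt
sed -n '/<key>/,/<\/key>/ p' client.ovpn |grep -v "<key>" |grep -v "</key>" >client.key
sed -n '/<tls-auth>/,/<\/tls-auth>/ p' client.ovpn |grep -v "<tls-auth>" |grep -v "</tls-auth>" >ta.key
# Strip comment lines, then delete the inline blocks (<ca> through </tls-auth>).
grep -v "#" client.ovpn > client1.ovpn
sed '/<ca>/,/<\/tls-auth>/ d' client1.ovpn >new-client.ovpn
# Point the new configuration at the split files.
echo "ca ca.crt" >>new-client.ovpn
echo "cert client.crt" >>new-client.ovpn
echo "key client.key" >>new-client.ovpn
echo "tls-auth ta.key 1" >>new-client.ovpn
# Remove the original all-in-one file and the temporary copy.
rm client.ovpn client1.ovpn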
- Copy the above script and save it as "ovpn-split.sh" in the directory holding the "client.ovpn" file.
- Run $ chmod +x ovpn-split.sh
- Run the script as $ sh ovpn-split.sh
- Now you have all the files needed to use with KVPNC or NetworkManager clients.
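Before importing the split files into a client, it is worth checking that the extraction actually worked, since a pattern that matches nothing leaves empty files behind. The following is an added example, not part of the original post; the function name `verify_split` is hypothetical, and it assumes the file names produced by the script above.

```shell
# Added example (not from the original post): sanity-check the split output.
# verify_split is a hypothetical helper; usage: verify_split /path/to/dir
verify_split() {
    dir=${1:-.}
    rc=0
    fail() { echo "FAIL: $1" >&2; rc=1; }

    # Each extracted file must exist, be non-empty and carry the expected header.
    check_marker() {   # $1 = file name, $2 = header (extended regex)
        if [ ! -s "$dir/$1" ]; then
            fail "$1 is missing or empty"
        elif ! grep -Eq -- "$2" "$dir/$1"; then
            fail "$1 has no '$2' header"
        fi
    }
    check_marker ca.crt     '-----BEGIN CERTIFICATE-----'
    check_marker client.crt '-----BEGIN CERTIFICATE-----'
    check_marker client.key '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----'
    check_marker ta.key     '-----BEGIN OpenVPN Static key V1-----'

    # No inline block tag may survive in the extracted files or the new config.
    for f in ca.crt client.crt client.key ta.key new-client.ovpn; do
        if [ -f "$dir/$f" ] && grep -Eq '</?(ca|cert|key|tls-auth)>' "$dir/$f"; then
            fail "$f still contains an inline block tag"
        fi
    done

    # The new config must reference every split file.
    for d in 'ca ca.crt' 'cert client.crt' 'key client.key' 'tls-auth ta.key 1'; do
        grep -qxF -- "$d" "$dir/new-client.ovpn" 2>/dev/null ||
            fail "new-client.ovpn lacks the line '$d'"
    done

    # Key material must not be accessible to group or others (mode 600 or stricter).
    for f in client.key ta.key; do
        [ -f "$dir/$f" ] || continue
        case "$(ls -ld -- "$dir/$f")" in
            ????------*) ;;
            *) fail "$f is accessible to group/others; run chmod 600 on it" ;;
        esac
    done
    return $rc
}
```

The function returns 0 when every check passes and 1 otherwise, printing one line per failed check to stderr.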
How to Back Up the Access Server
The main difference between the AS and the open source version is that all the configuration in AS is stored in SQLite databases. So there is a chance of ending up with a corrupt DB copy if you archive the entire /usr/local/openvpn_as folder while the server is running. If the Access Server is not running, a full archive of the /usr/local/openvpn_as directory is good enough for restoring after a disaster.
For the running case, the AS installation comes with a utility, "sqlite3". It is easy to create the DB backup using the sqlite3 command, which allows the user to store the DB files as text files. For ease of regular use I have written a script which can be run regularly under cron, so you will have backups of all the DB files in text file format.
#!/bin/bash
#
# This script backs up the SQLite DBs using the sqlite3 utility that comes with the OpenVPN AS server.
# The dumps hold the certificate, configuration and user-property databases, so create them owner-only.
umask 077
# Set the script directory
COMMAND=/usr/local/openvpn_as/scripts
# Set the DB directory
DB_DIR=/usr/local/openvpn_as/etc/db
# Set the destination backup directory
BACKUP_DIR=/root/backup_db
# Create the backup directory if it does not exist yet
mkdir -p "$BACKUP_DIR"
#
for i in certs.db config.db log.db userprop.db
do
    "$COMMAND/sqlite3" "$DB_DIR/$i" .dump >"$BACKUP_DIR/$i.txt"
done
# In order to restore an SQLite DB from text, use the following command syntax:
#
# ./sqlite3 <[TEXT_FILE] [DB_FILE]
#
# While the DBs can be dumped while the Access Server is running, you should stop the Access Server before you restore the DBs.