Magnus Wedberg / home

Migrate an IPCop OpenVPN installation from 1.4.x to 2.0.x
If you use the IPCop Linux router distribution with the old Zerina add-on for OpenVPN client support, and have dozens to hundreds of client certificates, you might be unwilling to upgrade, as there is no official migration path. After discussions in the forums and some experiments, I present the following method of migrating close to all OpenVPN settings and certificates.

Be warned
I don't know how this will affect your pre-existing IPsec networks using certs. You have been warned. I have only tested this on pre-existing OpenVPN-only installations moving to completely fresh identical ones.

This is TUN only!
You must change all your client settings files anyway if using DEV TAP. Only TUN is supported in IPCop 2.x... at least through the GUI. Instructions still apply, but with an additional layer of upfudgery.

What isn't migrated?
You will have to copy and fill in all "main" and "advanced" settings (pushed routes etc.) by hand, as the settings file isn't identical between the versions, and this is easy to fix anyway. It's the old file /var/ipcop/ovpn/settings that should simply be moved to /var/ipcop/openvpn/settings, but I wouldn't recommend it.

What I would recommend is creating an OpenVPN installation with the exact same configuration (IP range etc.) as the old one, including creating CA certs of course, and then following the instructions below to overwrite those files with the ones from the old installation.

Afterwards, we are going to collect all important files from the old installation, copy them to the new system, and distribute them to their new locations and names.

Enter the following commands on the server you are migrating from:

mkdir /root/ovpnmig
cp /var/ipcop/ovpn/ca/cacert.pem /root/ovpnmig/cacert.pem
cp /var/ipcop/ovpn/ca/cakey.pem /root/ovpnmig/cakey.pem
cp /var/ipcop/ovpn/ca/dh1024.pem /root/ovpnmig/dh1024.pem
cp /var/ipcop/ovpn/certs/servercert.pem /root/ovpnmig/servercert.pem
cp /var/ipcop/ovpn/certs/serverkey.pem /root/ovpnmig/serverkey.pem
cp /var/ipcop/ovpn/certs/serial /root/ovpnmig/serial
cp /var/ipcop/ovpn/certs/index.txt /root/ovpnmig/index.txt
cp /var/ipcop/ovpn/certs/index.txt.attr /root/ovpnmig/index.txt.attr
cp /var/ipcop/ovpn/crls/cacrl.pem /root/ovpnmig/cacrl.pem
cp /var/ipcop/ovpn/ovpnconfig /root/ovpnmig/ovpnconfig
cp /var/ipcop/ovpn/certs/*.pem /root/ovpnmig/
cp /var/ipcop/ovpn/certs/*.p12 /root/ovpnmig/

If using PuTTY, you can copy/paste (right click in PuTTY) the whole code section above.

Then move the directory /root/ovpnmig to the same location on the new installation, and...

Enter the following commands on the newer 2.x installation:

# CA certificate, CA private key and DH parameters
mv /root/ovpnmig/cacert.pem /var/ipcop/ca/cacert.pem
mv /root/ovpnmig/cakey.pem /var/ipcop/private/cakey.pem
mv /root/ovpnmig/dh1024.pem /var/ipcop/private/dh1024.pem
# Server certificate and key (renamed to hostcert/hostkey in 2.x)
mv /root/ovpnmig/servercert.pem /var/ipcop/certs/hostcert.pem
mv /root/ovpnmig/serverkey.pem /var/ipcop/certs/hostkey.pem
# CA database, serial counter and CRL
mv /root/ovpnmig/index.txt /var/ipcop/certs/index.txt
mv /root/ovpnmig/index.txt.attr /var/ipcop/certs/index.txt.attr
mv /root/ovpnmig/serial /var/ipcop/certs/serial
mv /root/ovpnmig/cacrl.pem /var/ipcop/crls/cacrl.pem
# OpenVPN connection list, then the remaining .pem files and the .p12 bundles
mv /root/ovpnmig/ovpnconfig /var/ipcop/openvpn/config
mv /root/ovpnmig/*.pem /var/ipcop/openvpn/certs/
mv /root/ovpnmig/*.p12 /var/ipcop/openvpn/certs/
# Make sure the OpenVPN certs directory has an index.txt and a serial set to 01
touch /var/ipcop/openvpn/certs/index.txt
touch /var/ipcop/openvpn/certs/serial
echo 01 > /var/ipcop/openvpn/certs/serial
# Create an empty rootcertsettings file (values are filled in below)
touch /var/ipcop/vpn/rootcertsettings
echo ROOTCERT_OU= > /var/ipcop/vpn/rootcertsettings
echo ROOTCERT_EMAIL= >> /var/ipcop/vpn/rootcertsettings
echo ROOTCERT_HOSTNAME= >> /var/ipcop/vpn/rootcertsettings
echo ROOTCERT_CITY= >> /var/ipcop/vpn/rootcertsettings
echo ROOTCERT_STATE= >> /var/ipcop/vpn/rootcertsettings
echo ROOTCERT_COUNTRY= >> /var/ipcop/vpn/rootcertsettings
echo ROOTCERT_ORGANIZATION= >> /var/ipcop/vpn/rootcertsettings
# Ownership of everything that was moved or created
chown nobody:nobody /var/ipcop/ca/cacert.pem
chown nobody:nobody /var/ipcop/private/*
chown nobody:nobody /var/ipcop/certs/*
chown nobody:nobody /var/ipcop/crls/cacrl.pem
chown nobody:nobody /var/ipcop/openvpn/config
chown nobody:nobody /var/ipcop/openvpn/certs/*
chown nobody:nobody /var/ipcop/vpn/rootcertsettings

Then edit the settings file:

nano /var/ipcop/vpn/rootcertsettings

...and give values to ROOTCERT_HOSTNAME (same as, well, your root cert, which might be an IP), ROOTCERT_COUNTRY (two-letter country code, such as US or SE) and ROOTCERT_ORGANIZATION (the org named in your root cert). The only effect of this is to pre-fill fields when adding new clients, but that is nice to have.
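
A pre-flight check for the staging directory, to run as root on the 2.x system before the mv commands above. This is an added example, not part of the original article; the function names check_staging and no_group_other are hypothetical, and the file list is taken from the cp commands.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight check of the
# staging directory, run as root on the 2.x system before the mv commands.

# Named files taken from the cp list in the article.
EXPECTED="cacert.pem cakey.pem dh1024.pem servercert.pem serverkey.pem
serial index.txt index.txt.attr cacrl.pem ovpnconfig"

# no_group_other PATH: succeeds if PATH grants nothing to group or other.
no_group_other() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_staging [DIR]: returns 0 if DIR is complete and private, else 1.
check_staging() {
    dir=${1:-/root/ovpnmig}
    rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    # A cp that failed inside a pasted block is easy to miss. A missing file
    # here means the matching mv fails and the fresh install keeps its own copy.
    for f in $EXPECTED; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f" >&2; rc=1; }
    done

    # cakey.pem, serverkey.pem and the .p12 bundles contain private keys.
    for p in "$dir" "$dir/cakey.pem" "$dir/serverkey.pem" "$dir"/*.p12; do
        [ -e "$p" ] || continue
        no_group_other "$p" || { echo "group/other access: $p" >&2; rc=1; }
    done
    return $rc
}

# Usage: check_staging /root/ovpnmig && echo "staging directory OK"
```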

An additional note
2.0.x introduces something new; .pem files are now not only located in /var/ipcop/openvpn/certs but in /var/ipcop/certs as well. But there, they won't have their real names but rather their "serial-number-names", so that (for example) YourName.pem is duplicated as 12.pem. This seems to have no real use, but it's an observation. If you want to copy the pem files to this location too and change the names manually, you can use /var/ipcop/certs/index.txt to translate. However, it seems to work anyway. YMMV.
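
The index.txt translation mentioned above, as an added example that is not part of the original article. It assumes that a client's file name equals the CN in its certificate subject and that the serial-number name uses the serial exactly as written in index.txt; the function names serial_map and plan_copies are hypothetical, and the copy commands are only printed for review, not run.

```shell
#!/bin/sh
# Added example, not from the original article.
# OpenSSL index.txt has one tab-separated line per certificate:
#   status (V/R/E), expiry, revocation date, serial (hex), file name, subject
# Constructed sample line (fields separated by tabs, revocation date empty):
#   V  300101000000Z    0C  unknown  /C=SE/O=Example/CN=YourName

# serial_map [INDEX]: print "serial<TAB>status<TAB>CN" for every entry.
serial_map() {
    awk -F'\t' '
        NF >= 6 {
            cn = ""
            n = split($6, rdn, "/")
            for (i = 1; i <= n; i++)
                if (rdn[i] ~ /^CN=/) cn = substr(rdn[i], 4)
            print $4 "\t" $1 "\t" cn
        }' "${1:-/var/ipcop/certs/index.txt}"
}

# plan_copies INDEX SRC DST: print the cp commands that would give each
# still-valid certificate found in SRC its serial-number name in DST.
plan_copies() {
    serial_map "$1" | while IFS="$(printf '\t')" read -r serial status cn; do
        [ "$status" = "V" ] || continue     # skip revoked and expired entries
        [ -f "$2/$cn.pem" ] || continue     # assumption: file name equals CN
        printf 'cp "%s" "%s"\n' "$2/$cn.pem" "$3/$serial.pem"
    done
}

# Usage (review the output before running any of it):
#   plan_copies /var/ipcop/certs/index.txt /var/ipcop/openvpn/certs /var/ipcop/certs
```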

