Easy method of switching from OpenVPN Access Server to Community Edition?
This is an old question, but I would like to answer it in case someone else is trying to do the same thing. To switch from OpenVPN-AS to the community edition and keep the same configuration, the server.crt, server.key, dh.pem, and ca.crt used on the Access Server need to be referenced in the new community edition server.conf file. Since by default, A.S. uses PAM authentication for dual authentication, the new C.E. server must be configured this way as well. These lines need to be added to the server.conf:
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
Then the file /etc/pam.d/openvpn needs to be created, with these lines:
auth sufficient /lib/security/pam_radius_auth.so debug
account sufficient /lib/security/pam_radius_auth.so
Any other options defined in the A.S. generated config need to be referenced in the server.conf file as well (such as port number, proto, comp-lzo, cipher, etc.). Since I could not figure out where or how those files are stored when using Access Server, I opted to simply uninstall openvpn-as and start over.
In conclusion, I decided to rebuild the configuration from scratch because it was easier, and it also made sense to learn how to properly deploy a community edition OpenVPN server myself. I opted not to use PAM authentication, and instead used easyrsa3 to set up the server and client certificates, using a separate machine as the certificate authority for enhanced security. I also used the tls auth option (incorporating a 'ta.key' as an HMAC firewall to help prevent denial of service attacks).
My advice to anyone wanting to switch from the Access Server to the Community Edition is to start from scratch, uninstall A.S. and install the openvpn package, generate new certificates and keys, and most importantly, use a separate machine to sign the certificate requests.
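A pre-start check for a hand-written server.conf like the one described in this answer, as an added example that is not part of the original answer or of OpenVPN itself: it confirms that the ca, cert, key and dh files are referenced and present, that the private key is not readable beyond its owner, and that a PAM plugin line has a matching service file. The function names (`conf_arg`, `check_conf`, `demo`) are hypothetical; it assumes GNU `stat` and that relative paths resolve against the config file's directory.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a hand-migrated OpenVPN server.conf.
# Assumptions: GNU stat; relative paths resolve against the config's directory.

conf_arg() {  # conf_arg <directive> <conf> [field]: print one field of a directive
  awk -v d="$1" -v f="${3:-2}" '$1 == d { print $f; exit }' "$2"
}

check_conf() {  # check_conf <server.conf> [pam_dir]; exit status = problem count
  local conf="$1" pam_dir="${2:-/etc/pam.d}" dir d path mode svc problems=0
  dir=$(cd "$(dirname "$conf")" && pwd)
  for d in ca cert key dh; do
    path=$(conf_arg "$d" "$conf")
    if [ -z "$path" ]; then
      echo "MISSING directive: $d"; problems=$((problems + 1)); continue
    fi
    case $path in /*) ;; *) path="$dir/$path" ;; esac
    if [ ! -r "$path" ]; then
      echo "MISSING file for $d: $path"; problems=$((problems + 1)); continue
    fi
    mode=$(stat -c %a "$path")
    # Octal mode must end in 00 (no group/other bits) for the private key
    if [ "$d" = key ] && [ "${mode#?}" != 00 ]; then
      echo "Private key readable beyond owner (mode $mode): $path"
      problems=$((problems + 1))
    fi
  done
  # "plugin .../openvpn-auth-pam.so <service>" needs a PAM file named <service>
  case $(conf_arg plugin "$conf") in
    */openvpn-auth-pam.so)
      svc=$(conf_arg plugin "$conf" 3)
      if [ -n "$svc" ] && [ ! -f "$pam_dir/$svc" ]; then
        echo "MISSING PAM service file: $pam_dir/$svc"
        problems=$((problems + 1))
      fi ;;
  esac
  return "$problems"
}

demo() {  # constructed sample: dh.pem absent, key mode 644, no PAM service file
  local t; t=$(mktemp -d)
  printf '%s\n' 'port 1194' 'ca ca.crt' 'cert server.crt' 'key server.key' \
    'dh dh.pem' 'plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn' \
    > "$t/server.conf"
  touch "$t/ca.crt" "$t/server.crt" "$t/server.key"; chmod 644 "$t/server.key"
  mkdir "$t/pam.d"
  check_conf "$t/server.conf" "$t/pam.d"
}

if [ "$#" -gt 0 ]; then check_conf "$@"; else demo || echo "problems: $?"; fi
```

Run it as `./check.sh /etc/openvpn/server.conf` before starting the service; with no arguments it runs against the constructed sample.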