Sergio_L's picture

I wish to migrate my old OpenVPN (stretch container on a strech lxc) to a new one (buster container on proxmox 7) hopefully using tklbam, I was hoping to use it to make a local backup that I can scp to the new server where I could pick it up and tha'll be it, I was obviously wrong.

I spent the last few hours trying to find a way to do this but I've failed miserably, I've read this and the pages in /usr/share/doc/tklbam

Everything seems to pint out that I have no other choice that to have a hub account for tklbam to be able to pick up the openvpn configuration-something, even if I want to use it once, offline.

So after many hours, I gave up, stopped openvpn on both servers and rsync /etc/openvpn and /var/lib/openvpn preserving ownership and permissions, then started openvpn but that did not worked either.

So I'm requiring some help, either a way to do it with tklbm or some other way.

BTW, It may very well be that I'm very bad at searching for stuff, but I was unable to find good documentation on tklbam, the one quoted before seems like a simplified version with very few examples, I understand that I shouldn't expect to have full documentation on how to use it without the hub, because after all it is a bussiness, but I'd appreciate if anyone could share a link for a more extensive documentation, and/or some examples to use it offline.

Thank you all for your time.


Jeremy Davis's picture

You don't need a Hub account, but that is certainly the easy way.

One other point worth making is that I can't guarantee that use of TKLBAM linked to the Hub (so you can download our pre-built backup profiles) will "just work" migrating your data from an older OpenVPN server to a newer one. Ideally it should, but I can't 100% guarantee that. Some manual intervention may still be required. So it's possible that you may still find yourself needing to troubleshoot an issue(s) similar to what you've already hit (after your rsync).

Anyway, there are a few pathways that I can think of:

  • TKLBAM linked to the Hub (just to pull the pre-built backup profile)
  • TKLBAM with self built profile
  • Debian-style OS upgrade

TKLBAM linked to the Hub

It sounds like you aren't that keen to use the Hub, which is fine. But I wanted to explain how you could use it (without uploading to AWS) if want, just in case this is of value (and/or other s that might come across this post).

Just in case you weren't aware, other than needing to link a AWS, you could just sign up to the Hub to pull our pre-built backup profiles. You will need to add card details too, but so long as you downgrade to free plans prior to the 14 day free trial expiring, then there are no charges from us (and if you forget and get charged, please reach out via support and I'll happy issue a refund). If you don't upload any backups, then there will be no charges from AWS either. So you could go that path and just not upload the data (and not enable automated backups).

To do that, set up your Hub account (and downgrade to free plans straight away if you have no plan to launch servers and/or push encrypted backups to the cloud). Then initialise TKLBAM on your old server:

tklbam-init YOUR_HUB_API_KEY

(Where YOUR_HUB_API_KEY is your actual Hub API key from your Hub account profile).

That will download the prebuilt backup profile from the Hub. Then rather than just running a full/normal backup (which would compress, encrypt and upload to AWS), just dump it to disk. I.e. like this:

mkdir /tklbam-dump
tklbam-backup --dump=/tklbam-dump

Then rsync (or scp, or whatever) that directory to your new server. TKLBAM should take care of permissions, so ownership by root should be fine. Then on your new server. Initialise TKLBAM (as above). And then assuming that you use the same path for your backup dump on your new server, restore like this:

tklbam-restore /tklbam-dump

As I say though, there is a chance that may not "just work". So you might still need to troubleshoot issues with it. I'm happy to try to help, so please let me know how it goes (if you go this way).

TKLBAM with self built profile

If want to use TKLBAM, without the Hub, then you have 2 options:

Use the --force-profile=empty switch. This won't configure any paths to backup though, so you actually need to know what you want to back up. Obviously that's not good in this scenario.

The other option is to generate a profile yourself. Note that you will need to create the profile on a fresh instance. Hopefully you still have the TurnKey v15.x (Stretch based) OpenVPN appliance as you'll need to install that and generate the TKLBAM profile on that.

You can find the base of the tklbam profiles on GitHub. There are instructions there too, but I'll short cut it for you. All the profiles depend on core (our base appliance) and in the case of OpenVPN, it's actually a bare profile (i.e. it has nothing extra beyond core) so that makes it pretty easy.

So launch the clean server and ssh in. Then create the profile like this:

# pull the core profile base
wget -O tklbam.conf
# make a dir for the profile
mkdir profile
# create the profile (skipping packages)
tklbam internal create-profile --no-packages profile/  tklbam.conf

The profile will now be in the profile/ directory. Copy (rsync/scp/etc) those files across to your actual server. To initialise TKLBAM with you profile (assuming the profile is in the profile/ directory):

tklbam-init --solo --force-profile=profile

Then you can follow the steps above for the last bit. I.e. create the backup dump locally, copy to the new server, then restore.

Debian-style OS upgrade

This option is a totally different way of getting to a Debian Buster base. It won't actually be v16.x (because not all all of our changes and updates are packaged) but for your purposes it should be fine. It's essentially just doing a "normal" Debian upgrade.

If you go this path, be sure that you have a full OS backup (the Proxmox backup should be fine) just in case things go pear shaped (as there's no coming back).

The Debian manual has a section on how to upgrade. That guide is quite verbose and probably don't need to follow it all to the letter, but I won't go into that in much detail here. Have a look and a read and see what you think. If you do go that way and have any issues, please feel free to post and I'll do my best to help out.

So hopefuly that's of some use to you. If you need any further details, please ask.

Good luck! :)

Add new comment