FAQs for client-to-site VPN servers

What does a VPN health status indicate?

Status descriptions are as follows:

• Healthy - Indicates that your VPN server is operating correctly.
• Degraded - Indicates that your VPN server has compromised performance, capacity, or connectivity.
• Faulted - Indicates that your VPN server is completely unreachable and inoperative.
• Inapplicable - Indicates that the health state does not apply because of the current lifecycle state. A resource with a lifecycle state of failed or deleting will have a health state of inapplicable. A Pending resource might also have this state.

Why can't I save the password/passcode in the VPN client?

The passcode generated from IBM IAM is a Time-based One-Time Passcode (TOTP), which cannot be reused. You must regenerate it each time.

If I update a VPN server with connected VPN clients, what happens to the VPN clients?

The VPN clients are disconnected along with the VPN server. All VPN clients need to re-connect with the VPN server again. When you use the user ID and passcode authentication, you have to retrieve the passcode and initiate the connection from your VPN client.

Why is the VPN client disconnected?

The VPN server administrator can specify an idle time of the VPN client. When there is no traffic from the VPN client during the idle time window, the VPN server disconnects the client automatically. You must reinitiate the VPN session from your VPN client if it is disconnected.

If I delete a VPN server with connected VPN clients, what happens to the VPN clients?

The VPN clients are disconnected along with the VPN server.

What happens to a VPN server if I try to delete the subnet that the VPN server is on?

You cannot delete the subnet if any VPN servers are present.

How do I update the security group that my VPN server is attached to?

1. In the navigation pane, click VPNs > Client-to-site servers, and select the VPN server you want to update.
2. Click Attached security groups > Attach, and select the security group you want to attach.

Can I create routes and use the private IPs of the VPN server as next hop?

No, you cannot create routes and use the private IPs. The private IPs are not static and can change at any time. The VPN for VPC service updates routes in the VPC routing table automatically. If you create a VPC routing table and you want the VPN for VPC service to inject routes into the new routing table, you have to add the VPN server to the accept routes from flag. You must also remove the VPN server from the accept routes from flag if you do not want the VPN server to inject routes into the routing table. For more information, see Configuring route propagation for VPN servers.

What happens to a VPN server if I try to delete the security group that the VPN server is attached to?

You cannot delete a security group if any VPN servers are present.

Why must I choose subnets during VPN server provisioning?

The server resides in the VPN subnet that you choose. A VPN server needs two available private IP addresses in each subnet to provide high availability and automatic maintenance. It is best if you use the dedicated subnet for the VPN server of size 8, where the length of the subnet prefix is shorter or equal to 29. With dedicated subnets, you can customize the security group and ACL for greater VPN server flexibility.

Does VPN server support high-availability configurations?

Yes, it supports high availability in an Active/Active configuration. You must choose two subnets if you want to deploy a high availability VPN server with two fault domains. You can also upgrade the stand-alone VPN server to high-availability mode, and downgrade the high-availability VPN server to stand-alone mode.

Are there any caps on throughput for VPN server?

Up to 600 Mbps of aggregation throughput is supported with a stand-alone VPN server. A maximum of 1200 Mbps of aggregation throughput is supported with a high availability VPN server. Up to 150 Mbps of throughput for a single client connection (applicable for both stand-alone and high availability VPN servers).

Can I use a VPN server for IBM Cloud classic infrastructure?

Yes, you can use a VPN server for IBM Cloud classic infrastructure. However, you must also enable either Classic Access on the VPC, or configure IBM Cloud Transit Gateway to connect the VPC where the VPN server resides.

What VPN client is supported?

See Supported client software for details.

What protocol and port can I use for the VPN server?

You can use UDP or TCP and any port number to run the VPN server. UDP is recommended because it provides better performance; port 443 is recommended because other ports might be blocked by internet service providers. If you cannot connect to the VPN server from your VPN client, you can try TCP/443 because it is open on almost all internet service providers.

What route action should I use?

The action of the VPN route depends on the route destination:

• If the route destination is in the VPC, or an on-premises private subnet connected using VPN gateway, the route action can be deliver; otherwise, it is translate.
• If you want to block traffic from the client, use the drop route action to forward unwanted or undesirable network traffic to a null or "black hole" route.
• When the route action is translate, the source IP is translated to the VPN server private IP before it is sent out from the VPN server. This means that your VPN client IP is invisible from the destination devices.

What DNS server IP addresses should I use?

DNS server IP addresses are optional when you provision a VPN server. You should use 161.26.0.10 and 161.26.0.11 IP addresses if you want to access service endpoints and IaaS endpoints from your client. See Service endpoints and IaaS endpoints for details.

Use 161.26.0.7 and 161.26.0.8 if you need to resolve private DNS names from your client. See About DNS Services for details.

How do I update the certificate for the VPN server?

The VPN server is not aware of updates made to a certificate in Secrets Manager. You must re-import the certificate with a different CRN, and then update the VPN server with the new certificate CRN.

Can I use a customized hostname for the VPN server?

Yes, you can. You must create a CNAME DNS record and point it to the VPN server hostname in your DNS provider. After that, edit the client profile by replacing direct remote 445df6c234345.us-south.vpn-server.appdomain.cloud with remote your-customized-hostname.com.

445df6c234345.us-south.vpn-server.appdomain.cloud is an example VPN server hostname.

If you are using IBM Cloud Internet Services as your DNS provider, refer to CNAME Type record for information about how to add a CNAME DNS record.

What information should I provide in an IBM Support case if I need help?

Supply the following content in your IBM Support case:

1. Your VPN server ID.

2. Your VPN client and operating system version.

3. The logs from your VPN client.

4. The time range when you encountered the problem.

5. If user-ID-based authentication is used, supply the username.

6. If certificate-based authentication is used, supply the common name of your client certificate.

   To view the common name of your client certificate, use the OpenSSL command openssl x509 -noout -text -in your_client_certificate_file in the subject section.

How do I assign the VPN client role using IAM access management tags in the API?

When you manage user access using access management tags on a client-to-site VPN and enable the UserId and Passcode mode for Client Authentication, you must attach the VPN Client role with an access tag. Otherwise, the VPN client cannot connect to the VPN server. For more information, see Granting users access to tag IAM-enabled resources by using the API and set the role_id to crn:v1:bluemix:public:is::::serviceRole:VPNClient to grant access.