Upgrading to an HA VPN server

Upgrading to an HA VPN server in the UI

To change the VPN server type, follow these steps:

1. From your browser, open the IBM Cloud console and log in to your account.

2. Select the Navigation Menu icon , then click > VPC Infrastructure >VPNs in the Network section.

   If starting from the VPC Infrastructure menu, click VPNs in the Network section to open the VPNs for VPC page.

3. From the VPNs for VPC page, click the Client-to-site servers tab. Then, click the name of the VPN server that you want to modify.

4. In the Subnets section, do one of the following:

   • To upgrade to an HA VPN server, click Add+ to add a second subnet in a different zone.
   • To change to a stand-alone VPN server, click the Remove icon to remove one of the two existing subnets.
   • To use a different subnet, click the subnet's Edit icon .

   For example:

   

5. Review the cost summary, then click Save to save your changes.

Upgrading to an HA VPN server from the CLI

Before you begin, set up your CLI environment.

To upgrade to an HA VPN server from the CLI, enter the following command:

ibmcloud is vpn-server-update VPN_SERVER_ID [--vpc VPC] [--subnet SUBNET]
[--client-ip-pool CLIENT_IP_POOL] [--cert CERT]
[--client-auth-methods certificate | username | certificate,username | username,certificate]
[--client-ca CLIENT_CA] [--client-crl CLIENT_CRL] [--client-dns CLIENT_DNS]
[--client-idle-timeout CLIENT_IDLE_TIMEOUT] [--enable-split-tunnel false | true]
[--port PORT] [--protocol udp | tcp] [--name NEW_NAME] [--output JSON] [-q, --quiet]

Where:

• VPN_SERVER_ID - ID or name of the VPN server.
• --vpc - ID or name of the VPC. This option is only required to specify the unique resource by name inside this VPC.
• --subnet - Comma-separated IDs or names of the subnets to provision this VPN server. Use two subnets in different zones for high availability. At most, two subnets can be set.
• --client-ip-pool - The VPN client IPv4 address pool, expressed in CIDR format. The request must not overlap with any existing address prefixes in the VPC or any of the following reserved address ranges: 127.0.0.0/8 (IPv4 loopback addresses), 161.26.0.0/16 (IBM services), 166.8.0.0/14 (Cloud Service Endpoints), 169.254.0.0/16 (IPv4 link-local addresses), 224.0.0.0/4 (IPv4 multicast addresses). The prefix length of the client IP address pool's CIDR must be between /9 (8,388,608 addresses) and /22 (1024 addresses). A CIDR block that contains twice the number of IP addresses that are required to enable the maximum number of concurrent connections is recommended.
• --cert - The certificate instance CRN for this VPN server.
• --client-auth-methods - Comma-separated client authentication methods. One of:
  • certificate
  • username
  • certificate,username
  • username,certificate
• --client-ca - The CRN of the certificate instance to use for the VPN client certificate authority (CA).
• --client-crl - CRL | @CRL-file. The certificate revocation list contents, encoded in PEM format.
• --client-dns - Comma-separated of DNS server addresses that is provided to VPN clients connected to this VPN server. Two DNS servers can be set at most.
• --client-idle-timeout - The seconds a VPN client can be idle before this VPN server will disconnect it. Specify 0 to prevent the server from disconnecting idle clients.
• --enable-split-tunnel - Indicates whether the split tunneling is enabled on this VPN server. One of: false, true (default: false).
• --port - The port number to use for this VPN server.
• --protocol - The transport protocol to use for this VPN server. One of: udp, tcp.
• --name - New name of the VPN server.
• --output - Specify output format, only JSON is supported. One of: JSON.
• -q, --quiet - Suppress verbose output.

Upgrading to an HA VPN server with the API

To upgrade to an HA VPN server with the API, follow these steps:

1. Set up your API environment with the correct variables.

2. Find the VPN server that you want to upgrade:

   Add | json_pp or | jq after the curl command to get a readable JSON string.

   curl -X GET "$vpc_api_endpoint/v1/vpn_servers?version=$api_version&generation=2" \
        -H "Authorization:$iam_token"
   

   Save the ID of the VPN server in a variable so that you can use it later, for example:

   VpnServer="r006-cb67562d-626c-488d-8c56-35879e238274"
   

3. Find the subnets that you want to attach to the VPN server:

   curl -X GET "$vpc_api_endpoint/v1/subnets?version=$api_version&generation=2" \
      -H "Authorization:$iam_token"
   

   Save the ID of the subnets in a variable so that you can use it later, for example:

   SubnetId1="0716-08b770a6-e5e8-4e59-ad0c-9f517914f5a6"
   SubnetId2="0717-aa067949-e947-435f-bdcd-1ec84815513d"
   

   SubnetId1 and SubnetId2 must be in the same VPC as the VPN server, but in different zones.

4. Get the ETag of the VPN server:

   curl -X GET -i "$vpc_api_endpoint/v1/vpn_servers/$VpnServer?version=$api_version&generation=2" \
        -H "Authorization:$iam_token"
   

   Save the ETag of the VPN server (included in the response header) in a variable so that you can use it later, for example:

   ETag="0366003158c0be829d0727e80325406145eaa682955c1703642eaab2c655d609"
   

5. When all variables are initiated, upgrade the VPN server to HA by adding a second subnet:

      curl -X PATCH "$vpc_api_endpoint/v1/vpn_servers/$VpnServer?version=$api_version&generation=2" \
        -H "Authorization: $iam_token" \
        -H "If-Match: $ETag" \
        -d '{
           "subnets": [
              {
               "id": "'$SubnetId1'"
               },
               {
               "id": "'$SubnetId2'"
               }
               ]
         }'