During the configuration of the VPN cluster, the certificates used for authentication and establishing SSL connections are issued by our internal certificate authority, GATEWAY_EJBCA. When a certificate—either the one directly issued or any within its certificate chain—approaches its expiration, it must be renewed to maintain secure operations.
There are two possible scenarios:
- The issued certificate itself is nearing expiry.
- One or more certificates in the chain (such as the SUBCA or ROOTCA) are expiring. (The SRE team will renew these.)
In both cases, administrators have to perform the steps below to reconfigure their VPN configuration and generate a new certificate. This document describes how to update the VPN configuration after the certificates are renewed. This affects only customers who have the Cloud Extender VPN module configured.
Updating certificate in standalone VPN configuration:
1. Log in to the Cloud Extender server where the VPN is configured.
2. Open the MaaS360 Config Utility and go to the VPN tile. The cluster will be visible.
3. Click the Edit icon, as highlighted in the screenshot above. The screen below will appear.
4. Note down all the configuration details from the "Cluster Details" screen.
5. Click Next and then click Cancel. You will return to the VPN configuration cluster page.
6. Click the VPN configuration again and delete the existing cluster.
7. Create a new cluster from the configuration copied in Step #4 (above) and make sure the "Test" run while configuring the VPN is successful.
8. Navigate to the directory "C:\ProgramData\MaaS360\Cloud Extender\AR\DATA\VPN" and check for the newly created certificate file (details below).

Updating certificate in VPN cluster configuration:
- Follow the steps above on one Cloud Extender server.
- Export the newly generated certificate from that Cloud Extender server by copying ca.crt and server.crt from C:\ProgramData\MaaS360\Cloud Extender\AR\DATA\VPN, then import it on the other Cloud Extender server by pasting the files into the same location.
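One way to carry out the certificate check from the last standalone step and to confirm that both cluster nodes hold identical files, as an added PowerShell example that is not part of the MaaS360 documentation. It assumes ca.crt and server.crt each hold a single PEM- or DER-encoded certificate; `$PeerDir`, `$WarnDays` and `$FreshDays` are hypothetical values chosen for the example.

```powershell
# Added example: inspect the renewed VPN certificate files on a Cloud Extender node.
$VpnDir    = 'C:\ProgramData\MaaS360\Cloud Extender\AR\DATA\VPN'   # path from the steps above
$PeerDir   = $null  # Assumption: set to the same folder on the second node (for example a UNC path)
$WarnDays  = 30     # Assumption: expiry warning threshold chosen for this example
$FreshDays = 2      # Assumption: a just-regenerated server.crt has NotBefore within this many days

function Get-VpnCertInfo {
    param([Parameter(Mandatory)][string]$Directory)
    foreach ($name in 'ca.crt', 'server.crt') {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "$path not found"; continue }
        # Assumption: each file holds a single PEM- or DER-encoded X.509 certificate.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
        [pscustomobject]@{
            File       = $name
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            AgeDays    = [int][math]::Floor(((Get-Date) - $cert.NotBefore).TotalDays)
            Thumbprint = $cert.Thumbprint
        }
    }
}

$local = @(Get-VpnCertInfo -Directory $VpnDir)
$local | Format-List File, Subject, Issuer, NotBefore, NotAfter, DaysLeft, Thumbprint | Out-String

foreach ($c in $local) {
    if ($c.DaysLeft -lt $WarnDays) {
        Write-Warning "$($c.File) expires in $($c.DaysLeft) days"
    }
    # Only server.crt is expected to be new; ca.crt changes only when the chain is renewed.
    if ($c.File -eq 'server.crt' -and $c.AgeDays -gt $FreshDays) {
        Write-Warning "server.crt was issued $($c.AgeDays) days ago; it may still be the old certificate"
    }
}

# Cluster check: after the copy, both nodes must hold identical ca.crt and server.crt.
if ($PeerDir) {
    $peer = @(Get-VpnCertInfo -Directory $PeerDir)
    foreach ($c in $local) {
        $other = $peer | Where-Object { $_.File -eq $c.File }
        if (-not $other) { Write-Warning "$($c.File) is missing on the peer node" }
        elseif ($other.Thumbprint -ne $c.Thumbprint) { Write-Warning "$($c.File) differs between nodes" }
        else { "$($c.File): thumbprints match on both nodes" }
    }
}
```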
Portal Changes to update VPN configuration:
Administrators who have both iOS and Android devices configured for VPN have to repeat the steps below for the Android policy as well.
- Log in to the portal and navigate to Policies.
- Click the policy that is configured to use VPN and edit it.
- Edit the VPN Connection name (to identify that the cluster configuration has changed).
- Make sure to select the updated cluster name (the one configured above) under the dropdown "Select VPN server".

- Save and publish the policy.
Impact of Verbose Logging on VPN Performance
Recently, it has been observed that some customers have enabled verbose logging for debugging purposes. While this can be helpful for troubleshooting, it has also led to significant performance degradation on devices connecting to the VPN.
Before enabling verbose logging, it is essential to understand the various logging levels available and the potential consequences of using higher verbosity settings. The following section provides an overview of these logging levels and their implications.
Understanding Verbosity Levels in OpenVPN Server Logging
OpenVPN offers robust logging capabilities to assist administrators in troubleshooting, monitoring, and auditing VPN connections. A key parameter that controls the level of detail in the logs is the verb (verbosity) level.
What is the verb Parameter?
The verb parameter in the OpenVPN server (and client) configuration file determines the verbosity level of the logs. This discussion focuses specifically on the OpenVPN server logs.
The verb setting controls how much information OpenVPN writes to the log file or console. The value can range from 0 to 11, where:
- No output except for fatal errors.
- Startup messages and important runtime errors.
- Warnings and non-fatal error messages.
- Default level. Basic operational logging, including connections and disconnects.
- Normal operational logging plus some additional info about connection progress.
- Outputs R and W characters to the console for each packet read and write; uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
- Extremely detailed debug output, including packet dumps and low-level function calls.
The default verbose level is 4. Setting a very high verbosity in production may result in large log files and a potential performance impact.