Upgrade from 123 while running a VPN

I'm currently on version 123 with a VPN set up to another IPFire client. I want to update to the latest version but have worries of the link degrading or the certificates failing after the update. Both client and server have the same version currently. I set this up a while ago but want to upgrade to the latest version and add an additional 5 x clients using OpenVPN.

  1. What is the best process to undertake the upgrade?
  2. Can I use the same certificate for the other 5 x clients?

Hi,

now that is outdated. Please try to stick to the latest Core Update. :slight_smile:

Anyway, I do not overlook the change history until that version. Normally, VPN services should be automatically restarting after an update was successful.

You might want to open up SSH of the remote machine temporarily (create a firewall rule matching to your current public IP address only) so you will be able to debug or recover if anything goes wrong.

Thanks, and best regards,
Peter Müller

Thanks Peter,
Should I upgrade the remote firewall first or the host?

Hi,

why don’t you take this as an opportunity to create new certificates for your clients (perhaps they are still signed using SHA1, or use weak cryptography otherwise)?

Regarding (2): Technically, yes, but I strongly recommend using one certificate for one VPN client.

> Should I upgrade the remote firewall first or the host?

What is the “host” in your scenario?

Thanks, and best regards,
Peter Müller
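
Added example (not part of the thread and not IPFire's own tooling): one way to check whether existing certificates are SHA1-signed or use small keys before deciding to reissue them, as the reply above suggests. The directory argument and the size thresholds (RSA/DSA below 2048 bits, EC below 224 bits) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: flag certificates with weak signature hashes or small keys.
# Usage: ./audit-certs.sh <directory-with-PEM-certificates>   (path is yours to supply)

# Classify a signature algorithm name as printed by `openssl x509 -text`.
classify_sigalg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *md5*|*sha1*) echo weak ;;
        *sha224*|*sha256*|*sha384*|*sha512*|ed25519|ed448) echo ok ;;
        *) echo unknown ;;
    esac
}

# $1 = public key algorithm, $2 = key size in bits (thresholds are assumptions).
classify_key() {
    case "$1" in
        rsaEncryption|dsaEncryption) min=2048 ;;
        id-ecPublicKey) min=224 ;;
        *) echo unknown; return ;;
    esac
    if [ "$2" -lt "$min" ]; then echo weak; else echo ok; fi
}

# Read `openssl x509 -noout -text` output on stdin and print a one-line verdict.
audit_text() {
    text=$(cat)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    echo "signature=$sig:$(classify_sigalg "$sig") key=$alg/${bits:-?}:$(classify_key "$alg" "${bits:-0}")"
}

# Audit one PEM file: returns 0 if fine, 1 if weak, 2 if it cannot be parsed.
audit_cert() {
    if ! dump=$(openssl x509 -in "$1" -noout -text 2>/dev/null); then
        echo "$1: not a readable certificate"; return 2
    fi
    verdict=$(printf '%s\n' "$dump" | audit_text)
    echo "$1: $verdict"
    case "$verdict" in *:weak*) return 1 ;; esac
}

# Runs only when a directory is given; exits non-zero if any file is flagged.
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -e "$f" ] || continue
        audit_cert "$f" || status=1
    done
    exit "$status"
fi
```

Any certificate reported as `weak` is a candidate for reissuing, one per client, when the new clients are added.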

Hi,
Host being at our office as the other ipfirewall that links to our office is in another country and I recall the office ipfirewall we used to generate the certificate. Just didn’t want to undertake the update and break the link if undertaken in the wrong order as I am unsure if running different versions would cause issues.

Hi,

it might be easier to update your local IPFire machine then (create a backup before doing so!) and see if anything is going wrong. If not, you might do the same for the remote system.

Thanks, and best regards,
Peter Müller

I agree with @pmueller. Locally you can manage a lot better any kind of issue, @pingumasta.

Only… prepare a remote full access to the remote system before starting the update.