Documentation

Server 3.x

Upgrade Ubuntu 22.04 to Ubuntu 24.04#

This document will describe step-by-step how to update your eduVPN / Let’s Connect! 3.x server from Ubuntu 22.04 to Ubuntu 24.04.

Official Ubuntu release upgrade instructions can be found here. You SHOULD review them carefully.

If you have the opportunity, you SHOULD make a snapshot of your system, e.g. through your VM platform so you can rollback immediately if the upgrade doesn’t work.

Step by Step#

On a typical system, the below instructions will upgrade your server without having to read through the release upgrade instructions linked above. Please look at every line and make sure you understand it. This ONLY works for systems that were installed with deploy_debian.sh and are fairly standard clean Ubuntu installations. If your organization (heavily) modifies standard Ubuntu you MAY run into trouble! You have been warned! :-)

Preparation#

First, make sure your Ubuntu 22.04 system is fully up to date:

$ sudo vpn-maint-update-system

You SHOULD also make sure all configuration is applied to the WireGuard/OpenVPN processes:

$ sudo vpn-maint-apply-changes

Next, reboot:

$ sudo reboot

Make sure everything (portal, apps, connecting to VPN) still works as expected before continuing. If not, you should fix that first.

If you installation still uses iptables, for example because you installed your VPN server before 2023-09-08, you MAY want to consider switching to nftables first. We only tested the upgrade process with nftables.

Upgrade#

The Ubuntu upgrade process asks a lot of questions and disable the VPN package repository. However, there is nothing to worry about if you follow the instructions carefully and answer the questions the upgrade tool asks in the right way. Sorry, we wish it would be easier with less chance of “doing it wrong”.

NOTE: if you didn’t make a full backup / snapshot, now is the time to reconsider!

We start by running the Ubuntu upgrade tool, read below on how to answer some of the questions it will ask you:

$ sudo do-release-upgrade

When performing the upgrade over SSH, the installer will offer to run SSH on an additional port and suggest to upgrade the firewall. Feel free to take this advice.

When you proceed, you’ll get a message like this:

62 packages are going to be removed. 168 new packages are going to be 
installed. 534 packages are going to be upgraded. 

In case you review the list and you’ll notice that vpn-user-portal will be deleted. This is not a big deal as we can easily reinstall it later after the upgrade (without data loss). It should thus be safe to continue.

During the actual upgrade process the upgrade tool will ask a number of times if you want to replace configuration files. It is okay to review them and manually merge the changes in your existing configuration file, but it is much better to do that AFTER the upgrade process. You MUST not, under any circumstance, blindly accept the new configuration file. It WILL break your system!

Configuration files that were offered to be updated during our testing are /etc/nftables.conf and /etc/apache2/mods-available/ssl.conf. In your case, there might be more. Make sure you answer with N, i.e. “keep your currently-installed version”, which is also the default.

At the end of the upgrade process, the tool asks again if you want to delete the packages. You can answer with y as we’ll restore the required packages later anyway.

During the removal process you’ll notice an error regarding php8.3-intl. We’ll also fix that later.

At the end, it will offer to reboot, which is a good idea at this stage. After the reboot we need to perform some additional steps to get the VPN server up and running again.

As a start, you MUST enable the VPN package repository again:

$ curl -s https://repo.eduvpn.org/v3/deb/repo+v3@eduvpn.org.gpg | sudo tee /usr/share/keyrings/repo+v3@eduvpn.org.gpg >/dev/null
$ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/repo+v3@eduvpn.org.gpg] https://repo.eduvpn.org/v3/deb $(/usr/bin/lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/eduVPN_v3.list >/dev/null

Follow these steps:

$ sudo apt update
$ sudo apt --fix-broken install
$ sudo apt -y dist-upgrade
$ sudo apt -y install vpn-user-portal
$ sudo a2enconf vpn-user-portal
$ sudo a2enconf php8.3-fpm
$ sudo systemctl restart php8.3-fpm
$ sudo systemctl restart apache2

We tuned the PHP variables during the initial deploy, and you SHOULD copy them from the old PHP version to the new one:

$ sudo cp /etc/php/8.1/fpm/pool.d/www_vpn.conf /etc/php/8.3/fpm/pool.d/www_vpn.conf 
$ sudo systemctl restart php8.3-fpm

This should get everything up and running again. Now we’ll delete some stuff no longer needed:

$ sudo apt autoremove
$ sudo apt purge "~c"
$ sudo apt purge "~o"

Perform the following steps, to make sure you are in a good state:

$ sudo vpn-maint-update-system
$ sudo vpn-maint-apply-changes

Make sure the firewall is still active:

$ sudo nft list ruleset

If all looks good and nothing gives any errors anymore, reboot one more time:

$ sudo reboot

After rebooting, make sure everything works, i.e. the portal and connecting to the VPN. All done!