1. Automation Use Cases & High-Level Architecture

Before diving into code, clarify what you want to automate:

Use Case                                          | Server-Side? | Client-Side?
--------------------------------------------------|--------------|-------------
Provision new VPN topologies on BIG-IP            | ✓            |
Update ACLs, authentication methods, portal pages | ✓            |
Rotate VPN certificates or MFA tokens             | ✓            |
Automatically connect end-users on boot           |              | ✓
Scheduled re-authentication (e.g., after sleep)   |              | ✓

A complete automation pipeline typically looks like:

  1. Infrastructure Provisioning (e.g., AWS VPC, BIG-IP instances)
  2. VPN Configuration via AS3 or REST API
  3. Credential Management with Vault or Secrets Manager
  4. Client-side Scripts to invoke f5fpc or PowerShell
  5. Monitoring & Alerting for connection health

Let’s start with automating the server-side deployments.

2. Server-Side VPN Configuration Automation

2.1. Infrastructure as Code with Terraform

Eric Chen’s “Example of F5 VPN Automation” showcases using Terraform to:

  • Spin up an AWS VPC and a pair of BIG-IP (APM) devices in Active/Standby
  • Deploy a backend host for testing split-tunnel connectivity
  • Generate AS3 declarations to configure the VPN objects
  • Use HashiCorp Vault to issue client certificates for mutual-TLS authentication

A simplified workflow:

```hcl
provider "aws" { ... }
module "bigip" {
  source  = "F5Networks/bigip/aws"
  version = "x.y.z"
  # VPC, subnets, instance size, etc.
}
resource "vault_pki_secret_backend" "vpn" { ... }
resource "vault_pki_secret_backend_cert" "vpn_client" {
  backend = vault_pki_secret_backend.vpn.path
  common_name = "vpn-user"
}
```

Once the infrastructure is ready, Terraform outputs—such as the BIG-IP mgmt IP and Vault CA URL—seed the AS3 declaration for the VPN:

```json
{
  "class": "AS3",
  "action": "deploy",
  "declaration": {
    "VPN_ASM": {
      "class": "Tenant",
      "VPN_App": {
        "class": "Application",
        "template": "f5.atm.vpn.AccessPolicy",
        "policyEndpoint": "https://<BIGIP>/mgmt/cm/device/tasks/vpn/tunnel",
        "clientCert": {
          "cert": "${vault_pki_secret_backend_cert.vpn_client.certificate_pem}",
          "key":  "${vault_pki_secret_backend_cert.vpn_client.private_key_pem}"
        },
        ...
      }
    }
  }
}
```

Running terraform apply here will push the AS3 declaration—creating access profiles, portal pages, AAA servers, and SSL profiles—directly into your BIG-IP instances.

2.2. Securing Credentials with HashiCorp Vault

Hard-coding passwords or keys in Terraform is risky. Instead, use Vault to:

  1. Dynamically generate client certificates (vault_pki_secret_backend_cert).
  2. Store VPN-user passwords in KV secrets (vault_generic_secret).
  3. Fetch these at plan/apply time via the Terraform Vault provider.

This ensures no sensitive data lands in Git history—and you can rotate credentials independently of your IaC code.

3. Client-Side VPN Session Automation

Once your BIG-IP APM is configured, you still need to connect clients. F5 provides the f5fpc Linux CLI client and a Windows installer with PowerShell support.

3.1. Automating with f5fpc (Linux/macOS)

After installing the client package (.deb or .rpm), a typical connect script looks like:

```bash
#!/usr/bin/env bash
set -euo pipefail

F5_HOST="vpn.acme.com"
USER="jdoe"
# Pull the password from Vault at run time instead of storing it in the script
PASS=$(vault kv get -field=password secret/vpn/jdoe)
CERT="/etc/vpn/certs/jdoe.crt"
KEY="/etc/vpn/certs/jdoe.key"

# Note: a password passed as an argument is visible to other local users via ps;
# on shared hosts rely on the client certificate for authentication instead.
rc=0
f5fpc \
  --target "https://${F5_HOST}" \
  --username "${USER}" \
  --password "${PASS}" \
  --cert "${CERT}" \
  --key "${KEY}" \
  --start \
  --split-tunnel || rc=$?

if [ "$rc" -ne 0 ]; then
  echo "VPN connection failed with exit code ${rc}" >&2
  exit "$rc"
fi
```

  • --start: initiates the SSL VPN.
  • --split-tunnel: directs only corporate traffic through the tunnel.
  • Error handling: check exit codes and retry logic in your script.

Place this script in /usr/local/bin/connect-vpn.sh and add it to systemd or a login hook for automatic connections at startup.
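A retry wrapper for the connect step above, as an added example that is not part of the original post: it implements the exit-code check from the bullet list and the exponential-backoff retries that section 5 recommends. `connect_with_backoff`, `flaky_connect` and `MAX_DELAY` are names chosen here; the f5fpc invocation is passed in as the command, and the constructed stand-in `flaky_connect` lets the retry path run without the client installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Wraps any connect command in
# exponential-backoff retries; f5fpc itself is not required to run this.
set -u

MAX_DELAY=${MAX_DELAY:-60}   # cap on the per-attempt delay, in seconds

# connect_with_backoff MAX_ATTEMPTS BASE_DELAY CMD [ARGS...]
# Runs CMD until it exits 0 or MAX_ATTEMPTS is reached. The wait doubles
# after each failure (BASE_DELAY, 2*BASE_DELAY, ...) up to MAX_DELAY, plus a
# little jitter so many clients waking at once do not retry in lockstep.
# Returns 0 on success, otherwise the last exit code of CMD.
connect_with_backoff() {
  local max_attempts=$1 delay=$2
  shift 2
  local attempt=1 rc jitter
  while :; do
    "$@" && { echo "connected on attempt ${attempt}" >&2; return 0; }
    rc=$?
    if [ "$attempt" -ge "$max_attempts" ]; then
      echo "giving up after ${attempt} attempts (last exit code ${rc})" >&2
      return "$rc"
    fi
    jitter=$(( ${RANDOM:-0} % (delay + 1) ))
    echo "attempt ${attempt} failed (exit ${rc}); retrying in $(( delay + jitter ))s" >&2
    sleep $(( delay + jitter ))
    attempt=$(( attempt + 1 ))
    delay=$(( delay * 2 ))
    if [ "$delay" -gt "$MAX_DELAY" ]; then delay=$MAX_DELAY; fi
  done
}

# Constructed stand-in for f5fpc: fails until it has been called SUCCEED_ON
# times (count kept in COUNTER_FILE), so the retry path can be exercised offline.
flaky_connect() {
  local succeed_on=$1 counter_file=$2 n=0
  if [ -f "$counter_file" ]; then n=$(cat "$counter_file"); fi
  n=$(( n + 1 ))
  echo "$n" > "$counter_file"
  [ "$n" -ge "$succeed_on" ]
}

# Real use, replacing the stand-in with the connect script's command:
#   connect_with_backoff 5 2 f5fpc --target "https://${F5_HOST}" \
#     --username "${USER}" --password "${PASS}" --start --split-tunnel
```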

3.2. PowerShell Automation (Windows)

On Windows, after installing the BIG-IP APM client, you can use PowerShell:

```powershell
$vpnServer = "vpn.acme.com"
$username  = "jdoe"
# Get-Secret returns a SecureString by default; the CLI client needs plain text
$password  = Get-Secret -Name "vpn/jdoe" -Vault "Vault01" -AsPlainText
$f5cliPath = "C:\Program Files\F5 Networks\F5 VPN\f5fpc-client.exe"

# Build argument list ($args is a PowerShell automatic variable, so use another name)
$cliArgs = @(
  "-t", "https://$vpnServer",
  "-u", $username,
  "-p", $password,
  "--start"
)

# Execute and log
& $f5cliPath @cliArgs 2>&1 | Out-File "$env:USERPROFILE\vpn-connect.log" -Append
if ($LASTEXITCODE -ne 0) {
  Write-Error "VPN connection failed with code $LASTEXITCODE"
}
```

You can then schedule this script via Task Scheduler to run at logon or on network-up events.

4. End-to-End CI/CD Integration

To achieve fully automated deployments:

  1. Git: Store Terraform, AS3 declarations, and scripts in a Git repo.
  2. Pipeline: Use Jenkins/GitLab CI/GitHub Actions to:
    • Validate Terraform plan
    • Apply to non-prod on merge to develop
    • Run end-to-end tests (e.g., automated f5fpc --check connectivity)
  3. Approvals: Gate production deploys behind manual approvals.
  4. Secrets: Integrate Vault tokens into your CI environment securely (e.g., using Vault Agent Injector or Jenkins credentials plugin).
  5. Monitoring: After deployment, use BIG-IQ or Prometheus exporters to verify VPN session counts and health.

This pipeline ensures consistent, auditable, and rapid roll-outs of both configuration and connectivity.

5. Troubleshooting & Best Practices

  • Idempotency: Always design Terraform and AS3 declarations to be safe on re-apply—avoid resource name collisions.
  • Staging Mode: When rolling out new portal pages or policies, use “staged” or “audit” modes in APM to catch errors before enforcement.
  • Logging: Increase verbosity (-v) on f5fpc during testing, and capture logs in CI artifacts.
  • Retry Logic: Network hiccups happen; build exponential-backoff retries into your client scripts.
  • Vault Renewal: Monitor Vault lease TTLs and auto-renew certificates before expiry.
  • Version Compatibility: Align your AS3 version with BIG-IP TMOS releases—mismatches can cause declaration failures.
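An added example (not from the original post) for the Vault Renewal point above and the Vault-issued certificates of section 2.2: a pre-connect check that renews a client certificate only when it is within a configurable window of expiry, using `openssl x509 -checkend`. `cert_needs_renewal`, `renew_if_needed` and `make_test_cert` are assumed names, and the issue command is whatever wrapper you run around Vault's PKI issue path (the post does not give one).

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Renews a Vault-issued client
# certificate only when it is about to expire, so a cron/systemd run can call
# this before every connect without hammering Vault's PKI endpoint.
set -u

# cert_needs_renewal CERT_PEM WINDOW_SECONDS
# Returns 0 (true) if CERT_PEM is missing or expires within WINDOW_SECONDS,
# 1 if it is still valid beyond that window. openssl's -checkend exits 0
# when the certificate is still valid at now+WINDOW and 1 when it is not.
cert_needs_renewal() {
  local cert=$1 window=$2
  if [ ! -r "$cert" ]; then
    return 0                       # no cert on disk: needs (re)issue
  fi
  if openssl x509 -noout -checkend "$window" -in "$cert" >/dev/null 2>&1; then
    return 1                       # still good past the window
  fi
  return 0                         # expiring soon (or unparsable): renew
}

# renew_if_needed CERT_PEM WINDOW_SECONDS ISSUE_CMD [ARGS...]
# ISSUE_CMD is your wrapper around the Vault PKI issue call (assumed; the
# post does not give one). It is only run when renewal is actually due.
renew_if_needed() {
  local cert=$1 window=$2
  shift 2
  if cert_needs_renewal "$cert" "$window"; then
    echo "renewing ${cert}" >&2
    "$@"
  else
    echo "${cert} valid beyond ${window}s; nothing to do" >&2
  fi
}

# Constructed helper for offline testing: a self-signed cert valid DAYS days,
# standing in for one issued by vault_pki_secret_backend_cert.
make_test_cert() {
  local out=$1 days=$2
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "${out}.key" -out "$out" \
    -days "$days" -subj "/CN=vpn-user" >/dev/null 2>&1
}

# Typical use (24h window) before the connect script runs; issue-vpn-cert.sh
# is an assumed wrapper name:
#   renew_if_needed /etc/vpn/certs/jdoe.crt 86400 ./issue-vpn-cert.sh jdoe
```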