Virtual private network (VPN) service with OpenVPN

Introduction to the virtual private networks (VPN)

Zentyal integrates OpenVPN [2] PPTP and IPsec to configure and manage virtual private networks. In this section you will see how to configure OpenVPN, the default VPN protocol in Zentyal. In the following section you will find out how to configure PPTP and IPsec.

OpenVPN has the following advantages:

  • Authentication using public key infrastructure.
  • SSL-based encryption technology.
  • Clients available for Windows, Mac OS and Linux.
  • Easier to install, configure and maintain than IPSec, another open source VPN alternative.
  • Allows to use network applications transparently.

Configuration of a OpenVPN server with Zentyal

Zentyal can be configured to support remote clients (sometimes known as road warriors). This means a Zentyal server acting as a gateway and VPN server with a local area network (LAN) behind it allows external clients (the road warriors) to connect to the local network via the VPN service.

The following figure can give a more accurate view:

Zentyal and remote VPN clients

Zentyal and remote VPN clients

The goal is to connect the data server with other 2 remote clients (sales person and CEO) and also the remote clients to each other.

First, you need to create a Certification Authority and certificates for the remote clients. Note that you also need a certificate for the VPN server. However, Zentyal will create this certificate automatically when you create a new VPN server. In this scenario, Zentyal acts as a Certification Authority.

Once you have the certificates, then configure the Zentyal VPN server by selecting Create a new server. The only value you need to enter to create a new server is the name. Zentyal ensures the task of creating a VPN server is easy and it sets the necessary values automatically.

The following configuration parameters are added automatically and can be changed if necessary: port/protocol, certificate (Zentyal will create one automatically using the VPN server name) and network address. The VPN network addresses are assigned both to the server and the clients. If you need to change the network address you must make sure that there is no conflict with a local network. In addition, you will automatically be notified of local network detail, i.e. the networks connected directly to the network interfaces of the host, through the private network.

As you can see, the VPN server will be listening on all external interfaces. Therefore, you must set at least one of your interfaces as external at Network ‣ Interfaces. In this scenario only two interfaces are required, one internal for LAN and one external for Internet.

If you want the clients to connect between themselves by using their VPN addresses, you must enable the option Allow connections among clients.

You can leave the rest of the configuration options with their default values.


VPN server configuration

After having created the VPN server, you must enable the service and save the changes. Later you must check in Dashboard that the VPN server is running.

After this, you must establish networks, i.e. routes between VPN networks and between VPN networks and other networks known by your server. These networks will be accessible by authorised VPN clients. Keep in mind that Zentyal will advertise all internal networks automatically. Obviously, you can add or remove the necessary routes. In this scenario a local network will automatically be added to ensure the 3rd client is visible to the other two clients.

Once you have done this, it is time to configure the clients. The easiest way to configure a VPN client is by using the Zentyal bundles - installation packages that include the VPN configuration file specific to each user and optionally, an installation program. These are available in the table at VPN ‣ Servers, by clicking the icon in the column Download client bundle. You can create bundles for Windows, Mac OS and Linux clients. When you create a bundle select those certificates that will be used by the clients and set the external IP addresses to which the VPN clients must connect. Moreover, if the selected system is Windows, you can also add an OpenVPN installer. The Zentyal administrator will download the configuration bundles to the clients using the most appropriate method.


Download client bundle

A bundle includes the configuration file and the necessary files to start a VPN connection.

You now have access to the data server from both remote clients. If you want to use the local Zentyal DNS service through the private network, you need to configure these clients to use Zentyal as name server. Otherwise, it will not be possible to access services by the hosts in the LAN by name, but only by IP address. Also, to browse shared files from the VPN [3] you must explicitly allow the broadcast of traffic from the Samba server.

[3]For additional information about file sharing go to section File sharing and authentication service

You can see the users currently connected to the VPN service in the Zentyal Dashboard.

If you need a VPN server that is not the gateway of the local network, i.e., the host does not have any external interfaces, then you need to use the Port redirection with Zentyal. As this is one of the firewall options, you must ensure that the firewall module is enabled, otherwise you can not enable this option. With this option, the VPN server will act on behalf of the VPN clients within the local network. In reality, it will act on behalf of all the advertised networks in order to ensure that it receives all the response packages that it will later forward through the private network to its clients. This is best explained by the following image:

Connection from a VPN client to the LAN with VPN by using NAT

Connection from a VPN client to the LAN with VPN by using NAT

Configuration of a VPN server for interconnecting networks

In this scenario two offices in different networks need to be connected via private network. To do this, you will use Zentyal as a gateway in both networks. One will act as a VPN client and the other as a server. The following image clarifies the scenario:

Zentyal as VPN server vs. Zentyal as a VPN client

Zentyal as VPN server vs. Zentyal as a VPN client

The goal is to connect the client 1 on the LAN 1 with client 2 on the LAN 2 as if they were in the same local network. Therefore, you must configure a VPN server as previously explained.

However, you need to make two small changes. First, enable the Allow Zentyal-to-Zentyal tunnels to exchange routes between Zentyal servers. And then, introduce a Password for Zentyal-to Zentyal tunnels to establish the connection between the two offices in a safer environment. You should bear in mind that the LAN 1 network must be advertised in the Advertised networks.

You can configure Zentyal as a VPN client at VPN ‣ Clients. You must give a name to the client and enable the service. You can configure the client manually or automatically by using the bundle provided by the VPN server. If you do not use the bundle, you must introduce the IP address and protocol-port for the server accepting requests. The tunnel password and certificates used by the client will also be required. These certificates must have been created by the same certification authority the server uses.


Client configuration

When you Save changes in the Dashboard, you can see a new OpenVPN daemon in the LAN 2 running as a client and the object connection towards another Zentyal server within the LAN 1.


Dashboard of a Zentyal server configured as a VPN client

When the connection is complete, the host with the server role has access to all routes of the client hosts through the VPN. However, the hosts with client roles will only have access to those routes the server has explicitly advertised.