En/2.2/Virtual private network (VPN) service with OpenVPN

From Zentyal Linux Small Business Server
Jump to: navigation, search


Introduction to the virtual private networks (VPN)

Zentyal integrates OpenVPN (2) PPTP and IPsec to configure and manage virtual private networks. In this section you will see how to configure OpenVPN, the default VPN protocol in Zentyal. In the following section you will find out how to configure PPTP and IPsec.

OpenVPN has the following advantages:

  • Authentication using public key infrastructure.
  • SSL-based encryption technology.
  • Clients available for Windows, Mac OS and Linux.
  • Easier to install, configure and maintain than IPSec, another

open source VPN alternative.

  • Allows to use network applications transparently.

Configuration of an OpenVPN client

Configuration of a OpenVPN server with Zentyal

Zentyal can be configured to support remote clients (sometimes known as road warriors). This means a Zentyal server acting as a gateway and VPN server with a local area network (LAN) behind it allows external clients (the road warriors) to connect to the local network via the VPN service.

The following figure can give a more accurate view:

Zentyal and remote VPN clients

The goal is to connect the data server with other 2 remote clients (sales person and CEO) and also the remote clients to each other.

First, you need to create a Certification Authority and certificates for the remote clients. Note that you also need a certificate for the VPN server. However, Zentyal will create this certificate automatically when you create a new VPN server. In this scenario, Zentyal acts as a Certification Authority.

Once you have the certificates, then configure the Zentyal VPN server by selecting Create a new server. The only value you need to enter to create a new server is the name. Zentyal ensures the task of creating a VPN server is easy and it sets the necessary values automatically.

The following configuration parameters are added automatically and can be changed if necessary: port/protocol, certificate (Zentyal will create one automatically using the VPN server name) and network address. The VPN network addresses are assigned both to the server and the clients. If you need to change the network address you must make sure that there is no conflict with a local network. In addition, you will automatically be notified of local network detail, i.e. the networks connected directly to the network interfaces of the host, through the private network.

As you can see, the VPN server will be listening on all external interfaces. Therefore, you must set at least one of your interfaces as external at Network ‣ Interfaces. In this scenario only two interfaces are required, one internal for LAN and one external for Internet.

If you want the clients to connect between themselves by using their VPN addresses, you must enable the option Allow connections among clients.

You can leave the rest of the configuration options with their default values.

VPN server configuration

After having created the VPN server, you must enable the service and save the changes. Later you must check in Dashboard that the VPN server is running.

After this, you must establish networks, i.e. routes between VPN networks and between VPN networks and other networks known by your server. These networks will be accessible by authorised VPN clients. Keep in mind that Zentyal will advertise all internal networks automatically. Obviously, you can add or remove the necessary routes. In this scenario a local network will automatically be added to ensure the 3rd client is visible to the other two clients.

Once you have done this, it is time to configure the clients. The easiest way to configure a VPN client is by using the Zentyal bundles - installation packages that include the VPN configuration file specific to each user and optionally, an installation program. These are available in the table at VPN ‣ Servers, by clicking the icon in the column Download client bundle. You can create bundles for Windows, Mac OS and Linux clients. When you create a bundle select those certificates that will be used by the clients and set the external IP addresses to which the VPN clients must connect. Moreover, if the selected system is Windows, you can also add an OpenVPN installer. The Zentyal administrator will download the configuration bundles to the clients using the most appropriate method.

Download client bundle

A bundle includes the configuration file and the necessary files to start a VPN connection.

You now have access to the data server from both remote clients. If you want to use the local Zentyal DNS service through the private network, you need to configure these clients to use Zentyal as name server. Otherwise, it will not be possible to access services by the hosts in the LAN by name, but only by IP address. Also, to browse shared files from the VPN (3) you must explicitly allow the broadcast of traffic from the Samba server.

[3] For additional information about file sharing go to section

File sharing and authentication service

You can see the users currently connected to the VPN service in the Zentyal Dashboard.

If you need a VPN server that is not the gateway of the local network, i.e., the host does not have any external interfaces, then you need to use the Port redirection with Zentyal. As this is one of the firewall options, you must ensure that the firewall module is enabled, otherwise you can not enable this option. With this option, the VPN server will act on behalf of the VPN clients within the local network. In reality, it will act on behalf of all the advertised networks in order to ensure that it receives all the response packages that it will later forward through the private network to its clients. This is best explained by the following image:

Connection from a VPN client to the LAN with VPN by using NAT

Configuration of a VPN server for interconnecting networks

Practical examples

Proposed exercises

Personal tools


Zentyal Wiki

Zentyal Doc