Virtual private network (VPN) service with OpenVPN

Introduction to the virtual private networks (VPN)

Zentyal integrates OpenVPN [2] PPTP and IPsec to congure and manage virtual private networks. In this section you will see how to congure OpenVPN, the default VPN protocol in Zentyal. In the following section you will nd out how to congure PPTP and IPsec. OpenVPN has the following advantages: Authentication using public key infrastructure. SSL-based encryption technology. Clients available for Windows, Mac OS and Linux. Easier to install, congure and maintain than IPSec, another open source VPN alternative. Allows to use network applications transparently. [2] http://openvpn.net/

Configuration of a OpenVPN server with Zentyal

Zentyal can be congured to support remote clients (sometimes known as road warriors). This means a Zentyal server acting as a gateway and VPN server with a local area network (LAN) behind it allows external clients (the road warriors) to connect to the local network via the VPN service. The following gure can give a more accurate view:

Zentyal and remote VPN clients

The goal is to connect the data server with other 2 remote clients (sales person and CEO) and also the remote clients to each other. First, you need to create a Certication Authority and certicates for the remote clients. Note that you also need a certicate for the VPN server. However, Zentyal will create this certicate automatically when you create a new VPN server. In this scenario, Zentyal acts as a Certication Authority. Once you have the certicates, then congure the Zentyal VPN server by selecting Create a new server. The only value you need to enter to create a new server is the name. Zentyal ensures the task of creating a VPN server is easy and it sets the necessary values automatically. The following conguration parameters are added automatically and can be changed if necessary: port/protocol, certicate (Zentyal will create one automatically using the VPN server name) and network address. The VPN network addresses are assigned both to the server and the clients. If you need to change the network address you must make sure that there is no conict with a local network. In addition, you will automatically be notied of local network detail, i.e. the networks connected directly to the network interfaces of the host, through the private network. As you can see, the VPN server will be listening on all external interfaces. Therefore, you must set at least one of your interfaces as external at Network Interfaces. In this scenario only two interfaces are required, one internal for LAN and one external for Internet. If you want the clients to connect between themselves by using their VPN addresses, you must enable the option Allow connections among clients. You can leave the rest of the conguration options with their default values.

VPN server conguration

After having created the VPN server, you must enable the service and save the changes. Later you must check in Dashboard that the VPN server is running. After this, you must establish networks, i.e. routes between VPN networks and between VPN networks and other networks known by your server. These networks will be accessible by authorised VPN clients. Keep in mind that Zentyal will advertise all internal networks automatically. Obviously, you can add or remove the necessary routes. In this scenario a local network will automatically be added to ensure the 3rd client is visible to the other two clients. Once you have done this, it is time to congure the clients. The easiest way to congure a VPN client is by using the Zentyal bundles - installation packages that include the VPN conguration le specic to each user and optionally, an installation program. These are available in the table at VPN Servers, by clicking the icon in the column Download client bundle. You can create bundles for Windows, Mac OS and Linux clients. When you create a bundle select those certicates that will be used by the clients and set the external IP addresses to which the VPN clients must connect. Moreover, if the selected system is Windows, you can also add an OpenVPN installer. The Zentyal administrator will download the conguration bundles to the clients using the most appropriate method.

Download client bundle

A bundle includes the conguration le and the necessary les to start a VPN connection. You now have access to the data server from both remote clients. If you want to use the local Zentyal DNS service through the private network, you need to congure these clients to use Zentyal as name server. Otherwise, it will not be possible to access services by the hosts in the LAN by name, but only by IP address. Also, to browse shared les from the VPN [3] you must explicitly allow the broadcast of trac from the Samba server. [3] For additional information about le sharing go to section File sharing and authentication service You can see the users currently connected to the VPN service in the Zentyal Dashboard. If you need a VPN server that is not the gateway of the local network, i.e., the host does not have any external interfaces, then you need to use the Port redirection with Zentyal. As this is one of the rewall options, you must ensure that the rewall module is enabled, otherwise you can not enable this option. With this option, the VPN server will act on behalf of the VPN clients within the local network. In reality, it will act on behalf of all the advertised networks in order to ensure that it receives all the response packages that it will later forward through the private network to its clients. This is best explained by the following image:

Connection from a VPN client to the LAN with VPN by using NAT

Configuration of a VPN server for interconnecting networks

In this scenario two oces in dierent networks need to be connected via private network. To do this, you will use Zentyal as a gateway in both networks. One will act as a VPN client and the other as a server. The following image claries the scenario:

Zentyal as VPN server vs. Zentyal as a VPN client

The goal is to connect the client 1 on the LAN 1 with client 2 on the LAN 2 as if they were in the same local network. Therefore, you must congure a VPN server as previously explained. However, you need to make two small changes. First, enable the Allow Zentyal-to-Zentyal tunnels to exchange routes between Zentyal servers. And then, introduce a Password for Zentyal-to Zentyal tunnels to establish the connection between the two oces in a safer environment. You should bear in mind that the LAN 1 network must be advertised in the Advertised networks. You can congure Zentyal as a VPN client at VPN Clients. You must give a name to the client and enable the service. You can congure the client manually or automatically by using the bundle

congure the client manually or automatically by using the bundle provided by the VPN server. If you do not use the bundle, you must introduce the IP address and protocol-port for the server accepting requests. The tunnel password and certicates used by the client will also be required. These certicates must have been created by the same certication authority the server uses.

Client conguration

When you Save changes in the Dashboard, you can see a new OpenVPN daemon in the LAN 2 running as a client and the object connection towards another Zentyal server within the LAN 1.

Dashboard of a Zentyal server congured as a VPN client

When the connection is complete, the host with the server role has access to all routes of the client hosts through the VPN. However, the hosts with client roles will only have access to those routes the server has explicitly advertised.