How to Install and Configure OpenVPN Server on Zentyal 3.4 PDC – Part 12

OpenVPN is a free and open source program that uses the Secure Socket Layer (SSL/TLS) protocol to build Virtual Private Networks. It is designed to offer secure connections to your central organization network over the Internet regardless of the platform or operating system you use, being as universal as possible (it runs on Linux, UNIX, Windows, Mac OS X and Android). It can also act as a client and a server at the same time, creating an encrypted virtual tunnel between endpoints based on cryptographic keys and certificates, using TAP/TUN devices.

Install OpenVPN in Zentyal

This tutorial guides you through installing and configuring an OpenVPN server on Zentyal 3.4 PDC so that you can securely access your domain from Internet locations outside your local network, using OpenVPN clients on Windows machines.

Requirements

  1. The previous guide in this series: Zentyal 3.4 as a PDC Install Guide

Step 1: Install OpenVPN Server

1. Log on to the Zentyal 3.4 Web Administration Tool by pointing your browser to the Zentyal IP address or domain name (https://domain_name).

2. Go to Software Management -> Zentyal Components, choose VPN Service and click the Install button.

Install VPN Service in Zentyal

3. After the OpenVPN package installs successfully, navigate to Module Status and check VPN to enable the module.

Enable OpenVPN Module in Zentyal

4. Accept the pop-up that shows the system modifications, then scroll to the top of the page and click Save Changes to apply the new settings.

Save System Changes

Step 2: Configure OpenVPN Server

5. Now it's time to configure the Zentyal OpenVPN Server. Navigate to Infrastructure -> VPN -> Servers, then click Add New.

Configure Zentyal OpenVPN Server
Add New VPN Server in Zentyal

6. Choose a descriptive name for your VPN server, check Enabled and click Add.

Enter New VPN Name

7. The newly created VPN server should appear in the server list; click its Configuration button to set up the service.

Setup VPN Server

8. Edit the server configuration with the following settings and, when you finish, click Change.

  1. Server Port = UDP protocol, port 1194 – the default OpenVPN protocol and port (UDP is faster than TCP because it is connectionless).
  2. VPN Address = 10.10.10.0/24 – you can choose any private network address space you like, but make sure your system does not already use the same address space.
  3. Server Certificate = your server name certificate – when you first add a new VPN server, a certificate is automatically issued with the VPN server's name.
  4. Client authorization by common name = choose Zentyal (self-explanatory).
  5. Check TUN interface – this simulates a network-layer device operating at layer 3 of the OSI model (if unchecked, a TAP interface is used, which behaves like a layer 2 bridge).
  6. Check Network Address Translation – self-explanatory.
  7. Check Allow client-to-client connections – from remote endpoints you can see the other machines residing on your local network.
  8. Interface to listen on = select All network interfaces.
  9. Check Redirect Gateway – self-explanatory.
  10. First and Second Name Servers = add the IP addresses of your Zentyal name servers.
  11. Search domain = add your domain name.
VPN Server Configuration
VPN Server Configuration Details

9. If you have defined other internal networks that Zentyal knows about (in Network -> Objects), click the Advertised networks field, then select and add your internal networks.

Add New Internal Network
List of VPN Servers
List of Advertised Networks
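The settings chosen in steps 8 and 9 each correspond to a standard OpenVPN server directive, and the one check the GUI leaves to you is that the VPN subnet does not overlap any LAN or advertised network. The following Python is an added example, not code from the tutorial or from Zentyal (which writes its own server file): it performs that overlap check and renders the equivalent directives so the effect of each option is visible. The 10.10.10.0/24 subnet and UDP/1194 come from the page; the name server addresses, search domain and advertised networks are constructed sample values. Note that NAT is not an OpenVPN directive (Zentyal adds a firewall masquerade rule for it) and that `client-to-client` lets VPN clients reach each other, while LAN hosts are reached through the pushed routes and NAT.

```python
import ipaddress

# GUI choices from steps 8 and 9. 10.10.10.0/24, UDP/1194, TUN, client-to-client
# and redirect gateway are from the tutorial; the DNS servers, search domain and
# advertised networks below are constructed sample values.
VPN_SETTINGS = {
    "proto": "udp",
    "port": 1194,
    "vpn_network": "10.10.10.0/24",
    "dev": "tun",
    "client_to_client": True,
    "redirect_gateway": True,
    "name_servers": ["192.168.1.1", "192.168.1.2"],
    "search_domain": "example.lan",
    "advertised_networks": ["192.168.1.0/24", "192.168.2.0/24"],
}


def find_overlaps(vpn_network, local_networks):
    """Return the local networks whose address space overlaps the VPN subnet.

    The VPN subnet must be disjoint from every LAN (step 8, item 2) and from
    every advertised network (step 9); otherwise the routes pushed to clients
    collide with the addresses OpenVPN hands out to them.
    """
    vpn = ipaddress.ip_network(vpn_network, strict=True)
    return [n for n in local_networks if ipaddress.ip_network(n).overlaps(vpn)]


def render_server_conf(settings):
    """Translate the GUI choices into the OpenVPN server directives they map to.

    Raises ValueError when the VPN subnet overlaps an advertised network.
    """
    conflicts = find_overlaps(settings["vpn_network"], settings["advertised_networks"])
    if conflicts:
        raise ValueError(f"VPN subnet overlaps advertised network(s): {conflicts}")

    vpn = ipaddress.ip_network(settings["vpn_network"])
    domain = settings["search_domain"]
    lines = [
        f"proto {settings['proto']}",
        f"port {settings['port']}",
        f"dev {settings['dev']}",                       # TUN = layer 3 device
        f"server {vpn.network_address} {vpn.netmask}",  # VPN Address pool
    ]
    if settings["client_to_client"]:
        lines.append("client-to-client")                # clients may reach each other
    if settings["redirect_gateway"]:
        lines.append('push "redirect-gateway def1"')    # all client traffic via tunnel
    for ns in settings["name_servers"]:
        lines.append(f'push "dhcp-option DNS {ns}"')    # First/Second Name Server
    lines.append(f'push "dhcp-option DOMAIN {domain}"')  # Search domain
    for net in settings["advertised_networks"]:          # Advertised networks (step 9)
        n = ipaddress.ip_network(net)
        lines.append(f'push "route {n.network_address} {n.netmask}"')
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_server_conf(VPN_SETTINGS))
```

Running the block prints the directive list; changing an advertised network to something inside 10.10.10.0/24 makes `render_server_conf` raise instead, which is the mistake item 2 of step 8 warns about.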

10. After all VPN server settings are made, click the upper Save Changes button to apply them.

Step 3: Open Firewall Ports

11. Before you can open the firewall to OpenVPN traffic, the service must first be defined in the Zentyal Firewall. Navigate to Network -> Services -> Add New.

Open VPN Port on Firewall

12. Enter a descriptive name for this service that reminds you it is configured for OpenVPN, add a Description, then click Add.

Add New VPN Service in Zentyal

13. After your new service appears in the Services list, click its Configuration button to edit the settings, then click Add New on the next screen.

Configure New VPN Service

14. Use the following settings for the VPN service configuration and, when you're done, click Add.

  1. Protocol = UDP (if you selected TCP in the VPN server configuration, make sure you add a service here with the same port on TCP).
  2. Source Port = Any.
  3. Destination Port = 1194.
Add a New VPN Service
List of Services

15. After you have added the required services, click the upper Save Changes button to apply the settings.

16. Now it's time to open the Zentyal Firewall for OpenVPN connections. Go to Firewall -> Packet Filter -> Filtering rules from internal networks to Zentyal -> Configure Rules and click Add New.

Configure Rules on Zentyal Firewall
Add New Rules on Firewall

17. In the new rule, make the following settings and, when finished, click Add.

  1. Decision = Accept
  2. Source = Any
  3. Service = the VPN service you just configured
Enter New Rules

18. Repeat the same steps for Filtering rules from external networks to Zentyal, then save and apply the changes by clicking the upper Save Changes button.

Your OpenVPN server is now fully configured and Zentyal can receive secure connections through SSL tunnels from internal or external OpenVPN clients; the only thing left to do is to configure the Windows OpenVPN clients.

Step 4: Configure OpenVPN clients on Windows

19. Besides the configuration file, server certificate and key that a VPN client needs, Zentyal OpenVPN also provides the software required for Windows machines to authenticate to the VPN server. To download the OpenVPN software and the client configuration files (keys and certificates), navigate again to Infrastructure -> VPN -> Servers and click the Download Client Bundle button of the server you want to access.

Download Client Bundle

20. On the Download Client Bundle page of your server, use the following settings for a Windows machine, then download the client package.

  1. Client Type = Windows (you can also choose Linux or Mac OS X)
  2. Client's Certificate = Zentyal
  3. Check Add OpenVPN installer to bundle (this includes the OpenVPN software installer)
  4. Connection Strategy = Random
  5. Server Address = Zentyal's public Internet IP address (or a valid DNS host name)
  6. Additional Server Address = only if you have another public IP address
  7. Second Additional Server Address = same as Additional Server Address
Configure Client Bundle for Windows
Download OpenVPN Client for Windows

21. After the Client Bundle has been downloaded, or transferred to your remote Windows machines using a secure procedure, extract the zip archive, install the OpenVPN software and make sure you also install the Windows TAP drivers.

Install OpenVPN Client on Windows
Choose OpenVPN Components
Click on Install OpenVPN

22. After the OpenVPN software installs successfully on Windows, copy all certificates, keys and the client configuration file from the extracted archive to the following location.

For 32-bit Windows: C:\Program Files\OpenVPN\config\
For 64-bit Windows: C:\Program Files (x86)\OpenVPN\config\
Copy Certificates, Keys & Client
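Before the files from steps 20 and 22 go into the config directory it is worth checking that the client configuration is consistent with the server you built: the referenced certificate and key files are present, the protocol and port match steps 8 and 14, the Random connection strategy is reflected as `remote-random`, and the client verifies that the peer it connects to holds a server certificate (`remote-cert-tls server`, or `ns-cert-type server` in older bundles) rather than any certificate issued by the same CA. The Python below is an added example, not part of the tutorial or of the bundle Zentyal generates; the sample `.ovpn` contents, host names and file names are constructed assumptions.

```python
import shlex

# Constructed sample of a client bundle's .ovpn file; not a Zentyal-generated file.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
remote 203.0.113.10 1194
remote-random
ca ca.crt
cert zentyal.crt
key zentyal.key
remote-cert-tls server
verb 3
"""

# Values chosen in steps 8 and 14 of the tutorial
SERVER_PROTO = "udp"
SERVER_PORT = 1194


def parse_ovpn(text):
    """Parse an OpenVPN config into (directive, [args]) pairs, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def check_client_config(text, config_dir_files):
    """Return a list of problems found in a client .ovpn; empty when it looks right.

    config_dir_files: names of the files placed next to the .ovpn (step 22).
    """
    entries = parse_ovpn(text)
    directives = {d for d, _ in entries}
    problems = []

    if "client" not in directives:
        problems.append("missing 'client' directive")

    for d, args in entries:
        # Files the bundle must ship and that step 22 copies into config\
        if d in ("ca", "cert", "key") and args and args[0] not in config_dir_files:
            problems.append(f"{d} file {args[0]} not found in config directory")
        # Protocol and port must match the server and the firewall service
        if d == "proto" and args and args[0] != SERVER_PROTO:
            problems.append(f"proto {args[0]} does not match server proto {SERVER_PROTO}")
        if d == "remote" and len(args) >= 2 and int(args[1]) != SERVER_PORT:
            problems.append(f"remote {args[0]} uses port {args[1]}, server listens on {SERVER_PORT}")

    # Connection Strategy = Random (step 20) shows up as 'remote-random'
    remotes = [args for d, args in entries if d == "remote"]
    if len(remotes) > 1 and "remote-random" not in directives:
        problems.append("several remote entries but no 'remote-random'")

    # Without a server-certificate check the client would accept any certificate
    # issued by the CA, including another client's, as the server's
    has_server_check = any(
        d in ("remote-cert-tls", "ns-cert-type") and args == ["server"]
        for d, args in entries
    )
    if not has_server_check:
        problems.append("no 'remote-cert-tls server': server certificate not verified")
    return problems


if __name__ == "__main__":
    present = {"ca.crt", "zentyal.crt", "zentyal.key", "zentyal.ovpn"}
    for problem in check_client_config(SAMPLE_OVPN, present) or ["configuration looks consistent"]:
        print(problem)
```

The set passed as `config_dir_files` stands in for a directory listing of `C:\Program Files\OpenVPN\config\`; in practice it would come from `os.listdir` on that path.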

23. Click the OpenVPN GUI desktop icon to start the program, then go to the OpenVPN icon in the taskbar and click Connect.

Connect to OpenVPN GUI

24. A pop-up window with your connection log should appear on your desktop, and once the connection is established on both tunnel endpoints a notification bubble will inform you of this and show your VPN IP address.

OpenVPN Connect Confirmation

25. Now you can test the connection by pinging the Zentyal VPN server address, or by opening a browser and entering your domain name or the VPN server address in the URL bar.

Verify VPN Connection
Login to Zentyal PDC Web

Your remote Windows station now accesses the Internet through the Zentyal VPN server (you can check your Windows public IP address and see that it has changed to Zentyal's IP), and all traffic between Windows and Zentyal is encrypted between the two tunnel endpoints; you can verify the path by running a tracert command from your machine to any Internet IP address or domain.

OpenVPN offers a controlled, safe solution for road warriors and remote users to access your internal company network resources; it is free of cost, easy to set up and runs on all major OS platforms.


Matei Cezar
I'm a computer-addicted guy, a fan of open source and Linux-based system software, with about 4 years of experience with Linux distributions on desktops and servers, and bash scripting.


14 Comments

  1. Hi Matei, good afternoon.

    Very helpful tutorial, but do you know how to have this VPN for Android clients?

    Thanks for your help.
  2. Hi,

    I have been using the pfSense OpenVPN server; in pfSense I can create a user-based certificate, which is required on the client machine for authentication.

    Can the same be achieved in Zentyal? Because here, if my certificate is stolen, anyone can log in to the server, while in pfSense I can reset or revoke the user's certificate so that he can no longer get access to the server.

    I am thinking of shifting to Zentyal because the Zentyal package contains Windows AD as well as a firewall. I just needed to clear up the above-mentioned thing, so I hope you can help me with this.

    Thanks & Regards,
    Manthan Patel.
  3. Hi,

    When I connect to the OpenVPN server I am unable to browse, and the connection fails when I am browsing. Kindly assist me; waiting for your reply.
    Thanks
  4. Hello, Mr. Cezar!

    Your tutorial is one of the best tutorials about Zentyal VPN settings, in my opinion, but I have a problem. After connecting to the VPN (the connection is successful) I need to connect to my work notebook via RDP in the 172.16.224.0/24 subnet.

    What should I do?
    I have: 2 network cards (wan, lan), lan ip 172.16.234.1 /25 mask

    VPN Server is configured with ip 172.16.234.128 /25 mask

    After connecting to the VPN, the command "ipconfig" shows me 172.16.234.131, 132 etc.

    In the VPN Server I advertised the 172.16.234.0/24 subnet and the 172.16.224.0/24 subnet.

    Thanks, hope you can help)

    Best regards,
    Stanislav
    • As long as Allow client-to-client connections is enabled in the OpenVPN server you should be able to access any host from the internal LAN. Check if those two LAN networks directly attached to your machine, as I understand (except the OpenVPN network), can see each other, meaning a router actually forwards packets from one network to the other.

      What I am actually saying: with no VPN whatsoever connected, from the 172.16.234.1/25 network can you reach the 172.16.224.0/24 network (ping a host)? If that is true on your LAN and on the VPN server side, then any connected VPN client should be able to reach both networks.
  5. Hello, excuse my English Matei.
    I am trying to configure a VPN in Zentyal 3.5 between offices. I have followed this guide, but I cannot ping from my office.

    Network 1
    eth0 public IP
    eth1 192.168.0.1
    VPN subnet 192.168.161.0/255.255.255.0
    tap2
    Address of the VPN interface 192.168.161.1/24

    Network 2
    network 1
    eth0 DHCP (192.168.0.14)
    eth1 192.168.5.1
    VPN subnet 192.168.161.0/255.255.255.0
    tap2
    Address of the VPN interface 192.168.161.1/24

    Additionally, I configured the rules in the firewall and the advertised networks. I appreciate any help you can give me.
  6. Hello Mr. Cezar,

    Thanks so much for the great tutorials. I have learned a lot from them.
    Will you be doing a tutorial about OpenChange any time soon?

    Thanks again and best wishes.

    Yum
  7. After reading your posts, these Zentyal tutorials are really easy to perform in VM environments.

    Looking forward to these posts.

    1: How to integrate with LDAP?
    After integration I want to bind LDAP with my firewall for website restriction.

    Is there any other way to restrict specific users to allow only a few websites / block websites?
