How to Install and Configure OpenVPN Server on Zentyal 3.4 PDC – Part 12

OpenVPN is a free and open source program based on the Secure Socket Layer (SSL) protocol that creates Virtual Private Networks. It is designed to offer secure connections to your central organization network over the Internet, independent of the platform or operating system you use, and is as universal as possible (it runs on Linux, UNIX, Windows, Mac OS X and Android). It can also run as client and server at the same time, creating an encrypted virtual tunnel between endpoints based on cryptographic keys and certificates, using TAP/TUN devices.

Install OpenVPN in Zentyal

This tutorial guides you through installing and configuring OpenVPN Server on Zentyal 3.4 PDC so that you can access your domain securely from Internet locations outside your Local Network, using OpenVPN clients on Windows based machines.

Requirements

  1. The previous guide in this series: Zentyal 3.4 as a PDC Install Guide

Step 1: Install OpenVPN Server

1. Log on to the Zentyal 3.4 Web Administration Tool by pointing the browser to the Zentyal IP address or domain name (https://domain_name).

2. Go to Software Management -> Zentyal Components, choose VPN Service and hit on Install button.

Install VPN Service in Zentyal

3. After the OpenVPN package successfully installs, navigate to Module Status and check VPN to enable the module.

Enable OpenVPN in Zentyal

4. Accept the new pop-up, which lets you review the system modifications, then go to the top of the page and hit Save Changes to apply the new settings.

Save System Changes

Step 2: Configure OpenVPN Server

5. Now it’s time to configure the Zentyal OpenVPN Server. Navigate to Infrastructure -> VPN -> Servers, then click on Add New.

Configure Zentyal OpenVPN Server

Add New VPN Server in Zentyal

6. Choose a descriptive name for your VPN server, check Enabled and hit Add.

Enter New VPN Name

7. The newly created VPN server should appear in the Servers list, so hit the Configuration button to set up this service.

Setup VPN Server

8. Edit the Server configuration with the following settings and, when you finish, hit Change.

  1. Server Port = UDP protocol, Port 1194 – the default OpenVPN protocol and port (UDP is faster than TCP because it is connectionless).
  2. VPN Address = 10.10.10.0/24 – here you can choose whatever private network address space you like, but make sure your system does not already use the same network address space.
  3. Server Certificate = your server name certificate – when you first add a new VPN server, a certificate is automatically issued with your VPN Server name.
  4. Client authorization by common name = Zentyal (self-explanatory).
  5. Check TUN interface – simulates a network layer device and operates at layer 3 of the OSI model (if not checked, a TAP type interface is used, similar to a layer 2 bridge).
  6. Check Network Address Translation – self-explanatory.
  7. Check Allow client-to-client connections – from remote endpoints you can see the other machines that reside on your Local Network.
  8. Interface to listen on = select All network interfaces.
  9. Check Redirect Gateway – self-explanatory.
  10. First and Second Name Servers = add your Zentyal Name Servers' IPs.
  11. Search domain = add your domain name.

VPN Server Configuration

VPN Server Configuration Details

9. If you have defined other internal networks that Zentyal knows about in Network -> Objects, click on the Advertised networks field, then select and add your internal networks.

Add New Internal Network

List of VPN Servers

List of Advertised Networks

10. After all configuration changes are made to the VPN Server, hit the upper Save Changes button to apply the new settings.
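
To make clear what the GUI choices in steps 8 and 9 actually mean to OpenVPN, here is the set of server directives they correspond to. This is an added example, not the configuration file Zentyal generates; the LAN range 192.168.1.0/24, the name server 192.168.1.1, the search domain example.lan and the certificate paths are assumed values, and the verify-x509-name directive assumes OpenVPN 2.3 or later.

```conf
# Added example: OpenVPN server directives equivalent to the Zentyal
# settings of steps 8 and 9. Not the file Zentyal writes; values marked
# "assumed" are placeholders for this illustration.

port 1194                         # Server Port
proto udp                         # UDP protocol (use "proto tcp" if TCP was chosen)
dev tun                           # TUN interface, layer 3; "dev tap" would be layer 2
# No "local" directive: listen on all network interfaces

# VPN Address = 10.10.10.0/24. The server takes 10.10.10.1 and hands
# out addresses from the rest of the range to connecting clients.
server 10.10.10.0 255.255.255.0

# Server Certificate: CA plus the certificate/key issued for the VPN
# server name (assumed paths).
ca   /path/to/ca-cert.pem
cert /path/to/vpn-server-name-cert.pem
key  /path/to/vpn-server-name-key.pem
dh   /path/to/dh.pem

# Client authorization by common name = Zentyal: only accept client
# certificates whose CN starts with that prefix (OpenVPN 2.3+ syntax).
verify-x509-name Zentyal name-prefix

# Allow client-to-client connections: let VPN clients reach each other.
client-to-client

# Redirect Gateway: clients send all their traffic through the tunnel.
push "redirect-gateway def1"

# First Name Server and Search domain handed to clients (assumed values).
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN example.lan"

# Advertised networks (step 9): one route per internal network so
# clients know to reach the LAN through the tunnel (assumed LAN range).
push "route 192.168.1.0 255.255.255.0"

# Network Address Translation is not an OpenVPN directive: it is a
# masquerade rule in the firewall for the 10.10.10.0/24 range.

keepalive 10 120                  # detect dead tunnels
persist-key
persist-tun
```

The one setting with no directive here is NAT, which lives in the firewall rather than in the OpenVPN process.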

Step 3: Open Firewall Ports

11. Before actually opening the firewall to OpenVPN traffic, the service must first be defined in the Zentyal Firewall. Navigate to Network -> Services -> Add New.

Open VPN Port on Firewall

12. Enter a descriptive name for this service, to remind you that it is configured for OpenVPN, choose a Description, then hit Add.

Add New VPN Service in Zentyal

13. After your new service appears in the Services list, hit the Configuration button to edit its settings, then hit Add New on the next screen.

Configure New VPN Service

14. Use the following settings in the VPN service configuration and, when you’re done, hit Add.

  1. Protocol = UDP (if you selected the TCP protocol in the VPN Server configuration, make sure you add a new service here with the same port on TCP).
  2. Source Port = Any.
  3. Destination Port = 1194.

Add a New VPN Service

List of Services

15. After you have added the required services, click the upper Save Changes button to apply the settings.

16. Now it’s time to open the Zentyal Firewall for OpenVPN connections. Go to Firewall -> Packet Filter -> Filtering rules from Internal Networks to Zentyal -> Configure Rules and hit Add New.

Configure Rules on Zentyal Firewall

Add New Rules on Firewall

17. On the new rule use the following settings and, when you have finished, hit Add.

  1. Decision = Accept
  2. Source = Any
  3. Service = the VPN service you just configured

Enter New Rules

18. Repeat the same steps under Filtering rules from External Networks to Zentyal, then save and apply the changes by hitting the upper Save Changes button.

Now your OpenVPN Server is fully configured and Zentyal can receive secure connections through SSL tunnels from internal or external OpenVPN clients. The only thing remaining is to configure the Windows OpenVPN clients.

Step 4: Configure OpenVPN clients on Windows

19. Besides the configuration file, server certificate and key that a VPN client needs, Zentyal OpenVPN also offers the software necessary for Windows based machines to authenticate to the VPN Server. To download the OpenVPN software and the client configuration files (keys and certificates), navigate again to Infrastructure -> VPN -> Servers and click the Download Client Bundle button of the server you want to access.

Download Client Bundle

20. On the Download Client Bundle page of your server, use the following settings for a Windows machine, then download the client package.

  1. Client Type = Windows (you can also choose Linux or Mac OS X)
  2. Client’s Certificate = Zentyal
  3. Check Add OpenVPN installer to bundle (this includes the OpenVPN software installer)
  4. Connection Strategy = Random
  5. Server Address = Zentyal public Internet IP address (or a valid DNS host name)
  6. Additional Server Address = only if you have another public IP address
  7. Second Additional Server Address = same as Additional Server Address

Configure Client Bundle for Windows

Download OpenVPN Client for Windows

21. After the Client Bundle is downloaded, or transferred to your remote Windows machines using a secure procedure, extract the zip archive and install the OpenVPN software, making sure you also install the Windows TAP drivers.

Install OpenVPN Client on Windows

Choose OpenVPN Components

Click on Install OpenVPN

22. After the OpenVPN software successfully installs on Windows, copy all certificates, keys and the client configuration file from the extracted archive to the following location.

  1. For 32-bit Windows: C:\Program Files\OpenVPN\config\
  2. For 64-bit Windows: C:\Program Files (x86)\OpenVPN\config\

Copy Certificates, Keys & Client

23. Click on your OpenVPN GUI desktop icon to start the program, then go to the OpenVPN icon in the taskbar, right-click it and hit Connect.

Connect to OpenVPN GUI

24. A pop-up window with your connection log should appear on your desktop and, after the connection is successfully established on both tunnel endpoints, a notification bubble will inform you of this and show your VPN IP address.

OpenVPN Connect Confirmation

25. Now you can test your connection by pinging the Zentyal VPN Server address, or by opening a browser and entering your domain name or the VPN Server address in the URL bar.

Verify VPN Connection

Login to Zentyal PDC Web

Your remote Windows station now accesses the Internet through the Zentyal VPN Server (check your Windows public IP address and you will see it has changed to the Zentyal IP), and all traffic between Windows and Zentyal is encrypted at both tunnel ends, a fact you can check by running a tracert command from your machine against any Internet IP address or domain.

OpenVPN offers a controlled, safe solution for road warriors and remote users to access your internal company network resources; it is free of cost, easy to set up and runs on all major OS platforms.


Matei Cezar

I'm a computer-addicted guy, a fan of open source and Linux-based system software, with about 4 years of experience with Linux distributions on desktops and servers and with bash scripting.


12 Responses

  1. Renato Fonseca says:

    Hi Matei, good afternoon.

    Very helpful tutorial, but do you know how to have this VPN for Android clients?

    Thanks for your help.

  2. Manthan Patel says:

    Hi,

    I have been using the pfSense OpenVPN server; in pfSense I can create a user-based certificate which is required on the client machine for authentication.

    Can the same be achieved in Zentyal? Because here, if my certificate has been stolen, anyone can log in to the server, while in pfSense I can reset or revoke the user’s certificate so that he can no longer get access to the server.

    I am thinking of shifting to Zentyal because the Zentyal package contains Windows AD as well as a Firewall. I just needed to clear up the above-mentioned thing, so I hope you can help me with this.

    Thanks & Regards,
    Manthan Patel.

  3. sravan kiran says:

    Hi,

    When I connect to the OpenVPN server I am unable to browse, and the connection fails when I am browsing. Kindly assist me; waiting for your reply.
    Thanks

  4. Stanislav says:

    Hello, Mr. Cezar!

    Your tutorial is one of the best tutorials about Zentyal VPN settings, in my opinion, but I have a problem. After connecting to the VPN (the connection is successful) I need to connect to my work notebook via RDP in the 172.16.224.0/24 subnet.

    What should I do?
    I have: 2 network cards (wan, lan), lan ip 172.16.234.1 /25 mask

    VPN Server is configured with ip 172.16.234.128 /25 mask

    After connecting to the VPN the command “ipconfig” shows me 172.16.234.131, 132 etc.

    In the VPN Server I advertised the 172.16.234.0/24 subnet and the 172.16.224.0/24 subnet.

    Thanks, Hope you can help)

    Best regards,
    Stanislav

    • Matei Cezar says:

      As long as Allow client-to-client connections is enabled in the OpenVPN server you should be able to access any host from the internal LAN. Check if those two LAN networks directly attached to your machine, as I understand it (except the OpenVPN network), can see each other, meaning a router actually forwards packets from one network to the other.

      What I am actually saying: with no VPN whatsoever connected, from 172.16.234.1/25 network can you reach 172.16.224.0/24 network (ping a host)? If that is true on your LAN and on VPN server side, then any connected VPN client should be able to reach both networks.

  5. Nitin says:

    I have installed the VPN but not the clients.

  6. Jorge Enrique Muñoz says:

    Hello, excuse my English Matei.
    I am trying to configure an inter-office VPN in Zentyal 3.5. I have been guided by this guide but I cannot ping from my office.

    network 1
    eth0 public IP
    eth1 192.168.0.1
    VPN subnet 192.168.161.0/255.255.255.0
    tap2
    Address of the VPN interface 192.168.161.1/24

    Network 2
    network 1
    eth0 DHCP (192.168.0.14)
    eth1 192.168.5.1
    VPN subnet 192.168.161.0/255.255.255.0
    tap2
    Address of the VPN interface 192.168.161.1/24

    Additionally I configured the rules in the firewall and the advertised networks. I appreciate any help you can give me.

  7. Matei Cezar says:

    @Yum Kaax: I think I will …..!

  8. Yum Kaax says:

    Hello Mr. Cezar,

    thanks so much for the great tutorials. I have learned a lot from them.
    Will you be doing a tutorial about Openchange any time soon?

    Thanks again and best wishes.

    Yum

  9. Shankar M says:

    After reading your posts, these Zentyal tutorials are really easy to perform in VM environments.

    Looking forward to these posts.

    1: How to integrate with LDAP?
    After integration I want to bind the LDAP with my Firewall for website restriction.

    Is there any other way to restrict specific users to allowing only a few websites / blocking websites?
