Virtual private network (VPN) service

Introduction to the virtual private networks (VPN)

Zentyal integrates OpenVPN [2] to configure and manage virtual private networks. OpenVPN has the following advantages:

  • Authentication using a public key infrastructure.
  • SSL-based encryption technology.
  • Clients available for Windows, Mac OS and Linux.
  • Easier to install, configure and maintain than IPSec, another open source VPN alternative.
  • Allows network applications to be used transparently.

[2] http://openvpn.net/

Configuration of a VPN server with Zentyal

Zentyal can be configured to support remote clients (known as road warriors). This means a Zentyal server acting as a gateway and VPN server with a local area network (LAN) behind, allowing external clients (the road warriors) to connect to the local network via VPN service.

The following figure illustrates this scenario:

Figure: Zentyal and remote VPN clients

The goal is to connect the data server with two other remote clients (a sales person and the CEO), and also to connect the remote clients among themselves.

Therefore, you need to create a Certification Authority and certificates for the remote clients. Note that you also need a certificate for the VPN server. However, Zentyal will create this certificate automatically when you create a new VPN server. In this scenario, Zentyal acts as a Certification Authority.

Once you have the certificates, you should configure the Zentyal VPN server by selecting Create a new server. The only value you need to enter to create a new server is the name. Zentyal makes the task of creating a VPN server easy as it sets values automatically.

The following configuration parameters are added automatically and can be changed if necessary: port/protocol, certificate (Zentyal will create one automatically using the VPN server name) and network address. The VPN network addresses are assigned both to the server and to the clients. If you need to change the network address, you must make sure that it does not conflict with any local network. In addition, the local networks, i.e. the networks connected directly to the network interfaces of the host, are advertised automatically through the private network.

As you can see, the VPN server will be listening on all external interfaces. Therefore, you must set at least one of your interfaces as external at Network ‣ Interfaces. In this scenario only two interfaces are required, one internal for LAN and one external for Internet.

If you want the clients to be able to connect among themselves by using their VPN addresses, you must enable the option Allow connections among clients.

You can leave the rest of the configuration options with their default values.

Figure (02-vpn-server.png): VPN server configuration

After having created the VPN server, you must enable the service and save the changes. Later you must check in Dashboard that the VPN server is running.

After this, you must advertise networks, i.e. routes between VPN networks and between VPN networks and other networks known to your server. These networks will be accessible to authorized VPN clients. Keep in mind that Zentyal will advertise all internal networks automatically; you can add or remove routes as needed. In this scenario a local network will be added automatically so that client number 3 is visible to the two other clients.
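The two constraints described above, that the VPN address pool must not overlap any local network and that the advertised route list is the automatically detected internal networks plus or minus the administrator's own changes, are easy to get wrong by hand. The following Python script is an added example (it is not Zentyal code and does not read Zentyal's configuration); the VPN pool, local networks and extra routes are constructed sample values. It builds the advertised route list and rejects a pool that overlaps any network reachable through the tunnel.

```python
import ipaddress

# Constructed sample values for this example (not taken from a Zentyal install):
# the VPN address pool assigned to the server and its road-warrior clients,
# the networks attached directly to the host's interfaces (advertised
# automatically), and extra routes the administrator adds by hand.
VPN_NETWORK = "192.168.160.0/24"
LOCAL_NETWORKS = ["192.168.1.0/24", "10.0.0.0/24"]
EXTRA_ADVERTISED = ["172.16.5.0/24"]


def find_conflicts(vpn_network, networks):
    """Return the networks that overlap the VPN address pool.

    An overlap means a client's VPN address could shadow a real LAN host,
    which is why the pool must be disjoint from every local network.
    """
    vpn = ipaddress.ip_network(vpn_network, strict=False)
    return [n for n in networks
            if ipaddress.ip_network(n, strict=False).overlaps(vpn)]


def advertised_routes(local_networks, extra_networks, removed=()):
    """Build the route list the server will push to its clients.

    Internal networks are advertised automatically; the administrator may add
    or remove routes. Networks are returned as normalised strings with
    duplicates collapsed and removed entries filtered out.
    """
    seen = {}
    for n in list(local_networks) + list(extra_networks):
        net = ipaddress.ip_network(n, strict=False)
        seen[str(net)] = net
    for n in removed:
        seen.pop(str(ipaddress.ip_network(n, strict=False)), None)
    # Sort IPv4 before IPv6, then by address; comparing across versions fails.
    return sorted(seen, key=lambda s: (seen[s].version, seen[s]))


def check_server(vpn_network, local_networks, extra_networks, removed=()):
    """Validate a server definition: the VPN pool must not overlap any
    network that will be reachable through the tunnel."""
    routes = advertised_routes(local_networks, extra_networks, removed)
    conflicts = find_conflicts(vpn_network, routes)
    return {"ok": not conflicts, "routes": routes, "conflicts": conflicts}


if __name__ == "__main__":
    print(check_server(VPN_NETWORK, LOCAL_NETWORKS, EXTRA_ADVERTISED))
    # A pool carved out of an existing LAN is rejected:
    print(check_server("192.168.1.128/25", LOCAL_NETWORKS, EXTRA_ADVERTISED))
```

Run it with the sample values and the first check passes while the second reports `192.168.1.0/24` as the conflicting network; swap in your own pool and interface networks to check a planned change before saving it.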

Once you have done this, it is time to configure the clients. The easiest way to configure a VPN client is by using the Zentyal bundles: installation packages that include the VPN configuration file specific to each user and, optionally, an installation program. These are available in the table at VPN ‣ Servers, by clicking the icon in the column Download client bundle. You can create bundles for Windows, Mac OS and Linux clients. When you create a bundle, you select the certificates that will be given to the clients and set the external IP addresses to which the VPN clients must connect. Moreover, if the selected system is Windows, you can also add the OpenVPN installer. The Zentyal administrator then delivers the configuration bundles to the clients by whatever means are most appropriate.

Figure (03-vpn-client.png): Download client bundle

A bundle includes the configuration file and the necessary files to start a VPN connection.
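Before handing a bundle to a user it is worth checking that the configuration file it contains actually carries what a certificate-authenticated road-warrior connection needs. The following Python script is an added example, not Zentyal code and not Zentyal's bundle format; the configuration text is a constructed sample of an OpenVPN client file, and the `remote-cert-tls server` check is a recommended hardening the script looks for, not something the page attributes to the bundle. It parses the file, including inline `<ca>` style blocks, and reports what is missing.

```python
import re

# Constructed sample of an OpenVPN client configuration (example content,
# not a real Zentyal bundle). File names and addresses are placeholders.
SAMPLE_CONF = """\
# road-warrior client for the 'sales' user (constructed sample)
client
dev tap
proto tcp
remote 203.0.113.10 1194
remote 198.51.100.7 1194
ca cacert.pem
cert sales.pem
key sales.pem
remote-cert-tls server
comp-lzo
"""


def parse_openvpn_conf(text):
    """Return a list of (directive, [args]) tuples from an OpenVPN config.

    Blank lines and '#'/';' comments are skipped. Inline blocks such as
    <ca> ... </ca> are collected as one directive whose single argument is
    the block body, so a bundle that embeds its PEM files parses too.
    """
    directives = []
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<(\w[\w-]*)>", line)
        if m:
            name, body = m.group(1), []
            for inner in lines:          # consume until the matching close tag
                if inner.strip() == f"</{name}>":
                    break
                body.append(inner)
            directives.append((name, ["\n".join(body)]))
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def inspect_client_conf(text):
    """Check that a client config carries what a road-warrior needs.

    Returns a dict; 'problems' is empty for a usable, PKI-authenticated file.
    """
    d = parse_openvpn_conf(text)
    names = {name for name, _ in d}
    remotes = [args for name, args in d if name == "remote"]
    problems = []
    if "client" not in names:
        problems.append("missing 'client' directive")
    if not remotes:
        problems.append("no 'remote' (server address) given")
    for args in remotes:
        if len(args) < 2 or not args[1].isdigit():
            problems.append(f"remote {' '.join(args)!r} lacks a numeric port")
    # The page's model is certificate-based login: CA, client cert and key.
    for needed in ("ca", "cert", "key"):
        if needed not in names:
            problems.append(f"missing '{needed}': certificate-based login impossible")
    # Assumption (recommended practice, not claimed of the Zentyal bundle):
    # refuse a peer that presents a client certificate in the server role.
    if ("remote-cert-tls", ["server"]) not in d:
        problems.append("no 'remote-cert-tls server': server role not verified")
    return {
        "remotes": [(a[0], int(a[1])) for a in remotes
                    if len(a) >= 2 and a[1].isdigit()],
        # OpenVPN defaults to UDP when 'proto' is absent.
        "proto": next((a[0] for n, a in d if n == "proto" and a), "udp"),
        "problems": problems,
    }


if __name__ == "__main__":
    print(inspect_client_conf(SAMPLE_CONF))
```

The `remotes` list is what the bundle's "external IP addresses" setting becomes in the file, so it is the quickest way to confirm that a user was given the right server endpoints.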

You now have access to the data server from both remote clients. If you want to use the local Zentyal DNS service through the private network, you need to configure these clients to use Zentyal as name server. Otherwise, it won’t be possible to access services of the hosts in the LAN by name, but only by IP address. Also, to browse shared files from the VPN [3] you must explicitly allow the broadcast traffic of the Samba server.

[3] For additional information about file sharing, see the section File sharing and authentication service.

You can see the users currently connected to the VPN service in the Zentyal Dashboard.

If you want to have a VPN server that is not the gateway of the local network, i.e. the host does not have any external interfaces, then you need to use Port redirection with Zentyal. As this is one of the firewall options, you must make sure that the firewall module is enabled, otherwise you cannot enable this option. With this option, the VPN server will act on behalf of the VPN clients within the local network. In reality, it will act on behalf of all the advertised networks in order to ensure that it receives all the response packets that it will later forward through the private network to its clients. This is best explained by the following image:

Figure: Connection from a VPN client to the LAN with VPN by using NAT

Configuration of a VPN server for interconnecting networks with Zentyal

In this scenario you have two offices in different networks that need to be connected via a private network. To do this, you will use Zentyal as a gateway in both networks. One will act as a VPN client and the other as a server. The following image clarifies the situation:

Figure: Zentyal as VPN server vs. Zentyal as a VPN client

The goal is to connect the client 1 on the LAN 1 with the client 2 on the LAN 2 as if they were in the same local network. Therefore, you must configure a VPN server as explained before.

However, you need to make two small changes. First, enable Allow Zentyal-to-Zentyal tunnels to exchange routes between Zentyal servers. Then, enter a Password for Zentyal-to-Zentyal tunnels so that the connection between the two offices is established in a safer environment. Bear in mind that you must advertise the LAN 1 network in Advertised networks.

You can configure Zentyal as a VPN client at VPN ‣ Clients. You must give the client a name and enable the service. You can configure the client manually or automatically by using the bundle provided by the VPN server. If you do not use the bundle, you must enter the IP address and the protocol and port on which the server is accepting requests. The tunnel password and the certificates used by the client will also be required. These certificates must have been created by the same certification authority that the server uses.

Figure (04-vpn-eBox-client.png): Client configuration

When you save the changes, the Dashboard shows a new OpenVPN daemon in LAN 2 running as a client, with its connection target being the other Zentyal within LAN 1.

Figure (05-vpn-dashboard.png): Dashboard of a Zentyal server configured as a VPN client

When the connection is complete, the host with the server role has access to all routes of the client hosts through the VPN. However, the hosts with client roles will only have access to those routes the server has explicitly advertised.
