How to Install and Configure OpenVPN Server on Zentyal 3.4 PDC?
OpenVPN is a popular open-source VPN solution that provides secure remote access to network resources. Zentyal 3.4 is a Linux-based server platform designed for small and medium-sized businesses. This guide explains how to install and configure an OpenVPN server on a Zentyal 3.4 Primary Domain Controller (PDC).
Step 1: Install OpenVPN
First, update the system and install OpenVPN on your Zentyal server:
sudo apt-get update
sudo apt-get install openvpn
Step 2: Generate Certificates and Keys
OpenVPN uses Public Key Infrastructure (PKI) for authentication. Generate the required certificates and keys using the EasyRSA scripts. The easy-rsa 2.0 scripts read their settings from environment variables defined in the vars file, so run them from a root shell after sourcing vars:
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
sudo -s
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
exit
These commands load the easy-rsa settings, clean existing keys, generate the Certificate Authority (CA), create the server certificate and key, and build Diffie-Hellman parameters for secure key exchange.
Step 3: Configure OpenVPN Server
Copy the certificates to the OpenVPN directory and create the server configuration file:
sudo mkdir -p /etc/openvpn/keys
sudo cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/{ca.crt,server.crt,server.key,dh1024.pem} /etc/openvpn/keys/
sudo nano /etc/openvpn/server.conf
Add the following configuration to server.conf:
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Step 4: Configure Firewall
Enable the firewall and allow OpenVPN traffic through UDP port 1194:
sudo ufw allow 1194/udp
sudo ufw enable
Step 5: Enable IP Forwarding
Enable IP forwarding to allow VPN clients to access network resources:
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Step 6: Start OpenVPN Service
Start and enable the OpenVPN service:
sudo service openvpn start
sudo update-rc.d openvpn defaults
Step 7: Generate Client Certificates
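Generate certificates for VPN clients. The easy-rsa scripts need the variables from the vars file, so source it in the same shell that runs build-key:
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
sudo bash -c 'source ./vars && ./build-key client1'
Clients require these files for authentication:
- ca.crt: Certificate Authority file
- client1.crt: Client certificate
- client1.key: Client private key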
Configuration Parameters Explained
| Parameter | Description |
|---|---|
| port 1194 | Default OpenVPN listening port |
| proto udp | Use UDP protocol for better performance |
| dev tun | Create a routed IP tunnel |
| server 10.8.0.0 255.255.255.0 | VPN client IP address pool |
| keepalive 10 120 | Send ping every 10s, timeout after 120s |
| comp-lzo | Enable compression to reduce bandwidth |
Security Best Practices
Enhance OpenVPN security by implementing these measures.
Restrict Access by IP
Configure firewall rules to allow connections only from specific IP ranges using Zentyal's web interface under Security → Firewall.
Enable Two-Factor Authentication
Add 2FA support by installing authentication plugins and updating the server configuration:
auth-user-pass-optional
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
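The script below is an added example, not part of the original guide: it reads a server.conf on stdin and flags the settings from Step 3 that a hardening review would question (1024-bit DH parameters, comp-lzo, no tls-auth key, no explicit cipher, no privilege drop), plus auth-user-pass-optional from the 2FA snippet. The function names, finding IDs and the dh filename heuristic are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the guide): flag weak directives in an OpenVPN
# server.conf read from stdin. Finding IDs and messages are this example's own.

# Constructed sample: the Step 3 server.conf, one directive per line.
GUIDE_CONF='port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3'

# has REGEX: true if any normalised config line in $conf matches REGEX.
has() { printf '%s\n' "$conf" | grep -Eq "$1"; }

audit_openvpn_conf() {
    # Drop # and ; comments, collapse whitespace, skip empty lines.
    conf=$(awk '{ sub(/[#;].*/, "") } NF { $1 = $1; print }')
    if has '^dh .*1024'; then    # filename heuristic (assumption)
        echo 'weak-dh: 1024-bit DH parameters; regenerate with at least 2048 bits'
    fi
    if has '^comp-lzo( (yes|adaptive))?$'; then
        echo 'compression: compress-then-encrypt leaks data via length (VORACLE)'
    fi
    if ! has '^tls-(auth|crypt) '; then
        echo 'no-tls-auth: no tls-auth/tls-crypt key protects the control channel'
    fi
    if ! has '^cipher '; then
        echo 'default-cipher: no cipher set; OpenVPN 2.3 defaults to BF-CBC'
    fi
    if ! has '^user '; then
        echo 'runs-as-root: no user/group directive; daemon keeps root privileges'
    fi
    if has '^auth-user-pass-optional$'; then
        echo 'optional-credentials: clients may omit username/password'
    fi
    return 0
}

printf '%s\n' "$GUIDE_CONF" | audit_openvpn_conf
```

Run it against a live file with `audit_openvpn_conf < /etc/openvpn/server.conf`; an empty result means none of these six checks fired, not that the configuration is otherwise sound.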
Monitoring and Troubleshooting
Monitor OpenVPN performance using these key metrics:
- Connection logs: Check /var/log/openvpn.log for errors
- Active connections: View openvpn-status.log for connected clients
- Bandwidth usage: Monitor network traffic and latency
- System resources: Check CPU and memory usage
Client Configuration
Create a client configuration file named client.ovpn:
client
dev tun
proto udp
remote your-server-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
Import this configuration and the certificate files into any OpenVPN client software to establish a connection.
Conclusion
Installing and configuring OpenVPN on Zentyal 3.4 PDC provides secure remote access to your network resources. The combination of certificate-based authentication, proper firewall configuration, and monitoring ensures a robust VPN solution. Regular maintenance and security updates are essential for optimal performance and protection.
