How to Install and Configure OpenVPN Server on Zentyal 3.4 PDC?


OpenVPN is a popular and widely used open-source VPN solution that allows secure remote access to your network resources. Zentyal 3.4 is a Linux distribution that provides a complete server platform for small and medium-sized businesses. In this article, we will discuss how to install and configure the OpenVPN server on a Zentyal 3.4 PDC.

Step 1: Install OpenVPN

The first step is to install OpenVPN on your Zentyal server. Open the terminal and type the following commands −

sudo apt-get update
sudo apt-get install openvpn

Step 2: Generate Certificates and Keys

OpenVPN uses certificates and keys to authenticate the clients and the server. To generate these certificates and keys, we will use the EasyRSA script provided with OpenVPN.

cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
source ./vars
sudo -E ./clean-all
sudo -E ./build-ca
sudo -E ./build-key-server server
sudo -E ./build-key client
sudo -E ./build-dh
sudo mkdir -p /etc/openvpn/keys && sudo cp keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem /etc/openvpn/keys/

The first command changes to the directory holding the EasyRSA scripts, and source ./vars loads the variables (key directory, key size, default certificate fields) the scripts rely on; sudo -E keeps those variables when the scripts run as root. clean-all removes any existing keys and certificates, build-ca generates the certificate authority, build-key-server generates the server certificate and key, build-key generates the client certificate and key (client.crt and client.key) that are handed to the client in Step 6, and build-dh generates the Diffie-Hellman parameters (dh1024.pem with the default key size). The last command copies the files the server needs into /etc/openvpn/keys, where the configuration in Step 3 expects them. The client files and the CA's private key (ca.key) stay in the keys directory; keep ca.key readable only by root, since anyone holding it can issue certificates your server will trust.

Step 3: Configure OpenVPN

The next step is to configure OpenVPN. Create a new configuration file with the following command −

sudo nano /etc/openvpn/server.conf

Add the following lines to the file −

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Save the file and exit.

Step 4: Configure Firewall

The next step is to configure the firewall to allow OpenVPN traffic. You need to open UDP port 1194. To do this, run the following commands −

sudo ufw allow 1194/udp
sudo ufw enable

Step 5: Start OpenVPN

Start the OpenVPN service with the following command −

sudo service openvpn start

Step 6: Configure Client

The final step is to configure the client to connect to the OpenVPN server. To do this, you need to provide the client with the following files −

ca.crt
client.crt
client.key

You can use any OpenVPN client software to connect to the server. Simply import the files into the client software and connect to the server using the server's IP address.

Configure OpenVPN (in more detail)

Let's take a closer look at the options we added to the server.conf file in Step 3 −

  • port 1194 − This specifies the port that OpenVPN will use for incoming connections. By default, OpenVPN uses UDP port 1194.

  • proto udp − This specifies that OpenVPN should use UDP for the tunnel. UDP is usually preferred for VPN traffic because it has lower overhead and avoids the retransmission problems of carrying TCP inside TCP; switch to proto tcp only where a network blocks UDP.

  • dev tun − This specifies a routed (layer 3) tun interface, which carries IP packets, rather than a bridged tap interface, which carries Ethernet frames.

  • ca /etc/openvpn/keys/ca.crt − This specifies the location of the certificate authority file that we generated in Step 2. The certificate authority is used to verify the authenticity of the server and client certificates.

  • cert /etc/openvpn/keys/server.crt − This specifies the location of the server certificate that we generated in Step 2. The server certificate is used to authenticate the server to clients.

  • key /etc/openvpn/keys/server.key − This specifies the location of the server's private key. It is used to prove the server's identity during the TLS handshake, not to encrypt the tunnelled data, so it must be readable only by root.

  • dh /etc/openvpn/keys/dh1024.pem − This specifies the location of the Diffie-Hellman parameter file, which is used for the key exchange during the TLS handshake. EasyRSA 2.0 generates 1024-bit parameters by default; 1024-bit DH is considered too weak today, so raise KEY_SIZE in the vars file to 2048 or more and adjust the filename here accordingly.

  • server 10.8.0.0 255.255.255.0 − This specifies the IP address and subnet mask of the virtual network that will be used for VPN clients. In this example, we're using the 10.8.0.0/24 subnet.

  • ifconfig-pool-persist ipp.txt − This specifies the file where OpenVPN records the virtual IP address assigned to each client, so that a client gets the same address when it reconnects.

  • keepalive 10 120 − This makes the server ping each client every 10 seconds and treat a client as disconnected after 120 seconds without a reply; the matching ping settings are pushed to the clients.

  • comp-lzo − This enables LZO compression of the tunnelled traffic. Compression is deprecated in current OpenVPN releases because compressing plaintext before encryption can leak information about it (the VORACLE attack), so leave this line out unless an old peer requires it; whatever you choose must match on both ends.

  • persist-key − This tells OpenVPN not to re-read the key files when the tunnel restarts (for example after a SIGUSR1 restart), which is required if the daemon drops root privileges after startup.

  • persist-tun − This tells OpenVPN to keep the tun interface open across such restarts instead of closing and re-creating it.

  • status openvpn-status.log − This specifies the file where OpenVPN periodically writes the list of connected clients with their real and virtual addresses and byte counters.

  • verb 3 − This sets the verbosity level for OpenVPN's logging output. A higher value means more detailed logs.

Configure Client (in more detail)

To connect to the OpenVPN server, the client needs to import the following files −

  • ca.crt − This is the certificate authority file that was generated in Step 2. It is used to verify the authenticity of the server and client certificates.

  • client.crt − This is the client certificate that was generated in Step 2. It is used to authenticate the client to the server.

  • client.key − This is the client's private key. It is used to prove the client's identity to the server during the TLS handshake, not to encrypt the tunnel traffic, and it must never be shared between clients.

Most OpenVPN client software will have a way to import these files and configure the connection settings. Some clients may also require additional configuration options such as the server's IP address and port number.
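A client configuration (client.ovpn) that matches the server.conf from Step 3, added here as an example and not taken from the original article; vpn.example.com stands in for the server's public address, and the three files are assumed to sit next to the configuration file −

```conf
client
dev tun
proto udp
# placeholder: replace with the server's public hostname or IP address
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# files from Step 2, stored beside this configuration file
ca ca.crt
cert client.crt
key client.key
# only accept a certificate issued for a server, so another client's
# certificate cannot be used to impersonate the VPN server
remote-cert-tls server
# must match the server: remove from both ends if the server drops comp-lzo
comp-lzo
verb 3
```

remote-cert-tls server relies on the server certificate carrying the server extensions that build-key-server sets; a certificate made with plain build-key would be rejected.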

Securing OpenVPN with Firewall Rules

We configured the firewall to allow incoming traffic on UDP port 1194, which is used by OpenVPN. However, it's important to ensure that the firewall is properly configured to restrict access to only authorized users and devices.

One way to do this is to set up firewall rules that allow incoming traffic only from known IP addresses or subnets. For example, you could create a rule that allows incoming OpenVPN traffic only from your company's office IP address.

To set up firewall rules on Zentyal, you can use the web-based admin interface. Go to "Security" > "Firewall" and click "Add new rule" to create a new rule. You can specify the source IP address or subnet, the destination port (1194 for OpenVPN), and the action to take (allow or deny).

Once you've created the rule, be sure to apply it to the appropriate network interface or zone (e.g., "External" if you're accepting incoming connections from the Internet).

Enabling Two-Factor Authentication

Another way to enhance the security of your OpenVPN connection is to enable two-factor authentication (2FA). This requires users to provide a second form of authentication in addition to their username and password, such as a one-time code generated by a smartphone app or a physical token.

To enable 2FA on your OpenVPN server, you'll need to use a plugin or module that supports your chosen 2FA method. For example, the OpenVPN Access Server includes built-in support for Google Authenticator and other 2FA methods.

Once the 2FA method is in place, the OpenVPN server configuration has to load it so that every client connection is checked against it in addition to the client certificate. On the community OpenVPN server this is normally done with the PAM authentication plugin shipped with the openvpn package, together with a PAM service (here named openvpn) that chains the password check and a one-time-code module such as pam_google_authenticator −

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

This tells OpenVPN to require a valid username, password and 2FA code (verified through PAM) on top of the client certificate. The plugin's path and filename depend on the OpenVPN version and distribution, so check the openvpn package contents before using this line. The client configuration must then include auth-user-pass so that the client prompts for credentials; how the one-time code is entered (appended to the password or as a separate challenge) depends on the PAM configuration.

Monitoring OpenVPN Performance

Finally, it's important to monitor the performance of your OpenVPN connection to ensure that it's meeting your needs and to troubleshoot any issues that arise.

OpenVPN includes built-in logging and monitoring features, such as the status log and real-time statistics. You can also use third-party monitoring tools to collect and analyze OpenVPN performance metrics.

Some useful performance metrics to monitor include −

  • Connection speed and latency

  • Bandwidth usage

  • Concurrent connections

  • Error rates and error messages

  • Server and client CPU and memory usage

By monitoring these metrics, you can identify and address performance issues before they impact users or cause downtime.
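As an added example (not part of the original article), a small parser for the status file written by the status openvpn-status.log directive from Step 3: it reports concurrent connections, total bytes in each direction, and clients whose last packet is older than the 120-second keepalive timeout. The status content below is constructed, using documentation address ranges.

```python
from datetime import datetime

# Constructed sample of the file written by "status openvpn-status.log"
# (status-version 1, the default). Addresses are documentation ranges.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu May 11 10:00:00 2023
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:51234,1048576,5242880,Thu May 11 09:30:00 2023
bob,198.51.100.7:40001,2048,4096,Thu May 11 09:57:30 2023
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.5:51234,Thu May 11 09:59:58 2023
10.8.0.10,bob,198.51.100.7:40001,Thu May 11 09:57:35 2023
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""
TIME_FMT = "%a %b %d %H:%M:%S %Y"  # timestamp format OpenVPN uses in the status file


def parse_status(text):
    """Return (updated, clients); clients maps common name -> counters and timestamps."""
    clients, section, updated = {}, None, None
    for line in text.splitlines():
        if line in ("OpenVPN CLIENT LIST", "ROUTING TABLE"):
            section = line                      # section header
        elif line in ("GLOBAL STATS", "END"):
            section = None                      # no per-client rows below here
        elif line.startswith("Updated,"):
            updated = datetime.strptime(line.split(",", 1)[1], TIME_FMT)
        elif section == "OpenVPN CLIENT LIST" and not line.startswith("Common Name"):
            cn, real, rx, tx, since = line.split(",")
            clients[cn] = {"real_address": real, "bytes_in": int(rx), "bytes_out": int(tx),
                           "connected_since": datetime.strptime(since, TIME_FMT)}
        elif section == "ROUTING TABLE" and not line.startswith("Virtual Address"):
            vaddr, cn, _real, last_ref = line.split(",")
            clients.setdefault(cn, {}).update(
                virtual_address=vaddr, last_ref=datetime.strptime(last_ref, TIME_FMT))
    return updated, clients


def summarize(text, stale_after=120):
    """Concurrent connections, total bytes, and clients silent longer than keepalive's timeout."""
    updated, clients = parse_status(text)
    stale = sorted(cn for cn, c in clients.items()
                   if (updated - c["last_ref"]).total_seconds() > stale_after)
    return {"concurrent": len(clients), "stale": stale,
            "bytes_in": sum(c["bytes_in"] for c in clients.values()),
            "bytes_out": sum(c["bytes_out"] for c in clients.values())}
```

Run summarize(open("/etc/openvpn/openvpn-status.log").read()) from cron to feed these numbers into whatever monitoring you already use; a client that keeps appearing in the stale list is the first place to look when users report drops.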

Conclusion

In this article, we have discussed how to install and configure the OpenVPN server on a Zentyal 3.4 PDC. OpenVPN is a powerful and flexible VPN solution that provides secure remote access to your network resources. With the steps outlined in this article, you can easily set up your own OpenVPN server on a Zentyal server.

Updated on: 12-May-2023
