Zentyal (formerly eBox) is an Ubuntu based small business server with a vast amount of functionality – including an OpenVPN server. Of course you can install OpenVPN without installing Zentyal, but Zentyal will give you web-based management of your server (which makes setting up and administering your VPN much simpler). At the time of writing Zentyal is based on Ubuntu 10.4 (Lucid).
You can download and install Zentyal from their .iso image – or you can manually install the modules that you want on Ubuntu Server. I chose to do the later.
First I Installed a minimal virtual machine from the Ubuntu Server 10.4 Lucid CD. I gave the virtual machine one virtual NIC and a static IP address on my local network.
To install Zentyal modules we need to add their repository to our /etc/apt/sources.list (we will also install the nano text editor):
sudo apt-get update
sudo apt-get install nano
sudo nano /etc/apt/sources.list
Add the following line at the end of /etc/apt/sources.list:
deb http://ppa.launchpad.net/zentyal/2.0/ubuntu lucid main
Save sources.list and then import the puiblic key to authenticate the packages from the Zentyal PPA:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys
Update your repositories and then install the open-vpn module from Zentyal (formerly eBox):
sudo apt-get update
sudo apt-get install ebox-openvpn
Accept the default port (443) for the Zentyal HTTPS server:
As my ISP does not provide me with a static internet address I chose to use DynDNS as my dynamic DNS provider (a basic account is free):
Enter your DynDNS username and password when prompted.
For the ddclient configuration I chose Yes as my router provides Network Address Translation (NAT):
For the DynDNS fully qualified domain name (FQDN) I entered the full host-name that I created on the DynDNS site:
At this point you will need to wait a few minutes for Zentyal for configure itself – once this is done you will be able to log in at https://<your-server-ip> using Firefox (Internet Explorer is not currently supported).
Log in with the credentials that you used when installing Ubuntu Server:
The first page that you will see once you have logged in to Zentyal is Package Selection. As I am only interested in setting up an OpenVPN Server I clicked on the Skip install button at the bottom of the page.
On the main Zentyal dashboard under Module Status you will see that the VPN module is currently disabled:
Click Module Status on the left hand panel and you will see that we need to enable the Network module before we can enable the VPN module:
Check the Network module check-box and then click the Accept button to allow Zentyal to make configuration changes. Click the big red Save changes button at the top right corner of the screen.
Once this is complete click on the VPN module check-box and repeat the process. You should now see that the VPN module is running.
Now that the VPN service is running we can create our Certification Authority. Click the Certification Authority link in the left hand panel of the dashboard, complete the fields as required and click the Create button:
Next create a certificate for your VPN server using the external host-name for the common name – for me this is the host-name that I configured at DynDNS:
Note: Do not set your expiration date too high (past 2032) see here for details.
Repeat this process with user-names as the Common Name to create user certificates for each user that will connect to the VPN.
Now we have to configure our VPN server. On the left hand panel click the Servers link under the VPN heading. Click the Add new link:
Un-check the Enabled check-box, enter a name for the VPN server and then click the Add button:
Click the Configuration icon to configure the server:
The default server port is 1194, which you can change if you so desire. I don’t see any real need to change the default VPN address. For the server certificate select the external host-name certificate. Leave Network Address Translation checked (for a single NIC). If you want VPN client machines to be able to see each other then check the Allow client-to-client connections check-box. Click the Change button to commit these settings.
Note: whatever port you define as the server port must be forwarded in your router to the local IP address of your OpenVPN server. See portforward.com for details on how to do this.
Click VPN and then Servers in the left hand panel and then click on the icon for Advertised Networks. Click Add new.
To allow clients on your VPN network (192.168.160.0) you will need to enter your Local Area Network address in the Advertised network field. My router address is 192.168.0.1 so my advertised network address is 192.168.0.0. Click the Add button.
Click the Save changes button.
Now that the VPN server is configured we can enable it.
Click VPN and then Servers in the left hand panel and check the Enabled check-box. Click Save changes.
I chose to also enable the Firewall module – click Module Status in the left hand panel and then check the Firewall check-box and Save changes. Make sure that the Network, Firewall and VPN modules are all enabled before proceeding.
With the server configured and running we can configure client machines to connect to the VPN. Click VPN and Server in the left hand panel and then click on the Download client bundle icon.
First select the client type from the drop-down menu – the choices are Windows, Linux, Mac OS X and Zentyal to Zentyal tunnel. For my Ubuntu laptop I selected Linux and the chose the user certificate that I created earlier. For the server address enter your external host-name. Click the Download button and save the file.
Extract the downloaded file.
For Ubuntu clients install OpenVPN Client as follows:
sudo apt-get install openvpn network-manager-openvpn
Click the Network Manager applet in the top panel, then VPN Connections and Configure VPN.
Click the Import button and browse to the location of the client bundle that you extracted earlier and select the .conf file.
This will automatically populate your settings like the screen-shot below (I have omitted the external address to my VPN server in the screen-shot):
Click the Apply button and then the Close button.
To connect to your VPN click the Network Manager applet in the top panel, then VPN Connections followed by your VPN connection name.
Once you are successfully connected to your VPN you will see a padlock on your Network Manager icon:
I have to say that I am quite impressed with Zentyal / OpenVPN so far and it worked without me having to troubleshoot anything.