Due to restrictions imposed on free movement during the coronavirus pandemic, the use of the OpenVPN module is increasing to facilitate remote working. That is why we would like to point out some aspects about its use for Zentyal Server administrators.
Analyse the situation and the needs
The first step would be to analyse the situation and evaluate the real needs of your users. In this sense, we would recommend you to start with the following:
- Analyse which users really need access to server resources.
- Try to distribute the accesses in different VPN connections, for example, by type of resources (administration, human resources, etc.).
- Create different certificates for VPN connections.
- Advertise only the networks that users need to access.
- Analyse whether you force Zentyal to become the DNS server of the clients connected to the VPN. This is especially useful for clients to resolve DNS entries for the domain.
Monitor the server
Another critical point to keep in mind is the possible saturation of the system. To this end, it is extremely important to monitor the server. You should also evaluate the actions you can take that help to reduce the traffic, such as:
- Work with documents locally and upload changes to the shared resource from time to time.
- Upload heavy files at times when the workload is not so high, such as lunchtime.
- Disconnect from the VPN when its use is not required.
Reduce the workload of the server
If – despite the previous recommendations, the server is constantly saturated due to the number of users who access the shared resources, evaluate alternatives. You could consider at least the following options until the users return to work from the office:
- Use another Zentyal Server and configure it to also manage shared resources.
- Use an Ubuntu Server 18.04 in a cloud provider to manage the shared resources.
- Implement NextCloud in a cloud provider.
All of the above mentioned options should significantly reduce the workload of your main Zentyal Server: Zentyal would act, above all, as an authentication server and gateway, while the other systems would take on managing shared resources.
Few final tips & Further information
Keep in mind that some other modules may have dependencies on the VPN module. This means that when you want to apply certain configuration changes, Zentyal needs to restart the VPN module to make the changes effective. This will cause VPN connections to reboot for a short period of time, causing a slight service outage. Therefore, we recommend that you plan configuration changes at times when there is less user activity.
Finally, our last recommendation is that you carefully analyse the users and groups configured in the shared resources. This is to avoid users having access to multiple shared resources that they do not really need. If their device becomes infected for example with ransomware, it might seriously damage your whole network.
For further information, please remember to check out the Official Zentyal Documentation. We believe that the documentation regarding How to configure OpenVPN Server with Zentyal and File Sharing are specially helpful topics. In the Official Zentyal Forum you can also find complementary information that is very useful, like for example this thread on how to create VPN certificates in bulk from the command line.
If you have any questions, do not hesitate to contact us.