Setting Up a VPN Server on a Linux System

admin | Linux Server

Virtual Private Networks (VPNs) offer a reliable solution to enhance privacy and security by encrypting data transmitted over the internet. A VPN creates a secure tunnel between a user’s device and the internal network, ensuring safe access to sensitive resources from anywhere in the world.

For Linux users, setting up a VPN can be streamlined using Zentyal, a comprehensive Linux server management platform. Zentyal simplifies the process of configuring VPNs and managing other essential network services such as firewalls, domain controllers, and email servers. The platform integrates OpenVPN, one of the most secure and widely used VPN protocols, enabling you to easily set up a Linux-based VPN server.

This guide will walk you through the process of setting up a VPN server on a Linux system using Zentyal. Whether you’re an IT professional managing a company’s network or a small business owner looking for secure remote access solutions, this article will help you configure a VPN with minimal hassle.

Zentyal offers several advantages:

  • User-friendly Interface: Zentyal’s intuitive web-based interface makes configuring and managing a VPN straightforward, even for those unfamiliar with Linux command-line tools.
  • All-in-One Solution: Beyond VPN services, Zentyal provides an integrated firewall, domain controller, file sharing, and network infrastructure services, making it ideal for small to medium-sized businesses.
  • OpenVPN Integration: OpenVPN is known for its high security, flexibility, and compatibility with multiple devices. Zentyal’s seamless integration with OpenVPN ensures a stable and reliable VPN setup.

Prerequisites

Before we begin setting up the VPN server, it’s important to ensure that you have the necessary resources and a basic understanding of the setup process. Here’s what you’ll need:

  1. VPS or Physical Machine with Zentyal Installed:
    • You will need either a Virtual Private Server (VPS) or a physical machine running Zentyal as your server environment. Zentyal is compatible with a wide range of VPS providers, and it can also be installed on a dedicated Linux machine. If you haven’t installed Zentyal yet, it can be easily set up by downloading the ISO from the official Zentyal website and following their installation guide.
  2. Basic Understanding of Linux:
    • While Zentyal simplifies the process of server management through its web-based interface, having a basic knowledge of Linux can be helpful for troubleshooting and performing additional configurations. Familiarity with basic Linux commands like file management (cp, mv, rm), system updates (apt-get), and network configuration will ensure a smoother setup process.
  3. Administrative Access to the Server:
    • To install and configure Zentyal, you must have root or sudo administrative privileges on the server. Administrative access is necessary to make changes to the system configuration, install modules, and set up networking and security services. If you’re using a VPS, ensure you have SSH access to the server with administrative permissions.

Once these prerequisites are met, you’re ready to begin the process of configuring a VPN server on your Linux system with Zentyal.

Step-by-Step Guide to Setting Up the VPN Server

1. Installing Zentyal

To begin, you’ll need Zentyal installed on your Linux server. Here’s a quick guide to getting it up and running:

  • Update Your Linux System: Start by ensuring your Linux server is up to date. Open a terminal and run the following command:

sudo apt update && sudo apt upgrade

    This will ensure that your system has the latest security patches and software versions.
  • Download Zentyal ISO: Visit the official Zentyal website and download the Zentyal ISO image. You can then either burn it onto a bootable USB or directly use it if you’re installing Zentyal on a virtual machine.
  • Install Zentyal: Boot your server from the Zentyal ISO and follow the on-screen installation prompts. During the installation process, you’ll configure basic network settings, choose the packages to install, and set the admin password. Once the installation completes, reboot the server, and Zentyal will be ready to configure.

  • Accessing Zentyal Web Interface: Zentyal provides a user-friendly web interface for managing the server. Once installed, you can access the interface by navigating to:

https://[your-server-ip]:8443

    Log in using the admin credentials you set during installation. This interface will serve as the hub for all VPN setup and configuration.

2. Enabling the VPN Module

After installing Zentyal, the next step is to enable the VPN module:

  • Navigate to the Module Configuration: In the Zentyal web interface, go to Software Management > Zentyal Components. From the list of available components, select the VPN module and click Install. This module uses OpenVPN to provide secure VPN functionality.
  • Confirm Module Installation: Once the VPN module is installed, you should see a new section called VPN under the Network tab in the web interface. This is where you’ll configure and manage the VPN server.

3. Configuring OpenVPN

Now that the VPN module is installed, you can set up OpenVPN to serve your needs:

  • Create a New VPN Instance: In the Network > VPN section, click on Add VPN Server. You’ll need to configure a few settings here:
    • Interface: Choose the network interface on which the VPN will listen (typically your external interface or IP address).
    • Protocol: Select UDP for better performance, but TCP is also available if needed.
    • Port: The default VPN port for OpenVPN is 1194, which is recommended unless your network configuration requires a different port.
    • Encryption: Use the default 256-bit encryption to ensure strong security for your VPN traffic.
  • Configure DNS for VPN Clients: Decide whether VPN clients will use the local DNS server (if you have one running) or an external DNS server for name resolution. If you’re unsure, you can use external DNS like Google’s public DNS (8.8.8.8).
  • Save the VPN Configuration: Once you’ve configured these options, save the changes. Zentyal will automatically generate the necessary configuration files for the server.

4. Generating Client Certificates

Each client that connects to your VPN will need a unique certificate for authentication:

  • Navigate to Certification Authority: In the Zentyal interface, go to Certification Authority. Here, you can create client certificates to securely authenticate each device that connects to the VPN.
  • Generate a New Certificate: Click on Create New Certificate, specify the client’s name (e.g., the device or person), and download the generated certificate and key files. These files will later be distributed to VPN users.

5. Configuring Zentyal Firewall

To ensure VPN traffic can pass through your server, you need to allow VPN connections on the firewall:

  • Open the VPN Port: Go to Firewall > Packet Filter and make sure the VPN port (typically 1194) is open for both external and internal traffic. You can also customize rules to restrict access based on specific IP addresses or networks if needed.

6. Downloading and Distributing VPN Configuration Files

Zentyal makes it easy to distribute the necessary VPN configuration files to clients:

  • Export the Configuration File: From the VPN > Server section, you can download the OpenVPN configuration file that clients will use to connect. This file includes all necessary settings and certificates to authenticate with the VPN server.
  • Install OpenVPN on Client Devices: Distribute the configuration files to your remote users. They will need to install the OpenVPN client on their devices, which is available for Linux, Windows, macOS, and even mobile devices.

7. Testing the VPN Server

Once everything is set up, it’s time to test your VPN server:

  • Install OpenVPN Client: On a remote device (client), install the OpenVPN software and import the configuration file you generated.
  • Connect to the VPN: Use the OpenVPN client to connect to the server. Once connected, verify that the connection works by checking the IP address or trying to access internal network resources through the VPN tunnel.

8. Advanced Configuration (Optional)

For users who require more advanced features or customizations, Zentyal provides additional VPN configuration options. Here are some common advanced configurations you may want to consider:

8.1 Setting Up a Site-to-Site VPN

A site-to-site VPN is useful when you want to securely connect two or more different networks. This setup is commonly used to connect branch offices to the main office over the internet.

  • Create a New VPN Server Instance: Follow the steps in the previous sections to create a new VPN server on each network that needs to be connected.
  • Configure Site-to-Site Routing:
    • On each VPN server, configure the appropriate routing settings to allow traffic to pass between the two networks.
    • Add the remote network’s subnet to the routing table on both VPN instances to ensure seamless communication.
  • Firewall Rules: Ensure that the Zentyal firewall is configured to allow traffic between the two sites. This can be done by adding specific rules to allow VPN traffic to pass between the subnets of both networks.

8.2 Split Tunneling vs. Full Tunneling

  • Full Tunneling: By default, VPNs route all traffic through the VPN server, ensuring complete privacy and security for users. This is known as full tunneling. It forces all internet and network traffic to be routed through the VPN server.
  • Split Tunneling: In some cases, you may want to configure split tunneling, where only certain traffic (e.g., access to internal resources) goes through the VPN, while other traffic (e.g., web browsing) bypasses the VPN and uses the client’s local internet connection.
    • To enable split tunneling, configure the VPN server to route only specific traffic through the VPN. You’ll need to modify the client configuration file to exclude internet-bound traffic from going through the VPN tunnel.
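
The client-side change described above can be audited and applied with a short script. This is an added example, not Zentyal's or the original article's code; it assumes an OpenVPN 2.4 or later client (for pull-filter), and the profile contents, host name and 10.0.0.0/24 subnet are constructed placeholders.

```shell
#!/bin/sh
# Constructed client profile resembling an exported .ovpn file (placeholder host).
sample_profile() {
cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
redirect-gateway def1   # send all traffic through the tunnel
EOF
}

# Classify a client profile read on stdin:
#   full           - the profile itself installs the VPN as default gateway
#   split          - pushed default-gateway changes are ignored by the client
#   server-decides - nothing local; the result depends on what the server pushes
tunnel_mode() {
  awk '
    { sub(/[#;].*/, "") }                       # strip comments
    $1 == "redirect-gateway" { full = 1 }
    $1 == "route-nopull"     { nopull = 1 }
    $1 == "pull-filter" && $2 == "ignore" && $3 ~ /redirect-gateway/ { nopull = 1 }
    END {
      mode = "server-decides"
      if (full) mode = "full"
      else if (nopull) mode = "split"
      print mode
    }'
}

# Emit a split-tunnel variant of the profile on stdin.
# $1/$2 = network and netmask of the internal subnet that should use the VPN.
to_split() {
  awk '$1 != "redirect-gateway"'
  printf 'pull-filter ignore "redirect-gateway"\nroute %s %s\n' "$1" "$2"
}

# 10.0.0.0/24 is a placeholder for the internal network.
sample_profile | to_split 10.0.0.0 255.255.255.0 | tunnel_mode
```

Running tunnel_mode over every distributed profile shows which clients send internet-bound traffic outside the tunnel, which matters when firewall rules or monitoring assume full tunneling.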

8.3 Static IP Addresses for VPN Clients

By default, VPN clients will be assigned dynamic IP addresses when they connect. However, in some scenarios (e.g., for better control or access restrictions), you may want to assign static IP addresses to VPN clients.

  • Static IP Assignment: In the VPN > Server section, you can configure static IP addresses for each client based on their certificate or connection profile. This can help you implement stricter firewall rules or track individual users’ activity.

8.4 VPN Logging and Monitoring

Monitoring VPN connections is critical for security and performance optimization.

  • Enable Logging: In the Zentyal web interface, you can enable logging for the VPN server. This provides detailed logs of connection attempts, successful connections, and any potential issues such as disconnections or failed authentication.

  • Review Logs: You can access logs under the Logs section of Zentyal, or you can monitor real-time connections through the command line using:

tail -f /var/log/openvpn.log
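
To turn that log into something reviewable, the following added example (not part of the original article or of Zentyal) counts failed handshakes and certificate errors per source address and lists the users who connected. The sample lines are constructed in the style of OpenVPN server messages; the exact prefix in your log depends on the timestamp settings, and only IPv4 sources are handled.

```shell
#!/bin/sh
# Constructed sample lines in the style of an OpenVPN server log (not real data).
sample_log() {
cat <<'EOF'
Mon Jan  6 10:15:01 2025 203.0.113.5:51234 TLS Error: TLS handshake failed
Mon Jan  6 10:15:09 2025 203.0.113.5:51301 TLS Error: TLS handshake failed
Mon Jan  6 10:15:20 2025 203.0.113.5:51377 VERIFY ERROR: depth=0, error=certificate has expired: CN=old-laptop
Mon Jan  6 10:16:02 2025 198.51.100.7:40000 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:40000
Mon Jan  6 10:17:45 2025 192.0.2.44:33012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jan  6 10:18:30 2025 alice/198.51.100.7:40000 [alice] Inactivity timeout (--ping-restart), restarting
EOF
}

# Count handshake and certificate failures per source IPv4 address (log on stdin).
# $1 = minimum number of failures before a source is reported.
failed_by_source() {
  awk -v min="$1" '
    /TLS Error|TLS Auth Error|VERIFY ERROR/ {
      for (i = 1; i <= NF; i++) {
        src = $i
        sub(/^.*\//, "", src)          # drop the "CN/" prefix of an established session
        if (src ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) {
          sub(/:[0-9]+$/, "", src)     # drop the source port
          n[src]++
          break
        }
      }
    }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
  ' | sort -rn
}

# List the certificate common names that completed a connection.
connected_users() {
  awk '/Peer Connection Initiated/ {
    for (i = 1; i <= NF; i++)
      if ($i ~ /^\[.+\]$/) { cn = $i; gsub(/\[|\]/, "", cn); print cn; break }
  }' | sort -u
}

# Against the live log: failed_by_source 5 < /var/log/openvpn.log
sample_log | failed_by_source 2
```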

9. Troubleshooting Common Issues

Even with proper configuration, issues may arise. Here are some common VPN issues and their solutions:

9.1 VPN Client Cannot Connect

  • Check Firewall Configuration: Ensure that the firewall is properly configured to allow traffic on the VPN port (default is 1194). Make sure both external and internal rules are in place to permit VPN connections.

  • Verify OpenVPN Service: Use the following command to ensure that OpenVPN is running:

sudo systemctl status openvpn

    If the service isn’t running, try restarting it:

sudo systemctl restart openvpn

  • Check Client Certificate and Key: Ensure that the client is using the correct certificate and key files. Mismatched or missing certificates are common causes of connection failures.

9.2 DNS Issues for VPN Clients

If connected VPN clients cannot resolve domain names, you may need to adjust DNS settings:

  • Configure DNS Servers in Zentyal: In the VPN Server Settings, ensure that the correct DNS servers (either local or external) are configured for the VPN clients. You can use public DNS servers like Google’s (8.8.8.8) if needed.

9.3 Slow VPN Performance

Several factors can affect the speed of a VPN connection:

  • Check Server Load: Ensure that your server has sufficient resources (CPU, RAM) to handle VPN connections, especially if many clients are connected simultaneously.
  • Optimize Encryption Settings: While strong encryption like 256-bit is recommended for security, it can sometimes introduce overhead. Depending on your use case, you may experiment with less resource-intensive encryption algorithms if security is less of a priority.
  • Network Bandwidth: The VPN performance can also be affected by the available bandwidth on the server’s network. Check if other services or traffic are overloading the network.

9.4 VPN Disconnects Frequently

Frequent disconnects can be caused by various network or configuration issues:

  • Check Network Stability: Ensure that the server’s network connection is stable. VPNs rely on a constant connection, so any network dropouts can cause disconnects.
  • Adjust Keep-Alive Settings: In some cases, adjusting the OpenVPN keep-alive settings can help maintain the connection during periods of inactivity. These settings can be modified in the server configuration file.

Conclusion

Setting up a VPN server on a Linux system using Zentyal offers a powerful, secure, and user-friendly solution for remote access needs. With OpenVPN’s robust security and Zentyal’s intuitive web interface, you can easily create a VPN that suits your business or personal requirements. Whether you’re connecting remote employees or securing communication between multiple offices, this guide has provided the essential steps to get you started. As with any network service, ongoing monitoring and maintenance will ensure the continued reliability and security of your VPN.

By following these steps, you will have a fully functional Linux VPN server that can be scaled or customized based on your needs.