Author Topic: Case study: how to interconnect sites using Zentyal VPN  (Read 2309 times)

c4rdinal

  • Zen Samurai
  • ****
  • Posts: 341
  • Karma: +4/-0
Case study: how to interconnect sites using Zentyal VPN
« on: September 13, 2012, 08:46:38 am »
Hi Christian,

I read your Case Study on Zentyal OpenVPN and would like to thank you for sharing it. I have a question though.

After Enabling the OpenVPN Service in both sides (Zentyal Central Office and Zentyal Client), I'm assuming the Zentyal Client will get a VPN IP address from the Server as it is usually the case, right? Because this doesn't happen on my deployment.

In the Dashboard it says VPN Interface Address: Not active.

I'm looking for the logs but don't see anything. How can I verify that the VPN was established with the Remote Zentyal Client?

Thanks and looking forward to your answer.



christian

  • Guest
Re: Case study: how to interconnect sites using Zentyal VPN
« Reply #1 on: September 13, 2012, 09:38:37 am »
Do you mean the document I posted in the HowTo section?

How did you set up your "client"? Using bundle or manually?

Edit: I just read again what I posted months ago  :o there are a lot of typos and sentences that are hardly understandable  :-[ I do need to work on it again  :-[
« Last Edit: September 13, 2012, 09:40:46 am by christian »

c4rdinal

Re: Case study: how to interconnect sites using Zentyal VPN
« Reply #2 on: September 13, 2012, 10:02:58 am »
> Do you mean the document I posted in the HowTo section?
>
> How did you set up your "client"? Using bundle or manually?
>
> Edit: I just read again what I posted months ago  :o there are a lot of typos and sentences that are hardly understandable  :-[ I do need to work on it again  :-[

Thanks for the reply.

Yes, the Howto section and I used the bundle...

No worries, you have done a great job and the Howto is very helpful.  ;)
« Last Edit: September 13, 2012, 11:21:52 am by c4rdinal »

Escorpiom

  • Zen Hero
  • *****
  • Posts: 897
  • Karma: +25/-1
Re: Case study: how to interconnect sites using Zentyal VPN
« Reply #3 on: September 13, 2012, 12:56:36 pm »
C4rdinal, if you somehow succeed in connecting the remote sites, it would be fantastic if you could share your findings.
I'm about to "deploy" a Zentyal 3.0 server with a company here, and they absolutely need VPN...
It's always a good thing to be prepared for possible pitfalls.

Cheers.
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

christian

  • Guest
Re: Case study: how to interconnect sites using Zentyal VPN
« Reply #4 on: September 13, 2012, 01:31:07 pm »
What if you restart the VPN client side?

Sam Graf

  • Guest
Re: Case study: how to interconnect sites using Zentyal VPN
« Reply #5 on: September 13, 2012, 03:03:41 pm »
In the case of 2.0 at least it was possible to add a dashboard widget on the server end that would display the status of a VPN connection, including letting you know if there were no users connected. That widget could provide at-a-glance confirmation of a connection at the server end.

But if the client machine is showing "VPN Interface address: Not active," I'm pretty sure that there is no connection. There should be an IP address from the VPN address space for that VPN server in that section. For example, "VPN interface address 192.168.2.2/24" at the client end, where you have "VPN interface address 192.168.2.1/24" at the server end.

c4rdinal

Re: Case study: how to interconnect sites using Zentyal VPN
« Reply #6 on: September 14, 2012, 05:19:03 am »
> What if you restart the VPN client side?

Already restarted several times but it doesn't help.

From the Main Office I have 2 WAN connections. I notice in the firewall log that there was traffic sourced from the WAN2 IP address that is being DROPPED. OpenVPN should be routed back using WAN1, which is the CONNECTED TARGET.

I created a MultiWAN policy to route traffic:

SOURCE: ANY
DESTINATION: ANY
SERVICE: OPENVPN (UDP 1194)
GATEWAY: WAN1

However, I see that the traffic coming out of my WAN2 using the OPENVPN service still goes on... I don't know why. :(


c4rdinal

Re: Case study: how to interconnect sites using Zentyal VPN
« Reply #7 on: September 14, 2012, 05:23:56 am »
> C4rdinal, if you somehow succeed in connecting the remote sites, it would be fantastic if you could share your findings.
> I'm about to "deploy" a Zentyal 3.0 server with a company here, and they absolutely need VPN...
> It's always a good thing to be prepared for possible pitfalls.
>
> Cheers.

I have succeeded in configuring Zentyal and remote Clients. I already posted the complete process on my post here: http://forum.zentyal.org/index.php/topic,11987.0.html

And if anybody has any questions on other details, I'll be more than glad to share them.

My Zentyal-to-Zentyal VPN experiment is almost complete, I will share the complete setup when it's done. ;)

Thanks


c4rdinal

Re: Case study: how to interconnect sites using Zentyal VPN
« Reply #8 on: September 14, 2012, 05:27:07 am »
> In the case of 2.0 at least it was possible to add a dashboard widget on the server end that would display the status of a VPN connection, including letting you know if there were no users connected. That widget could provide at-a-glance confirmation of a connection at the server end.
>
> But if the client machine is showing "VPN Interface address: Not active," I'm pretty sure that there is no connection. There should be an IP address from the VPN address space for that VPN server in that section. For example, "VPN interface address 192.168.2.2/24" at the client end, where you have "VPN interface address 192.168.2.1/24" at the server end.

Yes, this is also what I'm expecting... the client should have acquired an IP coming from the Zentyal VPN Server (by default 192.168.160.0). I'm expecting this will be displayed on the OpenVPN Daemon at the Dashboard.

In the logs I see:

Fri Sep 14 11:38:33 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 14 11:38:33 2012 TLS Error: TLS handshake failed
Fri Sep 14 11:38:33 2012 TCP/UDP: Closing socket
Fri Sep 14 11:38:33 2012 SIGUSR1[soft,tls-error] received, process restarting
Fri Sep 14 11:38:33 2012 Restart pause, 2 second(s)
Fri Sep 14 11:38:35 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Sep 14 11:38:35 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Sep 14 11:38:35 2012 Re-using SSL/TLS context
Fri Sep 14 11:38:35 2012 LZO compression initialized
Fri Sep 14 11:38:35 2012 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Sep 14 11:38:35 2012 Socket Buffers: R=[262144->131072] S=[262144->131072]
Fri Sep 14 11:38:35 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Sep 14 11:38:35 2012 Local Options hash (VER=V4): 'd79ca330'
Fri Sep 14 11:38:35 2012 Expected Remote Options hash (VER=V4): 'f7df56b8'
Fri Sep 14 11:38:35 2012 UDPv4 link local: [undef]
Fri Sep 14 11:38:35 2012 UDPv4 link remote: [AF_INET]115.84.224.36:1194

I'll try to work it out and post any progress....

« Last Edit: September 14, 2012, 05:39:56 am by c4rdinal »
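
A small triage script for a client log like the one quoted in Reply #8, added here as an example (it is not code from the thread's posters or from Zentyal). The sample log is constructed from the quoted lines with a placeholder address, `triage`, `RULES` and the labels are hypothetical names, and "Initialization Sequence Completed" is the line OpenVPN logs once a tunnel is established.

```python
import re
from collections import Counter

# Constructed sample modelled on the client log above; 192.0.2.10 is a placeholder.
SAMPLE_LOG = """\
Fri Sep 14 11:38:33 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Sep 14 11:38:33 2012 TLS Error: TLS handshake failed
Fri Sep 14 11:38:33 2012 SIGUSR1[soft,tls-error] received, process restarting
Fri Sep 14 11:38:35 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Sep 14 11:38:35 2012 UDPv4 link remote: [AF_INET]192.0.2.10:1194
"""

LINE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4} (?P<msg>.*)$")
REMOTE = re.compile(r"link remote: \[AF_INET\](\d+\.\d+\.\d+\.\d+):(\d+)")

# (label, pattern, meaning for the operator), checked against every log message
RULES = [
    ("tls_timeout", re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
     "Handshake never completed: packets or their replies are being dropped, "
     "or replies leave the server from a different source IP."),
    ("no_server_cert_check", re.compile(r"No server certificate verification method"),
     "Client accepts any certificate signed by the CA; enable a check such as "
     "'remote-cert-tls server'."),
    ("restart_loop", re.compile(r"SIGUSR1\[soft,tls-error\]"),
     "Client keeps restarting after TLS errors."),
    ("connected", re.compile(r"Initialization Sequence Completed"), "Tunnel came up."),
]

def triage(log_text):
    """Classify OpenVPN client log lines and report whether the tunnel came up."""
    counts, remotes = Counter(), set()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an OpenVPN timestamped line
        msg = m.group("msg")
        for label, pattern, _hint in RULES:
            if pattern.search(msg):
                counts[label] += 1
        r = REMOTE.search(msg)
        if r:
            remotes.add((r.group(1), int(r.group(2))))
    findings = [(label, counts[label], hint) for label, _p, hint in RULES if counts[label]]
    return {"tunnel_up": counts["connected"] > 0, "remotes": sorted(remotes), "findings": findings}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("tunnel up:", report["tunnel_up"], "| remotes:", report["remotes"])
    for label, n, hint in report["findings"]:
        print(f"[{label}] x{n}: {hint}")
```
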

c4rdinal

Re: Case study: how to interconnect sites using Zentyal VPN
« Reply #9 on: September 14, 2012, 06:44:34 am »
UPDATE..

Finally, I was successful with Zentyal-to-Zentyal VPN. I shall post the procedure as soon as I find time.

Cheers!