Let me try to explain.
The VPN server is a service running on the Zentyal server and listening on port 1194 UDP (default value).
This means that incoming connections from the internet will reach this port on the external interface. Thus there is no need to forward incoming connections to the internal interface.
Of course, and your concern is somewhat correct here, you have to ensure that the FW is configured to accept incoming connections on the external interface, but when you enable the VPN service, Zentyal is supposed to do this on your behalf (otherwise it would be useless to use Zentyal compared to a fully manual configuration, isn't it?)
Now let's put it in perspective:
From the internet to your LAN, you will have:
- internet -> your ISP -> your public IP -> your external (edge) router -> external Zentyal IP -> Zentyal server -> VPN server -> internal Zentyal IP -> your LAN
The above description might however be slightly different depending on how you configure your edge router:
- Either there is NAT and your public IP is on one side of the router while there is another segment between your router and Zentyal (external interface),
- or there is no routing (nor NAT) but a gateway: your public IP is directly on your Zentyal external interface.
Does it clarify the matter?
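As an added example (not from the post above or from Zentyal itself), here is a small POSIX shell check for the two prerequisites the reply names: a UDP listener on port 1194 and a firewall rule accepting it on the external interface. It runs against constructed `ss -ulnp` and `iptables -S INPUT` output embedded inline; the interface name `eth0`, the plain `INPUT` chain and the process ids are assumptions, since Zentyal's own rule layout uses its own chain names.

```shell
#!/bin/sh
# Constructed sample of `ss -ulnp` output on the Zentyal host (hypothetical pids).
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:1194      0.0.0.0:*    users:(("openvpn",pid=1234,fd=5))
UNCONN 0      0            0.0.0.0:53        0.0.0.0:*    users:(("named",pid=987,fd=20))'

# Constructed sample of `iptables -S INPUT`; eth0 is assumed to be the external interface.
IPT_SAMPLE='-P INPUT DROP
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT'

# vpn_listening PORT SS_OUTPUT
# Succeeds when some UDP socket (state UNCONN) is bound to PORT on any local address.
vpn_listening() {
  port=$1
  printf '%s\n' "$2" | grep -E -q "^UNCONN[[:space:]].*:${port}[[:space:]]"
}

# fw_accepts IFACE PORT IPTABLES_OUTPUT
# Succeeds when an INPUT rule on IFACE accepts UDP traffic to PORT.
fw_accepts() {
  iface=$1
  port=$2
  printf '%s\n' "$3" | grep -E -q "^-A INPUT .*-i ${iface} .*-p udp .*--dport ${port} .*-j ACCEPT"
}

# vpn_reachable IFACE PORT SS_OUTPUT IPTABLES_OUTPUT
# Both conditions from the explanation must hold for an inbound VPN connection
# to reach the service on the external interface without any port forwarding.
vpn_reachable() {
  vpn_listening "$2" "$3" && fw_accepts "$1" "$2" "$4"
}

if vpn_reachable eth0 1194 "$SS_SAMPLE" "$IPT_SAMPLE"; then
  echo "VPN listener on UDP/1194 is bound and accepted on eth0"
else
  echo "VPN on UDP/1194 is not reachable on eth0: check the service or the firewall rule"
fi
```

On a live host, replace the two samples with `"$(ss -ulnp)"` and `"$(iptables -S INPUT)"` and the name of your actual external interface.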