I ended up writing another little init script that sleeps 2 minutes and calls the initial openvpn init script. It looks like this:
#!/bin/bash
### BEGIN INIT INFO
# Provides:          start_openvpn
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Delayed OpenVPN startup
# Description:       Waits two minutes, then starts the stock openvpn init script.
### END INIT INFO
case "$1" in
    start)
        # Give the rest of the boot time to finish before OpenVPN is started.
        sleep 2m
        /etc/init.d/openvpn start
        ;;
    *)
        # stop/restart/status: hand straight over to the real init script.
        exec /etc/init.d/openvpn "$@"
        ;;
esac
Which works just fine. Also, I thought I'd post my openvpn config for anyone interested in getting OpenVPN working with the internal Zentyal LDAP. Here is my server.conf:
port 1194
ca ca.crt
cert server.crt
key server.key
proto udp
dev tap0
# bridge-up/bridge-down (scripts below) add and remove tap0 on the br1 bridge
up "/etc/init.d/bridge-up br1 tap0 1500"
down "/etc/init.d/bridge-down br1 tap0"
mode server
tls-server
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.63 255.255.255.0 192.168.1.223 192.168.1.248
push "dhcp-option DNS 192.168.1.17"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
comp-lzo
# drop root after startup; persist-key/persist-tun let restarts work without root
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
# verb 6 is debug-level logging (very chatty)
verb 6
# username/password authentication against LDAP via the auth-ldap plugin
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
# clients present no certificate, so the LDAP password is the only client credential
client-cert-not-required
Here's the ldap.conf in "/etc/openvpn/auth/ldap.conf":
<LDAP>
URL ldap://127.0.0.1:389
BindDN cn=ebox,dc=<fill in your base here from the ldap Zentyal settings>
Password <fill in your password from ldap Zentyal settings>
Timeout 15
TLSEnable no
FollowReferrals yes
# the TLS* settings below are only used when TLSEnable is yes
TLSCACertFile /usr/local/etc/ssl/ca.pem
TLSCACertDir /etc/ssl/certs
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
</LDAP>
<Authorization>
BaseDN "ou=Users,dc=<Zentyal base again here>"
# IMPORTANT: I added an "initials" attribute to determine whether a user has access or not.
# I set this by adding an attribute to the LDAP user via phpLdapAdmin. Users must have this attribute to connect.
# This is hacky but it works!
SearchFilter "(&(uid=%u)(initials=vpn))"
RequireGroup false
<Group>
BaseDN "ou=Groups,dc=<Zentyal base...>"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
</Group>
</Authorization>
Here's the bridge startup script:
#!/bin/sh
# Called from server.conf as: bridge-up <bridge> <tapdev> <mtu>
# (OpenVPN appends its own arguments after these, so only $1-$3 are used.)
set -e
BR=$1
DEV=$2
MTU=${3:-1500}
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/usr/sbin/brctl addif "$BR" "$DEV"
Here's the bridge down script:
#!/bin/sh
# Called from server.conf as: bridge-down <bridge> <tapdev>
BR=$1
DEV=$2
/sbin/ip link set "$DEV" down
/usr/sbin/brctl delif "$BR" "$DEV"
Some notes from above: I made a user, OpenVPN, with no home dir or login, to run it. I chown'ed the /etc/openvpn dir as this user. Make sure to edit the Zentyal stub from the above post so that /etc/default/openvpn doesn't keep getting destroyed. In order to run the start_openvpn delay script above, I called sudo update-rc.d start_openvpn defaults after making the script executable.
While I was having issues on startup, this was working well overall from a connectivity standpoint. The real issue here is that I know Zentyal incorporates OpenVPN in a way and I feel like I'm stepping on its toes. That said, @Zentyal devs, would it be possible to build this functionality directly into the Zentyal server? All the pieces are there; they just need to be connected. Really the only thing that would need to be fleshed out is my hack that uses the initials to determine if someone has access or not. I actually looked at it and there is a way to build a .schema file and include it in OpenLDAP so that you could have a VPN boolean, but after fighting to get OpenVPN for the first time I was out of steam at that point. Finally, if anyone has any suggestions in helping me clean anything up please let me know. Thanks in advance.
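To make the LDAP side of the post's setup concrete, here is an added example (my own code, not from the post above and not the openvpn-auth-ldap plugin's code): a small evaluator for the two search filters in the ldap.conf, run against constructed in-memory entries so it needs no LDAP server. It shows which users the SearchFilter "(&(uid=%u)(initials=vpn))" admits, which groups the Group filter "(|(cn=developers)(cn=artists))" selects via uniqueMember, and why the login name has to be RFC 4515-escaped before it replaces %u (a login containing "*" or ")" must not be able to turn the equality test into a presence test or change the filter's structure). The base DN dc=example,dc=com, the user and group entries, and the function names are all assumptions for the example.

```python
"""Added example: evaluate the post's LDAP filters against constructed entries.
Not the openvpn-auth-ldap plugin's implementation; a simplified model of the
user search and group check it is configured to perform."""
import re

# Constructed sample entries, laid out like the post's ou=Users / ou=Groups trees.
BASE = "dc=example,dc=com"  # placeholder, not a real Zentyal base
USERS = [
    {"dn": f"uid=alice,ou=Users,{BASE}", "uid": ["alice"], "initials": ["vpn"]},
    {"dn": f"uid=bob,ou=Users,{BASE}", "uid": ["bob"]},               # no initials: no VPN
    {"dn": f"uid=carol,ou=Users,{BASE}", "uid": ["carol"], "initials": ["cx"]},
]
GROUPS = [
    {"dn": f"cn=developers,ou=Groups,{BASE}", "cn": ["developers"],
     "uniqueMember": [f"uid=alice,ou=Users,{BASE}"]},
    {"dn": f"cn=artists,ou=Groups,{BASE}", "cn": ["artists"],
     "uniqueMember": [f"uid=bob,ou=Users,{BASE}"]},
    {"dn": f"cn=admins,ou=Groups,{BASE}", "cn": ["admins"],
     "uniqueMember": [f"uid=carol,ou=Users,{BASE}"]},
]

USER_FILTER = "(&(uid=%u)(initials=vpn))"        # SearchFilter from the post's ldap.conf
GROUP_FILTER = "(|(cn=developers)(cn=artists))"   # Group SearchFilter from the post


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a filter: *, (, ), \\ and NUL
    become \\XX, so the login can never change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str):
    """Recursive-descent parser for the filter subset used here: &, |, !,
    equality (attr=value) and presence (attr=*). Returns a nested tuple tree."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("unterminated filter")
        op = text[pos]
        if op in "&|":
            pos += 1
            items = []
            while pos < len(text) and text[pos] == "(":
                items.append(node())
            expect(")")
            return (op, items)
        if op == "!":
            pos += 1
            inner = node()
            expect(")")
            return ("!", [inner])
        end = text.find(")", pos)       # a literal ')' inside a value is escaped as \29
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, raw = text[pos:end].partition("=")
        if not sep:
            raise ValueError("only attr=value items are supported")
        pos = end + 1
        return ("=", attr.lower(), raw)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry) -> bool:
    op = tree[0]
    if op == "&":
        return all(matches(t, entry) for t in tree[1])
    if op == "|":
        return any(matches(t, entry) for t in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, raw = tree
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    if raw == "*":                      # presence filter
        return bool(values)
    wanted = _unescape(raw).lower()     # caseIgnoreMatch-style comparison
    return any(v.lower() == wanted for v in values)


def search(entries, filter_text):
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(tree, e)]


def vpn_user_dns(login: str):
    """What the user search resolves to: the escaped login substituted for %u."""
    return search(USERS, USER_FILTER.replace("%u", escape_filter_value(login)))


def allowed_group_dns():
    return search(GROUPS, GROUP_FILTER)


def user_in_allowed_group(user_dn: str) -> bool:
    """The Group check as MemberAttribute uniqueMember expresses it."""
    allowed = set(allowed_group_dns())
    return any(user_dn in g.get("uniqueMember", []) for g in GROUPS if g["dn"] in allowed)


if __name__ == "__main__":
    for login in ("alice", "bob", "carol", "*"):
        print(f"{login!r:8} -> {vpn_user_dns(login)}")
    print("allowed groups:", allowed_group_dns())
```

With RequireGroup false, as in the post, only vpn_user_dns decides access: alice (initials=vpn) is admitted, bob (no attribute) and carol (wrong value) are not, and a login of "*" yields no match because it is escaped to \2a rather than becoming a presence test. Flipping RequireGroup to true would additionally require user_in_allowed_group to hold, which is where the post's group block would come into play.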