How to choose, use and configure a VPN in Univention Corporate Server (Tutorial)

Choosing the Right VPN for Univention Corporate Server

Univention Corporate Server (UCS) is a Debian-based distribution tailored for enterprise environments, offering Active Directory–compatible domain services via the Univention Management Console (UMC). Administrators typically interact through a web UI or SSH, with package management handled by apt. Although UCS doesn’t ship a heavy desktop by default, you can install GNOME or KDE if needed. Given its focus on integration, security and automation, your VPN solution should:

  • Install cleanly via apt and integrate with systemd
  • Support CLI- or API-based configuration to fit with UMC scripts
  • Offer kernel-level performance or enterprise-grade IPsec
  • Work with UCS’s AD-style authentication or allow certificate-based auth

Based on these criteria, the most suitable VPN solutions for UCS are:

  • WireGuard – A streamlined, high-performance tunnel that’s shipped in recent Debian kernels.
  • OpenVPN – The de-facto standard, with client and server packages readily available in Debian/Univention repositories.
  • strongSwan – An enterprise-grade IPsec stack ideal for site-to-site tunnels and certificate-based authentication.

Quick Comparison

Solution     Protocol        apt Package                   UCS Integration                                      Learn More
WireGuard    WireGuard       wireguard, wireguard-tools    systemd service; straightforward key-based setup     Official Site
OpenVPN      SSL/TLS         openvpn                       Works with UMC hooks; easy certificate management    Official Site
strongSwan   IPsec (IKEv2)   strongswan                    Certificate-based; integrates with LDAP/AD           Official Site

Installation and Configuration

1. WireGuard

WireGuard’s simplicity and performance make it a top pick. Follow these steps on your UCS master or member server:

# Update apt and install WireGuard
apt update
apt install -y wireguard wireguard-tools

# Generate server private and public keys
umask 077
wg genkey | tee /etc/wireguard/server.key | wg pubkey > /etc/wireguard/server.pub

# Create the config file (the umask 077 set above keeps it readable by root only)
cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = $(cat /etc/wireguard/server.key)

# Example peer
#[Peer]
#PublicKey = 
#AllowedIPs = 10.0.0.2/32
EOF

# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf

# Start and enable the service
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

After starting, distribute each client’s keypair and add a [Peer] block. You can automate peer creation with simple scripts or with UMC user attributes.
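As an added example that is not part of this tutorial, here is a small Python helper for the peer-creation automation mentioned above: it parses the server's wg0.conf, picks the next free address in the 10.0.0.0/24 tunnel subnet, checks that the client-supplied public key is well-formed, and emits the server [Peer] block, the equivalent live `wg set` command and a client configuration. The sample configuration, the key material and the endpoint `vpn.example.org:51820` are constructed placeholders; the client generates its own keypair and sends only the public key, so no private key is handled here.

```python
import base64
import ipaddress
import re
# Constructed sample of the server's wg0.conf with one peer already registered.
SAMPLE_WG0_CONF = """[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = EXISTING_PEER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32
"""

def valid_wg_key(key):
    """A WireGuard key is 32 bytes base64-encoded: 44 characters ending in '='."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False

def used_addresses(conf):
    """Every host address already taken by Address= or AllowedIPs= lines."""
    used = set()
    for m in re.finditer(r"^\s*(?:Address|AllowedIPs)\s*=\s*(.+)$", conf, re.M):
        for cidr in m.group(1).split(","):
            used.add(ipaddress.ip_interface(cidr.strip()).ip)
    return used

def next_free_address(conf, subnet="10.0.0.0/24"):
    """First unused host in the tunnel subnet (10.0.0.0/24 in the tutorial)."""
    taken = used_addresses(conf)
    for host in ipaddress.ip_network(subnet).hosts():
        if host not in taken:
            return str(host)
    raise RuntimeError(f"no free address left in {subnet}")

def register_peer(conf, client_pub, server_pub, endpoint):
    """Server [Peer] block, live `wg set` command and client config for a new peer."""
    if not valid_wg_key(client_pub):
        raise ValueError("client public key is not a valid WireGuard key")
    addr = next_free_address(conf)
    return {
        "peer_block": f"\n[Peer]\nPublicKey = {client_pub}\nAllowedIPs = {addr}/32\n",
        "wg_set": f"wg set wg0 peer {client_pub} allowed-ips {addr}/32",
        "client_conf": (f"[Interface]\nAddress = {addr}/24\nPrivateKey = <client key>\n\n"
                        f"[Peer]\nPublicKey = {server_pub}\nEndpoint = {endpoint}\n"
                        "AllowedIPs = 10.0.0.0/24\nPersistentKeepalive = 25\n"),
    }
```

Because the tutorial's wg0.conf sets SaveConfig = true, apply the peer to the running interface with the emitted `wg set` command (wg-quick writes it to wg0.conf when the interface goes down) rather than editing the file while wg0 is up, or the edit is overwritten.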

2. OpenVPN

OpenVPN remains highly adaptable, especially if you’re using certificate authentication or pushing routes to UCS-bound clients.

# Install OpenVPN and easy-RSA
apt update
apt install -y openvpn easy-rsa

# Set up the PKI
make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh
openvpn --genkey --secret ta.key

# Copy certs
cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem ta.key /etc/openvpn

# Create server config
cat > /etc/openvpn/server.conf <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
push "route 172.16.0.0 255.255.0.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
EOF

# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf

# Start the server
systemctl enable openvpn@server
systemctl start openvpn@server

Clients will need client.conf or an .ovpn bundle with ca.crt, their own .crt/.key and ta.key. You can integrate certificate distribution with UCS’s file share or UMC.

3. strongSwan (IPsec)

For site-to-site or when you require IKEv2 with certificates, strongSwan is a robust choice. You’ll manage /etc/ipsec.conf and /etc/ipsec.secrets and can hook into UCS’s LDAP for user certificates. The steps mirror those of Debian’s strongSwan guide, with attention to UMC service management.

With these three options, you can tailor your VPN strategy to your UCS environment—whether you prioritise speed with WireGuard, flexibility with OpenVPN, or enterprise IPsec with strongSwan.
