How To set up OpenVPN Server on Windows

We will see here how to set up an OpenVPN server under Microsoft Windows Server.

OpenVPN is a very powerful VPN which has several advantages: it is free, compatible with most operating systems, easy to implement and highly configurable.

Network diagram

Windows OpenVPN Network Scheme

Server configuration

  • OpenVPN Server :
    • OS : Windows Server 2019
    • Role : OpenVPN Server
    • IP : 192.168.0.254

Prerequisites

In order to create the connection certificates, we will have to install the OpenSSL software library. I personally use the slproweb.com packages.

Download OpenSSL

Download the latest OpenSSL Light version.

slproweb website Download OpenSSL

Install OpenSSL

  • Accept the agreement :
OpenSSL installation | License agreement
  • Select destination location :
OpenSSL installation | Destination location
  • Select start menu folder :
OpenSSL installation | Select Start Menu Folder
  • Select OpenSSL binaries directory :
OpenSSL installation | OpenSSL DLLs location
  • Click to install :
OpenSSL installation | Ready to install
  • Click Finish to exit (and make a donation if you can :)) :
OpenSSL installation | Donation to windows

Add OpenSSL in Environment Variables

We will add OpenSSL inside the environment variables.

  • Run SystemPropertiesAdvanced to open System Properties :
Run SystemPropertiesAdvanced
  • Click Environment Variables… :
System Properties Window
  • Edit Path :
Environment Variables Window
  • Click New and add %ProgramFiles%\OpenSSL-Win64\bin :
Edit environment variable
  • Open a new Windows Command Prompt and check that you can run the openssl command :
openssl version test

Installing OpenVPN

Go to the official OpenVPN website to download the latest installer.

OpenVPN Download Webpage
  • As we want to install OpenVPN as server we will choose Customize :
OpenVPN Windows Installer
  • We enable OpenVPN Service in order to make it work at boot :
OpenVPN Windows Installer
  • And we install EasyRSA in order to be able to create server and client certificates :
OpenVPN Windows Installer
  • Once done click Close :
OpenVPN Windows Installer

Setting up Certificate Authority (CA) and generating certificates and keys for server and clients

Here we will set up a PKI to be able to create our server and client certificates.

  • Open a Command Prompt :
Windows command prompt from start menu
  • And type the following commands to enter inside EasyRSA shell :
C:\Windows\system32>cd C:\Program Files\OpenVPN\easy-rsa
C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat
  • Remove existing configuration, just for good measure :
# ./easyrsa clean-all
  • Initialize pki, and type yes to confirm :
# ./easyrsa init-pki
  • Build certificate authority :
# ./easyrsa build-ca
[…]
Enter PEM pass phrase:PEMpa$$td
Verifying - Enter PEM pass phrase:PEMpa$$td
[…]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ovpn
  • Build server certificate and key :
# ./easyrsa build-server-full server nopass
[…]
Enter pass phrase for C:/Program Files/OpenVPN/easy-rsa/pki/private/ca.key:PEMpa$$td
  • Generate Diffie Hellman parameters :
# ./easyrsa gen-dh

Create client certificates

  • If previously closed or to add new clients, open an EasyRSA shell :
C:\Users\Administrator>cd C:\Program Files\OpenVPN\easy-rsa
C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat
  • Generating client certificates :
# ./easyrsa build-client-full client01 nopass
[…]
Enter pass phrase for C:/Program Files/OpenVPN/easy-rsa/pki/private/ca.key:PEMpa$$td

Certificates

  • Copy these files (from C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private) :
    • ca.crt
    • dh.pem
    • server.crt
    • server.key
  • To C:\Program Files\OpenVPN\config-auto and C:\Program Files\OpenVPN\config folders.
OpenVPN on Windows config-auto folder
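
A quick check of the PKI files before they go into service, as an added example that is not part of the original tutorial. It assumes the easy-rsa and config paths and the server/client01 names used on this page, and that openssl is on the PATH as configured above.

```powershell
# Added example (not from the original page). Run on the server from an
# elevated PowerShell console.
$pki    = 'C:\Program Files\OpenVPN\easy-rsa\pki'
$config = 'C:\Program Files\OpenVPN\config-auto'
$ca     = Join-Path $pki 'ca.crt'

# Expected extended key usage per certificate, as printed by openssl.
$expected = [ordered]@{
    'server.crt'   = 'TLS Web Server Authentication'
    'client01.crt' = 'TLS Web Client Authentication'
}

foreach ($name in $expected.Keys) {
    $crt = Join-Path $pki "issued\$name"

    # The certificate must chain to the CA that server and clients trust.
    & openssl verify -CAfile $ca $crt | Out-Null
    $chainOk = ($LASTEXITCODE -eq 0)

    # The usage must match the role the certificate was issued for.
    $eku   = (& openssl x509 -in $crt -noout -ext extendedKeyUsage) -join ' '
    $ekuOk = $eku -like "*$($expected[$name])*"

    '{0,-14} chain={1} usage={2}' -f $name, $chainOk, $ekuOk
}

# The CA private key signs new certificates; it belongs in easy-rsa\pki\private
# only and should never be copied next to the server configuration.
foreach ($dir in $config, 'C:\Program Files\OpenVPN\config') {
    if (Test-Path (Join-Path $dir 'ca.key')) {
        Write-Warning "ca.key found in $dir - remove it from the config folder"
    }
}

# List every account that is allowed to read the server private key.
$key = Join-Path $config 'server.key'
(Get-Acl -Path $key).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Files under C:\Program Files normally inherit read access for BUILTIN\Users, so expect that entry in the last listing unless inheritance on server.key has been changed.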

Add a Windows Firewall Rule

  • We need to create two firewall rules :
    • One to open UDP port 1194 to allow OpenVPN client connections
    • Another one to authorize the 10.50.8.0/24 network so that the clients can talk with the services present on the server (ping, file sharing etc…).
Note : here the rule allows all services for the network 10.50.8.0/24. We can use more restrictive rules by allowing only the necessary services.

To do this, use the Windows Firewall Management Console or these two commands inside an Administrator's PowerShell console.

  • Create the rule to allow incoming connections on port 1194 udp :
PS C:\ > New-NetFirewallRule -DisplayName "OpenVPN" -Direction Inbound -Protocol UDP -LocalPort 1194 -Action Allow
  • Create the rule to allow all incoming connections from the 10.50.8.0/24 network :
PS C:\ > New-NetFirewallRule -DisplayName "OpenVPN_Network" -Direction Inbound -RemoteAddress 10.50.8.0/24 -Action Allow

The server.ovpn configuration file

As administrator, create the C:\Program Files\OpenVPN\config-auto\server.ovpn file :

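# UDP port the server listens on (matches the firewall rule)
port 1194
proto udp
dev tun
# PKI files copied from easy-rsa
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# VPN subnet; the server itself takes 10.50.8.1
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# LZO compression: deprecated option, must match the client setting
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3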

Restart the OpenVPN service

Then, restart the OpenVPN service :

  • From the services management console :
Windows Run, services.msc
  • Right click OpenVPNService then Restart :
Windows services management console, restart openvpnservice.
  • Or from an administrator Command Prompt :
C:\Windows\system32>net stop openvpnservice
C:\Windows\system32>net start openvpnservice
  • Or from PowerShell :
C:\ PS> Restart-Service OpenVPNService

Client configuration

  • OpenVPN Client :
    • OS : Windows 11
    • Role : OpenVPN Client

Installing OpenVPN

We will download the same package and, this time, install it with the default parameters.

OpenVPN installation windows where we have the choice between install now or customize installation

Copy certificates from the Server

  • From the Server get the following files (from C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private) :
    • ca.crt
    • client01.crt
    • client01.key
  • And paste them to C:\Program Files\OpenVPN\config.
Windows 11, OpenVPN certificates.
  • C:\Program Files\OpenVPN\config\client.ovpn

Edit the client.ovpn file with administrator rights :

client
dev tun
proto udp
# Replace OPENVPN_IP with the address of the OpenVPN server
remote OPENVPN_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
comp-lzo
verb 3

Establishing the connection

  • Run as administrator
windows to open OpenVPN with administrator rights.
  • Start the connection
OpenVPN menu to establish a vpn connection.
  • A pop-up will confirm that we are connected
OpenVPN pop up to notify the user that the connection has been established

Server Access

To reach the server, we will use the IP address 10.50.8.1.

a ping in a dos prompt with a windows explorer window

⚠️ Troubleshooting : After a Windows Update, I could no longer access the server share (OpenVPN was still able to connect, though). To make it work again, I had to repair the OpenVPN program on the server side (the repair option is available when relaunching the setup program).

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
