We will see here how to set up an OpenVPN server under Microsoft Windows Server.
This is a continuation of the previous "How To" that I wrote here, but with Windows 2019 (which doesn't change much) and the addition of routing so that our remote client can access the LAN.
OpenVPN is a very powerful VPN with several advantages: it is free, compatible with most operating systems, easy to implement and highly configurable.
In order to create the connection certificates, we will have to install the OpenSSL software library. I personally use the slproweb.com packages.
Download the latest OpenSSL Light version.
We need to add OpenSSL to the environment variables.
We need to open UDP port 1194 to allow OpenVPN client connections.
C:\Windows\system32>netsh advfirewall firewall add rule name="OpenVPN" dir=in localport=1194 remoteport=0-65535 protocol=UDP action=allow remoteip=any localip=any
PS C:\> New-NetFirewallRule -DisplayName "OpenVPN" -Direction Inbound -Protocol UDP -LocalPort 1194 -Action Allow
Go to the official OpenVPN website here to download the latest installer.
Here we will set up a PKI so that we can create our server and client certificates.
C:\Windows\system32>cd C:\Program Files\OpenVPN\easy-rsa
C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat
# ./easyrsa clean-all
# ./easyrsa init-pki
# ./easyrsa build-ca nopass
[…]
Enter PEM pass phrase:MyPassW0rd
Verifying - Enter PEM pass phrase:MyPassW0rd
[…]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ovpn
# ./easyrsa build-server-full server nopass
[…]
Enter pass phrase for c:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key:MyPassW0rd
# ./easyrsa gen-dh
# ./easyrsa build-client-full client01 nopass
[…]
Enter pass phrase for c:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key:MyPassW0rd
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
The OpenVPN service must be restarted for the configuration file to be taken into account.
C:\Windows\system32>net stop openvpnservice
C:\Windows\system32>net start openvpnservice
PS C:\> Restart-Service OpenVPNService -PassThru
We will download the same package and install it here with the default parameters.
client
dev tun
proto udp
remote OPENVPN_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
comp-lzo
verb 3
To reach the server, we will use the IP address 10.50.8.1.
⚠️ Troubleshooting: After a Windows Update, I could no longer access the server share (OpenVPN was able to connect though). To make it work again, I had to repair the OpenVPN program on the server side (the repair option is available when relaunching the setup program).
At this point we have an operational OpenVPN server that is reachable from our remote client. But how do we reach the server on its private IP (192.168.0.254 here) or other computers (192.168.0.200 here) on the local network? That's what we will see here by enabling routing on our Windows OpenVPN server.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.200"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
PS C:\> Restart-Service OpenVPNService -PassThru
PS C:\> Install-WindowsFeature -Name Routing -IncludeManagementTools
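Once the steps above are done, the read-only script below checks the result on the server. It is an added example, not part of the original guide. It assumes the names used on this page (firewall rule "OpenVPN", service OpenVPNService, UDP port 1194, feature Routing) and the easy-rsa key directory shown in the pass phrase prompts.

```powershell
# Added example (not from the original guide): read-only checks for the server built above.
# Names from the page: rule "OpenVPN", service OpenVPNService, UDP 1194, feature Routing.
$port    = 1194
$keyDir  = 'C:\Program Files\OpenVPN\easy-rsa\pki\private'   # path shown in the easyrsa prompts
$results = [ordered]@{}

# 1. Firewall: an enabled inbound allow rule named "OpenVPN" that covers UDP 1194.
$rule = Get-NetFirewallRule -DisplayName 'OpenVPN' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$filter = if ($rule) {
    $rule | Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'UDP' -and $_.LocalPort -contains "$port" }
}
$results['Firewall rule allows UDP 1194'] = [bool]$filter

# 2. Service: the OpenVPN service must be running for server.ovpn to be loaded.
$svc = Get-Service -Name 'OpenVPNService' -ErrorAction SilentlyContinue
$results['OpenVPNService is running'] = ($svc.Status -eq 'Running')

# 3. Listener: something is actually bound to UDP 1194 on this host.
$udp = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue
$results['UDP 1194 is bound'] = [bool]$udp

# 4. Routing: the role service installed in the last step of the guide.
$feature = Get-WindowsFeature -Name Routing -ErrorAction SilentlyContinue
$results['Routing role service installed'] = [bool]$feature.Installed

# Print one OK/FAIL line per check.
$results.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}

# 5. Keys built with "nopass" are protected only by file permissions:
#    list every identity that has access to the private key directory.
if (Test-Path -Path $keyDir) {
    (Get-Acl -Path $keyDir).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```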