Setting Up OpenVPN on Windows Server 2025

Last updated: Sep 24, 2024

This tutorial explains how to set up an OpenVPN server on Microsoft Windows Server 2025.

OpenVPN is a powerful VPN solution that offers several advantages:
- It is free and Open Source
- Compatible with most operating systems
- Reliable, with a responsive community
- Easy to implement
- Highly configurable.

Network diagram

OpenVPN setup diagram showing a Windows Server 2025 with IP 192.168.0.200 connected to a client via a router and VPN configuration.

OpenVPN Server

OpenVPN Server Properties:
- OS: Windows Server 2025
- Role: OpenVPN Server
- IP: 192.168.0.254

Prerequisites

OpenSSL

To create the certificates used for authentication, we'll need to install the OpenSSL software library. In Microsoft environments, I use the packages provided by this website: https://slproweb.com.

Download OpenSSL

Download the latest version of OpenSSL Light.

Screenshot of OpenSSL download page showing different versions of Win32/Win64 OpenSSL, with an arrow pointing to the Win64 OpenSSL v3.3.2 Light installer option.

Install OpenSSL

Accept the agreement:

OpenSSL 64-bit installer License Agreement window with 'I accept the agreement' option selected during setup.

Select destination location:

OpenSSL 64-bit installer window showing the destination folder selection with default path set to Program Files.

Select start menu folder:

OpenSSL 64-bit installer window showing the Start Menu folder selection with 'OpenSSL' as the default option.

Select the OpenSSL binaries directory:

OpenSSL 64-bit installer window showing additional tasks with 'The OpenSSL binaries (bin) directory' option selected.

Click to install:

OpenSSL 64-bit installer ready to install window showing destination location, Start Menu folder, and additional tasks summary.

Click Finish to exit (and make a donation if you can to support the project 😊):

OpenSSL 64-bit setup wizard completion window with donation options and Finish button.

Add OpenSSL in Environment Variables

We need to add the OpenSSL path to the environment variables.

Run SystemPropertiesAdvanced to open System Properties:

Windows Run dialog box with 'SystemPropertiesAdvanced' entered to open advanced system properties with administrative privileges

Click on Environment Variables…:

Windows System Properties window with the Environment Variables button highlighted for accessing system environment settings.

Modify Path:

Windows Environment Variables window with the Path variable highlighted and Edit button selected under System variables.

Click on New and add %ProgramFiles%\OpenSSL-Win64\bin:

Edit environment variable window with a new path for OpenSSL added under Program Files, and the New button highlighted.

Open a new Windows command and check that you can run this openssl command:

PowerShell window showing the 'openssl version' command executed with OpenSSL version 3.3.2 output.

Windows Firewall

We need to open port 1194 udp to allow OpenVPN client connections.

To do this, use the Windows Firewall Management Console or this command in an Administrator command-line console.

C:\Windows\system32>netsh advfirewall firewall add rule name="OpenVPN" dir=in localport=1194 remoteport=0-65535 protocol=UDP action=allow remoteip=any localip=any

Or with PowerShell:

PS C:\ > New-NetFirewallRule -DisplayName "OpenVPN" -Direction Inbound -Protocol UDP -LocalPort 1194 -Action Allow

Installing OpenVPN

Go to the official OpenVPN website here: https://openvpn.net and download the latest installer.

OpenVPN 2.6.12 release page with an arrow pointing to the Windows 64-bit MSI installer download link.

Since we are setting up a server, we will choose Customize:

OpenVPN setup window with an arrow pointing to the 'Customize' option under 'Choose setup type.

We enable the OpenVPN Service to run on startup:

OpenVPN custom installation window with 'Enable OpenVPN Pre-Logon Access Provider' option selected under OpenVPN Service.

We install EasyRsa to create certificates for the server and clients:

OpenVPN custom installation window with 'EasyRSA 3 Certificate Management Scripts' selected under OpenSSL Utilities and the 'Install Now' button highlighted.

Finally, click on Close:

OpenVPN installation completed window with the 'Close' button highlighted.

Certificates

Setting up Certificate Authority (CA) and generating certificates and keys for server and clients

Here, we're going to set up a pki to create our server and client certificates.

Open a Command Prompt:

Windows search result for 'Terminal' with the Command Prompt option highlighted.

Then type the following commands to enter the EasyRSA shell:

C:\Windows\system32> cd "C:\Program Files\OpenVPN\easy-rsa"

C:\Program Files\OpenVPN\easy-rsa> .\EasyRSA-Start.bat

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.

Invoke 'easyrsa' to call the program. Without commands, help is displayed.

Using directory: C:/Program Files/OpenVPN/easy-rsa


EasyRSA Shell
#

Delete the existing configuration, just for good measure:

# ./easyrsa clean-all

Initialize pki, and type yes to confirm:

# ./easyrsa init-pki

OpenVPN on Windows Easy RSA Shell init-pki

Building the certificate authority:

# ./easyrsa build-ca
[…]
Enter PEM pass phrase:MyPassW0rd
Verifying - Enter PEM pass phrase:MyPassW0rd
[…]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ovpn

Building the server certificate and key:

# ./easyrsa build-server-full server nopass
[…]
Confirm request details: yes
[…]
Enter pass phrase for c:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key:MyPassW0rd

Generate Diffie-Hellman parameters:

# ./easyrsa gen-dh

Generate client certificates:

# ./easyrsa build-client-full client01 nopass
[…]
Confirm request details: yes
[…]
Enter pass phrase for c:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key:MyPassW0rd

Move certificates to the correct folders

Place these files (from « C:\Program Files\OpenVPN\easy-rsa\pki », « C:\Program Files\OpenVPN\easy-rsa\pki\issued » and « C:\Program Files\OpenVPN\easy-rsa\pki\private ») :
- ca.crt
- dh.pem
- server.crt
- server.key
In the « C:\Program Files\OpenVPN\config-auto » and « C:\Program Files\OpenVPN\config » folders.

Configuration File

As administrator, edit the « C:\Program Files\OpenVPN\config-auto\server.ovpn » file:

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem

server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt

keepalive 10 120

#comp-lzo

persist-key
persist-tun

status openvpn-status.log

verb 3

Restart OpenVPN Service

The OpenVPN service must be restarted for the configuration file to take effect.

Open the service management console:

Windows Run dialog box with 'services.msc' entered to open the services management console.

Right click on OpenVPNService then Restart:

Windows Services management console showing OpenVPNService with the Restart option selected.

Alternatively, use an administrator command prompt:

C:\Windows\system32>net stop openvpnservice

C:\Windows\system32>net start openvpnservice

Or with PowerShell:

PS C:> Restart-Service OpenVPNService -PassThru

Windows client configuration

Installing OpenVPN

We need to download the same package as for the server, but this time install it with the default settings.

Copy certificates from the Server

From the server, we need to copy the following files:
- ca.crt: C:\Program Files\OpenVPN\easy-rsa\pki
- client01.crt: C:\Program Files\OpenVPN\easy-rsa\pki\issued
- client01.key: C:\Program Files\OpenVPN\easy-rsa\pki\private

And paste them to the C:\Program Files\OpenVPN\config directory of our Windows client.

You should see this client files:

Windows Explorer showing the OpenVPN config folder with files ca.crt, client.ovpn, client01.crt, and client01.key highlighted.

Edit the C:\Program Files\OpenVPN\config\client.ovpn file:

client

dev tun

proto udp

remote OPENVPN_IP 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client01.crt
key client01.key

#comp-lzo

verb 3

Open OpenVPN with administrator rights (otherwise the routing rules, if any have been set up, will not work) and connect:

System tray showing OpenVPN icon with the Connect option selected from the context menu.

A pop-up window will confim that we are connected:

Notification confirming the VPN tunnel is active with assigned IP 10.50.8.6, and the OpenVPN icon in the system tray.

To reach the server, we'll use the IP address 10.50.8.1:

Windows PowerShell window showing ping results for IP 10.50.8.1, alongside a file explorer window accessing the same IP address.