How to Set Up an OpenVPN Server on Windows
- Last updated: Oct 15, 2024
Here, I'll explain in detail how to set up an OpenVPN server on Microsoft Windows.
OpenVPN is a very powerful VPN with several advantages: it's free, compatible with a very large number of operating systems, easy to set up (especially when you have this excellent tutorial at hand 😌) and highly configurable.
Network diagram

Server configuration
- OpenVPN Server:
- OS: Windows Server 2019
- Role: OpenVPN Server
- IP: 192.168.0.254
Prerequisites
In order to create the connection certificates, we need to install the OpenSSL library. I personally use the slproweb.com packages.
Download OpenSSL
Download the latest version of OpenSSL Light.

Install OpenSSL
- Accept the license agreement:

- Select destination location:

- Select start menu folder:

- Select the OpenSSL binaries directory:

- Click on install:

- Click on Finish to exit (and donate if you can, it helps the project! 🥰):

Add OpenSSL in Environment Variables
We'll add OpenSSL to the environment variables.
- Run SystemPropertiesAdvanced to open the System Properties:

- Click on Environment Variables…:

- Select Path and click on Edit…:

- Click on New and add the line %ProgramFiles%\OpenSSL-Win64\bin:

- Open a new Windows command prompt and check that you can run the openssl command:

Installing OpenVPN
Go to the official OpenVPN website: https://openvpn.net/ to download the latest installer.

- As we want to install OpenVPN as a server, we will choose Customize:

- We enable the OpenVPN Service to run on startup:

- We install EasyRsa to create certificates for the server and clients:

- Finally, click on Close:

Set up a Certificate Authority (CA) and generate certificates and keys for server and clients
Here we're going to set up a PKI to create our server and client certificates.
- Open a Command Prompt:

- Type the following commands to enter the EasyRSA command interpreter:
C:\Windows\system32>cd C:\Program Files\OpenVPN\easy-rsa
C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat
- Delete the existing configuration, just in case:
# ./easyrsa clean-all
- Initialize the PKI, and type yes to confirm:
# ./easyrsa init-pki

- Create the certificate authority:
# ./easyrsa build-ca
[…]
Enter PEM pass phrase:PEMpa$$td
Verifying - Enter PEM pass phrase:PEMpa$$td
[…]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ovpn
- Generate server certificate and key:
# ./easyrsa build-server-full server nopass
[…]
Enter pass phrase for C:/Program Files/OpenVPN/easy-rsa/pki/private/ca.key:PEMpa$$td
- Generate Diffie Hellman parameters:
# ./easyrsa gen-dh
Create client certificates
- If the EasyRSA shell was closed previously, or to add new clients later, open it again:
C:\Users\Administrator>cd C:\Program Files\OpenVPN\easy-rsa
C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat
- Generate client certificates:
# ./easyrsa build-client-full client01 nopass
[…]
Enter pass phrase for C:/Program Files/OpenVPN/easy-rsa/pki/private/ca.key:PEMpa$$td
Certificates
- Move these files (from C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private):
ca.crt
dh.pem
server.crt
server.key
- Into the folders C:\Program Files\OpenVPN\config-auto and C:\Program Files\OpenVPN\config.
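A check worth running once the files are in place, as an added example that is not part of the original tutorial: it uses the openssl binary installed earlier to confirm that server.crt chains to ca.crt, is valid for server use, and matches server.key. The function name Test-OvpnServerCert is hypothetical.

```powershell
# Added example: sanity-check the server certificate set placed in config-auto.
function Test-OvpnServerCert {
    param([string]$Dir = "$env:ProgramFiles\OpenVPN\config-auto")

    $ca   = Join-Path $Dir 'ca.crt'
    $cert = Join-Path $Dir 'server.crt'
    $key  = Join-Path $Dir 'server.key'

    foreach ($f in $ca, $cert, $key, (Join-Path $Dir 'dh.pem')) {
        if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
    }

    # 1. The certificate must chain to our CA and be usable as a TLS server certificate.
    & openssl verify -purpose sslserver -CAfile $ca $cert | Out-Null
    $chainOk = ($LASTEXITCODE -eq 0)

    # 2. The private key must belong to the certificate: compare the two public keys.
    #    (server.key was generated with nopass, so no pass phrase prompt appears.)
    $pubFromCert = (& openssl x509 -in $cert -noout -pubkey) -join "`n"
    $pubFromKey  = (& openssl pkey -in $key -pubout) -join "`n"
    $keyOk = ($pubFromCert -ne '') -and ($pubFromCert -eq $pubFromKey)

    # 3. The certificate must not expire within the next 30 days (2592000 seconds).
    & openssl x509 -in $cert -noout -checkend 2592000 | Out-Null
    $notExpiring = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        ChainsToCA     = $chainOk
        KeyMatchesCert = $keyOk
        ValidFor30Days = $notExpiring
        Subject        = (& openssl x509 -in $cert -noout -subject)
    }
}

Test-OvpnServerCert
```

All three boolean fields should read True before the service is restarted.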

Add a Windows Firewall Rule

- We need to create two firewall rules:
- One to open UDP port 1194 to allow OpenVPN client connections
- Another to authorize the 10.50.8.0/24 network, so that clients can communicate with the services present on the server (ping, file sharing, etc.).
You can use more restrictive rules for the 10.50.8.0/24 network, authorizing only the services you need.
To do this, use the Windows Firewall Management Console or these two commands in an administrator's PowerShell console.
- Create the rule to allow incoming connections on port 1194 udp:
PS C:\ > New-NetFirewallRule -DisplayName "OpenVPN" -Direction Inbound -Protocol UDP -LocalPort 1194 -Action Allow
- Create the rule to allow all incoming connections from the 10.50.8.0/24 network:
PS C:\ > New-NetFirewallRule -DisplayName "OpenVPN_Network" -Direction Inbound -RemoteAddress 10.50.8.0/24 -Action Allow
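One way to narrow the second rule to the two services named above (ping and file sharing), as an added example that is not part of the original tutorial. The rule names and the choice of ICMPv4 echo and SMB on TCP 445 are assumptions to adapt.

```powershell
# Added example: replace the allow-all rule for the VPN subnet with per-service rules.
# Run in an administrator's PowerShell console on the OpenVPN server.
$vpnSubnet = '10.50.8.0/24'   # tunnel network from the "server" line of server.ovpn

# Services VPN clients may reach on the server (assumed list; edit to your needs).
$allowed = @(
    @{ Name = 'OpenVPN_Ping'; Protocol = 'ICMPv4'; IcmpType = 8 },    # echo request
    @{ Name = 'OpenVPN_SMB';  Protocol = 'TCP';    LocalPort = 445 }  # file sharing
)

# Remove the broad rule if it was created earlier, so it does not keep everything open.
Get-NetFirewallRule -DisplayName 'OpenVPN_Network' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

foreach ($svc in $allowed) {
    $params = @{
        DisplayName   = $svc.Name
        Direction     = 'Inbound'
        Action        = 'Allow'
        Protocol      = $svc.Protocol
        RemoteAddress = $vpnSubnet
    }
    if ($svc.ContainsKey('LocalPort')) { $params.LocalPort = $svc.LocalPort }
    if ($svc.ContainsKey('IcmpType'))  { $params.IcmpType  = $svc.IcmpType }

    # Skip rules that already exist so the script can be re-run safely.
    if (-not (Get-NetFirewallRule -DisplayName $svc.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule @params | Out-Null
    }
}

# Review what is now allowed for OpenVPN.
Get-NetFirewallRule -DisplayName 'OpenVPN*' |
    Format-Table DisplayName, Direction, Action, Enabled
```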
The server.ovpn configuration file
As administrator, create the file C:\Program Files\OpenVPN\config-auto\server.ovpn:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
#comp-lzo #Deactivated because it is now considered a vulnerability.
persist-key
persist-tun
status openvpn-status.log
verb 3
Restart the OpenVPN service
Then, restart the OpenVPN service:
- From the service management console:

- Right-click on the OpenVPNService and select Restart:

- Or from an administrator's command prompt:
C:\Windows\system32>net stop openvpnservice
C:\Windows\system32>net start openvpnservice
- Or from a PowerShell console:
C:\ PS> Restart-Service OpenVPNService
Client configuration
- OpenVPN Client:
- OS: Windows 11
- Role: OpenVPN Client
Installing OpenVPN
We're going to download the same package as for the server, and install it with the default settings.

Copy certificates from the Server
- From the server, retrieve the following files (from C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private):
ca.crt
client01.crt
client01.key
- And paste them into C:\Program Files\OpenVPN\config.

- Edit the C:\Program Files\OpenVPN\config\client.ovpn file with administrator rights:
client
dev tun
proto udp
remote OPENVPN_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
#comp-lzo #Deactivated because it is now considered a vulnerability.
verb 3
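Both configuration files can be linted before connecting. The function below is an added example, not part of the original tutorial: it parses an .ovpn file, ignoring # and ; comments, and reports enabled compression, referenced certificate or key files that are missing, and, for client profiles, the absence of OpenVPN's remote-cert-tls server option. The function name Test-OvpnConfig is hypothetical.

```powershell
# Added example: lint an OpenVPN profile such as server.ovpn or client.ovpn.
function Test-OvpnConfig {
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).Path
    $dir  = Split-Path -Parent $full

    # Parse "directive arguments" lines into a (case-insensitive) hashtable.
    $directives = @{}
    foreach ($line in Get-Content -LiteralPath $full) {
        $text = ($line -replace '[#;].*$', '').Trim()   # strip comments
        if ($text -eq '') { continue }
        $name, $value = $text -split '\s+', 2
        $directives[$name] = $value
    }

    $findings = @()

    # Compression is what the tutorial disables; flag any directive that turns it on.
    if ($directives.ContainsKey('comp-lzo') -and $directives['comp-lzo'] -ne 'no') {
        $findings += 'comp-lzo is enabled'
    }
    if ($directives['compress'] -match '^(lzo|lz4)') {
        $findings += 'compress enables a compression algorithm'
    }

    # Relative ca/cert/key/dh paths are resolved against the profile's own folder.
    foreach ($d in 'ca', 'cert', 'key', 'dh') {
        if ($directives.ContainsKey($d)) {
            $file = $directives[$d].Trim('"')
            if (-not [IO.Path]::IsPathRooted($file)) { $file = Join-Path $dir $file }
            if (-not (Test-Path -LiteralPath $file)) { $findings += "$d file not found: $file" }
        }
    }

    # Added check: a client should require a certificate issued for server use.
    if ($directives.ContainsKey('client') -and $directives['remote-cert-tls'] -ne 'server') {
        $findings += 'client does not set "remote-cert-tls server"'
    }

    $findings   # empty output means no findings
}

Test-OvpnConfig "$env:ProgramFiles\OpenVPN\config\client.ovpn"
```

Run against the client.ovpn shown above, it reports only the missing remote-cert-tls server line, provided the three certificate files are in the config folder.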
Establishing the connection
- Right-click on the OpenVPN desktop icon and select Run as administrator:

- Right-click on the OpenVPN icon next to the Windows clock and click on Connect:

- A pop-up window confirms that we are connected:

Server Access
To reach the server, we'll use the IP address 10.50.8.1.

⚠️ Troubleshooting: After a Windows Update, I no longer had access to the server share (OpenVPN could connect, however). For this to work again, I had to repair (available by re-running the installer) the OpenVPN program on the server.