How To set up OpenVPN Server on Windows

Last updated: Jan 27, 2022

We will see here how to set up a OpenVPN server under Microsoft Windows Server.

OpenVPN is a very powerfull VPN which has several advantages : it is free, compatible with most operating systems, easy to implement and highly configurable.

Network diagram

Server configuration

OpenVPN Server :
- OS : Windows Server 2016
- Role : OpenVPN Server
- IP : 192.168.0.200

Prerequisites

In order to create the connection certificates, we will have to install OpenSSL software library. I personnaly use the slproweb.com packages.

Download OpenSSL

Download the latest OpenSSL Light version.

Install OpenSSL

Accept the agreement :

OpenSSL installation | License agreement

Select destination location :

OpenSSL installation | Destination location

Select start menu folder :

OpenSSL installation | Select Start Menu Folder

Select OpenSSL binaries directory :

OpenSSL installation | OpenSSL DLLs location

Click to install :

Click Finish to exit (and make a donation if you can :)) :

OpenSSL installation | Donation to windows

Add OpenSSL in Environment Variables

We will add OpenSSL inside the environment variables.

Run SystemPropertiesAdvanced to open System Properties :

Click Environment Variables… :

Edit Path :

Click New and add %ProgramFiles%\OpenSSL-Win64\bin :

Open a new Windows command and check that you can run openssl command :

Installing OpenVPN

Go to OpenVPN official website here to download last installer.

As we want to install OpenVPN as server we will choose Customize :

We enable OpenVPN Service in order to make it work at boot :

And we install EasyRsa in order to be able to create server and clients certificates :

Once done click Close :

Setting up Certificate Authority (CA) and generating certificates and keys for server and clients

Here we will set up a pki to be able to create our server and clients certificates.

Open a Command Prompt as administrator :

And type the following commands to enter inside EasyRSA shell :

C:\Windows\system32>cd C:\Program Files\OpenVPN\easy-rsa

C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat

Remove existing configuration, just for good measure :

# ./easyrsa clean-all

Initialize pki, and type yes to confirm :

# ./easyrsa init-pki

OpenVPN on Windows Easy RSA Shell init-pki

Build certificate authority :

# ./easyrsa build-ca nopass
[…]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ovpn

Build server certificate and key :

# ./easyrsa build-server-full server nopass

Generate Diffie Hellman parameters :

# ./easyrsa gen-dh

Generating client certificates :

# ./easyrsa build-client-full client01 nopass

Certificates

Put this files (from C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private) :

ca.crt
dh.pem
server.crt
server.key

To C:\Program Files\OpenVPN\config-auto and C:\Program Files\OpenVPN\config folders.

Add a Windows Firewall Rule

We need to open 1194 udp port to allow OpenVPN clients connections. Use the Windows Firewall Management Console or this command inside a Administrator command line console to do that.

C:\Windows\system32>netsh advfirewall firewall add rule name="OpenVPN" dir=in localport=1194 remoteport=0-65535 protocol=UDP action=allow remoteip=any localip=any

C:\Program Files\OpenVPN\config-auto\server.ovpn

As administrator, edit C:\Program Files\OpenVPN\config-auto\server.ovpn file :

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem

server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo

persist-key
persist-tun

status openvpn-status.log

verb 3

Then, restart the OpenVPN service :

From, services management console :

Right click OpenVPNService then Restart :

Windows services management console, restart openvpnservice.

Or from an administrator Command Prompt :

C:\Windows\system32>net stop openvpnservice

C:\Windows\system32>net start openvpnservice

Client configuration

OpenVPN Client :
- OS : Windows 10
- Role : OpenVPN Client

Installing OpenVPN

We will download the same package, and here install with default parameters.

Copy certificates from the Server

From the Server get the following files (from C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private) :

ca.crt
client01.crt
client01.key

And paste them to C:\Program Files\OpenVPN\config.

C:\Program Files\OpenVPN\config\client.ovpn

Edit the client.ovpn file with administrator rights :

client

dev tun

proto udp

remote OPENVPN_IP 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client01.crt
key client01.key

comp-lzo

verb 3

Establishing the connection

Run as administrator

Start the connection

A pop-up will confim that we are connected

Server Access

To join the server we will use the 10.50.8.1 IP Address

⚠️ Troubleshooting : After a Windows Update, I couldn't have access to the server share anymore (OpenVPN was able to connect though). To make it work again, I had to repair (available when relaunching setup program) the OpenVPN program on the server side.

Computing

Music

Misc

How To set up OpenVPN Server on Windows

Network diagram

Server configuration

Prerequisites

Download OpenSSL

Install OpenSSL

Add OpenSSL in Environment Variables

Installing OpenVPN

Setting up Certificate Authority (CA) and generating certificates and keys for server and clients

Certificates

Add a Windows Firewall Rule

C:\Program Files\OpenVPN\config-auto\server.ovpn

Client configuration

Installing OpenVPN

Copy certificates from the Server

Establishing the connection

Server Access