How to Set Up an OpenVPN Server on Windows

Network diagram

Server configuration

• OpenVPN Server:
  • OS: Windows Server 2019
  • Role: OpenVPN Server
  • IP: 192.168.0.254

Prerequisites

In order to create the connection certificates, we need to install OpenSSL library. I personaly use the slproweb.com packages.

Download OpenSSL

Download the latest version of OpenSSL Light.

Install OpenSSL

• Accept the license agreement:

• Select destination location:

• Select start menu folder:

• Select the OpenSSL binaries directory:

• Click on install:

• Click on Finish to exit (and donate if you can, it helps the project! 🥰):

Add OpenSSL in Environment Variables

We'll add OpenSSL to the environment variables.

• Run SystemPropertiesAdvanced to open the System Properties:

• Click on Environment Variables…:

• Select Path and click on Edit…:

• Click on New and add the line %ProgramFiles%\OpenSSL-Win64\bin:

• Open a new Windows command prompt and check that you can run this openssl command:

Installing OpenVPN

Go to the official OpenVPN website: https://openvpn.net/ to download the lastest installer.

• As we want to install OpenVPN as a server, we will choose Customize:

• We enable the OpenVPN Service to run on startup:

• We install EasyRsa to create certificates for the server and clients:

• Finally, click on Close:

Set up a Certificate Authority (CA) and generate certificates and keys for server and clients

Here we're going to set up a pki to create our server and client certificates.

• Open a Command Prompt:

• Type the following commands to enter the EasyRSA command interpreter:

C:\Windows\system32>cd C:\Program Files\OpenVPN\easy-rsa

C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat

• Delete the existing configuration, just in case:

# ./easyrsa clean-all

• Initialize PKI, and type yes to confirm:

# ./easyrsa init-pki

• Create the certificate authority:

# ./easyrsa build-ca nopass
[…]
Enter PEM pass phrase:PEMpa$$td
Verifying - Enter PEM pass phrase:PEMpa$$td
[…]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ovpn

• Generate server certificate and key:

# ./easyrsa build-server-full server nopass
[…]
Enter pass phrase for C:/Program Files/OpenVPN/easy-rsa/pki/private/ca.key:PEMpa$$td

• Generate Diffie Hellman parameters:

# ./easyrsa gen-dh

Create clients certificates

• If it has been closed previously or to add new clients, open an EasyRSA shell:

C:\Users\Administrator>cd C:\Program Files\OpenVPN\easy-rsa

C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat

• Generate client certificates:

# ./easyrsa build-client-full client01 nopass
[…]
Enter pass phrase for C:/Program Files/OpenVPN/easy-rsa/pki/private/ca.key:PEMpa$$td

Certificates

• Move these files (from C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private):
  • ca.crt
  • dh.pem
  • server.crt
  • server.key
• In the folders C:\Program Files\OpenVPN\config-auto and C:\Program Files\OpenVPN\config.

Add a Windows Firewall Rule

• We need to create two firewall rules:
  • One to open port 1194 in udp to allow OpenVPN clients connections
  • Another to authorize the 10.50.8.0/24 network, so that clients can communique with the services present on the server (ping, file sharing etc…).

To do this, use the Windows Firewall Management Console or these two commands in an administrator's PowerShell console.

• Create the rule to allow incoming connections on port 1194 udp:

PS C:\ > New-NetFirewallRule -DisplayName "OpenVPN" -Direction Inbound -Protocol UDP -LocalPort 1194 -Action Allow

• Create the rule to allow all incoming connections from the 10.50.8.0/24 network:

PS C:\ > New-NetFirewallRule -DisplayName "OpenVPN_Network" -Direction Inbound -RemoteAddress 10.50.8.0/24 -Action Allow

The server.ovpn configuration file

As administrator, create the file C:\Program Files\OpenVPN\config-auto\server.ovpn:

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem

server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt

keepalive 10 120

#comp-lzo #Deactivated because it is now considered a vulnerability.

persist-key
persist-tun

status openvpn-status.log

verb 3

Restart the OpenVPN service

Then, restart the OpenVPN service:

• From the service management console:

• Right-click on the OpenVPNService and select Restart:

• Or from an administrator's command prompt:

C:\Windows\system32>net stop openvpnservice

C:\Windows\system32>net start openvpnservice

• Or from a PowerShell console:

C:\ PS> Restart-Service OpenVPNService

Client configuration

• OpenVPN Client:
  • OS: Windows 11
  • Role: OpenVPN Client

Installing OpenVPN

We're going to download the same package as for the server, and install it with the default settings.

Copy certificates from the Server

• From the server, retrieve the following files (from C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private):
  • ca.crt
  • client01.crt
  • client01.key
• And paste them into C:\Program Files\OpenVPN\config.

• Edit C:\Program Files\OpenVPN\config\client.ovpn file with administrator rights:

client

dev tun

proto udp

remote OPENVPN_IP 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client01.crt
key client01.key

#comp-lzo #Deactivated because it is now considered a vulnerability.

verb 3

Establishing the connection

• Right-click on the OpenVPN desktop icon and select Run as administrator:

• Right-click on the OpenVPN icon next to the Windows clock and click on Connect:

• A pop-up window confims that we are connected:

Server Access

To reach the server, we'll use the IP address 10.50.8.1.

⚠️ Troubleshooting: After a Windows Update, I no longer had access to the server share (OpenVPN could connect, however). For this to work again, I had to repair (available by re-running the installer) the OpenVPN program on the server.