How To set up OpenVPN Server on Windows

We will see here how to set up an OpenVPN server under Microsoft Windows Server.

OpenVPN is a very powerful VPN which has several advantages : it is free, compatible with most operating systems, easy to implement and highly configurable.

Network diagram

Windows OpenVPN Network Scheme

Server configuration

  • OpenVPN Server :
    • OS : Windows Server 2016
    • Role : OpenVPN Server
    • IP : 192.168.0.200

Prerequisites

In order to create the connection certificates, we will have to install the OpenSSL software library. I personally use the slproweb.com packages.

Download OpenSSL

Download the latest OpenSSL Light version.

Install OpenSSL

  • Accept the agreement.
  • Select destination location.
  • Select start menu folder.
  • Select OpenSSL binaries directory.
  • Click to install.
  • Click Finish to exit (and make a donation if you can :)).

Add OpenSSL in Environment Variables

We will add OpenSSL inside the environment variables.

  • Run SystemPropertiesAdvanced to open System Properties.
  • Click Environment Variables…
  • Edit Path.
  • Click New and add %ProgramFiles%\OpenSSL-Win64\bin.
  • Open a new Command Prompt and check that you can run the openssl command.

Installing OpenVPN

Go to the official OpenVPN website to download the latest installer.

  • As we want to install OpenVPN as a server, we choose Customize.
  • We enable OpenVPN Service so that it starts at boot.
  • And we install EasyRSA in order to be able to create server and client certificates.
  • Once done, click Close.

Setting up Certificate Authority (CA) and generating certificates and keys for server and clients

Here we will set up a PKI to be able to create our server and client certificates.

  • Open a Command Prompt as administrator.
  • And type the following commands to enter the EasyRSA shell :
C:\Windows\system32>cd C:\Program Files\OpenVPN\easy-rsa
C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat
  • Remove existing configuration, just for good measure :
# ./easyrsa clean-all
  • Initialize pki, and type yes to confirm :
# ./easyrsa init-pki
  • Build certificate authority (nopass leaves the CA private key unencrypted on disk) :
# ./easyrsa build-ca nopass
[…]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ovpn
  • Build server certificate and key :
# ./easyrsa build-server-full server nopass
  • Generate Diffie Hellman parameters :
# ./easyrsa gen-dh
  • Generate client certificates :
# ./easyrsa build-client-full client01 nopass

Certificates

  • Copy these files (from C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private) :
    • ca.crt
    • dh.pem
    • server.crt
    • server.key
  • To C:\Program Files\OpenVPN\config-auto and C:\Program Files\OpenVPN\config folders.

Add a Windows Firewall Rule

We need to open UDP port 1194 to allow OpenVPN client connections. Use the Windows Firewall management console, or run this command in an administrator Command Prompt :

C:\Windows\system32>netsh advfirewall firewall add rule name="OpenVPN" dir=in localport=1194 remoteport=0-65535 protocol=UDP action=allow remoteip=any localip=any

C:\Program Files\OpenVPN\config-auto\server.ovpn

As administrator, edit the C:\Program Files\OpenVPN\config-auto\server.ovpn file :

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem

server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo

persist-key
persist-tun

status openvpn-status.log

verb 3

Then, restart the OpenVPN service :

  • From the services management console (services.msc) :
  • Right-click OpenVPNService then Restart.
  • Or from an administrator Command Prompt :
C:\Windows\system32>net stop openvpnservice
C:\Windows\system32>net start openvpnservice

Client configuration

  • OpenVPN Client :
    • OS : Windows 10
    • Role : OpenVPN Client

Installing OpenVPN

We download the same package and install it with the default parameters.

Copy certificates from the Server

  • From the Server get the following files (from C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private) :
    • ca.crt
    • client01.crt
    • client01.key
  • And paste them to C:\Program Files\OpenVPN\config.
  • C:\Program Files\OpenVPN\config\client.ovpn

Edit the client.ovpn file with administrator rights :

client

dev tun

proto udp

remote OPENVPN_IP 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client01.crt
key client01.key

comp-lzo

verb 3
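
A check for the server.ovpn and client.ovpn files above, as an added example that is not part of the original tutorial: it flags tunnel compression, a client that does not verify the server certificate, and a missing control-channel key. The finding names and the ta.key file name are assumptions made for this example.

```python
# Added example. SERVER_OVPN / CLIENT_OVPN reproduce the two files on this page.
SERVER_OVPN = "\n".join([
    "port 1194", "proto udp", "dev tun", "ca ca.crt", "cert server.crt",
    "key server.key", "dh dh.pem", "server 10.50.8.0 255.255.255.0",
    "ifconfig-pool-persist ipp.txt", "keepalive 10 120", "comp-lzo",
    "persist-key", "persist-tun", "status openvpn-status.log", "verb 3"])
CLIENT_OVPN = "\n".join([
    "client", "dev tun", "proto udp", "remote OPENVPN_IP 1194",
    "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
    "ca ca.crt", "cert client01.crt", "key client01.key", "comp-lzo", "verb 3"])
# Constructed fix: drop compression, verify the server cert's key usage, and
# key the control channel. "ta.key" is an assumed file name; the server needs
# the same tls-crypt line and key, and must also drop comp-lzo.
HARDENED_CLIENT = CLIENT_OVPN.replace("comp-lzo\n", "") + \
    "\nremote-cert-tls server\ntls-crypt ta.key"

def parse(text):
    """Map directive -> list of argument lists; skips blanks and #/; comment lines."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        # "<tls-crypt>" (inline block) counts as the tls-crypt directive.
        directives.setdefault(name.strip("<>").lstrip("-"), []).append(args)
    return directives

def audit(text):
    """Return sorted finding IDs for one config file."""
    d, findings = parse(text), []
    # "comp-lzo no" and bare "compress"/"compress stub*" only keep framing.
    lzo = [a for a in d.get("comp-lzo", []) if a != ["no"]]
    comp = [a for a in d.get("compress", []) if a and not a[0].startswith("stub")]
    if lzo or comp:
        findings.append("compression-enabled")
    # Client side: without this, any certificate issued by the CA (another
    # client's included) is accepted as the server.
    if "client" in d and ["server"] not in d.get("remote-cert-tls", []) \
            and "verify-x509-name" not in d:
        findings.append("no-server-cert-check")
    # No shared key on the control channel: handshakes from any source are processed.
    if not any(k in d for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("no-control-channel-key")
    return sorted(findings)

if __name__ == "__main__":
    for cfg in (SERVER_OVPN, CLIENT_OVPN, HARDENED_CLIENT):
        print(audit(cfg))
```

The server certificate created with build-server-full carries the serverAuth extended key usage, so remote-cert-tls server works with the PKI built earlier on this page.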

Establishing the connection

  • Run as administrator.
  • Start the connection.
  • A pop-up will confirm that we are connected.

Server Access

To reach the server, we use the IP address 10.50.8.1.

⚠️ Troubleshooting : After a Windows Update, I could no longer access the server share (OpenVPN was still able to connect, though). To make it work again, I had to repair the OpenVPN program on the server side (the repair option is available when relaunching the setup program).

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
