How To set up an OpenVPN Server on Windows

Here, I'll explain in detail how to set up an OpenVPN server on Microsoft Windows.

OpenVPN is a very powerful VPN with several advantages: it's free, compatible with a very large number of operating systems, easy to set up (especially when you have this excellent tutorial at hand 😌) and highly configurable.

Network diagram

Windows OpenVPN Network Scheme

Server configuration

  • OpenVPN Server:
    • OS: Windows Server 2019
    • Role: OpenVPN Server
    • IP: 192.168.0.254

Prerequisites

In order to create the connection certificates, we need to install the OpenSSL library. I personally use the slproweb.com packages.

Download OpenSSL

Download the latest version of OpenSSL Light.

slproweb website Download OpenSSL

Install OpenSSL

  • Accept the license agreement:
OpenSSL installation | License agreement
  • Select destination location:
OpenSSL installation | Destination location
  • Select start menu folder:
OpenSSL installation | Select Start Menu Folder
  • Select the OpenSSL binaries directory:
OpenSSL installation | OpenSSL DLLs location
  • Click on install:
OpenSSL installation | Ready to install
  • Click on Finish to exit (and donate if you can, it helps the project! 🥰):
OpenSSL installation | Donation to windows

Add OpenSSL in Environment Variables

We'll add OpenSSL to the environment variables.

  • Run SystemPropertiesAdvanced to open the System Properties:
Run SystemPropertiesAdvanced
  • Click on Environment Variables…:
System Properties Window
  • Select Path and click on Edit…:
Environment Variables Window
  • Click on New and add the line %ProgramFiles%\OpenSSL-Win64\bin:
Edit environment variable
  • Open a new Windows command prompt and check that you can run this openssl command:
openssl version test

Installing OpenVPN

Go to the official OpenVPN website: https://openvpn.net/ to download the latest installer.

OpenVPN Download Webpage
  • As we want to install OpenVPN as a server, we will choose Customize:
OpenVPN Windows Installer
  • We enable the OpenVPN Service to run on startup:
OpenVPN Windows Installer
  • We install EasyRsa to create certificates for the server and clients:
OpenVPN Windows Installer
  • Finally, click on Close:
OpenVPN Windows Installer

Set up a Certificate Authority (CA) and generate certificates and keys for server and clients

Here we're going to set up a PKI to create our server and client certificates.

  • Open a Command Prompt:
Windows command prompt from start menu
  • Type the following commands to enter the EasyRSA command interpreter:
C:\Windows\system32>cd C:\Program Files\OpenVPN\easy-rsa
C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat
  • Delete the existing configuration, just in case:
# ./easyrsa clean-all
  • Initialize pki, and type yes to confirm:
# ./easyrsa init-pki
OpenVPN on Windows Easy RSA Shell init-pki
  • Create the certificate authority:
# ./easyrsa build-ca
[…]
Enter PEM pass phrase:PEMpa$$td
Verifying - Enter PEM pass phrase:PEMpa$$td
[…]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ovpn
  • Generate server certificate and key:
# ./easyrsa build-server-full server nopass
[…]
Enter pass phrase for C:/Program Files/OpenVPN/easy-rsa/pki/private/ca.key:PEMpa$$td
  • Generate Diffie Hellman parameters:
# ./easyrsa gen-dh

Create client certificates

  • If the EasyRSA shell was closed earlier, or when adding new clients later, open it again:
C:\Users\Administrator>cd C:\Program Files\OpenVPN\easy-rsa
C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat
  • Generate client certificates:
# ./easyrsa build-client-full client01 nopass
[…]
Enter pass phrase for C:/Program Files/OpenVPN/easy-rsa/pki/private/ca.key:PEMpa$$td

Certificates

  • Move these files (from C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private):
    • ca.crt
    • dh.pem
    • server.crt
    • server.key
  • Into the folders C:\Program Files\OpenVPN\config-auto and C:\Program Files\OpenVPN\config.
OpenVPN on Windows config-auto folder

Add a Windows Firewall Rule

  • We need to create two firewall rules:
    • One to open port 1194 in udp to allow OpenVPN clients connections
    • Another to authorize the 10.50.8.0/24 network, so that clients can communicate with the services present on the server (ping, file sharing, etc.).
Note: here, the rule authorizes all services for the 10.50.8.0/24 network. We can use more restrictive rules, authorizing only the services we need.

To do this, use the Windows Firewall Management Console or these two commands in an administrator's PowerShell console.

  • Create the rule to allow incoming connections on port 1194 udp:
PS C:\ > New-NetFirewallRule -DisplayName "OpenVPN" -Direction Inbound -Protocol UDP -LocalPort 1194 -Action Allow
  • Create the rule to allow all incoming connections from the 10.50.8.0/24 network:
PS C:\ > New-NetFirewallRule -DisplayName "OpenVPN_Network" -Direction Inbound -RemoteAddress 10.50.8.0/24 -Action Allow
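
A more restrictive variant of the second rule, as an added example that is not part of the original tutorial. It assumes VPN clients only need ping and file sharing (SMB over TCP 445) on the server; the rule names OpenVPN_Network_Ping and OpenVPN_Network_SMB are made up here.

```powershell
# Added example, to run from an administrator's PowerShell console.
# Assumption: VPN clients only need ping and SMB file sharing on the server.
$vpnNet = '10.50.8.0/24'

# Remove the allow-everything rule created above, if it exists.
Get-NetFirewallRule -DisplayName 'OpenVPN_Network' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Ping: ICMPv4 echo request (type 8), from VPN clients only.
New-NetFirewallRule -DisplayName 'OpenVPN_Network_Ping' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $vpnNet -Action Allow

# File sharing: SMB over TCP 445, from VPN clients only.
New-NetFirewallRule -DisplayName 'OpenVPN_Network_SMB' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $vpnNet -Action Allow

# Review what the OpenVPN rules now let in, and from where.
Get-NetFirewallRule -DisplayName 'OpenVPN*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Protocol = $port.Protocol
        Port     = $port.LocalPort
        Remote   = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```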

The server.ovpn configuration file

As administrator, create the file C:\Program Files\OpenVPN\config-auto\server.ovpn:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
#comp-lzo #Deactivated because it is now considered a vulnerability.
persist-key
persist-tun
status openvpn-status.log
verb 3

Restart the OpenVPN service

Then, restart the OpenVPN service:

  • From the service management console:
Windows Run, services.msc
  • Right-click on the OpenVPNService and select Restart:
Windows services management console, restart openvpnservice.
  • Or from an administrator's command prompt:
C:\Windows\system32>net stop openvpnservice
C:\Windows\system32>net start openvpnservice
  • Or from a PowerShell console:
PS C:\ > Restart-Service OpenVPNService

Client configuration

  • OpenVPN Client:
    • OS: Windows 11
    • Role: OpenVPN Client

Installing OpenVPN

We're going to download the same package as for the server, and install it with the default settings.

OpenVPN installation windows where we have the choice between install now or customize installation

Copy certificates from the Server

  • From the server, retrieve the following files (from C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private):
    • ca.crt
    • client01.crt
    • client01.key
  • And paste them into C:\Program Files\OpenVPN\config.
Windows 11, OpenVPN certificates.
  • Edit C:\Program Files\OpenVPN\config\client.ovpn file with administrator rights:
client
dev tun
proto udp
remote OPENVPN_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
#comp-lzo #Deactivated because it is now considered a vulnerability.
verb 3
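
The profile above does not tell the client to check that the peer presents a server certificate, so any certificate signed by this CA would be accepted as the server; OpenVPN's remote-cert-tls server directive closes that gap. The PowerShell check below is an added example, not part of the original tutorial or of OpenVPN: Test-OvpnClientProfile is a hypothetical helper that flags this, a leftover OPENVPN_IP placeholder and re-enabled compression, run here on a copy of the profile above.

```powershell
# Added example; Test-OvpnClientProfile is a hypothetical helper, not an OpenVPN tool.
function Test-OvpnClientProfile {
    param([string[]]$Lines)
    # Parse active directives. '#' and ';' start a comment (simplified: no quoting).
    $directives = @(foreach ($line in $Lines) {
        $text = ($line -replace '[#;].*$', '').Trim()
        if ($text) {
            $name, $value = $text -split '\s+', 2
            [pscustomobject]@{ Name = $name; Value = $value }
        }
    })
    $findings = @()
    # Without this, any certificate signed by ca.crt is accepted as the server,
    # including one issued to a client such as client01.
    $checksServer = $directives | Where-Object {
        ($_.Name -eq 'remote-cert-tls' -and $_.Value -eq 'server') -or
        $_.Name -eq 'verify-x509-name'
    }
    if (-not $checksServer) {
        $findings += 'No server certificate check: add "remote-cert-tls server".'
    }
    # The tutorial's OPENVPN_IP placeholder must be replaced by the real address.
    foreach ($d in $directives | Where-Object { $_.Name -eq 'remote' }) {
        if ($d.Value -match '^OPENVPN_IP\b') { $findings += "Placeholder left in: remote $($d.Value)" }
    }
    # The tutorial comments comp-lzo out; flag a profile that turns compression on.
    foreach ($d in $directives | Where-Object { $_.Name -in 'comp-lzo', 'compress' }) {
        $findings += "Compression directive active: $($d.Name) $($d.Value)".Trim()
    }
    $findings
}

# Constructed sample: the client.ovpn from this page, unchanged.
$clientOvpn = @'
client
dev tun
proto udp
remote OPENVPN_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
#comp-lzo #Deactivated because it is now considered a vulnerability.
verb 3
'@ -split '\r?\n'
Test-OvpnClientProfile -Lines $clientOvpn
```

To audit a real profile, pass it with -Lines (Get-Content 'C:\Program Files\OpenVPN\config\client.ovpn').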

Establishing the connection

  • Right-click on the OpenVPN desktop icon and select Run as administrator:
windows to open OpenVPN with administrator rights.
  • Right-click on the OpenVPN icon next to the Windows clock and click on Connect:
OpenVPN menu to establish a vpn connection.
  • A pop-up window confirms that we are connected:
OpenVPN pop up to notify the user that the connection has been established

Server Access

To reach the server, we'll use the IP address 10.50.8.1.

a ping in a dos prompt with a windows explorer window

⚠️ Troubleshooting: After a Windows Update, I no longer had access to the server share (OpenVPN could connect, however). For this to work again, I had to repair the OpenVPN program on the server (the repair option is available by re-running the installer).

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
