How to set up an OpenVPN server on Windows


We will see here how to set up an OpenVPN server on Microsoft Windows Server.

This is a continuation of the previous "How To" that I wrote here, but with Windows Server 2019 (which doesn't change much) and the addition of routing, so that the remote client can reach the LAN behind the server.

OpenVPN is a very powerful VPN with several advantages : it is free, compatible with most operating systems, easy to deploy and highly configurable.

Network diagram

Windows OpenVPN Network Scheme

OpenVPN Server

  • OpenVPN Server Properties :
    • OS : Windows Server 2019
    • Role : OpenVPN Server
    • IP : 192.168.0.254

Prerequisites

OpenSSL


To create and check the connection certificates we need the OpenSSL toolkit. I personally use the slproweb.com packages.

Download OpenSSL

Download the latest OpenSSL Light version.

slproweb website Download OpenSSL
Install OpenSSL
  • Accept the agreement :
OpenSSL installation | License agreement
  • Select destination location :
OpenSSL installation | Destination location
  • Select start menu folder :
OpenSSL installation | Select Start Menu Folder
  • Select OpenSSL binaries directory :
OpenSSL installation | OpenSSL DLLs location
  • Click to install :
OpenSSL installation | Ready to install
  • Click Finish to exit (and make a donation if you can 😊) :
OpenSSL installation | Donation to windows
Add OpenSSL in Environment Variables

We need to add OpenSSL inside the environment variables.

  • Run SystemPropertiesAdvanced to open System Properties :
Run SystemPropertiesAdvanced
  • Click Environment Variables… :
System Properties Window
  • Edit Path :
Environment Variables Window
  • Click New and add %ProgramFiles%\OpenSSL-Win64\bin :
Edit environment variable
  • Open a new Command Prompt (the PATH change only applies to new windows) and check that the openssl command runs :
openssl version test

Windows Firewall


We need to open UDP port 1194 so that OpenVPN clients can connect.

  • Use the Windows Firewall management console, or this command in an Administrator Command Prompt :
C:\Windows\system32>netsh advfirewall firewall add rule name="OpenVPN" dir=in localport=1194 remoteport=0-65535 protocol=UDP action=allow remoteip=any localip=any
  • Or with PowerShell :
PS C:\> New-NetFirewallRule -DisplayName "OpenVPN" -Direction Inbound -Protocol UDP -LocalPort 1194 -Action Allow

Installing OpenVPN

Go to the OpenVPN official website here to download the latest installer.

OpenVPN Download Webpage
  • As we want to install OpenVPN as a server, choose Customize :
OpenVPN Windows Installer
  • Enable OpenVPN Service so that the server starts at boot :
OpenVPN Windows Installer
  • Install EasyRSA so that we can create the server and client certificates :
OpenVPN Windows Installer
  • Once done click Close :
OpenVPN Windows Installer

Certificates

Setting up Certificate Authority (CA) and generating certificates and keys for server and clients

Here we will set up a PKI (our own certificate authority) to issue the server and client certificates.

  • Open a Command Prompt as administrator :
Windows command run as administrator
  • And type the following commands to enter the EasyRSA shell :
C:\Windows\system32>cd C:\Program Files\OpenVPN\easy-rsa
C:\Program Files\OpenVPN\easy-rsa>EasyRSA-Start.bat
  • Remove any existing configuration, just for good measure (with EasyRSA 3 this is optional, since init-pki below removes an existing pki directory after asking for confirmation) :
# ./easyrsa clean-all
  • Initialize pki, and type yes to confirm :
# ./easyrsa init-pki
OpenVPN on Windows Easy RSA Shell init-pki
  • Build the certificate authority. The output below was captured with a passphrase-protected CA key (hence the PEM pass phrase prompts), so the command is run without nopass; MyPassW0rd is only a placeholder. Keep that passphrase : it is asked for again each time a certificate is signed, and it is what protects ca.key if the server is ever compromised :
# ./easyrsa build-ca
[…]
Enter PEM pass phrase:MyPassW0rd
Verifying - Enter PEM pass phrase:MyPassW0rd
[…]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ovpn
  • Build server certificate and key :
# ./easyrsa build-server-full server nopass
[…]
Enter pass phrase for c:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key:MyPassW0rd
  • Generate Diffie Hellman parameters :
# ./easyrsa gen-dh
  • Generate the client certificate and key (nopass leaves client01.key unencrypted on the client's disk; omit it if you want the user to type a passphrase when connecting) :
# ./easyrsa build-client-full client01 nopass
[…]
Enter pass phrase for c:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key:MyPassW0rd

Move certificates to the correct folders

  • Copy these files (from C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private) :
    • ca.crt
    • dh.pem
    • server.crt
    • server.key
  • To the C:\Program Files\OpenVPN\config-auto and C:\Program Files\OpenVPN\config folders. Leave ca.key where it is in pki\private : the service does not need it, and anyone who obtains it can issue certificates the server will trust.
OpenVPN on Windows config-auto folder
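Before copying, it is worth checking what EasyRSA actually produced. The following PowerShell script is an added example, not part of the original post : it uses the OpenSSL installed in the Prerequisites section to verify both certificates against ca.crt, confirms that the server certificate carries the serverAuth extended key usage that build-server-full sets (and the client certificate clientAuth), then copies only the four files the service needs and tightens the ACL on server.key. Paths are the defaults used above; restricting the key to SYSTEM and Administrators assumes OpenVPNService runs as Local System (its default).

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# server after the EasyRSA steps above. Paths are the defaults used in this post.
$Pki   = "C:\Program Files\OpenVPN\easy-rsa\pki"
$Dests = @("C:\Program Files\OpenVPN\config-auto", "C:\Program Files\OpenVPN\config")

function Test-OvpnCert {
    param([string]$CertPath, [string]$CaPath, [string]$ExpectedEku)

    # Chain check: the certificate must be signed by our CA and be within its validity period
    $verify = & openssl verify -CAfile $CaPath $CertPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "chain verification failed for $CertPath : $verify" }

    # EKU check: build-server-full issues "TLS Web Server Authentication",
    # build-client-full issues "TLS Web Client Authentication". A server cert
    # without serverAuth is rejected by clients that use remote-cert-tls server.
    $hasEku = & openssl x509 -in $CertPath -noout -text | Select-String -Quiet -Pattern $ExpectedEku
    if (-not $hasEku) { throw "$CertPath lacks extendedKeyUsage '$ExpectedEku'" }

    # Show who the cert is for and when it expires (EasyRSA defaults to ~2 years for leaf certs)
    & openssl x509 -in $CertPath -noout -subject -enddate
}

Test-OvpnCert "$Pki\issued\server.crt"   "$Pki\ca.crt" "TLS Web Server Authentication"
Test-OvpnCert "$Pki\issued\client01.crt" "$Pki\ca.crt" "TLS Web Client Authentication"

# Copy only what the service needs. ca.key deliberately stays in pki\private.
$Files = @("$Pki\ca.crt", "$Pki\dh.pem", "$Pki\issued\server.crt", "$Pki\private\server.key")
foreach ($d in $Dests) {
    Copy-Item -Path $Files -Destination $d -Force

    # Drop inherited ACEs on the private key and keep only SYSTEM (the service
    # account, assumed Local System) and Administrators.
    & icacls "$d\server.key" /inheritance:r /grant:r "NT AUTHORITY\SYSTEM:R" "BUILTIN\Administrators:F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $d\server.key" }
}
"certificates verified and copied"
```

If the first Test-OvpnCert call throws, do not continue with the service configuration : a certificate that does not verify against ca.crt will only fail later, with a far less readable TLS error in the OpenVPN log.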

Configuration File

  • As administrator, edit C:\Program Files\OpenVPN\config-auto\server.ovpn file :
port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem

server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo

persist-key
persist-tun

status openvpn-status.log

verb 3

Restart OpenVPN Service

The OpenVPN service must be restarted for the configuration file to be taken into account.

  • From, services management console :
Windows Run, services.msc
  • Right click OpenVPNService then Restart :
Windows services management console, restart openvpnservice.
  • Or from an administrator Command Prompt :
C:\Windows\system32>net stop openvpnservice
C:\Windows\system32>net start openvpnservice
  • Or with PowerShell :
PS C:\> Restart-Service OpenVPNService -PassThru

OpenVPN Client

  • OpenVPN Client :
    • OS : Windows 10
    • Role : OpenVPN Client

Installing OpenVPN

We download the same installer and, on the client, keep the default installation options.

Copy certificates from the Server

  • From the server, get the following files (from C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private). Transfer them over a channel you trust, and never copy ca.key to a client :
    • ca.crt
    • client01.crt
    • client01.key
  • And paste them into C:\Program Files\OpenVPN\config on the client.
Windows 10, OpenVPN certificates.

Configuration File

  • Edit C:\Program Files\OpenVPN\config\client.ovpn file with administrator rights :
client

dev tun

proto udp

remote OPENVPN_IP 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client01.crt
key client01.key

comp-lzo

verb 3
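The two configuration files above are the minimum needed to get a tunnel up. The PowerShell script below is an added example, not the original post's configuration : it writes a hardened pair built on the same addressing. Server and client share a tls-crypt static key so that the control channel is encrypted and any packet without the key is dropped before certificate parsing; the client gets remote-cert-tls server, without which any certificate signed by our CA (another client's, for instance) could impersonate the server; comp-lzo is left out because OpenVPN has deprecated compression and it exposes tunnel contents to VORACLE-style attacks. Assumptions : OpenVPN 2.5 or newer in the default path (on 2.4 the key generation syntax is openvpn --genkey --secret ta.key), the EasyRSA files already copied as above, a client file named client01.ovpn instead of client.ovpn, and a staging folder in the administrator's profile for the client bundle.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# server. Writes server.ovpn for the service and assembles a client bundle to copy
# to the Windows 10 client over a trusted channel.
$Ovpn      = "C:\Program Files\OpenVPN"
$ServerDir = Join-Path $Ovpn "config-auto"
$Stage     = Join-Path $env:USERPROFILE "client01-bundle"     # assumption: any folder not read by the service

# 1. One static key, generated once on the server and shared with every client.
#    Assumes OpenVPN 2.5+; on 2.4 use: --genkey --secret $TaKey
$TaKey = Join-Path $ServerDir "ta.key"
if (-not (Test-Path $TaKey)) {
    & (Join-Path $Ovpn "bin\openvpn.exe") --genkey secret $TaKey
    if ($LASTEXITCODE -ne 0) { throw "ta.key generation failed" }
}

# 2. Server side. Lines not present in the minimal server.ovpn are commented.
$ServerConf = @'
port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem
# encrypt and authenticate the control channel with the shared static key
tls-crypt ta.key

server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt

keepalive 10 120

# only accept peers whose certificate was issued with build-client-full (clientAuth EKU)
remote-cert-tls client
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256

# comp-lzo deliberately omitted: compression is deprecated and lets an attacker
# who controls part of a client's traffic recover secrets in the rest (VORACLE)

persist-key
persist-tun

status openvpn-status.log
verb 3
'@

# 3. Client side. remote-cert-tls server requires the serverAuth EKU that
#    build-server-full put in server.crt, so no client cert can pose as the server.
$ClientConf = @'
client
dev tun
proto udp
remote OPENVPN_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client01.crt
key client01.key
tls-crypt ta.key

remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256

verb 3
'@

Set-Content -Path (Join-Path $ServerDir "server.ovpn") -Value $ServerConf -Encoding ASCII

# 4. Client bundle: config, CA cert, client cert/key and the shared key. ca.key is not included.
New-Item -ItemType Directory -Path $Stage -Force | Out-Null
Set-Content -Path (Join-Path $Stage "client01.ovpn") -Value $ClientConf -Encoding ASCII
$Pki = Join-Path $Ovpn "easy-rsa\pki"
Copy-Item -Path "$Pki\ca.crt", "$Pki\issued\client01.crt", "$Pki\private\client01.key", $TaKey -Destination $Stage -Force
"server.ovpn written; client bundle staged in $Stage"
```

After restarting OpenVPNService (next section) and copying the bundle into the client's C:\Program Files\OpenVPN\config, a client that still has the old client.ovpn without ta.key will no longer connect : that is the intended effect of tls-crypt, since the server now ignores anything not authenticated with the shared key.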

Establishing the connection

  • Run OpenVPN client as administrator :
  • Establish the connection :
  • A pop-up will confirm that we are connected.

Server Access

To reach the server over the tunnel we use 10.50.8.1 : the first address of the pool declared by the server directive, which OpenVPN assigns to the server's own tun interface.


⚠️ Troubleshooting : After a Windows Update, I couldn't access the server share anymore (OpenVPN was able to connect though). To make it work again, I had to repair (available when relaunching the setup program) the OpenVPN program on the server side.

Enabling Routing

At this point we have an operational OpenVPN server that is reachable from our remote client. But how do we reach the server on its LAN address (192.168.0.254 here), or other computers on the local network (192.168.0.200 here)? That is what we will do now by enabling routing on our Windows OpenVPN server : the server pushes a route for the LAN to the client, and Windows forwards (and NATs) the tunnel traffic onto the LAN.

Windows OpenVPN with routing Network Scheme

OpenVPN Server

Configuration File

  • As administrator, edit C:\Program Files\OpenVPN\config-auto\server.ovpn and add the line push "route 192.168.0.0 255.255.255.0" so the server announces the LAN to the remote client. The push "dhcp-option DNS 192.168.0.200" line is optional : it makes the client use the LAN DNS server while connected :
port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem

server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.200"

keepalive 10 120

comp-lzo

persist-key
persist-tun

status openvpn-status.log

verb 3
  • Restart OpenVPNService, example here with PowerShell :
PS C:\> Restart-Service OpenVPNService -PassThru

Installing Routing Feature

  • As administrator, open a PowerShell prompt and type this command to install routing functionality :
PS C:> Install-WindowsFeature -Name Routing -IncludeManagementTools

Configuring Routing

  • Open Routing and Remote Access Console by running rrasmgmt.msc :
Windows | run rrasmgmt.msc
  • Right-click your server name > Configure and Enable Routing and Remote Access :
Windows | Routing and remote access console, Configure and Enable Routing and Remote Access
  • Click Next :
Windows | Routing and remote access console, Welcome Wizard
  • Choose Custom configuration :
Windows | Routing and remote access console, Custom configuration
  • Select NAT and LAN routing :
Windows | Routing and remote access console, selecting NAT and LAN routing configuration
  • Finally, click Finish :
Windows | Routing and remote access console, Finish Wizard
  • Then start the service. At this point the remote client should be able to ping the LAN interface (192.168.0.254 here) :
Windows | Routing and remote access console, Start the service box
  • To reach the rest of the LAN we need a NAT rule, so that traffic from the 10.50.8.0/24 tunnel leaves the server with its LAN address (without NAT, every LAN host or the LAN gateway would need a return route to 10.50.8.0/24 via 192.168.0.254) :
Windows | Routing and remote access console, NAT, New interface
  • Select the LAN Network Interface (192.168.0.254 here) and click OK :
Windows | Routing and remote access console, selecting NAT interface
  • Select "Public interface connected to the Internet", check "Enable NAT on this interface", then click OK :
Windows | Routing and remote access console, configuring NAT interface
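The wizard hides what it changes. The PowerShell function below is an added example, not part of the original post : run on the server, it checks the pieces the RRAS setup above depends on (the RemoteAccess service, IPv4 forwarding on the LAN and TAP interfaces, the pushed route in server.ovpn and the firewall rule from the Prerequisites) and reports what is missing rather than guessing from a failed ping. The LAN interface alias "Ethernet" and the LAN prefix are assumptions for this lab; the TAP adapter is found by its driver description.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# OpenVPN server after the RRAS wizard. Interface alias and prefix are lab assumptions.
function Test-OvpnRouting {
    param(
        [string]$LanAlias   = "Ethernet",                    # the 192.168.0.254 adapter
        [string]$LanPrefix  = "192.168.0.0 255.255.255.0",   # as written in the push line
        [string]$ServerConf = "C:\Program Files\OpenVPN\config-auto\server.ovpn"
    )
    $issues = @()

    # The wizard "Configure and Enable Routing and Remote Access" starts this service
    $rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    if (-not $rras -or $rras.Status -ne "Running") { $issues += "RemoteAccess service is not running" }

    # LAN routing means IPv4 forwarding on both interfaces that carry the traffic.
    # RRAS turns it on globally; verify rather than assume.
    $aliases = @($LanAlias)
    $tap = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like "TAP-Windows*" -or $_.InterfaceDescription -like "*Wintun*" }
    if ($tap) { $aliases += @($tap | ForEach-Object Name) }
    foreach ($alias in $aliases) {
        $ifc = Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue
        if (-not $ifc) { $issues += "interface '$alias' not found"; continue }
        if ("$($ifc.Forwarding)" -ne "Enabled") {
            $issues += "IPv4 forwarding disabled on '$alias' (fix: Set-NetIPInterface -InterfaceAlias '$alias' -Forwarding Enabled)"
        }
    }

    # The pushed route must match the LAN prefix, or clients receive a route to nowhere
    $pattern = '^push "route ' + [regex]::Escape($LanPrefix)
    if (-not (Select-String -Path $ServerConf -Pattern $pattern -Quiet)) {
        $issues += "server.ovpn does not push route $LanPrefix"
    }

    # The inbound UDP 1194 rule created in the Prerequisites must still be enabled
    $fw = Get-NetFirewallRule -DisplayName "OpenVPN" -ErrorAction SilentlyContinue
    if (-not $fw -or "$($fw.Enabled)" -ne "True") { $issues += "inbound UDP 1194 firewall rule missing or disabled" }

    if ($issues.Count -eq 0) { "routing prerequisites look good"; return $true }
    $issues | ForEach-Object { Write-Warning $_ }
    return $false
}
Test-OvpnRouting
```

If you would rather not NAT (so that LAN hosts see the real 10.50.8.x client address in their logs), the same LAN routing works without the NAT rule : keep forwarding enabled on both interfaces and add a static route for 10.50.8.0/24 via 192.168.0.254 on the LAN gateway or on each host you need to reach. That is a different setup from the wizard's NAT configuration, not what the screenshots above show.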

OpenVPN Client

  • As administrator, open a command prompt and run route print command to check that the 192.168.0.0 route has correctly been pushed :
Windows | route print output
  • Check you can reach your network :
Windows | ping on two commands prompt
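The same two checks, as an added example that is not part of the original post, in PowerShell on the connected Windows 10 client : the pushed route is read with Get-NetRoute instead of scanning route print, the tunnel is tested against the server's tun address (ICMP plus TCP 445 for the share mentioned in the troubleshooting note), and then each LAN host is pinged. Addresses are those of the lab diagram.

```powershell
# Added example (not from the original post). Run in PowerShell on the Windows 10
# client while the VPN is connected. Addresses are the lab values used in this post.
function Test-OvpnLanAccess {
    param(
        [string]$LanPrefix   = "192.168.0.0/24",
        [string]$VpnServer   = "10.50.8.1",
        [string[]]$LanHosts  = @("192.168.0.254", "192.168.0.200")
    )
    $ok = $true

    # 1. Was the route pushed? Same information as "route print", filtered to our prefix.
    $route = Get-NetRoute -DestinationPrefix $LanPrefix -AddressFamily IPv4 -ErrorAction SilentlyContinue |
             Select-Object -First 1
    if (-not $route) {
        Write-Warning "no route to $LanPrefix : check the push line in server.ovpn and reconnect"
        return $false
    }
    "route $LanPrefix via $($route.NextHop) on '$($route.InterfaceAlias)'"

    # 2. The tunnel itself: ping the server's tun address and probe SMB (TCP 445).
    #    Ping failing while SMB succeeds usually means the Windows firewall profile
    #    assigned to the server's TAP adapter blocks ICMP echo, not a routing problem.
    $t = Test-NetConnection -ComputerName $VpnServer -Port 445 -WarningAction SilentlyContinue
    "$VpnServer ping=$($t.PingSucceeded) smb=$($t.TcpTestSucceeded)"
    if (-not $t.PingSucceeded) { $ok = $false }

    # 3. LAN hosts behind the server: only reachable once LAN routing/NAT is in place.
    foreach ($h in $LanHosts) {
        $r = Test-NetConnection -ComputerName $h -WarningAction SilentlyContinue
        "$h ping=$($r.PingSucceeded)"
        if (-not $r.PingSucceeded) { $ok = $false }
    }
    return $ok
}
Test-OvpnLanAccess
```

A route that is present but points to a NextHop outside 10.50.8.0/24 means the client ignored the pushed route (OpenVPN logs this at verb 3); a present route with failing pings to 192.168.0.200 but a working ping to 192.168.0.254 points at the NAT rule rather than at the push line.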
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
