
How to Set Up OpenVPN Server with Routing on Windows Server 2019


Here we'll look at how to set up an OpenVPN server on Microsoft Windows Server.

This is a continuation of the previous "How To" I wrote, see here, but with Windows Server 2019 (which doesn't change much). I'll also cover enabling routing on the server so that the remote clients can reach machines on the LAN, not only the server itself.

OpenVPN is a very powerful VPN with several advantages: it's free, compatible with most operating systems, easy to implement and highly configurable.

Network diagram

Diagram showing network connection between OpenVPN server and client with IP configurations and connection paths

OpenVPN Server

  • OpenVPN Server Properties:
    • OS: Windows Server 2019
    • Role: OpenVPN Server
    • IP: 192.168.0.254

Prerequisites

OpenSSL


In order to create and check the connection certificates, we need the OpenSSL command-line tool. I personally use the https://slproweb.com packages. These are third-party builds rather than an official OpenSSL release, so check the installer's Authenticode signature before running it.

Download OpenSSL

Download the latest OpenSSL Light version.

Table showing download options for Win64 OpenSSL installers, with an arrow pointing to the EXE link for version 3.0.1 Light
Install OpenSSL
  • Accept the agreement:
OpenSSL installation window showing the license agreement with the option to accept the agreement selected
  • Select destination location:
OpenSSL installation window prompting to select the destination location for the installation on Windows
  • Select start menu folder:
OpenSSL installation window prompting to select the Start Menu folder for program shortcuts on Windows
  • Select the OpenSSL binaries directory:
OpenSSL installation window asking to select additional tasks, with the option to copy binaries to the OpenSSL bin directory selected
  • Click to install:
OpenSSL installation window showing summary of settings and ready to install prompt on Windows
  • Click Finish to exit (and make a donation if you can to support the project 😊):
OpenSSL setup wizard completion window with options for donations and a Finish button
Add OpenSSL in Environment Variables

We need to add the OpenSSL path to the environment variables.

  • Run SystemPropertiesAdvanced to open System Properties:
Windows Run dialog box with 'SystemPropertiesAdvanced' entered to open advanced system properties with administrative privileges
  • Click on Environment Variables…:
Windows System Properties window with the Environment Variables button highlighted for accessing system environment settings.
  • Edit Path system variable:
Environment Variables window in Windows showing system Path variable with Edit option highlighted
  • Click on New and add %ProgramFiles%\OpenSSL-Win64\bin:
Edit environment variable window in Windows showing OpenSSL path added, with an arrow pointing to the New button
  • Open a new Command Prompt (an already open one does not see the updated Path) and check that the openssl version command runs:
Command Prompt showing the command to check OpenSSL version and its output

Windows Firewall


We need to open port 1194 udp to allow OpenVPN client connections.

  • To do this, use the Windows Firewall Management Console or this command in an Administrator command-line console.
C:\Windows\system32>netsh advfirewall firewall add rule name="OpenVPN" dir=in localport=1194 remoteport=0-65535 protocol=UDP action=allow remoteip=any localip=any
  • Or with PowerShell:
PS C:\> New-NetFirewallRule -DisplayName "OpenVPN" -Direction Inbound -Protocol UDP -LocalPort 1194 -Action Allow
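The rule above allows 1194/udp to any program on the server. As an added example (not part of the original article), the same rule scoped to the OpenVPN binary, made idempotent, and verified afterwards. It assumes the default OpenVPN install path, so run it once OpenVPN is installed (next section); the rule name "OpenVPN" is the one used above.

```powershell
# Added example, not from the original article: inbound 1194/udp restricted to
# openvpn.exe, then a read-back of what the firewall actually stored.
# Assumption: OpenVPN installed in its default location.
$ruleName = 'OpenVPN'
$openvpn  = 'C:\Program Files\OpenVPN\bin\openvpn.exe'

# Remove any earlier copy of the rule so re-running the script does not stack duplicates
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Same port/protocol as the article's rule, but only openvpn.exe may receive on it
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP -LocalPort 1194 `
    -Program $openvpn -Action Allow | Out-Null

# Verify: enabled, correct port and protocol, bound to the program
$rule = Get-NetFirewallRule -DisplayName $ruleName
$port = $rule | Get-NetFirewallPortFilter
$app  = $rule | Get-NetFirewallApplicationFilter
[pscustomobject]@{
    Enabled  = $rule.Enabled
    Action   = $rule.Action
    Protocol = $port.Protocol
    Port     = $port.LocalPort
    Program  = $app.Program
}

# Once the service is running, confirm something is really bound to 1194/udp
# and that the owning process is openvpn.exe
Get-NetUDPEndpoint -LocalPort 1194 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Process      = (Get-Process -Id $_.OwningProcess).ProcessName
        }
    }
```

If the last query returns nothing, the firewall rule is irrelevant: the service is not listening, and the server.ovpn or the service state is the thing to check.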

Installing OpenVPN

Go to the official OpenVPN website here: https://openvpn.net and download the latest installer.

Download page for OpenVPN showing the selection of the Windows 64-bit MSI installer with an arrow pointing to the download button
  • As we want to install OpenVPN as a server, we will choose Customize:
OpenVPN setup window showing options to Install Now or Customize, with an arrow pointing to the Customize button
  • We enable the OpenVPN Service to run on startup:
OpenVPN custom installation window showing options to select features, with OpenVPN Service highlighted
  • We install EasyRsa to create certificates for the server and clients:
OpenVPN custom installation window showing the selection of EasyRSA 3 Certificate Management Scripts with an Install Now button highlighted
  • Finally, click on Close:
OpenVPN installation completed window with a Close button highlighted

Certificates

Set up a Certificate Authority (CA) and generate certificates and keys for server and clients

Here, we're going to set up a pki to create our server and client certificates.

  • Open a Command Prompt:
Windows search result showing Command Prompt desktop app as the best match
  • Then type the following commands to enter the EasyRSA shell:
C:\Windows\system32> cd "C:\Program Files\OpenVPN\easy-rsa"
C:\Program Files\OpenVPN\easy-rsa> .\EasyRSA-Start.bat
  • Initialize the pki. This removes any existing pki directory (so no separate cleanup step is needed); enter yes to confirm:
# ./easyrsa init-pki
EasyRSA shell showing command to initialize PKI with confirmation prompt to type 'yes' for removal
  • Build the certificate authority. Run it without nopass so that the CA private key (ca.key) is protected by a passphrase; the signing steps below will prompt for it. MyPassW0rd is only the placeholder used in this example:
# ./easyrsa build-ca
[…]
Enter PEM pass phrase:MyPassW0rd
Verifying - Enter PEM pass phrase:MyPassW0rd
[…]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ovpn
  • Generate the server certificate and key (nopass here: the service must be able to start without a prompt):
# ./easyrsa build-server-full server nopass
[…]
Enter pass phrase for c:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key:MyPassW0rd
  • Generate Diffie Hellman parameters:
# ./easyrsa gen-dh
  • Generate the client certificates, one per client machine (never share a certificate and key between several clients, otherwise you cannot revoke one without cutting off the others):
# ./easyrsa build-client-full client01 nopass
[…]
Enter pass phrase for c:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key:MyPassW0rd
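Before copying anything, it is worth checking what EasyRSA produced, using the OpenSSL installed under Prerequisites. The following is an added example and not part of the original article; it assumes the default EasyRSA path and the names server and client01 used above. It verifies that each certificate chains to our CA, that the extendedKeyUsage matches the role (serverAuth for the server, clientAuth for the client, which is what OpenVPN's remote-cert-tls checks rely on), that the private key on disk belongs to the certificate, and when it expires.

```powershell
# Added example, not from the original article: sanity checks on the EasyRSA
# output with the openssl CLI. Assumptions: default EasyRSA path, certificate
# names "server" and "client01", keys created with nopass (otherwise openssl
# pkey prompts for the passphrase).
$pki = 'C:\Program Files\OpenVPN\easy-rsa\pki'
$ca  = Join-Path $pki 'ca.crt'

function Test-OvpnCert {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ExpectedEku   # text openssl prints for the EKU
    )
    $crt = Join-Path $pki "issued\$Name.crt"
    $key = Join-Path $pki "private\$Name.key"

    # 1. Chain: the certificate must be signed by our CA and nothing else
    & openssl verify -CAfile $ca $crt | Out-Null
    $chainOk = ($LASTEXITCODE -eq 0)

    # 2. Role: extendedKeyUsage decides whether remote-cert-tls server/client accepts it
    $eku   = & openssl x509 -in $crt -noout -ext extendedKeyUsage
    $ekuOk = (($eku -join ' ') -match [regex]::Escape($ExpectedEku))

    # 3. Key/cert pairing: public key extracted from the cert equals the one derived from the key
    $pubFromCert = (& openssl x509 -in $crt -noout -pubkey) -join ''
    $pubFromKey  = (& openssl pkey -in $key -pubout) -join ''
    $keyOk = ($pubFromCert -eq $pubFromKey)

    # 4. Validity window, so an expiry does not surprise you later
    $notAfter = (& openssl x509 -in $crt -noout -enddate) -replace '^notAfter=', ''

    [pscustomobject]@{
        Name     = $Name
        Chain    = $chainOk
        Eku      = $ekuOk
        KeyMatch = $keyOk
        NotAfter = $notAfter
    }
}

Test-OvpnCert -Name server   -ExpectedEku 'TLS Web Server Authentication'
Test-OvpnCert -Name client01 -ExpectedEku 'TLS Web Client Authentication'

# The DH parameters should also load cleanly (gen-dh can be interrupted)
& openssl dhparam -in (Join-Path $pki 'dh.pem') -check -noout
```

All three boolean columns should read True for both rows; a False in Eku means the certificate was issued with the wrong EasyRSA command (build-server-full versus build-client-full) and should be regenerated rather than worked around.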

Copy certificates to the right folders

  • Copy the following files (from the C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private folders):
    • ca.crt
    • dh.pem
    • server.crt
    • server.key
  • To the C:\Program Files\OpenVPN\config-auto and C:\Program Files\OpenVPN\config folders. server.key is the server's private key: it stays on the server and is never copied to a client, and ca.key never leaves the easy-rsa\pki\private folder at all.
File Explorer showing the OpenVPN config-auto folder with various certificate and key files

Configuration File

  • As administrator, edit the file C:\Program Files\OpenVPN\config-auto\server.ovpn:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
#comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Restart the OpenVPN Service

The OpenVPN service must be restarted for the configuration file to take effect.

  • From the services management console:
Run dialog in Windows with services.msc command entered to open the Services management console
  • Right click on OpenVPNService, then restart:
Services management console in Windows showing the OpenVPNService with the Restart option highlighted
  • Or from an administrator's command prompt:
C:\Windows\system32>net stop openvpnservice
C:\Windows\system32>net start openvpnservice
  • Or with PowerShell:
PS C:> Restart-Service OpenVPNService -PassThru

OpenVPN Client

  • OpenVPN Client:
    • OS: Windows 10
    • Role: OpenVPN Client

Installing OpenVPN

We're going to download the same package, and here install it with the default settings.

Copy certificates from the Server

  • Copy from the Server the following files (from the folders C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private) :
    • ca.crt
    • client01.crt
    • client01.key
  • Into the folder C:\Program Files\OpenVPN\config on the client. Only ca.crt, the client's own certificate and its own key go there; each client machine gets its own pair.
File Explorer showing the OpenVPN config folder with certificate and key files

Configuration File

  • Edit the file C:\Program Files\OpenVPN\config\client.ovpn with administrator rights, replacing OPENVPN_IP with the public IP address or DNS name of the server:
client
dev tun
proto udp
remote OPENVPN_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
#comp-lzo
verb 3
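The two profiles above are the minimum that works. Two things a practitioner would add before exposing port 1194 to the Internet: a tls-crypt key, so that every control-channel packet is authenticated and unauthenticated peers never get as far as a TLS handshake, and remote-cert-tls on both sides, so that a client cannot pass itself off as the server (without it, any certificate issued by our CA, including client01's, would be accepted by another client as the server). The following is an added example, not code from the original article or from the OpenVPN project: it writes hardened versions of server.ovpn and client.ovpn and assembles a bundle for client01. It assumes OpenVPN 2.5 or later in the default path, the files already copied to config-auto as described above, the OpenVPNService running as LocalSystem (the installer default), and the OPENVPN_IP placeholder replaced as before.

```powershell
# Added example, not from the original article: hardened server and client
# profiles plus a client bundle. Assumptions: OpenVPN >= 2.5 in the default
# path, ca.crt/server.crt/server.key/dh.pem already in config-auto, service
# account LocalSystem, client named client01, OPENVPN_IP to be replaced.
$ErrorActionPreference = 'Stop'
$ovpn   = 'C:\Program Files\OpenVPN'
$srvDir = Join-Path $ovpn 'config-auto'
$pki    = Join-Path $ovpn 'easy-rsa\pki'
$bundle = Join-Path $env:USERPROFILE 'client01-bundle'   # hand to the client out of band

# 1. Shared tls-crypt key, generated once on the server and given to every client
$taKey = Join-Path $srvDir 'ta.key'
if (-not (Test-Path $taKey)) {
    & (Join-Path $ovpn 'bin\openvpn.exe') --genkey secret $taKey
}

# 2. Server profile: the article's directives, then the hardening lines
@"
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
# hardening, not in the article's profile:
# accept only certificates carrying the clientAuth EKU (build-client-full)
remote-cert-tls client
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
"@ | Set-Content -Path (Join-Path $srvDir 'server.ovpn') -Encoding ascii

# 3. Private keys readable only by the service account and administrators
foreach ($f in 'server.key', 'ta.key') {
    icacls (Join-Path $srvDir $f) /inheritance:r /grant:r 'SYSTEM:(R)' 'Administrators:(R)' | Out-Null
}

# 4. Client profile and bundle. remote-cert-tls server makes the client reject a
#    peer that presents a client certificate from the same CA.
New-Item -ItemType Directory -Path $bundle -Force | Out-Null
@"
client
dev tun
proto udp
remote OPENVPN_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
tls-crypt ta.key
verb 3
# hardening, not in the article's profile:
remote-cert-tls server
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
"@ | Set-Content -Path (Join-Path $bundle 'client.ovpn') -Encoding ascii
Copy-Item (Join-Path $pki 'ca.crt')               $bundle
Copy-Item (Join-Path $pki 'issued\client01.crt')  $bundle
Copy-Item (Join-Path $pki 'private\client01.key') $bundle
Copy-Item $taKey                                  $bundle

Restart-Service OpenVPNService -PassThru
```

The bundle folder is what goes to the client's C:\Program Files\OpenVPN\config. tls-crypt must be present on both ends: a client without ta.key, or with a different one, simply times out during the handshake, which is the intended behaviour but looks like a connectivity problem if you forgot to copy the key.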

Establishing the connection

  • Run the OpenVPN client as administrator:
Context menu showing the option to run OpenVPN GUI as administrator on Windows
  • Establish connection:
OpenVPN GUI taskbar icon menu showing the Connect option highlighted
  • A pop-up window will confirm that we are connected:
OpenVPN GUI notification showing that the client is now connected with an assigned IP address, displayed on the taskbar

Server Access

To access the server, we'll use its tunnel address, 10.50.8.1 (the first address of the server 10.50.8.0 255.255.255.0 range is assigned to the server end of the tun interface).

File Explorer and Command Prompt showing successful network connection and ping response to IP address 10.50.8.1 over OpenVPN

⚠️Troubleshooting: After a Windows update, I no longer had access to the server share (OpenVPN could connect, however). For this to work again, I had to repair (available by relaunching the installer) the OpenVPN program on the server side.

Enabling Routing

At this stage, we have an operational OpenVPN server that is reachable from our remote client on its tunnel address. But can we reach the server on its private LAN IP (192.168.0.254), or the other computers on the local network? That's what we'll look at here, by enabling routing on our OpenVPN Windows server.

Diagram illustrating the network routing setup between OpenVPN server, client, and LAN with IP addresses and connection paths

OpenVPN Server

Configuration File

  • As administrator, edit the file C:\Program Files\OpenVPN\config-auto\server.ovpn and add the line push "route 192.168.0.0 255.255.255.0" so that the server announces the LAN to the remote clients (the push "dhcp-option DNS 192.168.0.200" line is optional and hands the clients an internal DNS server):
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.200"
keepalive 10 120
#comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
  • Restart OpenVPNService, example here with PowerShell:
PS C:> Restart-Service OpenVPNService -PassThru

Installing Routing Feature

  • As administrator, open a PowerShell prompt and type this command to install the routing feature:
PS C:> Install-WindowsFeature -Name Routing -IncludeManagementTools

Routing configuration

  • Open the Routing and Remote Access Console by running the rrasmgmt.msc command:
Run dialog in Windows with rrasmgmt.msc command entered to open RRAS management console with administrative privileges
  • Right-click on your server name and select Configure and Enable Routing and Remote Access:
Routing and Remote Access console showing the option to configure and enable Routing and Remote Access with an arrow pointing to it
  • Click on Next:
Routing and Remote Access Server Setup Wizard start screen with Next button highlighted
  • Select Custom configuration and click Next:
Routing and Remote Access Server Setup Wizard showing custom configuration option selected, with Next button highlighted
  • Select NAT and LAN routing services:
Routing and Remote Access Server Setup Wizard with NAT and LAN routing options selected, and Next button highlighted
  • Finally, click on Finish:
Completing the Routing and Remote Access Server Setup Wizard with a summary of selections and Finish button highlighted
  • Then Start the service. At this point, the remote client should be able to ping the LAN interface (here 192.168.0.254):
Routing and Remote Access dialog prompting to start the service with Start service button highlighted
  • To be able to access our entire local network, we need to create a NAT rule. Without it, the LAN hosts receive packets from 10.50.8.x addresses they have no return route for, so their replies never come back; with NAT on the LAN interface, VPN traffic appears to come from 192.168.0.254 instead (the alternative is a static route for 10.50.8.0/24 via 192.168.0.254 on the LAN gateway, which keeps the real client addresses visible in the LAN hosts' logs):
Routing and Remote Access console showing the option to create a new NAT interface with an arrow pointing to it
  • Select the LAN Network Interface (here 192.168.0.254) and click OK:
New Interface for NAT window in Routing and Remote Access, showing selection of Ethernet1 interface with OK button highlighted
  • Select Public interface connected to the Internet (the wizard's label; here the "public" side is the LAN, since that is where the translated traffic goes) and check the Enable NAT on this interface option before confirming by clicking on OK:
Network Address Translation Properties window showing the option to enable NAT on a public interface with OK button highlighted

OpenVPN Client

  • As administrator, open a command prompt and run the route print command to check that route 192.168.0.0 has been pushed correctly:
Command Prompt showing output of the 'route print' command with route details highlighted
  • Check that you can reach your network:
Command Prompt windows showing continuous ping results to two different IP addresses, 192.168.0.200 and 192.168.0.254
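Reading route print and two ping windows by eye works for one client; the following is an added example (not from the original article) that does the same checks from PowerShell on the Windows 10 client after connecting: the pushed route exists, its next hop is inside the tunnel subnet rather than the LAN adapter's gateway, and the tunnel address, the LAN interface and the LAN host are reachable, including SMB on the server for the share test earlier in the article. The prefix, tunnel addresses and hosts are the article's values.

```powershell
# Added example, not from the original article: client-side verification of the
# pushed route and LAN reachability. Assumptions: the article's addressing
# (VPN subnet 10.50.8.0/24, LAN 192.168.0.0/24, hosts .254 and .200).
$lanPrefix = '192.168.0.0/24'
$tunnelNet = '10.50.8.*'
$targets   = '10.50.8.1', '192.168.0.254', '192.168.0.200'

function Test-OvpnRouting {
    # The pushed route must exist and its next hop must be in the VPN subnet;
    # otherwise LAN traffic leaves through the client's default gateway instead.
    $route = Get-NetRoute -DestinationPrefix $lanPrefix -ErrorAction SilentlyContinue |
             Sort-Object RouteMetric | Select-Object -First 1
    if (-not $route) {
        Write-Warning "No route for $($lanPrefix): the server did not push it (check push `"route ...`" and reconnect)"
        return
    }
    $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex
    [pscustomobject]@{
        Check = 'route'
        Value = "$lanPrefix via $($route.NextHop) on $($adapter.InterfaceDescription)"
        OK    = ($route.NextHop -like $tunnelNet)
    }

    # ICMP to the tunnel gateway, the server's LAN interface and a LAN host
    foreach ($t in $targets) {
        [pscustomobject]@{
            Check = 'ping'
            Value = $t
            OK    = (Test-NetConnection -ComputerName $t -InformationLevel Quiet)
        }
    }

    # SMB to the server's LAN address is what the share access depends on
    [pscustomobject]@{
        Check = 'tcp/445'
        Value = '192.168.0.254'
        OK    = (Test-NetConnection -ComputerName '192.168.0.254' -Port 445 -InformationLevel Quiet)
    }
}

Test-OvpnRouting | Format-Table -AutoSize
```

If the route row is OK but the 192.168.0.200 ping fails while 192.168.0.254 answers, the problem is on the LAN side (the NAT rule or the host's own firewall), not the tunnel.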
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
