How to Set Up OpenVPN Server with Routing on Windows Server 2019

Last updated: Oct 27, 2024

Here we'll look at how to set up an OpenVPN server on Microsoft Windows Server.

This is a continuation of the previous "How To" I wrote, see here, but with Windows 2019 (which doesn't change much). However, I'd also mention the possibility of enabling routing to be able to access LAN machines from our remote clients.

OpenVPN is a very powerful VPN with several advantages: it's free, compatible with most operating systems, easy to implement and highly configurable.

Network diagram

OpenVPN Server

OpenVPN Server Properties:
- OS: Windows Server 2019
- Role: OpenVPN Server
- IP: 192.168.0.254

Prerequisites

OpenSSL

In order to create connection certificates, we need to install the OpenSSL software library. I personally use the https://slproweb.com packages.

Download OpenSSL

Download the latest OpenSSL Light version.

Table showing download options for Win64 OpenSSL installers, with an arrow pointing to the EXE link for version 3.0.1 Light

Install OpenSSL

Accept the agreement:

OpenSSL installation window showing the license agreement with the option to accept the agreement selected

Select destination location:

OpenSSL installation window prompting to select the destination location for the installation on Windows

Select start menu folder:

OpenSSL installation window prompting to select the Start Menu folder for program shortcuts on Windows

Select the OpenSSL binaries directory:

OpenSSL installation window asking to select additional tasks, with the option to copy binaries to the OpenSSL bin directory selected

Click to install:

OpenSSL installation window showing summary of settings and ready to install prompt on Windows

Click Finish to exit (and make a donation if you can to support the project 😊):

OpenSSL setup wizard completion window with options for donations and a Finish button

Add OpenSSL in Environment Variables

We need to add the OpenSSL path to the environment variables.

Run SystemPropertiesAdvanced to open System Properties:

Windows Run dialog box with 'SystemPropertiesAdvanced' entered to open advanced system properties with administrative privileges

Click on Environment Variables…:

Windows System Properties window with the Environment Variables button highlighted for accessing system environment settings.

Edit Path system variable:

Environment Variables window in Windows showing system Path variable with Edit option highlighted

Click on New and add %ProgramFiles%\OpenSSL-Win64\bin:

Edit environment variable window in Windows showing OpenSSL path added, with an arrow pointing to the New button

Open a new Windows command and check that you can run this openssl command:

Command Prompt showing the command to check OpenSSL version and its output

Windows Firewall

We need to open port 1194 udp to allow OpenVPN client connections.

To do this, use the Windows Firewall Management Console or this command in an Administrator command-line console.

C:\Windows\system32>netsh advfirewall firewall add rule name="OpenVPN" dir=in localport=1194 remoteport=0-65535 protocol=UDP action=allow remoteip=any localip=any

Or with PowerShell:

PS C:\ > New-NetFirewallRule -DisplayName "OpenVPN" -Direction Inbound -Protocol UDP -LocalPort 1194 -Action Allow

Installing OpenVPN

Go to the official OpenVPN website here: https://openvpn.net and download the latest installer.

Download page for OpenVPN showing the selection of the Windows 64-bit MSI installer with an arrow pointing to the download button

As we want to install OpenVPN as a server, we will choose Customize:

OpenVPN setup window showing options to Install Now or Customize, with an arrow pointing to the Customize button

We enable the OpenVPN Service to run on startup:

OpenVPN custom installation window showing options to select features, with OpenVPN Service highlighted

We install EasyRsa to create certificates for the server and clients:

OpenVPN custom installation window showing the selection of EasyRSA 3 Certificate Management Scripts with an Install Now button highlighted

Finally, click on Close:

OpenVPN installation completed window with a Close button highlighted

Certificates

Set up a Certificate Authority (CA) and generate certificates and keys for server and clients

Here, we're going to set up a pki to create our server and client certificates.

Open a Command Prompt:

Windows search result showing Command Prompt desktop app as the best match

Then type the following commands to enter the EasyRSA shell:

C:\Windows\system32> cd "C:\Program Files\OpenVPN\easy-rsa"

C:\Program Files\OpenVPN\easy-rsa> .\EasyRSA-Start.bat

Remove the existing configuration, just in case:

# ./easyrsa clean-all

Initialize the pki, and enter yes to confirm:

# ./easyrsa init-pki

EasyRSA shell showing command to initialize PKI with confirmation prompt to type 'yes' for removal

Build the certificate authority:

# ./easyrsa build-ca nopass
[…]
Enter PEM pass phrase:MyPassW0rd
Verifying - Enter PEM pass phrase:MyPassW0rd
[…]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ovpn

Generate server certificate and key:

# ./easyrsa build-server-full server nopass
[…]
Enter pass phrase for c:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key:MyPassW0rd

Generate Diffie Hellman parameters:

# ./easyrsa gen-dh

Generate client certificates:

# ./easyrsa build-client-full client01 nopass
[…]
Enter pass phrase for c:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key:MyPassW0rd

Copy certificates to the right folders

Copy the following files (from the C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private folders):
- ca.crt
- dh.pem
- server.crt
- server.key
To the C:\Program Files\OpenVPN\config-auto and C:\Program Files\OpenVPN\config folders.

File Explorer showing the OpenVPN config-auto folder with various certificate and key files

Configuration File

As administrator, edit the file C:\Program Files\OpenVPN\config-auto\server.ovpn:

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem

server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt

keepalive 10 120

#comp-lzo

persist-key
persist-tun

status openvpn-status.log

verb 3

Restart the OpenVPN Service

The OpenVPN service must be restarted for the configuration file to take effect.

From the services management console:

Run dialog in Windows with services.msc command entered to open the Services management console

Right click on OpenVPNService, then restart:

Services management console in Windows showing the OpenVPNService with the Restart option highlighted

Or from an administrator's command prompt:

C:\Windows\system32>net stop openvpnservice

C:\Windows\system32>net start openvpnservice

Or with PowerShell:

PS C:> Restart-Service OpenVPNService -PassThru

OpenVPN Client

OpenVPN Client:
- OS: Windows 10
- Role: OpenVPN Client

Installing OpenVPN

We're going to download the same package, and here install it with the default settings.

Copy certificates from the Server

Copy from the Server the following files (from the folders C:\Program Files\OpenVPN\easy-rsa\pki, C:\Program Files\OpenVPN\easy-rsa\pki\issued and C:\Program Files\OpenVPN\easy-rsa\pki\private) :
- ca.crt
- client01.crt
- client01.key
In the folder C:\Program Files\OpenVPN\config.

File Explorer showing the OpenVPN config folder with certificate and key files

Configuration File

Edit the file C:\Program Files\OpenVPN\config\client.ovpn with administrator rights:

client

dev tun

proto udp

remote OPENVPN_IP 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client01.crt
key client01.key

#comp-lzo

verb 3

Establishing the connection

Run the OpenVPN client as administrator:

Context menu showing the option to run OpenVPN GUI as administrator on Windows

Establish connection:

OpenVPN GUI taskbar icon menu showing the Connect option highlighted

A pop-up window will confim that we are connected:

OpenVPN GUI notification showing that the client is now connected with an assigned IP address, displayed on the taskbar

Server Access

To access the server, we'll use the IP address 10.50.8.1.

File Explorer and Command Prompt showing successful network connection and ping response to IP address 10.50.8.1 over OpenVPN

⚠️Troubleshooting: After a Windows update, I no longer had access to the server share (OpenVPN could connect, however). For this to work again, I had to repair (available by relaunching the installer) the OpenVPN program on the server side.

Enabling Routing

At this stage, we have an operational OpenVPN server that is reachable from our remote client. But do we reach the server on its private ip (192.168.0.254) or other computers on the local network? That's what we're going to find out here, by enabling routing on our OpenVPN Windows server.

OpenVPN Server

Configuration File

As administrator, edit the file C:\Program Files\OpenVPN\config-auto\server.ovpn and add the line push "route add 192.168.0.0 255.255.255.0" to announce the network to the remote clients:

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem

server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.200"

keepalive 10 120

#comp-lzo

persist-key
persist-tun

status openvpn-status.log

verb 3

Restart OpenVPNService, example here with PowerShell:

PS C:> Restart-Service OpenVPNService -PassThru

Installing Routing Feature

As administrator, open a PowerShell prompt and type this command to install the routing feature:

PS C:> Install-WindowsFeature -Name Routing -IncludeManagementTools

Routing configuration

Open the Routing and Remote Access Console by running the rrasmgmt.msc command:

Run dialog in Windows with rrasmgmt.msc command entered to open RRAS management console with administrative privileges

Right-click on your server name and select Configure and Enable Routing and Remote Access:

Routing and Remote Access console showing the option to configure and enable Routing and Remote Access with an arrow pointing to it

Click on Next:

Routing and Remote Access Server Setup Wizard start screen with Next button highlighted

Select Custom configuration and click Next:

Routing and Remote Access Server Setup Wizard showing custom configuration option selected, with Next button highlighted

Select NAT and LAN routing services:

Routing and Remote Access Server Setup Wizard with NAT and LAN routing options selected, and Next button highlighted

Finally, click on Finish:

Completing the Routing and Remote Access Server Setup Wizard with a summary of selections and Finish button highlighted

Then Start the service. At this point, the remote client should be able to ping the LAN interface (here 192.168.0.254):

Routing and Remote Access dialog prompting to start the service with Start service button highlighted

To be able to access our entire local network, we need to create a NAT rule:

Routing and Remote Access console showing the option to create a new NAT interface with an arrow pointing to it

Select the LAN Network Interface (here 192.168.0.254) and click OK:

New Interface for NAT window in Routing and Remote Access, showing selection of Ethernet1 interface with OK button highlighted

Select Public interface connected to the internet and check the Enable NAT on this interface option before confirming by clicking on OK:

Network Address Translation Properties window showing the option to enable NAT on a public interface with OK button highlighted

OpenVPN Client

As administrator, open a command prompt and run the route print command to check that route 192.168.0.0 has been pushed correctly:

Command Prompt showing output of the 'route print' command with route details highlighted

Check that you can reach your network:

Command Prompt windows showing continuous ping results to two different IP addresses, 192.168.0.200 and 192.168.0.254