In this tutorial, we'll look at how to set up an OpenVPN server on Microsoft Windows Server 2025.
To create the certificates used for authentication, we'll need to install the OpenSSL software library. In Microsoft environments, I use the packages provided by this website: https://slproweb.com.
Download the latest version of OpenSSL Light.
We need to add the OpenSSL path to the environment variables.
We need to open port 1194 udp to allow OpenVPN client connections.
C:\Windows\system32>netsh advfirewall firewall add rule name="OpenVPN" dir=in localport=1194 remoteport=0-65535 protocol=UDP action=allow remoteip=any localip=any
PS C:\ > New-NetFirewallRule -DisplayName "OpenVPN" -Direction Inbound -Protocol UDP -LocalPort 1194 -Action Allow
Go to the official OpenVPN website here: https://openvpn.net and download the latest installer.
Here, we're going to set up a pki to create our server and client certificates.
C:\Windows\system32> cd "C:\Program Files\OpenVPN\easy-rsa"
C:\Program Files\OpenVPN\easy-rsa> .\EasyRSA-Start.bat
Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.
Invoke 'easyrsa' to call the program. Without commands, help is displayed.
Using directory: C:/Program Files/OpenVPN/easy-rsa
EasyRSA Shell
#
# ./easyrsa clean-all
# ./easyrsa init-pki
# ./easyrsa build-ca
[…]
Enter PEM pass phrase:MyPassW0rd
Verifying - Enter PEM pass phrase:MyPassW0rd
[…]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ovpn
# ./easyrsa build-server-full server nopass
[…]
Confirm request details: yes
[…]
Enter pass phrase for c:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key:MyPassW0rd
# ./easyrsa gen-dh
# ./easyrsa build-client-full client01 nopass
[…]
Confirm request details: yes
[…]
Enter pass phrase for c:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key:MyPassW0rd
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.50.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
The OpenVPN service must be restarted for the configuration file to take effect.
C:\Windows\system32>net stop openvpnservice
C:\Windows\system32>net start openvpnservice
PS C:> Restart-Service OpenVPNService -PassThru
We need to download the same package as for the server, but this time install it with the default settings.
And paste them to the C:\Program Files\OpenVPN\config directory of our Windows client.
client
dev tun
proto udp
remote OPENVPN_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
comp-lzo
verb 3
Contact :