rss logo

Setting Up OpenVPN on Windows Server 2025

OpenVPN Logo

In this tutorial, we'll look at how to set up an OpenVPN server on Microsoft Windows Server 2025.

Network diagram

OpenVPN setup diagram showing a Windows Server 2025 with IP 192.168.0.200 connected to a client via a router and VPN configuration.

OpenVPN Server

Microsoft Logo
  • OpenVPN Server Properties:
    • OS: Windows Server 2025
    • Role: OpenVPN Server
    • IP: 192.168.0.254

Prerequisites

OpenSSL

OpenSSL Logo

To create the certificates used for authentication, we'll need to install the OpenSSL software library. In Microsoft environments, I use the packages provided by this website: https://slproweb.com.

Download OpenSSL

Download the latest version of OpenSSL Light.

Screenshot of OpenSSL download page showing different versions of Win32/Win64 OpenSSL, with an arrow pointing to the Win64 OpenSSL v3.3.2 Light installer option.
Install OpenSSL
  • Accept the agreement:
OpenSSL 64-bit installer License Agreement window with 'I accept the agreement' option selected during setup.
  • Select destination location:
OpenSSL 64-bit installer window showing the destination folder selection with default path set to Program Files.
  • Select start menu folder:
OpenSSL 64-bit installer window showing the Start Menu folder selection with 'OpenSSL' as the default option.
  • Select the OpenSSL binaries directory:
OpenSSL 64-bit installer window showing additional tasks with 'The OpenSSL binaries (bin) directory' option selected.
  • Click to install:
OpenSSL 64-bit installer ready to install window showing destination location, Start Menu folder, and additional tasks summary.
  • Click Finish to exit (and make a donation if you can to support the project 😊):
OpenSSL 64-bit setup wizard completion window with donation options and Finish button.
Add OpenSSL in Environment Variables

We need to add the OpenSSL path to the environment variables.

  • Run SystemPropertiesAdvanced to open System Properties:
Windows Run dialog box with 'SystemPropertiesAdvanced' entered to open advanced system properties with administrative privileges
  • Click on Environment Variables…:
Windows System Properties window with the Environment Variables button highlighted for accessing system environment settings.
  • Modify Path:
Windows Environment Variables window with the Path variable highlighted and Edit button selected under System variables.
  • Click on New and add %ProgramFiles%\OpenSSL-Win64\bin:
Edit environment variable window with a new path for OpenSSL added under Program Files, and the New button highlighted.
  • Open a new Windows command and check that you can run this openssl command:
PowerShell window showing the 'openssl version' command executed with OpenSSL version 3.3.2 output.

Windows Firewall

Windows Firewall logo

We need to open port 1194 udp to allow OpenVPN client connections.

  • To do this, use the Windows Firewall Management Console or this command in an Administrator command-line console.
C:\Windows\system32>netsh advfirewall firewall add rule name="OpenVPN" dir=in localport=1194 remoteport=0-65535 protocol=UDP action=allow remoteip=any localip=any
  • Or with PowerShell:
PS C:\ > New-NetFirewallRule -DisplayName "OpenVPN" -Direction Inbound -Protocol UDP -LocalPort 1194 -Action Allow

Installing OpenVPN

Go to the official OpenVPN website here: https://openvpn.net and download the latest installer.

OpenVPN 2.6.12 release page with an arrow pointing to the Windows 64-bit MSI installer download link.
  • As we want to install OpenVPN as a server, we will choose Customize:
OpenVPN setup window with an arrow pointing to the 'Customize' option under 'Choose setup type.
  • We enable the OpenVPN Service to run on startup:
OpenVPN custom installation window with 'Enable OpenVPN Pre-Logon Access Provider' option selected under OpenVPN Service.
  • We install EasyRsa to create certificates for the server and clients:
OpenVPN custom installation window with 'EasyRSA 3 Certificate Management Scripts' selected under OpenSSL Utilities and the 'Install Now' button highlighted.
  • Finally, click on Close:
OpenVPN installation completed window with the 'Close' button highlighted.

Certificates

Setting up Certificate Authority (CA) and generating certificates and keys for server and clients

Here, we're going to set up a pki to create our server and client certificates.

  • Open a Command Prompt:
Windows search result for 'Terminal' with the Command Prompt option highlighted.
  • Then type the following commands to enter the EasyRSA shell:
C:\Windows\system32> cd "C:\Program Files\OpenVPN\easy-rsa" C:\Program Files\OpenVPN\easy-rsa> .\EasyRSA-Start.bat Welcome to the EasyRSA 3 Shell for Windows. Easy-RSA 3 is available under a GNU GPLv2 license. Invoke 'easyrsa' to call the program. Without commands, help is displayed. Using directory: C:/Program Files/OpenVPN/easy-rsa EasyRSA Shell #
  • Delete the existing configuration, just for good measure:
# ./easyrsa clean-all
  • Initialize pki, and type yes to confirm:
# ./easyrsa init-pki OpenVPN on Windows Easy RSA Shell init-pki
  • Building the certificate authority:
# ./easyrsa build-ca […] Enter PEM pass phrase:MyPassW0rd Verifying - Enter PEM pass phrase:MyPassW0rd […] Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ovpn
  • Building the server certificate and key:
# ./easyrsa build-server-full server nopass […] Confirm request details: yes […] Enter pass phrase for c:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key:MyPassW0rd
  • Generate Diffie-Hellman parameters:
# ./easyrsa gen-dh
  • Generate client certificates:
# ./easyrsa build-client-full client01 nopass […] Confirm request details: yes […] Enter pass phrase for c:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key:MyPassW0rd

Move certificates to the correct folders

  • Place these files (from « C:\Program Files\OpenVPN\easy-rsa\pki », « C:\Program Files\OpenVPN\easy-rsa\pki\issued » and « C:\Program Files\OpenVPN\easy-rsa\pki\private ») :
    • ca.crt
    • dh.pem
    • server.crt
    • server.key
  • In the « C:\Program Files\OpenVPN\config-auto » and « C:\Program Files\OpenVPN\config » folders.
OpenVPN on Windows config-auto folder

Configuration File

  • As administrator, edit the « C:\Program Files\OpenVPN\config-auto\server.ovpn » file:
port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key dh dh.pem server 10.50.8.0 255.255.255.0 ifconfig-pool-persist ipp.txt keepalive 10 120 comp-lzo persist-key persist-tun status openvpn-status.log verb 3

Restart OpenVPN Service

The OpenVPN service must be restarted for the configuration file to take effect.

  • Open the service management console:
Windows Run dialog box with 'services.msc' entered to open the services management console.
  • Right click on OpenVPNService then Restart:
Windows Services management console showing OpenVPNService with the Restart option selected.
  • Or from an administrator command prompt:
C:\Windows\system32>net stop openvpnservice C:\Windows\system32>net start openvpnservice
  • Or with PowerShell:
PS C:> Restart-Service OpenVPNService -PassThru

Windows client configuration

Microsoft Logo

Installing OpenVPN

We need to download the same package as for the server, but this time install it with the default settings.

Copy certificates from the Server

  • From the server, we need to copy the following files:
    • ca.crt: C:\Program Files\OpenVPN\easy-rsa\pki
    • client01.crt: C:\Program Files\OpenVPN\easy-rsa\pki\issued
    • client01.key: C:\Program Files\OpenVPN\easy-rsa\pki\private

And paste them to the C:\Program Files\OpenVPN\config directory of our Windows client.

  • You should see this client files:
Windows Explorer showing the OpenVPN config folder with files ca.crt, client.ovpn, client01.crt, and client01.key highlighted.
  • Edit the C:\Program Files\OpenVPN\config\client.ovpn file:
client dev tun proto udp remote OPENVPN_IP 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client01.crt key client01.key comp-lzo verb 3
  • Open OpenVPN with administrator rights (otherwise the routing rules, if any have been set up, will not work) and connect:
System tray showing OpenVPN icon with the Connect option selected from the context menu.
  • A pop-up window will confim that we are connected:
OpenVPN GUI notification showing client is now connected with assigned IP 10.50.8.6, and the OpenVPN icon in the system tray.
  • To reach the server, we'll use the IP address 10.50.8.1:
Windows PowerShell window showing ping results for IP 10.50.8.1, alongside a file explorer window accessing the same IP address.
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :

contact mail address