OpenVPN Server and Client Setup on Windows

Setting up an OpenVPN server on a Windows Server 2008 VM hosted on AWS.

Install OpenVPN

Download the package from the official website here (OpenVPN 2.3.2) and install OpenVPN server on a Windows machine. Make sure you install OpenSSL utilities and OpenVPN RSA certificate management scripts.

[EDIT: July 2014] Note that easy-rsa was included with 2.3.2, but is no longer bundled with OpenVPN source code archives (according to the OpenVPN downloads page). To get it, visit the easy-rsa page on GitHub.

We will completely disable Windows Firewall on the server, as our VM is running on AWS. We’ll open UDP 11194 port on Amazon Firewall instead.

Optional: Rename TAP-Windows Adapter V9

Find the network interface that is not connected to the Internet and whose device name is listed as “TAP-Windows Adapter V9”. Rename the TAP adapter to “tap-vpn” for the sake of clarity.

Generate the Master Certificate Authority (CA) Certificate and Key

Open up a Command Prompt window as Administrator and change directory to C:\Program Files\OpenVPN\easy-rsa:

C:\Users\Administrator> cd \Program Files\OpenVPN\easy-rsa

Run the following batch file to copy configuration files into place:

> init-config

Now edit the vars file (it’s called vars.bat on Windows):

> notepad vars.bat

And set the parameters below appropriately:

KEY_COUNTRY=GB
KEY_PROVINCE=Midlands
KEY_CITY=Birmingham
KEY_ORG=Private
[email protected]
KEY_CN=changeme
KEY_NAME=changeme
KEY_OU=IT

Don’t leave any of these parameters blank. Next thing to do is to initialise the PKI:

> vars
> clean-all
> build-ca

Generate a Certificate and a Private Key for the Server

> build-key-server server

Generate a Certificate and a Private Key for the Client

Generating client certificates is very similar to the previous step. Make sure the Common Name value matches the server’s value and the Name value is specified. We can leave all other settings default.

> vars
> build-key client

Generate a Diffie Hellman Parameter for the OpenVPN Server

> build-dh

Creating Configuration Files for a Server and Clients

Copy template file C:\Program Files\OpenVPN\sample-config\server.ovpn to C:\Program Files\OpenVPN\config:

> copy ..\sample-config\server.ovpn ..\config
        1 file(s) copied.

Modify Configuration File For Server

Open the configuration file server.ovpn for editing:

> notepad ..\config\server.ovpn

Make it look as below:

#listen on IPv4
local 0.0.0.0

#we use a non-default port
port 11194

#UDP protocol chosen for better protection against DoS attacks and port scanning
proto udp

#using routed IP tunnel
dev tun

#relative paths to keys and certificates
ca ..//easy-rsa//keys//ca.crt
cert ..//easy-rsa//keys//server.crt
key ..//easy-rsa//keys//server.key
dh ..//easy-rsa//keys//dh1024.pem

#set OpenVPN subnet
server 10.26.0.0 255.255.255.0

#maintain a record of client-to-virtual-IP-address
ifconfig-pool-persist ipp.txt

#ping every 10 seconds, assume that the remote peer is down if no ping is received for 60 seconds
keepalive 10 60

#cryptographic cipher, must be the same (copied) on the client config file as well
cipher AES-256-CBC

#enable compression on VPN link
comp-lzo

max-clients 20

#try to preserve some state across restarts
persist-key
persist-tun

#log file
status ..//log//openvpn-status.log

#log file verbosity
verb 3

We do not need to change anything else on the server.ovpn config. All should work just fine.

Start OpenVPN Server

Run from a command prompt window:

> openvpn ..\config\server.ovpn

Once running in a command prompt window, OpenVPN can be stopped with the F4 key.

The service can also be controlled from Start Menu -> Administrative Tools -> Services.

To ensure that the OpenVPN server is running do:

> netstat -na | findstr /L 11194
UDP    0.0.0.0:11194   *.*

Setup OpenVPN Client

Download here and install an OpenVPN client on a Windows PC.

We need to copy the template file C:\Program Files\OpenVPN\sample-config\client.ovpn from the server to our local PC folder C:\Program Files\OpenVPN.

Also copy ca.crt, client.crt and client.key from C:\Program Files\OpenVPN\easy-rsa\keys to our local PC folder C:\Program Files\OpenVPN\config.

Modify Client Configuration File

Open the configuration file client.ovpn for editing and make it look as below:

client

dev tun

proto udp
remote openvpn.example.com 11194

resolv-retry infinite

nobind

persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key

ns-cert-type server

cipher AES-256-CBC

comp-lzo

verb 3
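The server and client configuration files above have to agree with each other on several directives: the post's own comment on `cipher` says it must be copied to the client, and the same holds for `proto`, the port given to `remote`, and `comp-lzo`. The following script is an added example, not code from the original post or from the OpenVPN project. It parses the two files into directive tables, reports the mismatches that would stop the tunnel coming up, and flags the settings a reviewer of this configuration would ask about (compression, the 1024-bit DH parameter, missing `tls-auth`, the `ns-cert-type` check). The embedded `SERVER_OVPN` and `CLIENT_OVPN` strings carry only the directives from the post's two files that the checks read; the severity scheme and message texts are this script's own.

```python
"""Cross-check an OpenVPN 2.3 server.ovpn / client.ovpn pair.

Added example; not code from the original post or from OpenVPN. The embedded
configs carry the directives from the post's two files that these checks read;
the severity scheme and the messages are this script's own.
"""
import re

SERVER_OVPN = """\
port 11194
proto udp
dev tun
ca ..//easy-rsa//keys//ca.crt
cert ..//easy-rsa//keys//server.crt
key ..//easy-rsa//keys//server.key
dh ..//easy-rsa//keys//dh1024.pem
server 10.26.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
"""

CLIENT_OVPN = """\
client
dev tun
proto udp
remote openvpn.example.com 11194
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
cipher AES-256-CBC
comp-lzo
"""


def parse_ovpn(text):
    """Parse config text into {directive: [args]}. Lines starting with '#' or ';'
    are comments; a repeated directive keeps its last value (enough here)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        conf[parts[0]] = parts[1:]
    return conf


def check_pair(server_text, client_text):
    """Return (severity, message) findings: 'error' stops the tunnel coming up,
    'warning' works but weakens the VPN, 'info' is hardening worth asking for."""
    srv, cli = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []

    # Transport must agree; the client's port is the 2nd argument of 'remote'
    # and both sides default to 1194 when the port is omitted.
    if srv.get("proto", ["udp"])[0] != cli.get("proto", ["udp"])[0]:
        findings.append(("error", "proto differs between server and client"))
    srv_port = srv.get("port", ["1194"])[0]
    remote = cli.get("remote", [])
    cli_port = remote[1] if len(remote) > 1 else "1194"
    if srv_port != cli_port:
        findings.append(("error", "server port %s but client connects to %s" % (srv_port, cli_port)))

    # OpenVPN 2.3 does not negotiate the data-channel cipher, so both sides must
    # carry the same value; the built-in default BF-CBC is a 64-bit block cipher.
    srv_cipher = srv.get("cipher", ["BF-CBC"])[0]
    cli_cipher = cli.get("cipher", ["BF-CBC"])[0]
    if srv_cipher != cli_cipher:
        findings.append(("error", "cipher mismatch: server %s, client %s" % (srv_cipher, cli_cipher)))
    elif srv_cipher == "BF-CBC":
        findings.append(("warning", "default cipher BF-CBC in use; set an AES cipher on both sides"))

    # comp-lzo must match to connect at all, and is best left off: compressing
    # secrets next to attacker-influenced data leaks them (VORACLE-style attacks).
    if ("comp-lzo" in srv) != ("comp-lzo" in cli):
        findings.append(("error", "comp-lzo set on one side only"))
    elif "comp-lzo" in srv:
        findings.append(("warning", "comp-lzo enabled; compression can leak secrets, prefer disabling it"))

    # easy-rsa puts the DH parameter size in the generated file name.
    m = re.search(r"dh(\d+)\.pem$", srv.get("dh", [""])[0])
    if m and int(m.group(1)) < 2048:
        findings.append(("warning", "dh%s.pem is below 2048 bits; regenerate with build-dh at 2048" % m.group(1)))

    # tls-auth HMACs every control-channel packet so unauthenticated packets are
    # dropped before the TLS handshake; it must be set on both sides (direction
    # 0 on the server, 1 on the client).
    if ("tls-auth" in srv) != ("tls-auth" in cli):
        findings.append(("error", "tls-auth set on one side only"))
    elif "tls-auth" not in srv:
        findings.append(("info", "no tls-auth; a shared ta.key would drop unauthenticated packets early"))

    # ns-cert-type is the 2.3-era server-certificate check; remote-cert-tls
    # replaced it in 2.4 and the old option was removed in 2.5.
    if "ns-cert-type" in cli and "remote-cert-tls" not in cli:
        findings.append(("info", "client uses ns-cert-type; newer clients need 'remote-cert-tls server'"))
    return findings
```

Run against the post's pair, `check_pair` reports no errors, two warnings (`comp-lzo` and `dh1024.pem`) and two hardening notes; change the client's cipher or port and the mismatch comes back as an error before the first connection attempt. The parser deliberately ignores inline `<ca>`…`</ca>` blocks, which the post does not use.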

Connect to OpenVPN server

Launch the OpenVPN client, click “Connection Profiles” -> “Local File”, find client.ovpn and save the file. Click Connect.

Alternatively run from a command prompt window:

> cd \Program Files\OpenVPN\config
> openvpn .\client.ovpn

Job’s done. We should now be able to RDP to the server by using its private IP 10.26.0.X.
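The server config's `status ..//log//openvpn-status.log` line makes the server write a table of connected clients and the tunnel address each one holds, which is how an administrator sees who is on the VPN and which 10.26.0.X address was handed out. The script below is an added example, not part of the original post: it parses that status file and joins its two tables, flagging any routed address that falls outside the `server 10.26.0.0 255.255.255.0` network. `STATUS_LOG` is a constructed sample in the default status-file layout, using documentation-range addresses for the clients' real addresses.

```python
"""List clients connected to the OpenVPN server from its status file.

Added example, not from the original post. STATUS_LOG is a constructed sample
in the default status-file format (what the 'status' directive writes); the
real addresses are documentation-range addresses and the tunnel addresses are
from the post's 10.26.0.0/24 server subnet.
"""
import ipaddress

# 'server 10.26.0.0 255.255.255.0' in server.ovpn
VPN_SUBNET = ipaddress.ip_network("10.26.0.0/24")

STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client,203.0.113.5:51234,12345,67890,Thu Jun 18 08:00:02 2015
laptop,198.51.100.7:40001,1024,2048,Thu Jun 18 07:30:11 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.26.0.6,client,203.0.113.5:51234,Thu Jun 18 08:12:10 2015
10.26.0.10,laptop,198.51.100.7:40001,Thu Jun 18 08:11:59 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status(text):
    """Split the status file into its two tables.

    Returns (clients, routes): clients is a list of dicts from CLIENT LIST,
    routes maps each virtual (tunnel) address to the common name it belongs to.
    """
    clients, routes = [], {}
    section = None
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line in ("GLOBAL STATS", "END"):
            section = None
            continue
        f = line.split(",")
        if section == "clients" and len(f) == 5 and f[0] != "Common Name":
            clients.append({"cn": f[0], "real": f[1], "rx": int(f[2]),
                            "tx": int(f[3]), "since": f[4]})
        elif section == "routes" and len(f) == 4 and f[0] != "Virtual Address":
            routes[f[0]] = f[1]
    return clients, routes


def _inside(addr, subnet):
    """True if addr is a host address inside subnet; anything that is not an IP
    address (a MAC in tap mode, an iroute subnet) counts as outside for review."""
    try:
        return ipaddress.ip_address(addr) in subnet
    except ValueError:
        return False


def connected_clients(text, subnet=VPN_SUBNET):
    """Join the two tables: one record per connected client with the tunnel
    addresses routed to it, plus any that fall outside the server subnet.

    An address outside the subnet is worth alerting on: the address pool only
    hands out addresses from the 'server' network, so anything else came from
    elsewhere (a client-config-dir iroute, or a misconfigured pool)."""
    clients, routes = parse_status(text)
    by_cn = {}
    for vaddr, cn in routes.items():
        by_cn.setdefault(cn, []).append(vaddr)
    result = []
    for c in clients:
        addrs = by_cn.get(c["cn"], [])
        rec = dict(c)
        rec["virtual"] = addrs
        rec["outside_subnet"] = [a for a in addrs if not _inside(a, subnet)]
        result.append(rec)
    return result


if __name__ == "__main__":
    for rec in connected_clients(STATUS_LOG):
        flag = " OUTSIDE SUBNET" if rec["outside_subnet"] else ""
        print("%-8s %-22s -> %s%s" % (rec["cn"], rec["real"], ",".join(rec["virtual"]), flag))
```

Point the script at the real file (read `openvpn-status.log` from the server's log directory instead of `STATUS_LOG`) and it gives the same view the `ifconfig-pool-persist` file only records partially: which certificate is connected from where, how much it has transferred, and which tunnel address to RDP to.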

16 thoughts on “OpenVPN Server and Client Setup on Windows”

  1. I configured it like you, but when I use the OpenVPN client to reach the internet, the client cannot get out to the internet; the status of my Local Area Connection (TAP-Windows Adapter V9) shows IPv4 Connectivity: No Internet access.
    My server: Windows 7
    My client: Windows 7

    Thank you very much.
    I live in Thailand.

    • Is firewall configured to allow VPN traffic? Did you enable IP Forwarding on your server?

  2. Half of the things described here are not up to date. It refers to files that do not exist, and Windows totally doesn’t know what to do with half of the command line instructions. These are examples of what the elevated command line in Windows returns:

    WARNING: can’t open config file: /etc/ssl/openssl.cnf
    unknown option -config
    Could Not Find C:\*.old
    Options error: --dh fails with ‘dh2048.pem’: No such file or directory
    Options error: --ca fails with ‘ca.crt’: No such file or directory
    Options error: --cert fails with ‘server.crt’: No such file or directory
    Options error: --key fails with ‘server.key’: No such file or directory
    Options error: Please correct these errors.
    FINDSTR: Cannot open UDP
    FINDSTR: Cannot open 0.0.0.0:11194

    Those are a lot of errors. Can this guide be replaced by an up to date explanation for OpenVPN version 2.3.8? The current guide is not working anymore. Any help would be appreciated.

    • This article was written a year and a half ago; it is expected that things get outdated as time passes by.

      What version of Windows are you using? What version of OpenSSL? What version of OpenVPN? Which command in particular gives the error?

      Updating the article would require my time and resources. Are you willing to pay for any? :)

  3. …and the contents of server.ovpn in the 2.3.8 version are much different from what is described on this page. I don’t know where to put that information, on which lines, because of the different version this page is speaking about.

  4. I got a message: “VERIFY ERROR: depth=1, error=self signed certificate in certificate …”. What do I have to do to fix this?

  5. Hi Tomas,
    I think it’s a good job, first of all… anybody knows that time passes by… and you have to be up to date. ;)

    Just some questions:
    * Have you opened 11194 UDP port in your router to your local Ethernet private IP?
    * Have you configured anything in the TAP NIC?
    * Have you configured static routes somewhere?

    I’m trying to set it up at home and I can’t “RDP” to my PC (the OVPN server is on it – Ethernet NIC and TAP NIC), so I connect the client to the server but cannot RDP to my PC.

    Thanks in advance

  6. I’ve tried and made it exactly like Tomas on the local network, and it works well. The OpenVPN server must be connected first in the OpenVPN GUI so that the TAP adapter can accept connections from the outside; then the client can connect to the server.

    * For the server I’m using Windows XP 32-bit and openvpn Installer (32-bit), Windows XP swupdate.openvpn.org/community/releases/openvpn-install-2.3.11-I001-i686.exe

    * Openssl in the server slproweb.com/download/Win32OpenSSL_Light-1_0_2h.exe

    * Replace port 1194 in server.ovpn

    – For the client I use Windows 7 64-bit and the Installer (64-bit), Windows Vista and later swupdate.openvpn.org/community/releases/openvpn-install-2.3.11-I601-x86_64.exe.

    – Replace “remote xxx.xxx.xxx.xxx” 1194 in client.ovpn
    note: xxx.xxx.xxx.xxx is replaced with the IP of the computer that was made into the server

    And it works well.

    Currently I am just trying it on the local network, not using the internet. Supposedly, with a setup like this, it can be done for VPN over the internet, as long as the modem router has been configured to forward port 1194 to the computer that is in use as the server.

    thank you Tomas, very nice
