Setting up an OpenVPN server on a Windows Server 2008 hosted on AWS. Also tested on Windows Server 2012 R2.
Download the installer from the official OpenVPN website (this guide was written against OpenVPN 2.3.2) and install the OpenVPN server on the Windows machine. Make sure that you select the OpenSSL utilities and the OpenVPN RSA certificate management scripts (easy-rsa) during installation.
[UPDATE: July 2014] Note that easy-rsa was included with 2.3.2, but is no longer bundled with OpenVPN source code archives (according to the OpenVPN downloads page). To get it, visit the easy-rsa page on GitHub.
[UPDATE: February 2016] Instructions have been tested with OpenVPN 2.4.0 on Windows Server 2012 R2. When you install OpenVPN, make sure the following box is ticked:
We have Windows Firewall disabled on this server (if it is left on, add an inbound rule allowing UDP port 11194 as well). We are going to need to open UDP port 11194 in the AWS security group associated with the instance; where possible, restrict the rule's source to the address ranges the VPN clients connect from rather than 0.0.0.0/0.
Optional: Rename TAP-Windows Adapter V9
Find the network interface that is not connected to the Internet and whose device name is listed as "TAP-Windows Adapter V9". Rename this TAP adapter to "tap-vpn" so that it is easy to tell apart from the instance's real network interface.
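The host-side preparation described in the two steps above, as an added example that is not part of the original article. It is meant for an elevated PowerShell prompt on Windows Server 2012 R2 (the Net* cmdlets do not exist on Server 2008); the security group id sg-0123456789abcdef0 and the client address range 203.0.113.0/24 are placeholders to replace with your own values.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# prompt on Windows Server 2012 R2. Placeholders: the client address range
# 203.0.113.0/24 and the AWS security group id sg-0123456789abcdef0.

# 1. Rename the TAP adapter so it is obvious in ipconfig output and firewall logs.
Get-NetAdapter |
    Where-Object { $_.InterfaceDescription -like 'TAP-Windows Adapter V9*' } |
    Select-Object -First 1 |
    Rename-NetAdapter -NewName 'tap-vpn'

# 2. If Windows Firewall stays on, allow only the OpenVPN listener, only for
#    openvpn.exe and only from the address range the clients come from.
New-NetFirewallRule -DisplayName 'OpenVPN UDP 11194' -Direction Inbound `
    -Protocol UDP -LocalPort 11194 -RemoteAddress '203.0.113.0/24' `
    -Program 'C:\Program Files\OpenVPN\bin\openvpn.exe' -Action Allow

# 3. The AWS security group needs the same rule with the same narrow source;
#    this assumes the AWS CLI is installed and configured on the instance.
aws ec2 authorize-security-group-ingress --group-id sg-0123456789abcdef0 `
    --protocol udp --port 11194 --cidr 203.0.113.0/24
```

Scoping the rule to openvpn.exe and to a source range means a second service that happens to listen on UDP 11194, or a scan from anywhere else, is not let through by the same rule.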
Generate the Master Certificate Authority (CA) Certificate and Key
Open up a Command Prompt window as Administrator and change directory to
C:\Users\Administrator> cd \Program Files\OpenVPN\easy-rsa
Run the following batch file to copy the sample configuration files (vars.bat and the OpenSSL configuration) into place:
> init-config
Now edit the vars file (it’s called vars.bat on Windows):
> notepad vars.bat
And set the parameters below appropriately:
set KEY_SIZE=2048
set KEY_COUNTRY=GB
set KEY_PROVINCE=Midlands
set KEY_CITY=Birmingham
set KEY_ORG=Private
set [email protected]
set KEY_CN=changeme
set KEY_NAME=changeme
set KEY_OU=IT
Don't leave any of these parameters blank. KEY_CN and KEY_NAME are only the defaults offered at the prompts; each certificate gets its own values later. The same file also contains KEY_SIZE: older easy-rsa releases set it to 1024, which produces 1024-bit RSA keys and 1024-bit Diffie-Hellman parameters, so set it to 2048 (the DH file then comes out as dh2048.pem and the server configuration must point at that name). Next thing to do is to initialise the PKI:
> vars
> clean-all
> build-ca
build-ca prompts for the same fields; accept the defaults but give the CA its own distinct Common Name (for example "Private-CA"). clean-all wipes the keys directory, so run it only once, at the start.
Generate a Certificate and a Private Key for the Server
> build-key-server server
When prompted for the Common Name, enter server, then answer y to "Sign the certificate?" and to the final "commit?" question.
Generate a Certificate and a Private Key for the Client
Generating client certificates is very similar to the previous step. When build-key prompts for the Common Name, give each client its own unique value (here client, the same as the file name passed on the command line); it must not be the server's Common Name, because OpenVPN tells clients apart by this field and by default allows only one active connection per Common Name. Fill in the Name field as well. All other prompts can be left at their defaults.
> vars
> build-key client
Generate a Diffie Hellman Parameter for the OpenVPN Server
> build-dh
This writes keys\dh<KEY_SIZE>.pem (dh1024.pem with the old default, dh2048.pem with KEY_SIZE=2048) and takes a few minutes.
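Before anything is copied to a client it is worth checking what easy-rsa produced. The script below is an added example, not part of the original article: it uses the openssl.exe that the OpenVPN installer ships, assumes the default install path and the certificate names used above (server, client), and flags the mistakes that bite later: a certificate that does not chain to ca.crt, keys below 2048 bits, a client certificate carrying the server markers, a client that shares the server's Common Name, and undersized DH parameters.

```powershell
# Added example (not from the original article). Sanity-checks the easy-rsa output.
$keys    = 'C:\Program Files\OpenVPN\easy-rsa\keys'   # assumption: default install path
$openssl = 'C:\Program Files\OpenVPN\bin\openssl.exe'

function Test-Cert([string]$Name, [bool]$IsServer) {
    $crt  = Join-Path $keys "$Name.crt"
    $text = & $openssl x509 -in $crt -noout -text | Out-String
    $ok   = $true

    # 1. Must verify against our own CA (easy-rsa signs everything with keys\ca.crt).
    $verify = & $openssl verify -CAfile (Join-Path $keys 'ca.crt') $crt | Out-String
    if ($verify -notmatch ': OK') { Write-Warning "$Name.crt does not verify against ca.crt"; $ok = $false }

    # 2. Key size: easy-rsa uses KEY_SIZE from vars.bat for every key it generates.
    if ($text -match 'Public[- ]Key: \((\d+) bit\)' -and [int]$Matches[1] -lt 2048) {
        Write-Warning "$Name.crt has a $($Matches[1])-bit key; set KEY_SIZE=2048 and regenerate"; $ok = $false
    }

    # 3. Role markers: build-key-server adds nsCertType=server and the serverAuth EKU;
    #    ns-cert-type server / remote-cert-tls server on the client rely on exactly these.
    $serverMarked = ($text -match 'TLS Web Server Authentication') -or ($text -match 'SSL Server')
    if ($IsServer -and -not $serverMarked) { Write-Warning "$Name.crt lacks the server markers; rebuild it with build-key-server"; $ok = $false }
    if (-not $IsServer -and $serverMarked) { Write-Warning "$Name.crt is marked as a server cert; a client holding it could pose as the VPN server"; $ok = $false }

    # 4. Common Name as OpenVPN will see it.
    $cn = if ($text -match 'Subject:.*CN=([^,/\r\n]+)') { $Matches[1].Trim() } else { '(none)' }
    [pscustomobject]@{ Name = $Name; CommonName = $cn; Ok = $ok }
}

$results = @((Test-Cert 'server' $true), (Test-Cert 'client' $false))
if ($results[0].CommonName -eq $results[1].CommonName) {
    Write-Warning "server and client share the Common Name '$($results[0].CommonName)'; OpenVPN tells clients apart by it"
}

# 5. DH parameters: the file name carries the size chosen by KEY_SIZE.
$dh = Get-ChildItem -Path $keys -Filter 'dh*.pem' | Select-Object -First 1
if (-not $dh) { Write-Warning 'no dh*.pem in keys\; run build-dh' }
elseif ($dh.Name -match 'dh(\d+)' -and [int]$Matches[1] -lt 2048) { Write-Warning "$($dh.Name) is too small; set KEY_SIZE=2048 and rerun build-dh" }

$results | Format-Table -AutoSize
```

A clean run prints a two-row table with Ok set to True for both certificates and no warnings; any warning points at the easy-rsa step to repeat before the files are distributed.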
Creating Configuration Files for a Server and Clients
Copy the template file C:\Program Files\OpenVPN\sample-config\server.ovpn to C:\Program Files\OpenVPN\config (still from the easy-rsa directory):
> copy ..\sample-config\server.ovpn ..\config
        1 file(s) copied.
Modify Configuration File For Server
Open the configuration file
server.ovpn for editing:
> notepad ..\config\server.ovpn
Make it look as below:
#listen on all IPv4 addresses
local 0.0.0.0
#the default port is 1194; we use the non-default port 11194
port 11194
#UDP protocol chosen for better protection against DoS attacks and port scanning
proto udp
#using a routed IP tunnel
dev tun
#relative paths to keys and certificates (double backslashes, as in the sample config)
ca ..\\easy-rsa\\keys\\ca.crt
cert ..\\easy-rsa\\keys\\server.crt
key ..\\easy-rsa\\keys\\server.key
#the file name follows KEY_SIZE in vars.bat; 1024-bit DH is weak, prefer KEY_SIZE=2048 and dh2048.pem
dh ..\\easy-rsa\\keys\\dh1024.pem
#set the OpenVPN subnet; the server takes 10.26.0.1, clients get the rest of the pool
server 10.26.0.0 255.255.255.0
#maintain a record of client-to-virtual-IP-address mappings across restarts
ifconfig-pool-persist ipp.txt
#ping every 10 seconds, assume the remote peer is down if no ping is received for 60 seconds
keepalive 10 60
#cryptographic cipher, must be the same on the client config file as well
cipher AES-256-CBC
#enable compression on the VPN link; the setting must match on the client. Compression lets an
#attacker who can inject chosen data into the tunnel learn about the plaintext, so leave it off
#(on both ends) unless you need it
comp-lzo
max-clients 20
#try to preserve some state across restarts
persist-key
persist-tun
#status file
status ..\\log\\openvpn-status.log
#log verbosity
verb 3
We don’t need to make any other changes.
Start OpenVPN Server
Run from a command prompt window:
> openvpn ..\config\server.ovpn
Once running in the command prompt window, OpenVPN can be stopped by the F4 key.
The OpenVPN service can also be controlled from Start Menu -> Administrative Tools -> Services. Note that the service starts one OpenVPN instance for every .ovpn file it finds in C:\Program Files\OpenVPN\config, so keep only the server configuration in that folder.
Ensure that the OpenVPN server is running:
> netstat -na | findstr /L 11194
  UDP    0.0.0.0:11194          *:*
Setup OpenVPN Client
Download the same installer from the OpenVPN website on the client PC and install the OpenVPN client software (the easy-rsa component is not needed there).
We need to copy the template file C:\Program Files\OpenVPN\sample-config\client.ovpn from the server to the C:\Program Files\OpenVPN\config folder on the client PC.
Also copy ca.crt, client.crt and client.key from C:\Program Files\OpenVPN\easy-rsa\keys on the server to the same folder on the client. client.key is the client's private key, so move it over an authenticated channel (the RDP session or an SCP/SFTP transfer, not e-mail) and copy nothing else out of the keys directory: ca.key and server.key must never leave the server.
Modify Client Configuration File
Open the configuration file
client.ovpn for editing, and make it look like this:
client
dev tun
proto udp
remote openvpn.example.com 11194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
#reject a server that does not present a certificate made with build-key-server
#(ns-cert-type server, used by older guides, is deprecated in 2.4 and removed in 2.5)
remote-cert-tls server
#must match the server
cipher AES-256-CBC
comp-lzo
verb 3
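The server and client configurations above work, but they leave the listener open to anyone who can send a UDP packet, use 1024-bit DH parameters, keep compression on and rely on SHA-1 for the data-channel HMAC. The script below is an added example, not code from the original article or from the OpenVPN project: it writes a hardened version of the pair and bundles the client side into a single file with the certificates embedded, so only client.ovpn has to leave the server. It assumes the default install path, the key names used in this guide, KEY_SIZE=2048 in vars.bat (hence dh2048.pem), the hostname openvpn.example.com from the article, and OpenVPN 2.3.3 or later (for tls-version-min). The output goes to a staging folder of our own choosing, not to config\, because the service starts every .ovpn it finds there.

```powershell
# Added example, not from the original article or the OpenVPN project.
$ovpnRoot = 'C:\Program Files\OpenVPN'                  # assumption: default install path
$keys     = Join-Path $ovpnRoot 'easy-rsa\keys'
$openvpn  = Join-Path $ovpnRoot 'bin\openvpn.exe'
$stage    = Join-Path $env:USERPROFILE 'openvpn-staging'  # our staging folder, not config\
New-Item -ItemType Directory -Path $stage -Force | Out-Null

# Shared HMAC key for tls-auth. With it the server discards any packet whose HMAC
# does not check out before doing any TLS work, which is what actually blunts
# port scans and DoS floods on UDP 11194; choosing UDP alone does not.
$taKey = Join-Path $keys 'ta.key'
if (-not (Test-Path $taKey)) { & $openvpn --genkey --secret $taKey }

# Server side. Comments mark what differs from the article's server.ovpn.
@"
local 0.0.0.0
port 11194
proto udp
dev tun
ca ..\\easy-rsa\\keys\\ca.crt
cert ..\\easy-rsa\\keys\\server.crt
key ..\\easy-rsa\\keys\\server.key
# 2048-bit parameters instead of dh1024.pem
dh ..\\easy-rsa\\keys\\dh2048.pem
# server uses key direction 0, every client uses 1
tls-auth ..\\easy-rsa\\keys\\ta.key 0
server 10.26.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 60
cipher AES-256-CBC
# data-channel HMAC (default is SHA1); must match the client
auth SHA256
tls-version-min 1.2
# comp-lzo removed: compression leaks plaintext to anyone who can inject
# chosen data into the tunnel, and the setting must match on the client
max-clients 20
persist-key
persist-tun
status ..\\log\\openvpn-status.log
verb 3
"@ | Set-Content -Path (Join-Path $stage 'server.ovpn') -Encoding ASCII

# easy-rsa .crt files carry a text dump ahead of the PEM block; keep only the block.
function Get-Pem([string]$File) {
    $raw = Get-Content -Path (Join-Path $keys $File) -Raw
    if ($raw -match '(?s)(-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----)') { return $Matches[1] }
    throw "no PEM block found in $File"
}

# Client side, with ca.crt, client.crt, client.key and ta.key inlined.
@"
client
dev tun
proto udp
remote openvpn.example.com 11194
resolv-retry infinite
nobind
persist-key
persist-tun
# replaces ns-cert-type server: requires the serverAuth EKU that
# build-key-server sets, so a stolen client certificate cannot pose as the server
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
# client side of the tls-auth key-direction pair
key-direction 1
verb 3
<ca>
$(Get-Pem 'ca.crt')
</ca>
<cert>
$(Get-Pem 'client.crt')
</cert>
<key>
$(Get-Pem 'client.key')
</key>
<tls-auth>
$(Get-Content -Path $taKey -Raw)
</tls-auth>
"@ | Set-Content -Path (Join-Path $stage 'client.ovpn') -Encoding ASCII

# server.ovpn replaces ..\config\server.ovpn after review; client.ovpn contains
# the client's private key and goes to the client over an authenticated channel only.
Get-ChildItem -Path $stage
```

Because the tls-auth key is shared by every client, a client whose profile is lost should be treated as a reason to rotate ta.key as well as to revoke its certificate; with the single-file profile, rotation is a matter of regenerating and redistributing one file per client.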
Connect to OpenVPN server
Launch the OpenVPN client, click "Connection Profiles" -> "Local File", find
client.ovpn, and save the profile. Click Connect.
Alternatively, run from a command prompt window:
> cd \Program Files\OpenVPN\config
> openvpn .\client.ovpn
All done. We should now be able to RDP to the server at its VPN address 10.26.0.1 (the first address of the subnet given in the server directive; the client receives an address from the same 10.26.0.0/24 pool).