How to Install and Configure OpenVPN Server on Windows? (Ranjan.info)

OpenVPN is an open-source software suite that is one of the most popular and easiest solutions for implementing a truly secure VPN. OpenVPN allows you to join a server and a client (even behind NAT or a firewall) into a single network, or to connect the networks of remote offices. The server part of OpenVPN can be deployed on almost any available operating system (Linux OpenVPN deployment examples). You can install OpenVPN Server on Windows Server 2022/2019/2016/2012R2 or even on a computer running a desktop Windows version (Windows 10 or 11).

In this article, we will show how to install and configure an OpenVPN server on a computer running Windows 10, set up an OpenVPN client on another Windows device, and establish a secure VPN connection.

OpenVPN is extremely popular in the SOHO segment for giving remote employees access: you do not need to buy any special hardware or licenses to build a VPN server based on Windows Server, you do not have to expose RDP ports to the Internet, and you can easily protect RDP against brute force attacks.

How to Install OpenVPN Server Service on Windows?

Download the OpenVPN MSI installer for your Windows version from the official website (https://openvpn.net/community-downloads/). In our case it is OpenVPN-2.5.7-I602-amd64.msi.

Run the installer and select OpenVPN Service to install. If you want your OpenVPN server to start automatically as a service, you do not need to install the OpenVPN GUI.

[Screenshot: Installing OpenVPN Server on Windows]

OpenVPN 2.5 (and newer) supports the Wintun driver from the WireGuard developers. This driver is faster than the default TAP OpenVPN driver. We recommend installing the Wintun driver instead of TAP-Windows6.

Install the EasyRSA certificate management scripts (a wrapper around the OpenSSL utility).

[Screenshot: Install Wintun driver and EasyRSA tool]

Complete the installation.

By default, OpenVPN is installed in C:\Program Files\OpenVPN.

When the installation is complete, you will see a new network adapter, Wintun Userspace Tunnel. This adapter is disabled while the OpenVPN service is not running.

[Screenshot: OpenVPN network adapter Wintun Userspace Tunnel]

Create OpenVPN Encryption Keys and Certificates

OpenVPN uses OpenSSL for its cryptography. This means that RSA keys and certificates must be used to establish a connection between the client and the VPN server.

Open command prompt and go to easy-rsa directory:

cd "C:\Program Files\OpenVPN\easy-rsa"

Make a copy of the file:

copy vars.example vars

Open the vars file in any text editor. Check the paths to the OpenVPN and EasyRSA working folders.

Make sure to edit the EASYRSA_TEMP_DIR variable as shown below:

set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI/temp"

[Screenshot: set_var EASYRSA_TEMP_DIR in the vars file]

You can fill in the certificate fields (optional):

set_var EASYRSA_REQ_COUNTRY "DE"
set_var EASYRSA_REQ_PROVINCE "BY"
set_var EASYRSA_REQ_CITY "MUN"
set_var EASYRSA_REQ_ORG "WOSHUB-Com"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "IT dept"

Set certificate expiration dates:

set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 825

Save the file and run the command:

EasyRSA-Start.bat

All of the following commands must be run in the EasyRSA shell:

Start PKI:

./easyrsa init-pki

You should see this message:

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: C:/Program Files/OpenVPN/easy-rsa/pki

Then generate the root CA:

./easyrsa build-ca

Enter the CA password twice. You should see the message:

CA creation is complete and you may now import and sign cert requests.

The above command created:

  • The root certificate of the Certification Authority: C:\Program Files\OpenVPN\easy-rsa\pki\ca.crt
  • The private key of the Certification Authority: C:\Program Files\OpenVPN\easy-rsa\pki\private\ca.key

Then generate a certificate request and a key for your OpenVPN server:

./easyrsa gen-req server nopass

The tool will generate two files:

  • Request: C:/Program Files/OpenVPN/easy-rsa/pki/reqs/server.req
  • Key: C:/Program Files/OpenVPN/easy-rsa/pki/private/server.key

Sign the request with your CA to issue the server certificate:

./easyrsa sign-req server server

Confirm the data by typing yes.

Then enter the password of your root CA.

The server.crt file will appear in the issued folder (C:\Program Files\OpenVPN\easy-rsa\pki\issued\server.crt).

[Screenshot: OpenVPN server certificate files in the issued folder]

Then generate the Diffie-Hellman parameters (this takes a long time):
./easyrsa gen-dh

[Screenshot: easyrsa gen-dh generating Diffie-Hellman parameters]

To provide additional security for your VPN server, it is recommended to enable tls-auth. This feature adds an HMAC signature to the SSL/TLS handshake packets, introducing an additional integrity check. Packets without a valid signature are discarded by the VPN server. This protects you from VPN server port scanning, DoS attacks, SSL/TLS buffer overflows, etc.

Generate a tls-auth key:

cd "C:\Program Files\OpenVPN\bin"
openvpn --genkey secret ta.key

The file C:\Program Files\OpenVPN\bin\ta.key will appear. Move it to the C:\Program Files\OpenVPN\easy-rsa\pki folder.

You can then generate keys for your OpenVPN client. Each client connecting to your VPN server must have its own key pair.

There are several ways to generate OpenVPN keys and distribute them to clients.

In the example below, we will create a client key on the server and protect it with a password (PEM pass phrase):

./easyrsa gen-req testuser1
./easyrsa sign-req client testuser1

[Screenshot: easyrsa signing the client certificate request]

Copy the key file (C:\Program Files\OpenVPN\easy-rsa\pki\private\testuser1.key) to the client computer and tell the user the password through a separate channel (voice, email, SMS). The client can remove the password protection from the key:

openssl rsa -in "C:\Program Files\OpenVPN\easy-rsa\pki\private\testuser1.key" -out "C:\Program Files\OpenVPN\easy-rsa\pki\private\testuser1_use.key"

[Screenshot: openssl rsa removing the PEM pass phrase]

If you want to generate a key that is not password protected, you need to run the command:

./easyrsa gen-req testuser2 nopass

You can create any number of keys and certificates for the users of your VPN server; generate keys and certificates for the other clients in the same way.

You can revoke compromised client certificates:
cd C:\Program Files\OpenVPN\easy-rsa
EasyRSA-Start.bat
./easyrsa revoke testuser2

Therefore, we have prepared a set of keys and certificates for the OpenVPN server. Now you can configure and run your VPN service.

OpenVPN Server Configuration File for Windows

Copy the configuration file template for the OpenVPN server:

copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\config-auto\server.ovpn"

Open server.ovpn in any text editor and make your settings. I am using the following OpenVPN configuration:

# Specify a port, a protocol and a device type
port 1194
proto udp
dev tun
# Specify paths to server certificates
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\issued\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\private\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\dh.pem"
# Specify the settings of the IP network your VPN clients will get their IP addresses from
server 10.24.1.0 255.255.255.0
# If you want to allow your clients to connect using the same key, enable the duplicate-cn option (not recommended)
# duplicate-cn
# TLS protection
tls-auth "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ta.key" 0
cipher AES-256-GCM
# Other options
keepalive 20 60
persist-key
persist-tun
status "C:\\Program Files\\OpenVPN\\log\\status.log"
log "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
verb 3
mute 20
windows-driver wintun

Save the file.

OpenVPN can use either the TCP or the UDP protocol. In this example, we run OpenVPN on UDP port 1194. UDP is recommended because it is optimal for both performance and security.

Remember to open the OpenVPN port you specified in the firewall on both the client and the server. You can open ports in Windows Defender Firewall using PowerShell.
Firewall rule for the OpenVPN server:

New-NetFirewallRule -DisplayName "AllowOpenVPN-In" -Direction Inbound -Protocol UDP -LocalPort 1194 -Action Allow

Firewall rule for the client (the client connects from a random local port, so the rule matches the remote port):

New-NetFirewallRule -DisplayName "AllowOpenVPN-Out" -Direction Outbound -Protocol UDP -RemotePort 1194 -Action Allow

Then start the OpenVPN service and change its startup type to Automatic. Use the following PowerShell commands:

Set-Service OpenVPNService -StartupType Automatic -PassThru
Get-Service OpenVPNService | Start-Service

[Screenshot: starting the OpenVPN service in Windows]

Open the Network Connections dialog (ncpa.cpl) and make sure the OpenVPN Wintun virtual adapter is now enabled. If it is not, check the log file C:\Program Files\OpenVPN\log\server.log.

[Screenshot: OpenVPN Wintun virtual adapter on Windows]

If you see the following error in the log when starting OpenVPN:

Options error: In C:\Program Files\OpenVPN\config-auto\server.ovpn:1: Maximum option line length (256) exceeded, line starts with…

convert the line endings to Windows CRLF (in Notepad++: open server.ovpn -> Edit -> EOL Conversion -> Windows (CR LF)). Save the file and restart OpenVPNService.
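As an added example (not code from the article or from the OpenVPN project), the following Python script checks a server.ovpn for the pitfalls discussed above: lines longer than OpenVPN's 256-character limit, LF-only line endings, an active duplicate-cn, a missing tls-auth/tls-crypt, and a non-GCM cipher. Both configs it checks are constructed for this example.

```python
MAX_OPTION_LINE = 256  # OpenVPN's option line buffer; longer lines abort config parsing


def parse_ovpn(text):
    """Return (options, findings): options maps each directive to the list of
    argument strings seen for it; '#' and ';' begin comment lines."""
    options, findings = {}, []
    if "\n" in text and "\r\n" not in text:
        findings.append("LF line endings: convert the file to Windows CRLF")
    for num, raw in enumerate(text.splitlines(), 1):
        if len(raw) > MAX_OPTION_LINE:
            findings.append(f"line {num}: {len(raw)} chars exceeds the {MAX_OPTION_LINE} limit")
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, _, args = line.partition(" ")
        options.setdefault(name, []).append(args.strip())
    return options, findings


def lint_server_config(text):
    """Findings for a server config; an empty list means nothing was flagged."""
    options, findings = parse_ovpn(text)
    if "duplicate-cn" in options:
        findings.append("duplicate-cn is active: clients can share one certificate (not recommended)")
    if not ({"tls-auth", "tls-crypt"} & options.keys()):
        findings.append("no tls-auth/tls-crypt: control channel lacks the extra HMAC check")
    for cipher in options.get("cipher", []):
        if not cipher.upper().endswith("-GCM"):
            findings.append(f"cipher {cipher} is not an AEAD (GCM) cipher")
    return findings


# Constructed sample following the article's server.ovpn, with CRLF line endings.
GOOD_CONFIG = "\r\n".join([
    "port 1194", "proto udp", "dev tun",
    'ca "C:\\\\Program Files\\\\OpenVPN\\\\easy-rsa\\\\pki\\\\ca.crt"',
    "server 10.24.1.0 255.255.255.0", "# duplicate-cn",
    'tls-auth "C:\\\\Program Files\\\\OpenVPN\\\\easy-rsa\\\\pki\\\\ta.key" 0',
    "cipher AES-256-GCM", "windows-driver wintun", "",
])

# Constructed sample with the mistakes the linter should catch.
BAD_CONFIG = "\n".join([
    "port 1194", "proto udp", "dev tun", "duplicate-cn", "cipher AES-256-CBC",
    "# " + "x" * MAX_OPTION_LINE,  # comment longer than the option line limit
    "",
])
```

Running lint_server_config(open("server.ovpn", newline="").read()) on a real file (newline="" keeps the CRLF bytes intact) prints the same kind of findings for your own configuration.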

This OpenVPN configuration only allows remote clients to access resources on the server itself. Other computers and services in the server's local network are not available to remote clients. To allow OpenVPN clients to access the internal LAN, enable the IPEnableRouter option in the registry (this enables IP routing in Windows, including routing between Hyper-V networks, and allows you to use port forwarding):

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v IPEnableRouter /t REG_DWORD /d 1 /f

Add routes to your local IP network in the server configuration file:

push "route 10.24.1.0 255.255.255.0"
push "route 192.168.31.0 255.255.255.0"

If necessary, assign DNS server addresses to the client:

push "dhcp-option DNS 192.168.31.10"
push "dhcp-option DNS 192.168.31.11"

If you want to redirect all client requests (including Internet traffic) to your OpenVPN server, add the option:

push "redirect-gateway def1"

Configuring the OpenVPN Client on Windows

Create a configuration file for the VPN client (based on the client.ovpn template) on your server with the following settings (the file name is testuser1.ovpn):

client
dev tun
proto udp
remote your_vpn_server_address 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert testuser1.crt
key testuser1.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
connect-retry-max 25
verb 3

Specify the public IP address or DNS name of your OpenVPN server in the remote directive.

Download and install OpenVPN Connect for Windows (https://openvpn.net/downloads/openvpn-connect-v3-windows.msi).

[Screenshot: installing OpenVPN Connect for Windows]

Then copy the following files from your server to the computer with the OpenVPN client installed:

  • ca.crt
  • testuser1.crt
  • testuser1.key
  • dh.pem
  • ta.key
  • testuser1.ovpn

[Screenshot: importing the *.ovpn profile into OpenVPN Connect for Windows]

Import *.ovpn profile file and try to connect to your VPN server.

If you have set it up correctly, you will see the image below:

[Screenshot: OpenVPN client successfully connected to the server]

Check the OpenVPN connection log on the client: C:\Program Files\OpenVPN Connect\agent.log

Mon Jul 17 08:09:30 2022 proxy_auto_config_url
Mon Jul 17 08:09:31 2022 TUN SETUP
TAP ADAPTERS:
guid='{25EE4A55-BE90-45A0-88A1-8FA8FEF24C42}' index=22 name="Local Area Connection"
Open TAP device "Local Area Connection" PATH="\\.\Global\{25EE4A55-BE90-45A0-88A1-8FA8FEF24C42}.tap" SUCCEEDED
TAP-Windows Driver Version 9.24
ActionDeleteAllRoutesOnInterface iface_index=22
netsh interface ip set interface 22 metric=1
Ok.
netsh interface ip set address 22 static 10.24.1.10 255.255.255.252 gateway=10.24.1.5 store=active
IPHelper: add route 10.24.1.1/32 22 10.24.1.5 metric=-1

The client has successfully connected to the VPN server and has received an IP address 10.24.1.10.

Now check the OpenVPN log on the server side (C:\Program Files\OpenVPN\log\openvpn.log). Here you can also see that the client with the testuser1 certificate has successfully connected to the server:

2022-07-17 08:09:35 192.168.13.20:55648 [tesuser1] Peer Connection Initiated with [AF_INET6]::ffff:192.168.13.20:55648
2022-07-17 08:09:35 tesuser1/192.168.13.20:55648 MULTI_sva: pool returned IPv4=10.24.1.10, IPv6=(Not enabled)
2022-07-17 08:09:35 tesuser1/192.168.13.20:55648 MULTI: Learn: 10.24.1.10 -> testuser1/192.168.13.20:55648
2022-07-17 08:09:35 tesuser1/192.168.13.20:55648 MULTI: primary virtual IP for tesuser1/192.168.13.20:55648: 10.24.1.10
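As an added example (not from the article), this Python script parses server-side openvpn.log lines like the ones above into a table of client sessions and flags any common name that connected from more than one source address, which is what you would expect to see if a client key had been copied or duplicate-cn were enabled. The log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the server-side openvpn.log shown above.
SAMPLE_LOG = """\
2022-07-17 08:09:35 192.168.13.20:55648 [testuser1] Peer Connection Initiated with [AF_INET6]::ffff:192.168.13.20:55648
2022-07-17 08:09:35 testuser1/192.168.13.20:55648 MULTI_sva: pool returned IPv4=10.24.1.10, IPv6=(Not enabled)
2022-07-17 08:09:35 testuser1/192.168.13.20:55648 MULTI: Learn: 10.24.1.10 -> testuser1/192.168.13.20:55648
2022-07-17 09:12:01 203.0.113.7:41000 [testuser1] Peer Connection Initiated with [AF_INET6]::ffff:203.0.113.7:41000
2022-07-17 09:12:01 testuser1/203.0.113.7:41000 MULTI_sva: pool returned IPv4=10.24.1.14, IPv6=(Not enabled)
2022-07-17 09:30:44 198.51.100.9:50001 [testuser2] Peer Connection Initiated with [AF_INET6]::ffff:198.51.100.9:50001
2022-07-17 09:30:44 testuser2/198.51.100.9:50001 MULTI_sva: pool returned IPv4=10.24.1.18, IPv6=(Not enabled)
"""

INIT_RE = re.compile(r"^(\S+ \S+) (\S+):(\d+) \[([^\]]+)\] Peer Connection Initiated")
POOL_RE = re.compile(r"^(\S+ \S+) ([^/]+)/(\S+):(\d+) MULTI_sva: pool returned IPv4=(\S+),")


def parse_sessions(log_text):
    """Map (common name, 'source ip:port') -> {'time': ..., 'vpn_ip': ...}."""
    sessions = {}
    for line in log_text.splitlines():
        m = INIT_RE.match(line)
        if m:  # handshake completed: record the session under its certificate CN
            ts, ip, port, cn = m.groups()
            sessions[(cn, f"{ip}:{port}")] = {"time": ts, "vpn_ip": None}
            continue
        m = POOL_RE.match(line)
        if m:  # address pool assignment: attach the VPN IP to the session
            ts, cn, ip, port, vpn_ip = m.groups()
            sessions.setdefault((cn, f"{ip}:{port}"), {"time": ts})["vpn_ip"] = vpn_ip
    return sessions


def cns_from_multiple_sources(sessions):
    """Common names seen connecting from more than one source IP address."""
    sources = defaultdict(set)
    for cn, src in sessions:
        sources[cn].add(src.rsplit(":", 1)[0])
    return sorted(cn for cn, ips in sources.items() if len(ips) > 1)
```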
