Running OpenVPN Server on Windows 🌱

Prerequisites

Create Required Certificates

  1. Launch XCA
  2. Open the PKI database if it is not already (File > Open DataBase), enter password
  3. Click on the Certificates tab, right click on your Intermediate CA certificate
  4. Select New
  5. On the Source tab, make sure Use this Certificate for signing is selected
  6. Verify your Intermediate CA certificate is selected from the drop down
  7. Click the Subject tab
  8. Complete the Distinguished Name section

    internalName: OpenVPN Server
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationalUnitName: i12bretro Certificate Authority
    commonName: vpn.i12bretro.local

  9. Click the Generate a New Key button
  10. Enter a name and set the key size to at least 2048
  11. Click Create
  12. Click on the Extensions tab
  13. Set the Type dropdown to End Entity
  14. Check the box next to Subject Key Identifier
  15. Update the validity dates to fit your needs
  16. Click the Key Usage tab
  17. Under Key Usage select Digital Signature and Key Encipherment
  18. Under Extended Key Usage select TLS Web Server Authentication
  19. Click the Netscape tab
  20. Deselect all options and clear the Netscape Comment field
  21. Click OK to create the certificate
  22. Click on the Certificates tab, right click on your Intermediate CA certificate again
  23. Select New
  24. On the Source tab, make sure Use this Certificate for signing is selected
  25. Verify your Intermediate CA certificate is selected from the drop down
  26. Click the Subject tab
  27. Complete the Distinguished Name section

    internalName: OpenVPN Client #1
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationalUnitName: i12bretro Certificate Authority
    commonName: VPN Client 1

  28. Click the Generate a New Key button
  29. Enter a name and set the key size to at least 2048
  30. Click Create
  31. Click on the Extensions tab
  32. Set the Type dropdown to End Entity
  33. Check the box next to Subject Key Identifier
  34. Update the validity dates to fit your needs
  35. Click the Key Usage tab
  36. Under Key Usage select Digital Signature, Key Agreement
  37. Under Extended Key Usage select TLS Web Client Authentication
  38. Click the Netscape tab
  39. Deselect all options and clear the Netscape Comment field
  40. Click OK to create the certificate
  41. On the Certificates tab, click the OpenVPN Server certificate
  42. Select Extra > Generate DH Parameter
  43. Type 2048 for DH parameter bits
  44. Click OK
  45. Select a location for dh.pem and click Save

Exporting Required Files for OpenVPN

  1. In XCA, click on the Certificates tab
  2. Right click the Intermediate CA certificate > Export > File
  3. Set the file name to ca.crt and verify the export format is PEM chain (*.pem)
  4. Click OK
  5. Right click the OpenVPN Server certificate > Export > File
  6. Set the file name to server.crt and verify the export format is PEM (*.crt)
  7. Click OK
  8. Right click the OpenVPN Client #1 certificate > Export > File
  9. Set the file name to OpenVPN_Client #1.crt and verify the export format is PEM (*.crt)
  10. Click OK
  11. Click on the Private Keys tab
  12. Right click the OpenVPN Server key > Export > File
  13. Set the file name to server.key and verify the export format is PKCS #8 (*.pk8), not the encrypted variant: the server starts unattended and nobody can answer a passphrase prompt
  14. Click OK
  15. Right click the OpenVPN Client #1 key> Export > File
  16. Set the file name to OpenVPN_Client #1.pk8 and verify the export format is PKCS #8 (*.pk8)
  17. Click OK
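Before copying the exports anywhere, it is worth confirming that XCA produced what the steps above intend. The script below is an added example, not part of the original page: it runs the openssl.exe that the OpenVPN installer ships to check that the leaf certificates verify against the exported chain, that the Key Usage / Extended Key Usage chosen in XCA actually landed in each certificate, that each private key belongs to its certificate, and that the server key is not passphrase-protected. The install path and the xca-export folder name are assumptions; the file names are the ones used above.

```powershell
# Added example, not from the original page: sanity-check the XCA exports before they go into
# C:\Program Files\OpenVPN\config. Uses the openssl.exe that the OpenVPN installer ships.
# Assumptions: the default install path and an export folder named xca-export on the desktop
# (change $ExportDir to wherever you saved the files); the file names are the ones used above.
$OpenSsl   = "$env:ProgramFiles\OpenVPN\bin\openssl.exe"
$ExportDir = "$env:USERPROFILE\Desktop\xca-export"

function Test-OpenVpnPki {
    param(
        [string]$CaChain   = (Join-Path $ExportDir 'ca.crt'),
        [string]$Cert      = (Join-Path $ExportDir 'server.crt'),
        [string]$Key       = (Join-Path $ExportDir 'server.key'),
        [string]$ExpectEku = 'TLS Web Server Authentication'
    )
    $ok = $true

    # 1. Chain: ca.crt was exported as "PEM chain", so it holds the intermediate and the root
    #    above it. OpenVPN's --ca needs both to validate a peer certificate signed by the intermediate.
    $verify = & $OpenSsl verify -CAfile $CaChain $Cert 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "chain check failed: $verify"; $ok = $false } else { Write-Host "$verify" }

    # 2. Extensions: confirm the Key Usage / Extended Key Usage ticked in XCA really landed in the
    #    certificate. --remote-cert-tls on the peer enforces exactly these bits.
    $ext = (& $OpenSsl x509 -in $Cert -noout -ext keyUsage,extendedKeyUsage 2>&1) -join ' '
    Write-Host $ext
    if ($ext -notmatch [regex]::Escape($ExpectEku)) { Write-Warning "expected EKU '$ExpectEku' missing"; $ok = $false }

    # 3. Unattended start: an encrypted PKCS #8 key makes openvpn.exe prompt for a passphrase, which a
    #    service or a SYSTEM scheduled task can never answer. Checked before step 4 so openssl
    #    does not prompt here either.
    if (Select-String -Path $Key -Pattern 'ENCRYPTED PRIVATE KEY' -Quiet) {
        Write-Warning "$Key is passphrase-protected: acceptable for a client profile (the GUI prompts), but the server key must be plain PKCS #8"
        return $false
    }

    # 4. Key/cert match: the public key inside the certificate must equal the one derived from the
    #    private key; a mismatch is the usual cause of a "key values mismatch" error at start-up.
    $pubFromCert = (& $OpenSsl x509 -in $Cert -noout -pubkey) -join ''
    $pubFromKey  = (& $OpenSsl pkey -in $Key -pubout) -join ''
    if ($pubFromCert -ne $pubFromKey) { Write-Warning 'private key does not match certificate'; $ok = $false } else { Write-Host 'key matches certificate' }

    return $ok
}

# Server pair first, then the client pair, which must carry the client-auth EKU instead.
Test-OpenVpnPki
Test-OpenVpnPki -Cert (Join-Path $ExportDir 'OpenVPN_Client #1.crt') `
                -Key  (Join-Path $ExportDir 'OpenVPN_Client #1.pk8') `
                -ExpectEku 'TLS Web Client Authentication'
```

Both calls should print the chain result as OK, the extension lines showing Digital Signature plus the expected EKU, and "key matches certificate". A failure in check 1 usually means ca.crt was exported as a single certificate rather than as a PEM chain; a failure in check 2 means the Extensions tab was left at its defaults.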

Installing and Configuring OpenVPN Server

  1. Download the OpenVPN Community Edition .msi installer from openvpn.net
  2. Run the downloaded .msi installer
  3. Click Customize and make sure the OpenVPN Service option is selected for installation
  4. Click Install Now
  5. Once the installation completes, copy the ca.crt, server.crt, server.key and dh.pem files exported above to C:\Program Files\OpenVPN\config\Server
  6. Open a text editor and paste the following text, adjusting the pushed route and DNS server to match your LAN

    port 1194
    proto tcp
    dev tun

    ca "C:\\Program Files\\OpenVPN\\config\\Server\\ca.crt"
    cert "C:\\Program Files\\OpenVPN\\config\\Server\\server.crt"
    key "C:\\Program Files\\OpenVPN\\config\\Server\\server.key"
    dh "C:\\Program Files\\OpenVPN\\config\\Server\\dh.pem"

    topology subnet

    # only accept clients whose certificate carries the TLS Web Client Authentication EKU set in XCA
    remote-cert-tls client
    tls-version-min 1.2

    auth SHA256
    server 192.168.4.0 255.255.255.0
    keepalive 10 120
    cipher AES-256-GCM
    data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
    # no comp-lzo: compressing traffic before encryption leaks plaintext (VORACLE) and is deprecated
    persist-key
    persist-tun
    verb 3

    client-to-client

    ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\config\\Server\\ipp.txt"

    # replace 10.10.27.0/24 and 10.10.27.1 with your LAN subnet and DNS server
    push "route 10.10.27.0 255.255.255.0"
    push "dhcp-option DNS 10.10.27.1"

  7. Save the file as server.ovpn in the C:\Program Files\OpenVPN\config\Server directory
  8. Open the Registry Editor by right clicking the Start button > Run > type regedit > Press Enter
  9. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  10. Double click the IPEnableRouter value (a REG_DWORD) and change its data to 1; this enables IP forwarding and is only read at boot
  11. Close Registry Editor
  12. Open Windows Services by right clicking the Start button > Run > type services.msc > Press Enter
  13. Find the following services and set them to start automatically if they are not already

    Remote Access Connection Manager
    Routing and Remote Access

  14. Open Network Connections by right clicking the Start button > Run > type ncpa.cpl > Press Enter
  15. Right click on the main LAN connection > Properties
  16. Click the Sharing tab
  17. Check the box to Allow other network users to connect
  18. From the dropdown select the OpenVPN TAP connection
  19. Restart the Windows device for the changes to take effect
  20. Once the system has rebooted, start the OpenVPN server by right clicking the OpenVPN icon in the system tray > System Profiles > Server > Connect
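The Windows-side preparation in steps 8 to 18 can also be done from an elevated PowerShell, which is easier to repeat and to audit. The script below is an added example and not part of the original page: it sets the forwarding flag, the service start types and Internet Connection Sharing through the same COM interface ncpa.cpl uses, and adds one thing the GUI walk-through does not mention, a Windows Defender Firewall rule, since the router port forward alone leaves inbound TCP 1194 blocked on the host. The adapter names and install path are assumptions; check them with Get-NetAdapter.

```powershell
# Added example, not from the original page: steps 8 to 18 above as a script, plus a Windows
# Firewall rule the GUI walk-through does not mention. Run from an elevated PowerShell.
# Assumptions: the LAN adapter is named "Ethernet" and the OpenVPN adapter "OpenVPN TAP-Windows6"
# (compare with Get-NetAdapter and change $LanName / $VpnName to match your host).
$LanName     = 'Ethernet'
$VpnName     = 'OpenVPN TAP-Windows6'
$Port        = 1194
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Steps 9-10: IPEnableRouter is a REG_DWORD that is only read at boot, which is why step 19 reboots.
Set-ItemProperty -Path $TcpipParams -Name IPEnableRouter -Value 1 -Type DWord

# Steps 12-13: Remote Access Connection Manager and Routing and Remote Access, plus SharedAccess,
# which is the Internet Connection Sharing service itself and must be running for EnableSharing below.
foreach ($svc in 'RasMan', 'RemoteAccess', 'SharedAccess') { Set-Service -Name $svc -StartupType Automatic }

# Steps 14-18: Internet Connection Sharing through the same COM interface ncpa.cpl uses.
# The LAN adapter is the shared (public) side, the OpenVPN adapter the private side.
$mgr   = New-Object -ComObject HNetCfg.HNetShare
$conns = @($mgr.EnumEveryConnection)
$lan   = $conns | Where-Object { $mgr.NetConnectionProps($_).Name -eq $LanName } | Select-Object -First 1
$vpn   = $conns | Where-Object { $mgr.NetConnectionProps($_).Name -eq $VpnName } | Select-Object -First 1
if (-not $lan -or -not $vpn) { throw "adapter not found; run Get-NetAdapter and fix `$LanName / `$VpnName" }
$mgr.INetSharingConfigurationForINetConnection($lan).EnableSharing(0)   # 0 = ICSSHARINGTYPE_PUBLIC
$mgr.INetSharingConfigurationForINetConnection($vpn).EnableSharing(1)   # 1 = ICSSHARINGTYPE_PRIVATE

# Not in the GUI steps: Windows Defender Firewall drops unsolicited inbound TCP 1194 by default, so the
# router port forward alone is not enough. Scope the allow rule to openvpn.exe rather than the whole port.
New-NetFirewallRule -DisplayName "OpenVPN Server TCP $Port" -Direction Inbound -Protocol TCP -LocalPort $Port `
    -Program "$env:ProgramFiles\OpenVPN\bin\openvpn.exe" -Action Allow | Out-Null

# Re-run after the reboot to confirm everything survived it.
function Test-OpenVpnHostPrep {
    [pscustomobject]@{
        IPForwarding = (Get-ItemProperty $TcpipParams).IPEnableRouter -eq 1
        LanShared    = [bool]$mgr.INetSharingConfigurationForINetConnection($lan).SharingEnabled
        VpnShared    = [bool]$mgr.INetSharingConfigurationForINetConnection($vpn).SharingEnabled
        FirewallRule = [bool](Get-NetFirewallRule -DisplayName "OpenVPN Server TCP $Port" -ErrorAction SilentlyContinue)
        Services     = (Get-Service RasMan, RemoteAccess, SharedAccess | ForEach-Object { "$($_.Name)=$($_.StartType)" }) -join ', '
    }
}
Test-OpenVpnHostPrep
```

Every field of the returned object should be true (and the three services Automatic) both before and after the reboot in step 19; ICS in particular is worth re-checking after a restart, because if it silently drops, VPN clients can reach the server but nothing behind it.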

Configuring Port Forwarding

At this point the OpenVPN server is running, but it is only reachable from the LAN. To accept connections from the internet, configure your router to forward TCP port 1194 from the WAN to the IP address of the Windows host. The exact process varies by router; the steps below are for DD-WRT.

  1. Open a web browser and navigate to the router IP address
  2. Log in
  3. Click the NAT / QoS tab in the top navigation menu
  4. Click the Add button
  5. Enter the following values

    Application: OpenVPN
    Protocol: TCP
    Source Net:
    Port from: 1194
    IP Address: (IP address of the Windows host)
    Port to: 1194
    Enable: (checked)

  6. Click the Save button and then Apply Settings

Creating the OpenVPN Client Profile and Testing

  1. On the client device, download the OVPN template
  2. Rename the .ovpn template something meaningful
  3. Edit the .ovpn template replacing the following:

    <#replace with dynamic dns#> with a dynamic DNS or external IP address to your server
    <#replace with CA chain#> with the contents of ca.crt
    <#replace with client 1 cert #> with the contents of OpenVPN_Client #1.crt
    <#replace with client 1 key #> with the contents of OpenVPN_Client #1.pk8

  4. Save your changes
  5. Copy the .ovpn template to OpenVPN install directory/config
  6. Right click OpenVPN GUI in the system tray > Connect
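The template itself is a separate download, so the placeholders above are all that the page shows of it. As an added example, not the author's template, the script below assembles a complete client profile from the exported files: it inlines the CA chain, client certificate and key between the <ca>, <cert> and <key> tags, and fills in client-side directives that mirror the server configuration (proto tcp on 1194, SHA256, AES-GCM, no compression, and remote-cert-tls server so the client refuses any peer whose certificate lacks the TLS Web Server Authentication EKU set in XCA). The export folder, output name and hostname are assumptions.

```powershell
# Added example, not the page's own OVPN template: build the client .ovpn by inlining the
# exported files. Assumptions: the export folder below, the public hostname in $Remote, and a
# server configured as above (proto tcp, port 1194, no compression). Run elevated, because the
# profile is copied into the install directory's config folder as step 5 describes.
$ExportDir = "$env:USERPROFILE\Desktop\xca-export"
$Remote    = 'vpn.example.com'          # assumption: your dynamic DNS name or public IP
$Out       = Join-Path $ExportDir 'i12bretro-vpn.ovpn'

function Get-PemBlocks {
    param([string]$Path)
    # XCA exports can carry text outside the PEM armour; keep only the BEGIN/END blocks so
    # nothing stray lands between the <ca>/<cert>/<key> tags. A chain file yields several blocks.
    $raw = Get-Content -Raw -Path $Path
    $m = [regex]::Matches($raw, '-----BEGIN [A-Z ]+-----[\s\S]*?-----END [A-Z ]+-----')
    if ($m.Count -eq 0) { throw "no PEM block found in $Path" }
    ($m | ForEach-Object { $_.Value }) -join "`n"
}

function New-OpenVpnClientProfile {
    param(
        [Parameter(Mandatory)][string]$RemoteHost,
        [int]$Port = 1194,
        [string]$CaChain = (Join-Path $ExportDir 'ca.crt'),
        [string]$Cert    = (Join-Path $ExportDir 'OpenVPN_Client #1.crt'),
        [string]$Key     = (Join-Path $ExportDir 'OpenVPN_Client #1.pk8')
    )
    # Mirrors the server: proto tcp, SHA256 HMAC, AES-GCM, no compression. remote-cert-tls server
    # rejects a peer whose certificate lacks the server-auth EKU, so a leaked client certificate
    # cannot be turned around to impersonate the server. An encrypted client key is fine here;
    # the OpenVPN GUI prompts for the passphrase at connect time.
    @"
client
dev tun
proto tcp
remote $RemoteHost $Port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
auth SHA256
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
verb 3

<ca>
$(Get-PemBlocks $CaChain)
</ca>
<cert>
$(Get-PemBlocks $Cert)
</cert>
<key>
$(Get-PemBlocks $Key)
</key>
"@
}

New-OpenVpnClientProfile -RemoteHost $Remote | Set-Content -Path $Out -Encoding ascii
Copy-Item -Path $Out -Destination "$env:ProgramFiles\OpenVPN\config\"   # step 5 above
```

The generated profile carries the client's private key in clear text unless the key was exported encrypted, so treat the .ovpn file as a credential: transfer it to the client device over a channel you trust and delete the copy in the export folder once it is in place. If the server configuration still contains comp-lzo, remove it there rather than adding it here; a compression mismatch breaks the tunnel, and compression of encrypted traffic is the VORACLE weakness.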

Starting the OpenVPN Server on System Startup

  1. Click on the Start Button > Type task > Launch Task Scheduler
  2. Right click the Task Scheduler Library folder in the left pane > Create Basic Task...
  3. Set the name to OpenVPN Server and optionally set a Description > Click Next
  4. For the Trigger, select When the computer starts > Click Next
  5. For the Action, select Start a program > Click Next
  6. In the Program/script field, paste the following, editing the path if OpenVPN is not installed to the default location:

    "%ProgramFiles%\OpenVPN\bin\openvpn.exe"

  7. In the Add arguments field, paste the following, editing the path to the .ovpn file if necessary (the --log argument is optional but gives you a log file to check, since a process started by Task Scheduler reports nothing to the OpenVPN GUI):

    --config "C:\Program Files\OpenVPN\config\Server\server.ovpn" --log "C:\Program Files\OpenVPN\log\server.log"

  8. Click Next
  9. Check the box Open the Properties dialog for this task when I click Finish > Click Finish
  10. In the Properties dialog, click the Change User or Group... button
  11. Type System in the Object name field > Click OK (the task runs as SYSTEM with no desktop, so server.key must be the unencrypted PKCS #8 export; a passphrase prompt would hang the start-up)
  12. Check the Run with highest privileges box
  13. Click OK to create the scheduled task
  14. To test, stop the OpenVPN Server using the system tray icon
  15. Right click the OpenVPN Server task > Run
  16. Open Task Manager and verify openvpn.exe is running, or open the log file from step 7; the OpenVPN GUI system tray icon does not track a server started by Task Scheduler
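The same task can be registered from an elevated PowerShell, which also lets you set two options the Basic Task wizard hides: removing the default three-day execution time limit, after which Task Scheduler would kill the server, and restarting the task if openvpn.exe exits. The script below is an added example, not part of the original page; the paths are the defaults used above and are assumptions if you installed elsewhere. The OpenVPN Service selected in the installer would do the same job for a profile placed in C:\Program Files\OpenVPN\config-auto; this follows the page's Task Scheduler route.

```powershell
# Added example, not from the original page: steps 1 to 13 above as Register-ScheduledTask, plus a
# check that does not rely on the tray icon. Assumptions: default install path and the server.ovpn
# location used above. Run elevated. server.key must be unencrypted (no prompt is possible under SYSTEM).
$OpenVpn  = "$env:ProgramFiles\OpenVPN\bin\openvpn.exe"
$Config   = "$env:ProgramFiles\OpenVPN\config\Server\server.ovpn"
$Log      = "$env:ProgramFiles\OpenVPN\log\server.log"
$TaskName = 'OpenVPN Server'

$action    = New-ScheduledTaskAction -Execute $OpenVpn -Argument "--config `"$Config`" --log `"$Log`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# Wizard defaults would stop the task after 3 days and refuse to start on battery; a zero time limit
# disables the limit, and the restart settings bring openvpn.exe back if it exits.
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Seconds 0) `
                 -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                 -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Steps 14-16: start the task and confirm openvpn.exe, not something else, owns the listening socket.
function Test-OpenVpnServerTask {
    param([string]$Name = $TaskName, [int]$Port = 1194)
    Start-ScheduledTask -TaskName $Name
    Start-Sleep -Seconds 5
    $task     = Get-ScheduledTask -TaskName $Name
    $listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TaskState   = $task.State                                   # expect Running
        Listening   = [bool]$listener
        Owner       = if ($listener) { (Get-Process -Id $listener[0].OwningProcess).ProcessName } else { $null }   # expect openvpn
        LastLogLine = if (Test-Path $Log) { Get-Content -Path $Log -Tail 1 } else { '(no log yet)' }
    }
}
Test-OpenVpnServerTask
```

Stop the GUI-started server first (step 14), otherwise the task's instance fails to bind port 1194 and the Owner field will show the GUI's openvpn.exe rather than the task's. The last log line after a clean start is "Initialization Sequence Completed".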

Further Reading: https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide#ServerConfigFile