DIY OpenVPN Setup Steps for Windows


Easy Windows Guide

This page contains a no-frills guide to getting OpenVPN up and running on a Windows server and client(s). For a more detailed understanding of setting up OpenVPN and its advanced features, see the HOWTO page.

Table of contents

  1. Downloading and Installing OpenVPN
  2. Certificates and Keys
     2.1 Preparatory Steps
     2.2 Building Certificates and Keys
  3. Configuration Files
     3.1 Server Config File
     3.2 Client Config Files
  4. Copying the Server and Client Files to Their Appropriate Directories
  5. Starting OpenVPN
  6. Further Considerations / Troubleshooting
     6.1 Firewall Configuration
     6.2 Port Forwarding
     6.3 Static Internet IP
     6.4 Running OpenVPN as a Service
     6.5 Security Tips

Downloading and Installing OpenVPN

  1. Download the installer from here and run it on the server computer.
  2. Install OpenVPN on each client. (This step can be skipped for now and done at any convenient time.)

Certificates and Keys

Preparatory Steps

  1. Navigate to the C:\Program Files\OpenVPN\easy-rsa folder in the command prompt:

    1. Press Windows Key + R
    2. Type "cmd.exe" and press Enter.
      cmd.exe

    3. Navigate to the correct folder:
      cd "C:\Program Files\OpenVPN\easy-rsa"

  2. Initialize the OpenVPN configuration:

    init-config

    • NOTE: Only run init-config once, during installation.
  3. Open the vars.bat file in a text editor:

    notepad vars.bat

  4. Edit the following lines in vars.bat, replacing "US", "CA", etc. with your company's information:

    set KEY_COUNTRY=US
    set KEY_PROVINCE=CA
    set KEY_CITY=SanFrancisco
    set KEY_ORG=OpenVPN
    set KEY_EMAIL=[email protected]

  5. Save the file and exit notepad.
  6. Run the following commands:

    vars

    clean-all
    

Building Certificates and Keys

  1. The certificate authority (CA) certificate and key:

    build-ca

    • When prompted, enter your country, etc. These will have default values, which appear in brackets. For your "Common Name," a good choice is to pick a name to identify your company's Certificate Authority. For example, "OpenVPN-CA":

      Country Name (2 letter code) [US]:
      State or Province Name (full name) [CA]:
      Locality Name (eg, city) [SanFrancisco]:
      Organization Name (eg, company) [OpenVPN]:
      Organizational Unit Name (eg, section) []:
      Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
      Email Address [[email protected]]:

  2. The server certificate and key:

    build-key-server server

    • When prompted, enter the "Common Name" as "server"
    • When prompted to sign the certificate, enter "y"
    • When prompted to commit, enter "y"
  3. Client certificates and keys:

    1. For each client, choose a name to identify that computer, such as "mike-laptop" in this example.

      build-key mike-laptop

      • When prompted, enter the "Common Name" as the name you have chosen (e.g. "mike-laptop")
    2. Repeat this step for each client computer that will connect to the VPN.
  4. Generate Diffie Hellman parameters (This is necessary to set up the encryption):

    build-dh
    

Configuration Files

  1. Find the sample configuration files:

    Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files
    

Server Config File

  1. Open server.ovpn
  2. Find the following lines:

    ca ca.crt
    cert server.crt
    key server.key

    dh dh1024.pem

  3. Edit them as follows:

    ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
    cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
    key "C:\\Program Files\\OpenVPN\\config\\server.key"

    dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"

  4. Save the file as C:\Program Files\OpenVPN\easy-rsa\server.ovpn

Client Config Files

This is similar to the server configuration.

  1. Open client.ovpn
  2. Find the following lines:

    ca ca.crt
    cert client.crt
    key client.key

  3. Edit them as follows:

    ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
    cert "C:\\Program Files\\OpenVPN\\config\\mike-laptop.crt"
    key "C:\\Program Files\\OpenVPN\\config\\mike-laptop.key"

    • Notice that the name of the client certificate and key files depends upon the Common Name of each client.
  4. Edit the following line, replacing "my-server-1" with your server's public Internet IP Address or Domain Name. If you need help, see Static Internet IP below.

    remote my-server-1 1194

  5. Save the file as C:\Program Files\OpenVPN\easy-rsa\mike-laptop.ovpn in this example. (Each client will need a different, but similar, config file depending upon that client's Common Name.)
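
The doubled backslashes in the edited ca, cert, key and dh lines matter because OpenVPN treats a backslash in a config file as an escape character. The following Python sketch is an added example, not part of the original guide or of OpenVPN's own code: it applies a simplified model of that quoting rule to a constructed config and also reports referenced files that are missing and DH parameter files whose name indicates fewer than 2048 bits. The function names, the 2048-bit threshold and the size-from-filename heuristic are assumptions of this example.

```python
import re

# Added example: a simplified model of OpenVPN's quoting rules, not its parser.
FILE_DIRECTIVES = {"ca", "cert", "key", "dh"}   # the directives this guide edits

def split_line(line):
    # Returns (args, error); a backslash may only escape \, " or a space.
    args, cur, quote, started, i = [], "", None, False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quote != "'":          # no escaping in single quotes
            nxt = line[i + 1:i + 2]
            if nxt not in ("\\", '"', " "):
                return args, "bad backslash before %r" % nxt
            cur, started, i = cur + nxt, True, i + 1
        elif quote:
            quote, cur = (None, cur) if ch == quote else (quote, cur + ch)
        elif ch in "\"'":
            quote, started = ch, True
        elif ch.isspace():
            if started:
                args, cur, started = args + [cur], "", False
        elif ch in "#;" and not started:
            break                                # comment runs to end of line
        else:
            cur, started = cur + ch, True
        i += 1
    return (args + [cur] if started else args), "unterminated quote" if quote else None

def lint_config(text, present):   # present: lower-cased file names on disk
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        args, err = split_line(line)
        if err:
            findings.append((no, err))
        elif len(args) >= 2 and args[0] in FILE_DIRECTIVES:
            name = args[1].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name not in present:
                findings.append((no, "%s file not found: %s" % (args[0], name)))
            m = re.fullmatch(r"dh(\d+)\.pem", name)   # size guessed from name
            if args[0] == "dh" and m and int(m.group(1)) < 2048:
                findings.append((no, "DH parameters under 2048 bits"))
    return findings

SAMPLE = r'''# constructed sample modelled on the edited server.ovpn lines
cert "C:\Program Files\OpenVPN\config\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"'''
PRESENT = {"server.crt", "dh1024.pem"}          # constructed: server.key missing
```

Calling lint_config(SAMPLE, PRESENT) returns one finding per problem line; on a real machine, build the second argument from a listing of the config folder.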

Copying the Server and Client Files to Their Appropriate Directories

  1. Copy these files from C:\Program Files\OpenVPN\easy-rsa\ to C:\Program Files\OpenVPN\config\ on the server:

    ca.crt
    dh1024.pem
    server.crt
    server.key
    server.ovpn

  2. Copy these files from C:\Program Files\OpenVPN\easy-rsa\ on the server to C:\Program Files\OpenVPN\config\ on each client (mike-laptop, in this example):

    ca.crt
    mike-laptop.crt
    mike-laptop.key
    mike-laptop.ovpn
    

Starting OpenVPN

  1. On both client and server, run OpenVPN from:

    Start Menu -> All Programs -> OpenVPN -> OpenVPN GUI

  2. Double click the icon which shows up in the system tray to initiate the connection. The resulting dialog should close upon a successful start.

Further Considerations / Troubleshooting

Firewall Configuration

If you have connection problems, make sure to set a rule on your server's firewall allowing incoming traffic on UDP port 1194.

Port Forwarding

If your server is behind a router, you will need to forward the port chosen for OpenVPN (in this example UDP 1194) to the server. Consult your router's documentation for details on this.

To set up port forwarding, you will likely need to set up the server with a static local IP address instead of the default dynamic (changing) IP. Instructions for Windows XP may be found here. Make sure to choose a static IP address that is not in the range your router might assign as a dynamic IP, but is within the router's subnet (usually 192.168.0.xxx, 10.0.0.xxx, or similar).

Static Internet IP

Your server will need to have a static internet IP or Domain Name to be accessible over the long term. One solution is to sign up for an account with DynDNS and install the DynDNS Updater on your server. When signing up you will determine the static Domain Name of your server. (For example, "myserver.dyndns.org") You will use this Domain Name in the client configuration files as part of the "remote" directive.

Running OpenVPN as a Service

Running OpenVPN as a service will allow:

  • OpenVPN to be run from a non-administrator account.
  • OpenVPN to be started automatically on system startup. This is often preferred on the server machine, as well as any machines which will be constantly connected to the server.

To run OpenVPN as a service:

  1. Run the Windows Service administrative tool:

    1. Press Windows Key + R
    2. Type "services.msc" and press Enter.
      services.msc

  2. Find the OpenVPN service, and set its Startup Type to "automatic."
  3. Optionally, start the service now.

Security Tips

  1. Transmit all needed files to the client computers using a secure means such as a USB drive (email is not always a secure means).
  2. Choose a port other than UDP 1194, and replace the port number wherever this guide mentions UDP port 1194.

Cloning OpenVPN Servers

If you include OpenVPN in a cloned server build, you will find that all servers have the same MAC address for the TAP device. This will cause packet loss across the network. Standard methods of changing the IP address from scripts do not work on the TAP device. To resolve this, delete and recreate the TAP device using the scripts included with OpenVPN:

C:\Program Files\OpenVPN\bin\deltapall
C:\Program Files\OpenVPN\bin\addtap

You will then have to rename the connection to match the entry in the config file.

Last modified on 02/01/17 17:06:32

Time: 2024-12-23 19:39:56
