Need a secure, encrypted way to access your network? Why not turn to OpenVPN on Windows Server? Setting up your first VPN can be a pain, but you’ve come to the right place!
In this tutorial, you’ll learn how to set up a free VPN and keep malicious entities out of your Windows Server.
Ready to secure your network? Well, dive right in!
Prerequisites
This tutorial will be a hands-on demonstration. If you’d like to follow along, be sure you have the following:
- A Windows Server – This tutorial uses Windows Server 2019 R2.
- A client machine to test the VPN server – This demo uses Windows 10 64 bit.
- Access to the Windows Server desktop via Remote Desktop (RDP) or your preferred remote desktop client – This demo uses the default Windows RDP client.
Installing OpenVPN on Windows Server
OpenVPN works on different operating systems, but it doesn’t come with your OS installation. Kick off this tutorial by installing OpenVPN on your server.
1. Open your favorite browser and navigate to the OpenVPN download page. Download the Windows 64-bit MSI installer package to your server and run the installer.
2. Next, click Customize on the installer wizard’s initial page, as shown below. The Customize option lets you install extra items for your VPN server.
3. On the Custom Installation page, click on the OpenVPN Service drop-down menu —> Will be installed on local hard drive to install the OpenVPN Service to your system. This option also enables the OpenVPN Service at your system boot.
4. Now, scroll down, and click on the OpenSSL Utilities drop-down menu —> Will be installed on local hard drive option. This option installs the OpenSSL libraries and development headers, which the OpenVPN Service requires for certain cryptographic functions.
Click on Install Now to install OpenVPN on your server.
5. Finally, click on Close when the installation completes.
Generating Certificates and Keys for the Server and Clients
You now have OpenVPN installed on your server, but how will you secure the connection between your server and its client(s)? You’ll generate certificates and keys for your server and client(s).
Certificates and keys provide mutual authentication and an encrypted connection between your server and client(s). Generating a certificate produces a key pair: a private key that stays on the machine it was made for, and a public key embedded in the certificate.
1. Open your command prompt as an administrator. Some OpenVPN commands require elevated privileges to run.
2. Next, run the commands below to start the easy-rsa shell. The easy-rsa shell is used to manage certificates, keys, and configurations. EasyRSA will be your main command-line interface for the rest of the tutorial.
cd C:\Program Files\OpenVPN\easy-rsa
EasyRSA-Start.bat
3. Run the ./easyrsa clean-all command below to clear any existing keys and configurations. This command ensures that you start with a clean configuration.
./easyrsa clean-all
4. Now, run the ./easyrsa init-pki command to initialize the Public Key Infrastructure (PKI) and create a new directory structure for your certificates and keys.
Public Key Infrastructure (PKI) is a framework that allows you to create and manage public and private keys for your server and client(s) to use.
./easyrsa init-pki
Type yes and press Enter to confirm that you want to destroy any existing keys and create a new PKI, as shown below.
5. Run the command below to create the Certificate Authority (CA) (build-ca). The CA is responsible for issuing certificates to servers and clients, signing those certificates, revoking certificates, and so on.
The nopass option stores the CA private key without a passphrase, so you are not prompted for it each time you sign a server or client certificate. The trade-off is that anyone who can read ca.key can issue certificates your VPN will trust, so keep the pki\private folder restricted to administrators.
./easyrsa build-ca nopass
When configuring your VPN, you will need to generate a certificate for your server and client(s) signed by the Certificate Authority (CA).
6. Run the command below to build the server certificate and key (build-server-full). This command creates the OpenVPN server certificate and key, signs the certificate with your CA, and places the certificate in the pki\issued subdirectory and the key in pki\private.
./easyrsa build-server-full server nopass
7. Next, run the following command to generate the Diffie-Hellman parameters (gen-dh), then close your easyrsa shell.
Diffie-Hellman is a key-agreement protocol that lets two parties derive a shared secret over an untrusted network. OpenVPN uses these parameters for ephemeral key exchange during the TLS handshake, which gives your VPN forward secrecy: past sessions stay confidential even if the server’s long-term private key is stolen later.
./easyrsa gen-dh
By now, you have all the necessary TLS key files required for your OpenVPN service, listed in the table below.
| Folder Path | Content |
|---|---|
| C:\Program Files\OpenVPN\easy-rsa\pki | CA certificate, DH parameters, and other OpenSSL-related files such as the config file. |
| C:\Program Files\OpenVPN\easy-rsa\pki\private | Contains the private key files of the CA, server, and client certificates. |
| C:\Program Files\OpenVPN\easy-rsa\pki\issued | Contains issued server and client certificates. |
8. Finally, open your File Explorer, and copy the files listed below to the C:\Program Files\OpenVPN\config-auto folder.
- C:\Program Files\OpenVPN\easy-rsa\pki\ca.crt
- C:\Program Files\OpenVPN\easy-rsa\pki\dh.pem
- C:\Program Files\OpenVPN\easy-rsa\pki\issued\server.crt
- C:\Program Files\OpenVPN\easy-rsa\pki\private\server.key
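To check the generated material before the service uses it, here is an added PowerShell example; it is not part of the original tutorial, nor OpenVPN’s or EasyRSA’s own code. It assumes the default install paths used in this tutorial, that EasyRSA 3 produced ca.crt, dh.pem, issued\server.crt and private\server.key, that a client certificate named client01 was issued in the same EasyRSA shell with ./easyrsa build-client-full client01 nopass, and that openssl.exe from the OpenSSL Utilities component is in C:\Program Files\OpenVPN\bin. It copies the server files into config-auto, verifies that the server and client certificates chain to the CA and are still valid, restricts the private keys to SYSTEM and Administrators, and stages the client’s files in one folder for transfer.

```powershell
# Added example (not from the original tutorial). Run from an elevated
# PowerShell prompt on the server after the EasyRSA steps above.
$ErrorActionPreference = 'Stop'

$Pki     = 'C:\Program Files\OpenVPN\easy-rsa\pki'
$Dest    = 'C:\Program Files\OpenVPN\config-auto'
$OpenSsl = 'C:\Program Files\OpenVPN\bin\openssl.exe'   # assumed location of the OpenSSL Utilities component

# Files the server needs, as EasyRSA 3 names them
$ServerFiles = @(
    "$Pki\ca.crt",
    "$Pki\dh.pem",
    "$Pki\issued\server.crt",
    "$Pki\private\server.key"
)

# Files a client needs: the CA certificate and its own certificate and key only.
# The CA key and the server key never leave the server.
$ClientName  = 'client01'   # assumed name used with ./easyrsa build-client-full
$ClientFiles = @(
    "$Pki\ca.crt",
    "$Pki\issued\$ClientName.crt",
    "$Pki\private\$ClientName.key"
)

function Copy-OpenVpnFiles {
    param([string[]]$Files, [string]$Target)
    foreach ($f in $Files) {
        if (-not (Test-Path -LiteralPath $f)) {
            throw "Missing: $f (did the EasyRSA step that produces it run?)"
        }
        Copy-Item -LiteralPath $f -Destination $Target -Force
    }
}

# Confirm a certificate chains to our CA and is within its validity period,
# then print its subject and expiry so the result can be eyeballed.
function Test-OpenVpnCert {
    param([string]$CertPath)
    & $OpenSsl verify -CAfile "$Pki\ca.crt" $CertPath
    if ($LASTEXITCODE -ne 0) { throw "Verification failed for $CertPath" }
    & $OpenSsl x509 -in $CertPath -noout -subject -enddate
}

# Replace inherited permissions on a private key with SYSTEM (the account the
# OpenVPN service runs as) and Administrators only.
function Protect-PrivateKey {
    param([string]$KeyPath)
    $acl = Get-Acl -LiteralPath $KeyPath
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited rules
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $KeyPath -AclObject $acl
}

Copy-OpenVpnFiles -Files $ServerFiles -Target $Dest
Test-OpenVpnCert "$Dest\server.crt"
Test-OpenVpnCert "$Pki\issued\$ClientName.crt"
Protect-PrivateKey "$Dest\server.key"
Protect-PrivateKey "$Pki\private\ca.key"

# Stage the client bundle in one folder; move it to the client over a
# trusted channel (RDP clipboard, SCP), never over the VPN you are building.
$ClientBundle = "$env:USERPROFILE\Desktop\$ClientName-bundle"
New-Item -ItemType Directory -Path $ClientBundle -Force | Out-Null
Copy-OpenVpnFiles -Files $ClientFiles -Target $ClientBundle
```

If openssl verify reports anything other than OK for server.crt, the most common cause is that clean-all or init-pki was re-run after the CA was built, so the certificate was signed by a CA that no longer exists; rebuild the CA and the certificates in that order.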
Configuring your Windows Firewall Rules
Now that you have configured your OpenVPN server, your next step is to ensure that you can access the service. You will need to configure the Windows Firewall to allow OpenVPN traffic.
1. Run the netsh command below to allow OpenVPN traffic through your Windows Firewall. The command:
- Configures Windows Firewall (advfirewall firewall) by adding an inbound rule named OpenVPN (add rule name="OpenVPN" dir=in).
- Allows (action=allow) traffic from any remote address (remoteip=any) to any local address (localip=any).
- Opens local UDP port 1194 (localport=1194 protocol=UDP) for any remote source port (remoteport=0-65535).
netsh advfirewall firewall add rule name="OpenVPN" dir=in localport=1194 remoteport=0-65535 protocol=UDP action=allow remoteip=any localip=any
2. Open your C:\Program Files\OpenVPN\config-auto\server.ovpn file in your preferred text editor to preview its content, as shown below.
An .ovpn file is an OpenVPN configuration file. It contains all the settings OpenVPN needs to establish a connection, such as the transport protocol, the tunnel type, and the certificate and key files to use. For this tutorial, you will need a .ovpn file on both the server and the client.
Finally, run the following commands to restart your OpenVPN service to apply your changes.
net stop openvpnservice
net start openvpnservice
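Here is the server-side procedure above as one added PowerShell example; it is not part of the original tutorial or of OpenVPN’s own code. The directives in server.ovpn are assumptions chosen to match the client configuration used later in this tutorial (tun, UDP, port 1194, comp-lzo, tunnel subnet 10.8.0.0/24); the service name OpenVPNService and the log path C:\Program Files\OpenVPN\log\server.log are also assumptions about the default Windows installation. The script writes the config, adds the same firewall rule as the netsh command via the NetSecurity module, restarts the service, and then checks that it is the openvpn process that is actually bound to UDP 1194.

```powershell
# Added example (not from the original tutorial). Run from an elevated
# PowerShell prompt on the server.
$ErrorActionPreference = 'Stop'
$ConfigDir = 'C:\Program Files\OpenVPN\config-auto'
$LogFile   = 'C:\Program Files\OpenVPN\log\server.log'   # assumed log location for config-auto\server.ovpn

# Minimal server configuration (assumed content; adjust to your network).
$ServerConfig = @'
port 1194
proto udp
dev tun
# certificate and key files copied from the EasyRSA pki folder
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# tunnel subnet: the server takes 10.8.0.1, clients are assigned the rest
server 10.8.0.0 255.255.255.0
# remember which client got which address across restarts
ifconfig-pool-persist ipp.txt
# ping every 10 s, assume the peer is gone after 120 s of silence
keepalive 10 120
persist-key
persist-tun
# must match the client; both sides use comp-lzo in this tutorial
comp-lzo
status openvpn-status.log
verb 3
'@

Set-Content -LiteralPath "$ConfigDir\server.ovpn" -Value $ServerConfig -Encoding ASCII

# Inbound UDP 1194 from anywhere, equivalent to the netsh rule above.
if (-not (Get-NetFirewallRule -DisplayName 'OpenVPN' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'OpenVPN' -Direction Inbound -Protocol UDP `
        -LocalPort 1194 -Action Allow -Profile Any | Out-Null
}

Restart-Service -Name 'OpenVPNService'

# Returns $true only if a process named openvpn owns the UDP 1194 socket.
function Test-OpenVpnListening {
    param([int]$Port = 1194)
    Start-Sleep -Seconds 3   # give the service time to parse the config and bind
    $endpoint = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    if (-not $endpoint) {
        # Nothing is bound: the log usually states which config line was rejected.
        if (Test-Path -LiteralPath $LogFile) { Get-Content -LiteralPath $LogFile -Tail 20 }
        return $false
    }
    $proc = Get-Process -Id ($endpoint | Select-Object -First 1).OwningProcess
    return ($proc.Name -eq 'openvpn')
}

Test-OpenVpnListening
```

A rule restricted to the network profile that faces the internet (for example -Profile Public) is tighter than -Profile Any; the script uses Any only to mirror the netsh command.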
Configuring your Client
Apart from configuring your server to allow OpenVPN traffic, you’ll also need to configure your client. In OpenVPN, a client is any machine that connects to the VPN. This demo uses Windows 10 to connect to the server.
1. Install OpenVPN on your client as you did in the “Installing OpenVPN on Windows Server” section.
2. Copy the files listed below from your server to your client’s C:\Program Files\OpenVPN\config folder.
- C:\Program Files\OpenVPN\easy-rsa\pki\ca.crt
- C:\Program Files\OpenVPN\easy-rsa\pki\issued\client01.crt
- C:\Program Files\OpenVPN\easy-rsa\pki\private\client01.key
3. Finally, open the C:\Program Files\OpenVPN\config\client.ovpn file and populate the file with the content below. Replace YOUR_OPENVPN_IP with your actual Windows Server IP address.
# Act as an OpenVPN client (the server side uses "server" directives instead).
client
# Use a routed IP tunnel (tun); "tap" would create a bridged Ethernet tunnel instead.
dev tun
# Transport protocol for this VPN connection (must match the server).
proto udp
# Address and port of your OpenVPN server; 1194 is OpenVPN's default port.
remote YOUR_OPENVPN_IP 1194
# Keep retrying to resolve the server's hostname indefinitely,
# useful when the client starts before the network is up.
resolv-retry infinite
# Do not bind to a fixed local port; the client uses a dynamic source port.
nobind
# Keep the key material in memory across restarts instead of re-reading the files.
persist-key
# Keep the tun device open across restarts instead of closing and reopening it.
persist-tun
# The CA certificate used to verify the server's certificate.
# Copy it from your VPN server.
ca ca.crt
# This client's certificate.
cert client01.crt
# This client's private key.
key client01.key
# Enable LZO compression of tunnel data (must match the server's setting).
comp-lzo
# Log verbosity; 3 gives enough detail to troubleshoot a connection
# without flooding the log (the scale runs from 0 to 11).
verb 3
Testing your Client’s VPN Connection
Now that you have installed and configured both server and client, it is time to test whether the connection between them works properly.
On your Windows 10 client, run the OpenVPN GUI.
Right click on the OpenVPN status icon (monitor with a padlock icon) in the notification area, and choose Connect to connect the client to your VPN.
Once the client is connected, the OpenVPN status icon turns green, and you’ll get a vpn is now connected notification, as shown below.
For double-checking, you can ping your VPN server using its tunnel IP address (10.8.0.2).
ping 10.8.0.2
The output below confirms that your VPN works as intended.
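The same check from the command line, as an added PowerShell example that is not part of the original tutorial: it reports whether the tunnel adapter received an address, whether the server’s tunnel address answers, and whether the client’s internet traffic is actually routed through the VPN. $ServerTunnelIp is the address the tutorial pings; the 10.8.0.x prefix is an assumption about the server’s tunnel subnet.

```powershell
# Added example (not from the original tutorial). Run on the Windows 10 client
# after the OpenVPN GUI reports that the connection is up.
$ServerTunnelIp = '10.8.0.2'
$TunnelPrefix   = '10.8.0.'   # assumed tunnel subnet handed out by the server

# The TAP/Wintun adapter only carries an address while the tunnel is up.
function Get-VpnTunnelAddress {
    Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress.StartsWith($TunnelPrefix) } |
        Select-Object -First 1
}

function Test-VpnTunnel {
    $tunnel = Get-VpnTunnelAddress
    if (-not $tunnel) {
        return [pscustomobject]@{
            Connected = $false; LocalAddress = $null
            ServerReachable = $false; InternetViaVpn = $false
        }
    }
    $reach = Test-Connection -ComputerName $ServerTunnelIp -Count 2 -Quiet

    # With the client.ovpn above (no redirect-gateway) only the tunnel subnet is
    # routed over the VPN; ordinary web traffic still leaves via the local
    # network unless the server pushes redirect-gateway. A pushed
    # "redirect-gateway def1" shows up as 0.0.0.0/1 and 128.0.0.0/1 routes on
    # the tunnel interface; without def1 it replaces 0.0.0.0/0 instead.
    $vpnRoutes = Get-NetRoute -InterfaceIndex $tunnel.InterfaceIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix -in '0.0.0.0/0', '0.0.0.0/1', '128.0.0.0/1' }

    [pscustomobject]@{
        Connected       = $true
        LocalAddress    = $tunnel.IPAddress
        ServerReachable = $reach
        InternetViaVpn  = [bool]$vpnRoutes
    }
}

Test-VpnTunnel | Format-List
```

InternetViaVpn being False after a successful connection is expected with the configuration in this tutorial: the VPN protects traffic to the server’s tunnel network, and the server has to push redirect-gateway before web browsing goes through it.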
Conclusion
In this tutorial, you have learned the proper steps to install OpenVPN on Windows Server. You also learned to configure the OpenVPN server and client via an OpenVPN configuration file (.ovpn). At this point, you now have a fully-functional VPN service that you can use to secure your internet connection to browse the web safely.
Now, why not extend your VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway service with this newfound knowledge?