How to Create a VPN with OpenVPN On Window Server

Published:7 February 2022 - 8 min. read

Nicholas Xuan Nguyen Image

Nicholas Xuan Nguyen

Read more tutorials by Nicholas Xuan Nguyen!

Meet Active Directory and Windows Server auditing, security and compliance needs with ManageEngine ADAudit Plus. Download Free Trial!

Need a secure, encrypted way to access your internet? Why not turn to OpenVPN on Window Server? Setting up your first VPN could be a pain, but you’ve come to the right place!

In this tutorial, you’ll learn how to set up a free VPN and keep malicious entities out of your Windows Server.

Ready to secure your network? Well, dive right in!

Prerequisites

This tutorial will be a hands-on demonstration. If you’d like to follow along, be sure you have the following:

  • A Windows Server – This tutorial uses Window Server 2019 R2.
  • A client machine to test the VPN server – This demo uses Windows 10 64 bit.
  • Connect to the desktop on a Windows Server using Remote Desktop (RDP) or your preferred desktop manager client – This demo uses the default RDP window client.

Installing OpenVPN on Window Server

OpenVPN works on different operating systems, but it doesn’t come with your OS installation. Kick off this tutorial by installing OpenVPN on your server.

1. Open your favorite browser and navigate to the OpenVPN download page. Download the Windows 64-bit MSI installer package to your server and run the installer.

Downloading the Windows 64-bit MSI installer package
Downloading the Windows 64-bit MSI installer package

2. Next, click Customize on the installer wizard’s initial page, as shown below. The Customize option lets you install extra items for your VPN server.

Customizing the OpenVPN installer
Customizing the OpenVPN installer

3. On the Custom Installation page, click on the OpenVPN Service drop-down menu —> Will be installed on local hard drive to install the OpenVPN Service to your system. This option also enables the OpenVPN Service at your system boot.

Enabling the OpenVPN Service
Enabling the OpenVPN Service

4. Now, scroll down, and click on the OpenSSL Utilities drop-down menu —> Will be installed on local hard drive option. This option makes OpenSSL Libraries and development headers available for the OpenVPN Service and required by the OpenVPN Service for certain cryptographic functions.

Click on Install Now to install OpenVPN on your server.

Enabling the OpenSSL Utilities and installing OpenVPN
Enabling the OpenSSL Utilities and installing OpenVPN

5. Finally, click on Close when the installation completes.

Closing the Customization Installation Wizard
Closing the Customization Installation Wizard

Generating Certificates and Keys for the Server and Clients

You now have OpenVPN installed on your server, but how will you secure your server’s connection to the client(s)? You’ll generate certificates and keys for your server and client(s).

Certificates and keys are used to provide an encrypted connection between your server and client(s). You get a unique public and private key upon generating a certificate.

1. Open your command prompt as an administrator. Some OpenVPN commands require elevated privileges to run.

Opening your Command Prompt as an administrator
Opening your Command Prompt as an administrator

2. Next, run the commands below to start the easy-rsa shell. The easy-rsa shell is used to manage certificates, keys, and configurations.

EasyRSA will be your main command-line interface for the rest of the tutorial.

cd C:\Program Files\OpenVPN\easy-rsa
EasyRSA-Start.bat
Accessing the EasyRSA shell
Accessing the EasyRSA shell

3. Run the ./easyrsa clean-all command below to clear any existing keys and configurations. This command ensures that you start with a clean configuration.

./easyrsa clean-all 
Clearing Existing Keys and Configurations
Clearing Existing Keys and Configurations

4. Now, run the ./easyrsa init-pki command to initialize the Public Key Infrastructure (PKI) and create a new directory structure for your certificates and keys.

Public Key Infrastructure (PKI) is a framework that allows you to create and manage public and private keys for your server and client(s) to use.

./easyrsa init-pki 

Type yes and press Enter to confirm that you want to destroy any existing keys and create a new PKI, as shown below.

Initializing the Public Key Infrastructure (PKI)
Initializing the Public Key Infrastructure (PKI)

5. Run the command below to create the Certificate Authority (CA) (build-ca). The CA is responsible for issuing certificates to servers and clients, signing those certificates, revoking certificates, and so on.

The nopass option is used, so you don’t have to enter a password every time you copy the certificates and keys to your clients. ./easyrsa build-ca nopass

./easyrsa build-ca nopass

When configuring your VPN, you will need to generate a certificate for your server and client(s) signed by the Certificate Authority (CA).

Creating the Certificate Authority (CA)
Creating the Certificate Authority (CA)

6. Run the below command to build the server certificate and key (build-server-full). This command creates the OpenVPN server certificate and key, signs it with your CA, and places the files in the keys subdirectory.

./easyrsa build-server-full server nopass
Building the Server Certificate and Key
Building the Server Certificate and Key

7. Next, run the following command to generate the Diffie-Hellman parameters (gen-dh), then close your easyrsa shell.

Diffie-Hellman is a protocol that allows two users to exchange cryptographic keys over an unsecured connection. Diffie-Hellman will be required to ensure that your VPN stays secure even if your encryption keys are stolen.

./easyrsa gen-dh
Generating the Diffie-Hellman Parameters
Generating the Diffie-Hellman Parameters

By now, you have all the necessary SSL/TLS key files required for your OpenVPN service listed in the table below.

Folder PathContent
C:\Program Files\OpenVPN\easy-rsa\pkiCA file, DH file, and other OpenSSL-related files like a config file.
C:\Program Files\OpenVPN\easy-rsa\pki\privateInclude the private key files of CA, Server, and Client certificates.
C:\Program Files\OpenVPN\easy-rsa\pki\issuedContains issued server and client certificates.

8. Finally, open your File Explorer, and copy the files listed below to the C:\Program Files\OpenVPN\config-auto and C:\Program Files\OpenVPN\easy-rsa\pki\private folders.

C:\Program Files\OpenVPN\easy-rsa\pki\ca.cert
C:\Program Files\OpenVPN\easy-rsa\pki\dh.pem
C:\Program Files\OpenVPN\easy-rsa\pki\issued\server.cert
C:\Program Files\OpenVPN\easy-rsa\pki\private\server.key

Configuring your Windows Firewall Rules

Now that you have configured your OpenVPN server, your next step is to ensure that you can access the service. You will need to configure the Windows Firewall to allow OpenVPN traffic.

1. Run the netsh command below to allow traffic through your Windows firewall with the following:

  • Configures (advfirewall) Windows Firewall (firewall) by adding a rule named OpenVPN (add rule name="OpenVPN") to the Windows Firewall.
  • Allows (action=allow) all local IP addresses (localip=any) and external devices (remoteip=any) to communicate over this rule.
  • Tells the server which port to open (localport=1194 remoteport=0-65535) and what type of protocol to use (protocol=UDP).
netsh advfirewall firewall add rule name="OpenVPN" dir=in localport=1194 remoteport=0-65535 protocol=UDP action=allow remoteip=any localip=any
Configuring your Windows Firewall Rules
Configuring your Windows Firewall Rules

2. Open your C:\Program Files\OpenVPN\config-auto\server.ovpn file in your preferred text editor to preview its content, as shown below.

An .ovpn file is an OpenVPN configuration file. It contains all the information that OpenVPN needs to connect to a VPN, like encryption and authentication keys. For this tutorial, you will need a .ovpn file in order to configure your connection with your VPN server.

Edit your C:\Program Files\OpenVPN\config-auto\server.ovpn file.
Edit your C:\Program Files\OpenVPN\config-auto\server.ovpn file.

Finally, run the following commands to restart your OpenVPN service to apply your changes.

net stop openvpnservice
net start openvpnservice
Restarting your OpenVPN service
Restarting your OpenVPN service

Configuring your Client

Apart from configuring your server to allow OpenVPN traffic, you’ll also need to configure your client. In OpenVPN, a client is any machine that connects to the VPN. This demo uses Windows 10 to connect to the server.

1. Install OpenVPN on your client as you did in the “Installing OpenVPN on your Server” ****section.

2. Copy the files listed below from your server to your client’s C:\Program Files\OpenVPN\config folder.

C:\Program Files\OpenVPN\easy-rsa\pki\ca.cert
C:\Program Files\OpenVPN\easy-rsa\pki\issued\client.crt
C:\Program Files\OpenVPN\easy-rsa\pki\issued\client.key

3. Finally, open the C:\Program Files\OpenVPN\config\client.ovpn file and populate the file with the content below. Replace YOUR_OPENVPN_IP with your actual Windows Server IP address.

# client is your account name, but you can choose your preferred name
client
# dev tun is the kind of VPN connection you need, using an ethernet connection.
dev tun
# Protocol (UDP) used this VPN connection
proto udp
# Set the IP address of your OpenVPN server. 
# 1194 is the port of your OpenVPN server.
remote YOUR_OPENVPN_IP 1194
# Resolve your domain names when they are not found, 
# so you don't see "domain not found" errors.
resolv-retry infinite
# Change the value from "nobind" to "sea " to disconnect your internet 
# when the VPN ID is disconnected.
nobind
# Your encryption key will be saved for the next time 
# you connect to the OpenVPN server.
persist-key
# your VPN connection will be saved for the next time you use it.
persist-tun
# The certificate your VPN server uses to identify itself to you (the client). 
# You can download it from your VPN server.
ca ca.crt
# the name of your certificate.
cert client01.crt
# the name of your encryption key.
key client01.key
# LZO data compression will compress your blocks of data 
# before sending so that the data should be smaller and faster.
comp-lzo
# The level of verbosity of your output will be set to the maximum.
# So that you will get the most amount of information from your connection.
# This feature is handy when trying to debug your connection.
verb 3

Testing your Client’s VPN Connection

Now that you have installed and configured both server and client, it is time to test whether the connection between them works properly.

On your Windows 10 client, run the OpenVPN GUI.

Running the OpenVPN GUI
Running the OpenVPN GUI

Right click on the OpenVPN status icon (monitor with a padlock icon) in the notification area, and choose Connect to connect the client to your VPN.

Once the client is connected, the OpenVPN status icon turns green, and you’ll get a vpn is now connected notification, as shown below.

Connecting to your VPN
Connecting to your VPN

For double-checking, you can ping your VPN server using the assigned IP address (10.8.0.2).

ping [10.8.0.2](<http://10.8.0.2/>)

The output below confirms that your VPN works as intended.

pinging to your VPN server
pinging to your VPN server

Conclusion

In this tutorial, you have learned the proper steps to install OpenVPN on Windows Server. You also learned to configure the OpenVPN server and client via an OpenVPN configuration file (.ovpn). At this point, you now have a fully-functional VPN service that you can use to secure your internet connection to browse the web safely.

Now, why not extend your VPN Connectivity to Amazon AWS VPC using AWS VPC VPN Gateway service with this newfound knowledge?

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!