OpenVPN as a server on Windows

Before you read this post, familiarize yourself with the basics of running a VPN server on a home PC. These basics are explained in Helping friends in foreign countries. Most of that post applies to all home VPN servers, even if the clients are actually in the same country as you.

You can then proceed to install OpenVPN as a server on your PC.

We use Windows as a sample client at the end of this tutorial, but OpenVPN client software also exists for Linux, macOS, Android, and iOS.

Decisions

Decide whether your clients will access your PC by IP address or by DNS name.

In the examples in this post, we have used the DNS name alice.cscot.buzz.

Decide on a protocol and port for your clients to reach your PC. OpenVPN supports both TCP and UDP. TCP is more reliable, whereas UDP is faster. If clients are subject to censorship, you may have heard about the old trick of using TCP on port 443. This rarely works against modern firewalls.

We will use UDP on port 1194 in our examples.

Open your PC’s firewall

We are using udp/1194 for client input. You should have already opened that port on your router and forwarded it to your PC. Now open that port for input in the Windows firewall like this:

  1. In the Windows search box, type firewall.
  2. Select Windows Defender Firewall with Advanced Security.
  3. In the left pane, select Inbound Rules.
  4. In the right pane, select New Rule.
  5. Type is Port. Click Next.
  6. Type is UDP, and specific local port as 1194. Click Next.
  7. Action is Allow. Click Next.
  8. Leave all domains checked. Click Next.
  9. Set the Name to OpenVPN Inbound.
  10. Click Finish.

When you are done, close Windows Defender Firewall with Advanced Security.

Install OpenVPN

Open your browser, and go to the OpenVPN Community Downloads page at https://openvpn.net/community-downloads.

Download the Windows 64-bit MSI installer. Run the installer.

Don’t install immediately. Make sure you click the Customize button first.

  • Deselect the OpenVPN GUI, but make sure the OpenVPN Service remains selected
  • Select the EasyRSA 3 Certificate Management Scripts

Click Install now.

When the installation is complete, click Close.

Initialize public key infrastructure

The installer has placed the EasyRSA 3 Certificate Management Scripts in C:\Program Files\OpenVPN\easy-rsa.

In the Windows search box, type cmd. Right-click on the Command Prompt app, and select Run as administrator.

Enter the command:

cd C:\Program Files\OpenVPN\easy-rsa

Open an Easy-RSA shell:

EasyRSA-Start.bat

Initialize your public key infrastructure by entering the command:

./easyrsa init-pki

Your newly created public key infrastructure directory is C:\Program Files\OpenVPN\easy-rsa\pki. It has a variables file named vars inside it.

Optionally, launch Notepad with the Run as administrator option, and edit C:\Program Files\OpenVPN\easy-rsa\pki\vars to your liking. Save the file if you edited it.

Create Certification Authority

Create your CA. Inside the Easy-RSA shell enter the command:

./easyrsa build-ca nopass

You are prompted for a Common Name. If you just press Enter, the Common Name defaults to Easy-RSA CA.

Your new CA certificate file is created at C:/Program Files/OpenVPN/easy-rsa/pki/ca.crt.

Build server certificate and key

Build a server certificate and key. In our example, the server will be named alice.

./easyrsa build-server-full alice nopass

You are asked to type the word yes to confirm the details.

The certificate is created at C:/Program Files/OpenVPN/easy-rsa/pki/issued/alice.crt. The inline file, which we will not use in this tutorial, is created at C:/Program Files/OpenVPN/easy-rsa/pki/inline/alice.inline.

Build client certificate(s) and key(s)

For each client, build a client certificate and key. In our example, the first client will be named bob:

./easyrsa build-client-full bob nopass

You are asked to type the word yes to confirm the details.

The certificate is created at C:/Program Files/OpenVPN/easy-rsa/pki/issued/bob.crt. In this tutorial, we will use the automatically generated inline file to make it easier to construct a client .ovpn file. The inline file is created at C:/Program Files/OpenVPN/easy-rsa/pki/inline/bob.inline.

Build Diffie-Hellman parameters

The Diffie-Hellman parameters are used only by an OpenVPN server. They are not needed on the client(s).

./easyrsa gen-dh

After the generation process, the Diffie-Hellman parameters of size 2048 are created at C:/Program Files/OpenVPN/easy-rsa/pki/dh.pem.

Build TLS encryption key

Open a browser. Download the most recent Easy-TLS source code .zip file from https://github.com/TinCanTech/easy-tls/releases.

Unzip the .zip file.

Copy the file easytls into C:\Program Files\OpenVPN\easy-rsa. You need administrator permissions to do this.

Back inside the Easy-RSA shell in the Command Prompt window, initialize Easy-TLS:

./easytls init-tls

Build a TLS crypt v1 key:

./easytls build-tls-crypt

The TLS crypt v1 key is created at C:/Program Files/OpenVPN/easy-rsa/pki/easytls/tls-crypt.key.

Exit the Easy-RSA shell:

exit

Close the Command Prompt window for now.

Create server configuration file

Launch Notepad running as administrator.

Use the following as a model for your configuration. Of course, you must change values such as the protocol (udp), port (1194), and server name (alice) to match your choices.

dev tun
proto udp
port 1194
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\issued\\alice.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\private\\alice.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\dh.pem"
tls-crypt "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\easytls\\tls-crypt.key"
cipher AES-256-GCM
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
push "block-outside-dns"
keepalive 10 60
persist-key
persist-tun
explicit-exit-notify 1
verb 3

When you are done editing, save the file as C:\Program Files\OpenVPN\config-auto\alice.ovpn. Make sure you use the directory name config-auto and that Notepad does not add .txt to the end of the file name.

Close Notepad.

Enable forwarding

Open Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings.

You will see that the installation has created a new network adapter described as TAP-Windows Adapter V9. It will have a name such as OpenVPN TAP-Windows 6.

Now open a Command Prompt window running as administrator. Determine the interface number of OpenVPN TAP-Windows 6 (or whatever name applies in your case) as follows. Issue the command:

netsh int ipv4 show int

Note down the interface index number of the OpenVPN TAP-Windows 6 adapter (or whatever name applies in your case). In our example, the interface index number was 11.

See if forwarding is enabled. For example, if your interface index is 11:

netsh int ipv4 show int 11 | findstr "Forwarding"

If forwarding is disabled, then enable forwarding by issuing the command:

netsh int ipv4 set int 11 Forwarding="enabled"

Double-check the results show Forwarding is enabled:

netsh int ipv4 show int 11 | findstr "Forwarding"

Close the Command Prompt window for now.

Close the Control Panel for now.

Enable routing

In the Windows search box, type regedit, right-click Registry Editor, and select Run as administrator. In the left pane, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.

Find IPEnableRouter of type REG_DWORD.

Set its value to 1.

Click OK.

Close Registry Editor.

Start services

In the Windows search box, type services, right-click the Services app, and select Run as administrator.

Find the row for Routing and Remote Access.

  1. Right-click on it, and select Properties.
  2. Set the Startup type to Automatic.
  3. Click Apply.
  4. Click Start.
  5. Click OK.

Locate the row for OpenVPN Interactive service.

  1. Right-click, and select Properties.
  2. Click Stop.
  3. Change its Startup type to Manual.
  4. Click Apply.
  5. Click OK.

Locate the row for OpenVPNService.

  1. Stop the service.
  2. Start the service.

Close the Services app.

Open Windows File Explorer. Navigate to C:\Program Files\OpenVPN\log. Check the log file alice.log for any error messages. It should show Initialization Sequence Completed.
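The firewall, forwarding, routing and service steps above can also be done and verified in one pass from an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes the TAP adapter is named OpenVPN TAP-Windows 6, the server profile is alice.ovpn, and the Windows service names are RemoteAccess, OpenVPNServiceInteractive and OpenVPNService.

```powershell
# Added example (not from the original post): reproduces the firewall, forwarding,
# routing and service steps above from an elevated PowerShell prompt and verifies each.
# Assumptions: TAP adapter alias 'OpenVPN TAP-Windows 6', profile alice.ovpn, and the
# service names RemoteAccess, OpenVPNServiceInteractive and OpenVPNService.
$ErrorActionPreference = 'Stop'
$tapAlias = 'OpenVPN TAP-Windows 6'   # adjust to the name shown in Network Connections
$port     = 1194
$logFile  = 'C:\Program Files\OpenVPN\log\alice.log'

# 1. Inbound rule limited to UDP/1194 (skipped if it already exists).
if (-not (Get-NetFirewallRule -DisplayName 'OpenVPN Inbound' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'OpenVPN Inbound' -Direction Inbound -Protocol UDP `
        -LocalPort $port -Action Allow -Profile Any | Out-Null
}

# 2. IPv4 forwarding on the TAP interface (same effect as the netsh command above).
$tap = Get-NetIPInterface -InterfaceAlias $tapAlias -AddressFamily IPv4
if ($tap.Forwarding -ne 'Enabled') {
    Set-NetIPInterface -InterfaceIndex $tap.InterfaceIndex -AddressFamily IPv4 -Forwarding Enabled
}
$tap = Get-NetIPInterface -InterfaceAlias $tapAlias -AddressFamily IPv4
"Interface $($tap.InterfaceIndex): Forwarding=$($tap.Forwarding)"

# 3. System-wide routing flag, the same IPEnableRouter value set in regedit above.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name IPEnableRouter -Value 1 -Type DWord
"IPEnableRouter=$((Get-ItemProperty -Path $tcpip).IPEnableRouter)"

# 4. Services: RRAS automatic and running, the interactive service stopped and
#    manual, OpenVPNService restarted so it loads config-auto\alice.ovpn.
Set-Service -Name RemoteAccess -StartupType Automatic
Start-Service -Name RemoteAccess
Stop-Service -Name OpenVPNServiceInteractive -ErrorAction SilentlyContinue
Set-Service -Name OpenVPNServiceInteractive -StartupType Manual
Restart-Service -Name OpenVPNService
Start-Sleep -Seconds 5

# 5. Confirm the server reached "Initialization Sequence Completed"; otherwise show
#    the tail of the log so the error is visible.
if (Select-String -Path $logFile -Pattern 'Initialization Sequence Completed' -Quiet) {
    'OpenVPN server initialized'
} else {
    Get-Content -Path $logFile -Tail 20
}
```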

Share Internet adapter

Go to Windows Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings.

On your main Internet network adapter (i.e. Ethernet or wireless), right-click, and select Properties.

Select the Sharing tab.

Check the box for Allow other network users to connect through this computer’s internet connection.

Select OpenVPN TAP-Windows 6.

Click OK.

Disable and enable TAP-Windows Adapter V9

On the OpenVPN TAP-Windows 6 adapter (or whatever your TAP-Windows Adapter V9 is named), right-click, then disable and re-enable the adapter.

Close the Network Connections window.

Close the Control Panel windows.

Create client configuration

In Notepad, create a configuration file for the client. Model it on the following.

  • You will need to change the remote DNS name or IP address to match your situation.
  • Copy and paste in your inline certificates and keys from C:/Program Files/OpenVPN/easy-rsa/pki/inline/bob.inline.
  • Copy and paste in your TLS encryption key from C:/Program Files/OpenVPN/easy-rsa/pki/easytls/tls-crypt.key.

client
dev tun
proto udp
remote alice.cscot.buzz 1194
resolv-retry infinite
nobind
persist-key
persist-tun
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
48e3921f8013f667318938d3454a0e10
cb592af181e30da37643acbbfd36b54d
099441265e768047334242c08db4eb01
1a136cecd628452ba004a042b92362d5
3b69b766ebf9af7f264718b849e83030
b99bc255a627e788061b533d06678d99
b661b485c1df0d4a552c44f6e1c4ff82
34636917f48479eef95033071a763c5a
4738cc084737a4c58e08e62020a6dc84
bdf37ae4d8a2edf9310d60967320378d
4bf261151e7aaa3698a0cce1c9758fb1
a6a41a87da3a619b4e6ce4917c3af53e
2cbf0f4aef9c3c9eb5315e4cfa30508b
e153d051310bf1a96788255d4d408f9d
837c786570980178e98c4bcb15b7801e
cab6b007f31204b71e4ad0d611d9da21
-----END OpenVPN Static key V1-----
</tls-crypt>
remote-cert-tls server
cipher AES-256-GCM
verb 3

Save the file in your server’s Documents folder as bob.ovpn.
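Instead of pasting the inline file and the TLS crypt key into Notepad by hand, the client profile can be assembled on the server with a short PowerShell script that checks each section is present before writing anything. This is an added example, not part of the original post; it assumes the file locations created in the steps above and the remote name alice.cscot.buzz, and it writes bob.ovpn to the server's Documents folder as the post does.

```powershell
# Added example (not from the original post): builds bob.ovpn from the Easy-RSA
# inline file and the Easy-TLS key instead of pasting by hand, refusing to write the
# profile if any section is missing. Assumes the file locations created above and
# the remote name alice.cscot.buzz; change both to match your setup.
$ErrorActionPreference = 'Stop'
$inlineFile   = 'C:\Program Files\OpenVPN\easy-rsa\pki\inline\bob.inline'
$tlsCryptFile = 'C:\Program Files\OpenVPN\easy-rsa\pki\easytls\tls-crypt.key'
$outFile      = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'bob.ovpn'

# Normalize line endings so the profile is consistent whatever produced the inputs.
$inline = (Get-Content -Path $inlineFile -Raw) -replace "`r`n", "`n"
$tlsKey = (Get-Content -Path $tlsCryptFile -Raw) -replace "`r`n", "`n"

# The inline file must carry the client certificate, its private key and the CA.
foreach ($tag in 'cert', 'key', 'ca') {
    if ($inline -notmatch "(?s)<$tag>.*?</$tag>") { throw "bob.inline has no <$tag> section" }
}
# Keep only the key material; OpenVPN ignores # comment lines, but be explicit.
$keyLines = $tlsKey -split "`n" | Where-Object { $_ -notmatch '^\s*#' -and $_ -ne '' }
if ($keyLines[0] -ne '-----BEGIN OpenVPN Static key V1-----') {
    throw 'tls-crypt.key does not start with an OpenVPN static key header'
}

# Same directives, in the same order, as the model client configuration above.
$lines = @(
    'client', 'dev tun', 'proto udp', 'remote alice.cscot.buzz 1194',
    'resolv-retry infinite', 'nobind', 'persist-key', 'persist-tun',
    $inline.TrimEnd(),
    '<tls-crypt>', ($keyLines -join "`n"), '</tls-crypt>',
    'remote-cert-tls server', 'cipher AES-256-GCM', 'verb 3'
)
# ASCII is enough for PEM and hex; LF line endings are supplied explicitly.
Set-Content -Path $outFile -Value (($lines -join "`n") + "`n") -Encoding ASCII -NoNewline
"Wrote $outFile ($((Get-Item $outFile).Length) bytes)"
```

The resulting file contains bob's private key, which is why the next section insists on a secure copy to the client.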

Securely copy client ovpn file to client PC

Securely copy bob.ovpn from the server’s Documents folder to the client’s Downloads folder.

You can use any secure tool to do the copy.

  • If both server and client are nearby, you can use a USB memory stick.
  • For a remote server, you can use the Remote Desktop Connection (RDC) app with local disk access enabled.
  • Or you can simply copy and paste from Notepad in an RDC session on the server to Notepad on your local client.

However you do the secure copy, you will end up with a file bob.ovpn in your client PC Downloads folder.

Set up Windows client

Switch to working on the client PC.

From the OpenVPN Downloads page at https://openvpn.net/community-downloads, download the 64-bit installer for Windows.

Run the installer. On the client, you need the OpenVPN GUI component, but you do not need the EasyRSA 3 Certificate Management Scripts. These are the defaults.

The installer places an OpenVPN GUI shortcut icon on your desktop.

Double-click the OpenVPN GUI shortcut icon on your desktop.

A message appears to say that there are as yet no readable connection profiles (i.e., configurations). Click OK.

Import bob.ovpn as follows:

  1. Right-click on the OpenVPN icon in the system tray.
  2. Select Import file.
  3. Select the bob.ovpn file from your Downloads folder.
  4. You should see a message indicating that the file was imported successfully.
  5. Click OK.

Right-click on the OpenVPN icon in the system tray, and select Connect. If problems occur, check C:\Users\<YOUR-USER-NAME>\OpenVPN\log\bob.log for any error messages.

On successful connect, a notification appears to say you are now connected.

The OpenVPN icon in the system tray turns green.