How to Setup OpenVPN On Windows Server 2019

Reading Time: 6 minutes

What is OpenVPN?

As noted previously in our OpenVPN article, OpenVPN is an open-source Windows software package used to create a secure, site-to-site tunneled VPN connection that provides remote access between two locations. OpenVPN consists of three parts:

  • The OpenVPN-AS Server
  • The Admin Web Interface/Admin GUI
  • The Connection Clients

The OpenVPN Server

The OpenVPN server is the principal element of the OpenVPN-AS Server and manages the main functionality on the backend. Some functionality that is handled within the admin interface includes tunneling, routing, encryption, user management, authentication, and many other features. The OpenVPN server also consists of a WebGUI, which assists with control in several of the fundamental components of the software.

The Main WebGUI Administrative Interface

The main web-based GUI allows for the uncomplicated handling of the OpenVPN server elements. In the WebGUI, an admin can check routing options, privileges, network configurations, user validation, and other parameters. By default, an administrator can connect to the GUIWeb gateway by browsing to https://serverip:943/admin

The OpenVPN Connect Clients

The OpenVPN client is also an important part of the OpenVPN software. This application allows users to link to the VPN server directly in one of three ways. The VPN Client also offers the ability to download the user’s configuration file, which can be duplicated to other OpenVPN clients. The three options are:

  • Browser Connect Client – This is the browser-based connection tool for openvpn. The web address for users is https://serverip:943
  • OpenVPN Connect Client (Mac) – Simplistic single connection client
  • OpenVPN Connect Client (Linux/Windows) – This is the OpenVPN client (which is different from the main openvpn-as program). This software requires a configuration file to work correctly.

Section 1. Installing OpenVPN

Download and Install OpenVPN

On a Windows server, we begin by downloading the Windows installer and then running it on our Windows server. Once that has completed, we begin the configuration portion of the setup.

Configuration, Certificates and Keys

Step 1: Change Directory

  1. Open the Start menu and go to “Windows System” >> and then right click on “Command Prompt” then “More” and select “Run as Administrator.”

  2. Then, right click the menu item “Command Prompt”.

  3. On the “User Account Control” pop up window, click “Yes” to accept the program to make changes this the server.

  4. Browse to the following folder location using the cd command in the administrative command prompt.
    cd C:\Program Files\OpenVPN\easy-rsa

Step 2: Configure OpenVPN Server

Caution:
Only run init-config once during installation.
  1. Now, we can begin the OpenVPN configuration. Type in the following command.
    init-config
  2.  
  3. Next, we open the “vars.bat” file in the notepad text editor.
    notepad vars.bat
  4.  
  5. Then, we will edit the subsequent lines switching the “US”, “CA,” settings that are consistent with your business’ location.
    set KEY_COUNTRY=US
    set KEY_PROVINCE=CA
    set KEY_CITY=SanFrancisco
    set KEY_ORG=OpenVPN
    set KEY_EMAIL=mail@host.domain
  6.  
  7. Now, save the file and exit Notepad.
  8.  
  9. Next, we will run the following commands.
    vars
    
    clean-all
Note:
The KEY_CN and KEY_NAME fields will be unique for each build request.

The KEY_CN and KEY_NAME settings refer to the common name field and the name of the certificate.

The KEY_OU setting refers to an “Organizational Unit” and can be set to whatever if there isn’t a requirement for it.

The PKCS11_ values refer to settings used for Hardware Security Modules and Smart Cards if you use them.

Step 3. Create Certificates and Keys

  1. To create the Certificate Authority (CA) certificate and key, we need to run the following command.
    build-ca
  2.  
  3. This will prompt you to enter your country, state, and city. These options will also have default values, which appear within brackets. For the “Common Name,” the most beneficial choice is to choose a unique name to distinguish your company. 
    Certificate Authority "OpenVPN-CA":
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [CA]:
    Locality Name (eg, city) [SanFrancisco]:
    Organization Name (eg, company) [OpenVPN]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
    Email Address [mail@host.domain]:
  4.  
  5. Next, we initiate the server’s certificate and key using this command: 
    build-key-server server
    
    – When prompted, enter the “Common Name” as “server”
    – When prompted to sign the certificate, enter “y”
    – When prompted to commit, enter “y”

Step 4. Create Client/Server Certificates and Keys

  1. First, we should create our keys using the following command.
    C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat
     
  2. For each client that will be connecting to the server, we must choose a unique name to identify that user’s computer, such as “david-laptop” in the example below.
    build-key david-laptop

  3. Next, when prompted, we enter the “Common Name” as the name you have chosen for the client’s cert/key. We will repeat this step for every client computer that is going to connect to the VPN.
    C:\Program Files\OpenVPN\easy-rsa>build-key david-laptop
     
  4. Now, we need to generate the “Diffie Hellman” parameters using the build-dh command. This step is necessary to set up the encryption model.
    C:\Program Files\OpenVPN\easy-rsa>build-dh.bat

  5. Next, we will generate a shared secret key (which is required when using tls-auth)
    "C:\Program Files\OpenVPN\bin\openvpn.exe" --genkey --secret "C:\Program Files\OpenVPN\easy-rsa\keys\ta.key"

Section 2. Configure OpenVPN

OpenVPN provides sample configuration data which can easily be found using the start menu: Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files

Configure Server

Step 1. Copy/Edit Files

  1. Let’s begin by copying the sample “server configuration” file over to the easy-rsa folder. Here is the command and its output:
     copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"

    copy "C:\Program Files\OpenVPN\easy-rsa" "C:\Program files\OpenVPN\bin\openvpn.exe" --genkey --secret

    copy "C:\Program Files\OpenVPN\easy-rsa\keys\ta.key" "C:\Program Files\OpenVPN\easy-rsa"

    copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn" 1 file(s) copied.
  2. Next, we will need to edit the server.ovpn file.
    notepad "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn
  3. Now, locate the following lines within the file:
    ca - ca.crt
    cert - server.crt
    key - server.key
    dh - dh2048.pem
    And edit them as follows:
    ca "C:\\Program Files\\OpenVPN\config\ca.crt"
    cert "C:\\Program Files\OpenVPN\config\server.crt"
    key "C:\\Program Files\OpenVPN\config\server.key"
    dh "C:\\Program Files\OpenVPN\config\dh2048.pem"
  4. Finally, save and close the file.

Step 2. Client Config Files

  1. Let’s begin by copying the sample “server configuration” file over to the easy-rsa folder. Here is the command and its output:
    copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"
    C:\Program Files\OpenVPN\easy-rsa "C:\Program files\OpenVPN\bin\openvpn.exe" --genkey --secret "C:\Program Files\OpenVPN\easy-rsa\keys\ta.key"
    C:\Program Files\OpenVPN\easy-rsa copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"
    1 file(s) copied.
    C:\Program Files\OpenVPN\easy-rsa
  2. Next, we will need to edit the server.ovpn file.
    notepad "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn" 
  3. Now, locate the following lines within the file:
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem

    And edit them as follows:

    ca "C:\\Program Files\OpenVPN\config\ca.crt"
    cert "C:\\Program Files\OpenVPN\config\server.crt"
    key "C:\\Program Files\OpenVPN\config\server.key"
    dh "C:\\Program Files\OpenVPN\config\dh2048.pem"
  4. Finally, save and close the file.

Configure Client

Step 1. Copy Files

  1. Now we can copy the following files on the client from C:\Program Files\OpenVPN\easy-rsa\keys\ toC:\Program Files\OpenVPN\config\ on the server using the robocopy command:

    -ca.crt
    -ta.key
    -dh2048.pem
    -server.crt
    -server.key
    -server.ovpn
    robocopy "C:\Program Files\OpenVPN\easy-rsa\keys\ " "C:\Program Files\OpenVPN\config\"
    ca.crt
    ta.key
    dh2048.pem
    server.crt
    server.key
    server.ovpn
    -----------------------------------------------------
    ROBOCOPY     :: Robust File Copy for Windows
    -----------------------------------------------------
    Started : Friday, December 27, 2019 12:16:02 PM
    Source : C:\Program Files\OpenVPN\easy-rsa\keys\
    Dest : C:\Program Files\OpenVPN\config\
    Files :
    ca.crt
    dh2048.pem
    server.crt
    server.ovpn
    Options : /DCOPY:DA /COPY:DAT /R:1000000 /W:30
    --------------------------------------------------------------------
    C:\Program Files\OpenVPN\easy-rsa\keys\
    100% New File 2482 ca.crt
    100% 432 dh2048.pem
    100% New File 10901 server.ovpn
    100% New File 657 ta.key
    --------------------------------------------------------------------
    Total Copied Skipped Mismatch FAILED Extras
    Dirs: 1 0 1 0 0 0
    Files : 0 0 0 0
    Bytes : 14.1 k 14.1 k 0 0 0 0
    Times : 0:00:00 0:00:00 0:00:00 0:00:00
    Speed : 452250 Bytes/sec.
    Speed : 25.877 MegaBytes/min.
    Ended : Friday, December 27, 2019 12:16:02 PM
    C:\Program Files\OpenVPN\easy-rsa
  2. Now, we can copy the following files on the server from C:\Program Files\OpenVPN\easy-rsa\keys\ to C:\Program Files\OpenVPN\config\ for each client that will be using the VPN (e.g., david-laptop in this example)
    -ca.crt
    -ta.key
    -david-laptop.crt
    -david-laptop.key
    -david-laptop.ovpn

    robocopy "C:\Program Files\OpenVPN\easy-rsa\keys\ " "C:\Program Files\OpenVPN\config\ " ca.crt ta.key dh2048.pem server.crt server.key server.ovpn
    -----------------------------------------------------------------------
    ROBOCOPY     :: Robust File Copy for Windows
    -----------------------------------------------------------------------
    Started : Friday, December 27, 2019 12:16:02 PM
    Source : C:\Program Files\OpenVPN\easy-rsa\keys\
    Dest : C:\Program Files\OpenVPN\config\
    Files : ca.crt
    ta.key
    dh2048.pem
    server.crt
    server.key
    server.ovpn
    Options : /DCOPY:DA /COPY:DAT /R:1000000 /W:30
    -----------------------------------------------------------------------
    C:\Program Files\OpenVPN\easy-rsa\keys\
    100% New File 2482 ca.crt
    100% New File 432 dh2048.pem
    100% New File 10901 server.ovpn
    100% New File 657 ta.key
    -----------------------------------------------------------------------
    Total Copied Skipped Mismatch FAILED Extras
    Dirs : 1 0 1 0 0 0
    Files : 4 4 0 0 0 0
    Bytes :14.1 k 14.1 k 0 0 0
    Times : 0:00:00 0:00:00 0:00:00 0:00:00
    Speed :452250 Bytes/sec.
    Speed :25.877 MegaBytes/min.
    Ended : Friday, December 27, 2019 12:16:02 PM
    C:\Program Files\OpenVPN\easy-rsa
Note:
The space at the end of the path in each string is important.

Starting OpenVPN

Next, on both the server and the client, we need to run OpenVPN from:
Start Menu -> All Programs -> OpenVPN -> OpenVPN GUI

Finally, double click the icon which appears in the system tray to start the connection. The subsequent dialog box will close upon an effective start.

Final Thoughts

Firewall Settings

If you have any connection difficulties, ensure you set up a rule on the server’s firewall allowing incoming UDP traffic on port 1194. (Win+R “wf.msc”)

Running OpenVPN as a Service

We can also run OpenVPN as a service, which will allow:

  • OpenVPN to be run from a non-administrative account.
  • OpenVPN to be started automatically on the systems startup. This is the preferred method to use on a server, as well as any clients which will be continually connecting to the server.
  • To run the Windows Service administrative tool:
    (Press Windows Key+R)
    Type in “services.msc” and press ‘Enter’ to start the services.msc tool. Next, locate the OpenVPN service, and reset its Startup Type to “automatic.” Optionally, you can start the service now if desired.

Security Tips

We can also run OpenVPN as a service, which will allow:

  • OpenVPN to be run from a non-administrative account.
  • OpenVPN to be started automatically at the systems startup. This is the preferred method to use on a server, as well as any clients which will be continually connecting to the server.

We Would Love to Hear From You!

We pride ourselves on being The Most Helpful Humans In Hosting™!

Our Support Team is full of experienced Linux technicians and talented System administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article.

Should you have any questions regarding this information, we are always available to answer any inquiries with issues related to this article, 24 hours a day, 7 days a week 365 days a year.

If you are a Fully Managed VPS server, Cloud Dedicated, VMWare Private Cloud, Private Parent server, Managed Cloud Servers, or a Dedicated server owner and you are uncomfortable with performing any of the steps outlined, we can be reached via phone @800.580.4985, a chat or support ticket to assisting you with this process.

Author Bio

About the Author: David Singer

I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....

Refer a friend and get a $50 hosting credit!