How to Setup OpenVPN On Windows Server 2019


What is OpenVPN?

As noted previously in our OpenVPN article, OpenVPN is an open-source Windows software package used to create a secure, site-to-site VPN connection that provides remote access between two locations. OpenVPN consists of three parts:

  • The OpenVPN-AS Server
  • The Admin Web Interface/Admin GUI
  • The Connection Clients

The OpenVPN Server

The OpenVPN server is the principal element of the OpenVPN-AS Server and manages the main functions on the backend. The functionality handled in the admin interface includes tunneling, routing, encryption, user management, authentication, and many other features. The OpenVPN server also includes a WebGUI, which helps control several of the fundamental components of the software.

The Main WebGUI Administrative Interface

The main web-based GUI allows for straightforward handling of the OpenVPN server elements. In the WebGUI, an admin can check routing options, privileges, network configurations, user validation, and other parameters. By default, an administrator can reach the WebGUI by browsing to https://serverip:943/admin.

The OpenVPN Connect Clients

The OpenVPN client is also an important part of the OpenVPN software. This application allows users to link to the VPN server directly in one of three ways. The VPN Client also offers the ability to download the user’s configuration file, which can be duplicated to other OpenVPN clients. The three options are:

  • Browser Connect Client – This is the browser-based connection tool for OpenVPN. The web address for users is https://serverip:943
  • OpenVPN Connect Client (Mac) – Simplistic single connection client
  • OpenVPN Connect Client (Linux/Windows) – This is the OpenVPN client (which is different from the main openvpn-as program). This software requires a configuration file to work correctly.

Install OpenVPN

On a Windows server, we begin by downloading the Windows installer from here and then running it on our Windows server.

Certs and Keys

Prerequisites

Browse to the C:\Program Files\OpenVPN\easy-rsa folder using an administrative command prompt:

  1. Open the Start menu
  2. Type in “cmd”
  3. Next, right click on “Command Prompt” and select “Run as Administrator.”
  4. Then, right click the menu item “Command Prompt”
  5. On the “User Account Control” pop up window, click “Yes”

Navigate to this folder.

cd "C:\Program Files\OpenVPN\easy-rsa"

And now, we can start the OpenVPN configuration:

init-config

Caution:
Only run init-config once during installation.

Next, we open the “vars.bat” file in a text editor.

notepad vars.bat

Edit the following lines, replacing “US”, “CA”, etc. with your organization’s details.

set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=OpenVPN
set KEY_EMAIL=mail@host.domain

We can then save the file and exit Notepad.

Note:
The KEY_CN and KEY_NAME fields will be unique for each build request.

The KEY_CN and KEY_NAME settings refer to the common name field and the name of the certificate.

The KEY_OU setting refers to an “Organizational Unit” and can be set to any value if there is no requirement for it.

The PKCS11_ values refer to settings used for Hardware Security Modules and Smart Cards if you use them.

Next, we will run the following commands.

vars

clean-all

Building Certificates and Keys

To create the Certificate Authority (CA) certificate and key, we run:

build-ca

This will prompt you to enter your country, state, and city. These options will also have default values, which appear within brackets.

For the “Common Name,” choose a unique name that identifies your company.

Certificate Authority "OpenVPN-CA":
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [mail@host.domain]:

Next, we initiate the server’s certificate and key using this command:

build-key-server server

  1. When prompted, enter the “Common Name” as “server”
  2. When prompted to sign the certificate, enter “y”
  3. When prompted to commit, enter “y”

Server Certificates and Keys:

C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat
Generating a RSA private key
..............................................................................................................................................................................................................................................++++
................................++++
writing new private key to 'keys\.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [MI]:
Locality Name (eg, city) [Lansing]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:Server
Name [changeme]:
Email Address [dsinger@liquidweb.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:XXXXXXXXXXXXXXXX
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Can't open keys/index.txt.attr for reading, No such file or directory
1832:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:74:fopen('keys/index.txt.attr','r')
1832:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:81:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'MI'
localityName          :PRINTABLE:'Lansing'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'Server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'dsinger@liquidweb.com'
Certificate is to be certified until Dec 24 19:01:08 2029 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

Client Certificates and Keys

For each client that will be connecting to the server, we must choose a unique name to identify that user’s computer, such as “david-laptop” in the example below.

build-key david-laptop

Next, when prompted, we enter the “Common Name” as the name chosen for that client’s certificate and key.

We will repeat this step for every client computer that is going to connect to the VPN.

C:\Program Files\OpenVPN\easy-rsa>build-key david-laptop
Generating a RSA private key
.............................................................................................................................................................................++++
..............................................................................++++
writing new private key to 'keys\david-laptop.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [MI]:
Locality Name (eg, city) [Lansing]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:david-laptop
Name [changeme]:David Singer
Email Address [dsinger@liquidweb.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:XXXXXXXXXXXXXXXX
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'MI'
localityName          :PRINTABLE:'Lansing'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'david-laptop'
name                  :PRINTABLE:'David Singer'
emailAddress          :IA5STRING:'dsinger@liquidweb.com'
Certificate is to be certified until Dec 24 19:06:10 2029 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

Now, we need to generate the “Diffie Hellman” parameters using the build-dh command. The server needs these parameters for the TLS key exchange with clients.

C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.................................+......................................................................................................+.............................................................................................+..................................................................................+.........................................................
.............................................................................+............................+..........+........+............................................+..............................................+....++*++*++*++*

C:\Program Files\OpenVPN\easy-rsa>

Next, we will generate a shared secret key, which is required when using tls-auth:

"C:\Program Files\OpenVPN\bin\openvpn.exe" --genkey --secret "C:\Program Files\OpenVPN\easy-rsa\keys\ta.key"

Configuration Files

OpenVPN provides sample configuration data which can easily be found using the start menu:
Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files

Server Config File

Now, let’s copy the sample “server configuration” file over to the easy-rsa folder. Here is the command and its output:

copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"


C:\Program Files\OpenVPN\easy-rsa>"C:\Program Files\OpenVPN\bin\openvpn.exe" --genkey --secret "C:\Program Files\OpenVPN\easy-rsa\keys\ta.key"

C:\Program Files\OpenVPN\easy-rsa>copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"
        1 file(s) copied.

C:\Program Files\OpenVPN\easy-rsa>

Next, we will need to edit the server.ovpn file. 

notepad "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"

Now, locate the following lines within the file:

ca ca.crt
cert server.crt
key server.key

dh dh2048.pem

And edit them as follows:

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"

dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"

Finally, save and close the file.

Client Config Files

The client file modification is very similar to the server configuration changes we made earlier. Let’s copy the sample client configuration file to the easy-rsa keys folder, using the client’s Common Name as the file name. (Remember, each client will need to have a unique filename.)

copy "C:\Program Files\OpenVPN\sample-config\client.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\david-laptop.ovpn"


C:\Program Files\OpenVPN\easy-rsa>copy "C:\Program Files\OpenVPN\sample-config\client.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\david-laptop.ovpn"
        1 file(s) copied.
C:\Program Files\OpenVPN\easy-rsa>

Next, we will edit the client’s config file.

notepad "C:\Program Files\OpenVPN\easy-rsa\keys\david-laptop.ovpn"

We will locate the following settings in the file and edit them as follows:

ca ca.crt
cert client.crt
key client.key

to

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\david-laptop.crt"
key "C:\\Program Files\\OpenVPN\\config\\david-laptop.key"

Observe that the names of the client certificate and key files follow the “Common Name” chosen for each client.

We can also include the ca, cert, and key content directly in the client file instead of referencing files on disk. To do so, paste each file’s contents between the corresponding tags:

  • <ca></ca>
  • <cert></cert>
  • <key></key>

Next, we edit the “remote” line, replacing the placeholder hostname my-server-1 with the server’s public IP address or domain name. The port (1194) stays as the second argument, because the syntax is remote <host> <port>.

remote my-server-1 1194

After the edit, that part of the file reads:

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.

remote 69.16.236.167 1194

;remote my-server-2 1194

Finally, we can save and close the file. 
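The two edits above (the doubled backslashes in quoted Windows paths and the host-then-port order of the remote line) are easy to get wrong, and OpenVPN only reports the mistake at connect time. The following pre-flight checker is an added example, not code from the article or from the OpenVPN project: it tokenises a .ovpn file the way OpenVPN does, flags single backslashes inside quotes, a placeholder hostname, a non-numeric port, a tls-auth direction that does not match the role (1 on the client, 0 on the server), and missing ca/cert/key material. The sample profile embedded below is constructed and deliberately carries those mistakes; the role argument and the base_dir file-existence check are this example's own additions.

```python
"""Pre-flight checks for an OpenVPN .ovpn profile (added example, not from the article)."""
import re
from pathlib import Path

FILE_DIRECTIVES = {"ca", "cert", "key", "dh", "tls-auth"}  # first argument names a file
PLACEHOLDER_HOSTS = {"my-server-1", "my-server-2"}         # left over from sample-config

def split_args(line):
    """Split a directive line as OpenVPN does: whitespace separates arguments, double
    quotes group them, and inside quotes a backslash escapes the next character (hence
    the doubled backslashes in the Windows paths). Returns (args, warning_or_None)."""
    args, token, warning = [], [], None
    in_quotes = have_token = False
    i = 0
    while i < len(line):
        ch = line[i]
        if in_quotes and ch == "\\":
            nxt = line[i + 1] if i + 1 < len(line) else ""
            if nxt not in ("\\", '"'):
                warning = "single backslash inside quotes; write \\\\ for each backslash"
            token.append(nxt)
            i += 2
            continue
        if ch == '"':
            in_quotes, have_token = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if have_token:
                args.append("".join(token))
                token, have_token = [], False
        else:
            token.append(ch)
            have_token = True
        i += 1
    if have_token:
        args.append("".join(token))
    return args, ("unterminated double quote" if in_quotes else warning)

def parse_profile(text):
    """Return (directives, inline_blocks, warnings). Lines starting with '#' or ';'
    are comments; <ca>...</ca> style blocks hold PEM data and are skipped."""
    directives, blocks, warnings, open_tag = [], set(), [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if open_tag:
            if line == f"</{open_tag}>":
                open_tag = None
            continue
        tag = re.fullmatch(r"<([a-z-]+)>", line)
        if tag:
            open_tag = tag.group(1)
            blocks.add(open_tag)
            continue
        if not line or line[0] in "#;":
            continue
        args, warning = split_args(line)
        if warning:
            warnings.append(f"line {lineno}: {warning}")
        if args:
            directives.append((lineno, args[0], args[1:]))
    return directives, blocks, warnings

def check_profile(text, role="client", base_dir=None):
    """Return a list of problems (empty = looks sane). role picks the expected
    tls-auth direction (client 1, server 0); base_dir enables file-existence checks."""
    directives, blocks, problems = parse_profile(text)
    names = {name for _, name, _ in directives}
    for lineno, name, args in directives:
        if name == "remote":  # syntax: remote <host> [port] [proto], host first
            if not args:
                problems.append(f"line {lineno}: remote needs a host")
                continue
            if args[0] in PLACEHOLDER_HOSTS:
                problems.append(f"line {lineno}: remote still uses placeholder {args[0]!r}")
            if len(args) > 1 and not (args[1].isdigit() and 0 < int(args[1]) < 65536):
                problems.append(f"line {lineno}: remote port {args[1]!r} is not a port; "
                                "the syntax is 'remote <host> <port>'")
        elif name == "tls-auth":
            want = "1" if role == "client" else "0"
            if len(args) > 1 and args[1] != want:
                problems.append(f"line {lineno}: tls-auth direction should be {want} on the {role}")
        if name in FILE_DIRECTIVES and args and base_dir is not None:
            path = Path(args[0])
            path = path if path.is_absolute() else Path(base_dir) / path
            if not path.is_file():
                problems.append(f"line {lineno}: {name} file not found: {path}")
    for required in ("ca", "cert", "key"):
        if required not in names and required not in blocks:
            problems.append(f"no '{required}' directive or <{required}> block")
    return problems

# Constructed sample: the client file edited as in the article, with three mistakes
# (host/port swapped on 'remote', a single-backslash path, server-side tls-auth direction).
BAD_CLIENT = r"""
client
dev tun
proto udp
remote my-server-1 69.16.236.167
resolv-retry infinite
nobind
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\david-laptop.crt"
key "C:\Program Files\OpenVPN\config\david-laptop.key"
tls-auth ta.key 0
verb 3
"""
GOOD_CLIENT = (BAD_CLIENT.replace("remote my-server-1 69.16.236.167", "remote 69.16.236.167 1194")
               .replace(r'key "C:\Program Files\OpenVPN\config\david-laptop.key"',
                        r'key "C:\\Program Files\\OpenVPN\\config\\david-laptop.key"')
               .replace("tls-auth ta.key 0", "tls-auth ta.key 1"))
```

Running check_profile(BAD_CLIENT) returns four problems (the path, the placeholder host, the IP address sitting in the port field, and the tls-auth direction), while GOOD_CLIENT returns an empty list. To check a real file, pass path.read_text() together with role="server" or "client" and base_dir=path.parent so the referenced ca, cert, key, dh and ta.key files are also verified to exist.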

Copying the Client and Server Files to Their Pertinent Directories

Now we can copy these files from C:\Program Files\OpenVPN\easy-rsa\keys\ to C:\Program Files\OpenVPN\config\ on the server using the robocopy command:

  • ca.crt
  • ta.key
  • dh2048.pem
  • server.crt
  • server.key
  • server.ovpn

robocopy "C:\Program Files\OpenVPN\easy-rsa\keys\ " "C:\Program Files\OpenVPN\config\ " ca.crt ta.key dh2048.pem server.crt server.key server.ovpn

C:\Program Files\OpenVPN\easy-rsa>robocopy "C:\Program Files\OpenVPN\easy-rsa\keys\ " "C:\Program Files\OpenVPN\config\ " ca.crt ta.key dh2048.pem server.crt server.key server.ovpn
-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows
-------------------------------------------------------------------------------
  Started : Friday, December 27, 2019 12:16:02 PM
   Source : C:\Program Files\OpenVPN\easy-rsa\keys\
     Dest : C:\Program Files\OpenVPN\config\
    Files : ca.crt
            ta.key
            dh2048.pem
            server.crt
            server.key
            server.ovpn
  Options : /DCOPY:DA /COPY:DAT /R:1000000 /W:30
------------------------------------------------------------------------------
                           4    C:\Program Files\OpenVPN\easy-rsa\keys\
100%        New File                2482        ca.crt
100%        New File                 432        dh2048.pem
100%        New File               10901        server.ovpn
100%        New File                 657        ta.key
------------------------------------------------------------------------------
               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         0         1         0         0         0
   Files :         4         4         0         0         0         0
   Bytes :    14.1 k    14.1 k         0         0         0         0
   Times :   0:00:00   0:00:00                       0:00:00   0:00:00

   Speed :              452250 Bytes/sec.
   Speed :              25.877 MegaBytes/min.
   Ended : Friday, December 27, 2019 12:16:02 PM
C:\Program Files\OpenVPN\easy-rsa>
Note:
The space at the end of the path in each string is important: without it, the backslash before the closing quote would be read as escaping the quote. Also check the robocopy summary before moving on. In the transcript above only four of the six files were copied (ca.crt, dh2048.pem, server.ovpn and ta.key); server.crt and server.key were not in the keys folder, because in the earlier transcript build-key-server.bat was run without the “server” name and wrote its key to keys\.key. Confirm that both server files exist before starting the server.

Now, we can copy the following files from C:\Program Files\OpenVPN\easy-rsa\keys\ on the server to C:\Program Files\OpenVPN\config\ on each client that will be using the VPN (e.g., david-laptop, in this example):

  • ca.crt
  • ta.key
  • david-laptop.crt
  • david-laptop.key
  • david-laptop.ovpn
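Instead of shipping five separate files per client, the certificate material can be embedded in the profile itself, using the <ca>, <cert> and <key> tags mentioned above. The following is an added example, not code from the article or from the OpenVPN project: it takes the five files listed above from the easy-rsa keys folder, strips the human-readable preamble that easy-rsa writes before the PEM block, and produces one <client>-inline.ovpn. It goes one step beyond the text by also inlining ta.key as a <tls-auth> block with the direction moved to a key-direction line, which OpenVPN requires for inline tls-auth material. The file names follow the article; the demo() function builds a temporary folder with constructed, non-functional stand-in key material so the code runs offline.

```python
"""Assemble a self-contained OpenVPN client profile with ca, cert, key and
ta.key inlined. Added example; not code from the original article."""
import tempfile
from pathlib import Path

# Directives OpenVPN accepts as inline <tag>...</tag> blocks instead of file paths.
# A tls-auth block cannot carry its direction, so that moves to 'key-direction'.
INLINE_TAGS = ("ca", "cert", "key", "tls-auth")

def pem_block(text):
    """Keep only the -----BEGIN ... -----END block. easy-rsa .crt files carry a
    human-readable dump before the PEM data and ta.key carries '#' comment lines;
    neither belongs inside an inline block."""
    start = text.find("-----BEGIN")
    end = text.find("-----END", start)
    if start < 0 or end < 0:
        raise ValueError("no PEM block found")
    end = text.find("-----", end + len("-----END")) + len("-----")
    return text[start:end]

def inline_profile(profile_text, material):
    """Return profile_text with each file directive named in material replaced by
    the matching inline block. material maps 'ca'/'cert'/'key'/'tls-auth' to file text."""
    kept, tls_direction = [], None
    for line in profile_text.splitlines():
        words = line.split()
        name = words[0] if words and words[0][0] not in "#;" else None
        if name in INLINE_TAGS and name in material:
            if name == "tls-auth" and len(words) > 2:
                tls_direction = words[2]        # e.g. 'tls-auth ta.key 1' -> '1'
            continue                            # drop the file reference
        kept.append(line)
    out = "\n".join(kept).rstrip("\n") + "\n"
    if tls_direction is not None and not any(l.split()[:1] == ["key-direction"] for l in kept):
        out += f"key-direction {tls_direction}\n"
    for name in INLINE_TAGS:
        if name in material:
            out += f"<{name}>\n{pem_block(material[name])}\n</{name}>\n"
    return out

def missing_files(keys_dir, client_name):
    """Names from the article's client file list that are absent in keys_dir."""
    wanted = ["ca.crt", "ta.key", f"{client_name}.crt", f"{client_name}.key", f"{client_name}.ovpn"]
    return [f for f in wanted if not (Path(keys_dir) / f).is_file()]

def bundle_client(keys_dir, client_name):
    """Write <client_name>-inline.ovpn next to the inputs and return its path.
    Refuses to run if any of the five files is missing, so a client whose
    build-key step was skipped is caught here rather than at connect time."""
    keys_dir = Path(keys_dir)
    missing = missing_files(keys_dir, client_name)
    if missing:
        raise FileNotFoundError(f"missing in {keys_dir}: {', '.join(missing)}")
    material = {"ca": (keys_dir / "ca.crt").read_text(),
                "cert": (keys_dir / f"{client_name}.crt").read_text(),
                "key": (keys_dir / f"{client_name}.key").read_text(),
                "tls-auth": (keys_dir / "ta.key").read_text()}
    target = keys_dir / f"{client_name}-inline.ovpn"
    target.write_text(inline_profile((keys_dir / f"{client_name}.ovpn").read_text(), material))
    return target

def demo():
    """End-to-end run in a temporary folder with constructed, non-functional
    key material standing in for the easy-rsa output. Returns the bundled text."""
    def fake(label):
        return f"text before the block\n-----BEGIN {label}-----\nQUJD\n-----END {label}-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        keys = Path(tmp)
        (keys / "ca.crt").write_text(fake("CERTIFICATE"))
        (keys / "david-laptop.crt").write_text(fake("CERTIFICATE"))
        (keys / "david-laptop.key").write_text(fake("PRIVATE KEY"))
        (keys / "ta.key").write_text("#\n# 2048 bit OpenVPN static key\n#\n" + fake("OpenVPN Static key V1"))
        (keys / "david-laptop.ovpn").write_text(
            "client\ndev tun\nproto udp\nremote 203.0.113.10 1194\n"   # constructed address
            'ca "C:\\\\Program Files\\\\OpenVPN\\\\config\\\\ca.crt"\n'
            'cert "C:\\\\Program Files\\\\OpenVPN\\\\config\\\\david-laptop.crt"\n'
            'key "C:\\\\Program Files\\\\OpenVPN\\\\config\\\\david-laptop.key"\n'
            "tls-auth ta.key 1\nverb 3\n")
        return bundle_client(keys, "david-laptop").read_text()

if __name__ == "__main__":
    print(demo())
```

On the server, bundle_client(r"C:\Program Files\OpenVPN\easy-rsa\keys", "david-laptop") writes david-laptop-inline.ovpn, which is the only file the client then needs in its config folder. Because that one file now contains the client's private key, it should be handed over through a protected channel and stored with the same restricted permissions as the .key file it replaces.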

Starting OpenVPN

Next, on both the server and the client, we need to run OpenVPN from:
Start Menu -> All Programs -> OpenVPN -> OpenVPN GUI

Now, let’s double click the icon which appears in the system tray to start the connection. The dialog box that appears will close once the connection is established.

Final Thoughts

Firewall Settings

If you have any connection difficulties, ensure you set up a rule on the server’s firewall allowing incoming UDP traffic on port 1194 (press Win+R and run “wf.msc”).

Running OpenVPN as a Service

We can also run OpenVPN as a service, which will allow:

  • OpenVPN to be run from a non-administrative account.
  • OpenVPN to be started automatically at system startup. This is the preferred method to use on a server, as well as on any clients which will be continually connected to the server.

To run the Windows Services administrative tool, press Windows Key+R, type “services.msc” and press Enter. Next, locate the OpenVPN service and set its Startup Type to “Automatic.” Optionally, you can start the service now if desired.


Author Bio

About the Author: David Singer

I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....
