How to Setup OpenVPN On Windows Server
What is OpenVPN?
As noted previously in our OpenVPN article, this is an open-source Windows software package used to create a secure, site-to-site tunneled VPN connection that provides remote access between two locations. In this tutorial, we will be setting up an OpenVPN server on a Windows server.
OpenVPN consists of three parts:
- The OpenVPN-AS Server
- The Admin Web Interface/Admin GUI
- The Connection Clients
The OpenVPN Server
The OpenVPN server is the principal element of the OpenVPN-AS Server and manages the main functionality on the backend. Some functionality that is handled within the admin interface includes tunneling, routing, encryption, user management, authentication, and many other features. The OpenVPN server also consists of a WebGUI, which assists with control in several of the fundamental components of the software.
The Main WebGUI Administrative Interface
The main web-based GUI allows for the uncomplicated handling of the OpenVPN server elements. In the WebGUI, an admin can check routing options, privileges, network configurations, user validation, and other parameters. By default, an administrator can connect to the GUIWeb gateway by browsing to https://serverip:943/admin
The OpenVPN Connect Clients
The OpenVPN client is also an important part of the OpenVPN software. This application allows users to link to the VPN server directly in one of three ways. The VPN Client also offers the ability to download the user’s configuration file, which can be duplicated to other OpenVPN clients. The three options are:
- Browser Connect Client – This is the browser-based connection tool for openvpn. The web address for users is https://serverip:943
- OpenVPN Connect Client (Mac) – Simplistic single connection client
- OpenVPN Connect Client (Linux/Windows) – This is the OpenVPN client (which is different from the main openvpn-as program). This software requires a configuration file to work correctly.
Section 1. Installing OpenVPN
Download and Install OpenVPN
On a Windows server, we begin by downloading the Windows installer and then running it on our Windows server. Once that has completed, we begin the configuration portion of the setup.
Configuration, Certificates and Keys
Step 1: Change Directory
- Open the Start menu and go to "Windows System" >> and then right click on “Command Prompt” then "More" and select "Run as Administrator."
- Then, right click the menu item "Command Prompt".
- On the “User Account Control” pop up window, click "Yes" to accept the program to make changes this the server.
- Browse to the following folder location using the cd command in the administrative command prompt.
cd C:\Program Files\OpenVPN\easy-rsa
Step 2: Configure OpenVPN Server
- Now, we can begin the OpenVPN configuration. Type in the following command.
init-config
- Next, we open the “vars.bat” file in the notepad text editor.
notepad vars.bat
- Then, we will edit the subsequent lines switching the "US", "CA," settings that are consistent with your business' location.
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=OpenVPN
set KEY_EMAIL=mail@host.domain - Now, save the file and exit Notepad.
- Next, we will run the following commands.
vars
clean-all
Step 3. Create Certificates and Keys
- To create the Certificate Authority (CA) certificate and key, we need to run the following command.
build-ca
- This will prompt you to enter your country, state, and city. These options will also have default values, which appear within brackets. For the "Common Name," the most beneficial choice is to choose a unique name to distinguish your company.
Certificate Authority "OpenVPN-CA":
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [mail@host.domain]: - Next, we initiate the server's certificate and key using this command:
- When prompted, enter the "Common Name" as "server"build-key-server server
- When prompted to sign the certificate, enter "y"
- When prompted to commit, enter "y"
Step 4. Create Client/Server Certificates and Keys
- First, we should create our keys using the following command.
C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat
- For each client that will be connecting to the server, we must choose a unique name to identify that user’s computer, such as "david-laptop" in the example below.
build-key david-laptop
- Next, when prompted, we enter the "Common Name" as the name you have chosen for the client’s cert/key. We will repeat this step for every client computer that is going to connect to the VPN.
C:\Program Files\OpenVPN\easy-rsa>build-key david-laptop
- Now, we need to generate the “Diffie Hellman” parameters using the build-dh command. This step is necessary to set up the encryption model.
C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
- Next, we will generate a shared secret key (which is required when using tls-auth)
"C:\Program Files\OpenVPN\bin\openvpn.exe" --genkey --secret "C:\Program Files\OpenVPN\easy-rsa\keys\ta.key"
Section 2. Configure OpenVPN
OpenVPN provides sample configuration data which can easily be found using the start menu: Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files
Configure Server
Step 1. Copy/Edit Files
- Let’s begin by copying the sample “server configuration” file over to the easy-rsa folder. Here is the command and its output:
copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"
copy "C:\Program Files\OpenVPN\easy-rsa" "C:\Program files\OpenVPN\bin\openvpn.exe" --genkey --secret
copy "C:\Program Files\OpenVPN\easy-rsa\keys\ta.key" "C:\Program Files\OpenVPN\easy-rsa"
copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn" 1 file(s) copied. - Next, we will need to edit the server.ovpn file.
notepad "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn
- Now, locate the following lines within the file:
And edit them as follows:ca - ca.crt
cert - server.crt
key - server.key
dh - dh2048.pemca "C:\\Program Files\\OpenVPN\config\ca.crt"
cert "C:\\Program Files\OpenVPN\config\server.crt"
key "C:\\Program Files\OpenVPN\config\server.key"
dh "C:\\Program Files\OpenVPN\config\dh2048.pem" - Finally, save and close the file.
Step 2. Client Config Files
- Let’s begin by copying the sample “server configuration” file over to the easy-rsa folder. Here is the command and its output:
copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"
C:\Program Files\OpenVPN\easy-rsa "C:\Program files\OpenVPN\bin\openvpn.exe" --genkey --secret "C:\Program Files\OpenVPN\easy-rsa\keys\ta.key"
C:\Program Files\OpenVPN\easy-rsa copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"
1 file(s) copied.
C:\Program Files\OpenVPN\easy-rsa - Next, we will need to edit the server.ovpn file.
notepad "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"
- Now, locate the following lines within the file:
ca ca.crt
cert server.crt
key server.key
dh dh2048.pemAnd edit them as follows:
ca "C:\\Program Files\OpenVPN\config\ca.crt"
cert "C:\\Program Files\OpenVPN\config\server.crt"
key "C:\\Program Files\OpenVPN\config\server.key"
dh "C:\\Program Files\OpenVPN\config\dh2048.pem" - Finally, save and close the file.
Configure Client
Step 1. Copy Files
- Now we can copy the following files on the client from C:\Program Files\OpenVPN\easy-rsa\keys\ toC:\Program Files\OpenVPN\config\ on the server using the robocopy command:
-ca.crt
-ta.key
-dh2048.pem
-server.crt
-server.key
-server.ovpnrobocopy "C:\Program Files\OpenVPN\easy-rsa\keys\ " "C:\Program Files\OpenVPN\config\"
ca.crt
ta.key
dh2048.pem
server.crt
server.key
server.ovpn
-----------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-----------------------------------------------------
Started : Friday, December 27, 2019 12:16:02 PM
Source : C:\Program Files\OpenVPN\easy-rsa\keys\
Dest : C:\Program Files\OpenVPN\config\
Files :
ca.crt
dh2048.pem
server.crt
server.ovpn
Options : /DCOPY:DA /COPY:DAT /R:1000000 /W:30
--------------------------------------------------------------------
C:\Program Files\OpenVPN\easy-rsa\keys\
100% New File 2482 ca.crt
100% 432 dh2048.pem
100% New File 10901 server.ovpn
100% New File 657 ta.key
--------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs: 1 0 1 0 0 0
Files : 0 0 0 0
Bytes : 14.1 k 14.1 k 0 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Speed : 452250 Bytes/sec.
Speed : 25.877 MegaBytes/min.
Ended : Friday, December 27, 2019 12:16:02 PM
C:\Program Files\OpenVPN\easy-rsa - Now, we can copy the following files on the server from C:\Program Files\OpenVPN\easy-rsa\keys\ to C:\Program Files\OpenVPN\config\ for each client that will be using the VPN (e.g., david-laptop in this example)
-ca.crt
-ta.key
-david-laptop.crt
-david-laptop.key
-david-laptop.ovpnrobocopy "C:\Program Files\OpenVPN\easy-rsa\keys\ " "C:\Program Files\OpenVPN\config\ " ca.crt ta.key dh2048.pem server.crt server.key server.ovpn
-----------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-----------------------------------------------------------------------
Started : Friday, December 27, 2019 12:16:02 PM
Source : C:\Program Files\OpenVPN\easy-rsa\keys\
Dest : C:\Program Files\OpenVPN\config\
Files : ca.crt
ta.key
dh2048.pem
server.crt
server.key
server.ovpn
Options : /DCOPY:DA /COPY:DAT /R:1000000 /W:30
-----------------------------------------------------------------------
C:\Program Files\OpenVPN\easy-rsa\keys\
100% New File 2482 ca.crt
100% New File 432 dh2048.pem
100% New File 10901 server.ovpn
100% New File 657 ta.key
-----------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 4 4 0 0 0 0
Bytes :14.1 k 14.1 k 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Speed :452250 Bytes/sec.
Speed :25.877 MegaBytes/min.
Ended : Friday, December 27, 2019 12:16:02 PM
C:\Program Files\OpenVPN\easy-rsa
Starting OpenVPN
Next, on both the server and the client, we need to run OpenVPN from:
Start Menu -> All Programs -> OpenVPN -> OpenVPN GUI
Finally, double click the icon which appears in the system tray to start the connection. The subsequent dialog box will close upon an effective start.
Final Thoughts
Firewall Settings
If you have any connection difficulties, ensure you set up a rule on the server's firewall allowing incoming UDP traffic on port 1194. (Win+R "wf.msc")
Running OpenVPN as a Service
We can also run OpenVPN as a service, which will allow:
- OpenVPN to be run from a non-administrative account.
- OpenVPN to be started automatically on the systems startup. This is the preferred method to use on a server, as well as any clients which will be continually connecting to the server.
- To run the Windows Service administrative tool:
(Press Windows Key+R)
Type in "services.msc" and press ‘Enter’ to start the services.msc tool. Next, locate the OpenVPN service, and reset its Startup Type to "automatic." Optionally, you can start the service now if desired.
Security Tips
We can also run OpenVPN as a service, which will allow:
- OpenVPN to be run from a non-administrative account.
- OpenVPN to be started automatically at the systems startup. This is the preferred method to use on a server, as well as any clients which will be continually connecting to the server.
We Would Love to Hear From You!
We pride ourselves on being The Most Helpful Humans In Hosting™!
Our Support Team is full of experienced Linux technicians and talented System administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article.
Should you have any questions regarding this information, we are always available to answer any inquiries with issues related to this article, 24 hours a day, 7 days a week 365 days a year.
If you are a Fully Managed VPS server, Cloud Dedicated, VMWare Private Cloud, Private Parent server, Managed Cloud Servers, or a Dedicated server owner and you are uncomfortable with performing any of the steps outlined, we can be reached via phone @800.580.4985, a chat or support ticket to assisting you with this process.
Related Articles:

About the Author: David Singer
I am a g33k, Linux blogger, developer, student, and former Tech Writer for Liquidweb.com. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....
Our Sales and Support teams are available 24 hours by phone or e-mail to assist.
Latest Articles
2024 cPanel and Plesk pricing breakdown
Read ArticleCentOS Linux 7 EOL — everything you need to know
Read ArticleHow to install Node.js on Linux (AlmaLinux)
Read ArticleUpgrading or installing PHP on Ubuntu — PHP 7.2 and Ubuntu 22.04
Read ArticleWhy is your IP blocked?
Read Article