OpenVPN on Windows Server 2019

Here’s how to run OpenVPN using Windows Server 2019 for your OpenVPN server. The client is a PC running Windows 10.

In this article, we assume most of the work is done on the Windows 10 PC that will also be the client. We will use Remote Desktop Connection (RDC) to RDP to the Windows Server machine that we will use as the OpenVPN server.

If you are using a cloud server as your OpenVPN server, and your provider implements the concept of Security Groups, you will need to open port 1194 for UDP in the Security Group for your server. This applies to Amazon Web Services (AWS) and similar providers. If you want to be able to ping your server as an aid to troubleshooting, you will also need to allow ICMPv4 input. And, of course, since you will connect to the server over Remote Desktop Protocol (RDP), you must open port 3389 for TCP input.

This article was tested using an evaluation copy of Microsoft Windows Server 2019 Datacenter edition with desktop experience. The virtual server used for testing had 4 virtual cores, 2 GB of RAM, and 35 GB of storage.

Remote Desktop to Server

On your local PC, type the word remote in the Windows search box, and open the Remote Desktop Connection (RDC) app.

  1. Enter your server DNS name or IP address.
  2. Click Show Options.
  3. Select the Local Resources tab.
  4. Under Local devices and resources, click More.
  5. Select your local disk drive, and click OK.
  6. Now click Connect.

This connects from your local PC to the Windows machine that will be your server, but with access from the server to the drive on your local PC. You are asked to enter the username and password. Check the option to save them (Remember me).

To allow the use of Internet Explorer from Windows Server, click the Windows Start menu icon at the bottom left of your screen, and select Server Manager.

In the pane on the left of Server Manager, select Local Server. Find the setting for IE Enhanced Security Configuration, and toggle it to Off.

Install OpenVPN on Server

You previously set IE Enhanced Security Configuration to Off on your Local Server in Server Manager. Therefore you can now launch Internet Explorer on the server, and from the page https://openvpn.net/community-downloads/ download the latest OpenVPN installer for Windows. For example, at the time of writing, it was named openvpn-install-2.4.6-I602.exe.

Double-click on the installer to run it. When asked to choose components to install, make sure you include the EasyRSA Certificate Management Scripts. Also install the TAP-Windows Provider V9 Network adapters.

Initialize Certificate and Key Infrastructure

The EasyRSA scripts are installed in C:\Program Files\OpenVPN\easy-rsa. Navigate here in Windows Explorer, then type cmd in the address bar to open a Windows command prompt.

First enter the command:

init-config

This copies vars.bat.sample to vars.bat.

Open Notepad or Notepad++, and edit the values in vars.bat to your liking.

set KEY_COUNTRY=CN
set KEY_PROVINCE=Guangdong
set KEY_CITY=Shenzhen
set KEY_ORG=TestOrg
set KEY_EMAIL=test@example.com
set KEY_CN=55.66.77.88
set KEY_NAME=TestName
set KEY_OU=TestUnit

Also, back in your Windows Command Prompt, create the subfolder C:\Program Files\OpenVPN\easy-rsa\keys:

mkdir keys

Now load the variables you just edited, then run the clean-up script:

vars

clean-all

Build Certificate Authority (CA) Certificate and Key

Run the command:

build-ca

Make sure you give it a unique Common Name, e.g., Cindy CA. This creates ca.crt and ca.key in the keys subfolder.

Build Server Certificate and Key

Run the command:

build-key-server ec2

where ec2 is just an example of a certificate and key file name. Substitute in your own choice of name for the server key and certificate files instead of ec2. Make sure you give it a unique Common Name, e.g., 55.66.77.88 in our example. Leave the challenge password blank. When asked if you want to sign the certificate, enter y for Yes. When asked if you want to commit the certificate, enter y for Yes. This creates ec2.csr, ec2.crt and ec2.key in the keys subfolder.

Build Client Certificate and Key

Run the command:

build-key adminpc

where adminpc is just an example of a client name. Substitute in your own choice of name for the client instead of adminpc. Make sure you give it a unique Common Name, e.g., adminpc. Leave the challenge password blank. When asked if you want to sign the certificate, enter y for Yes. When asked if you want to commit the certificate, enter y for Yes. This creates adminpc.csr, adminpc.crt and adminpc.key in the keys subfolder.

Build Diffie-Hellman (DH) Parameters

Run the command:

build-dh

This creates dh2048.pem in the keys subfolder.

You can now close the Command Prompt window.
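Before copying anything out of the keys folder, it is worth confirming that what EasyRSA produced actually fits together. The following PowerShell is an added example, not part of the article: it uses the openssl.exe that the OpenVPN installer ships (the path below assumes a default installation) to check that each certificate was signed by ca.crt, that each private key belongs to its certificate, and that the DH parameters are 2048 bits. The names ec2 and adminpc are the article's example names.

```powershell
# Added example (not from the article): sanity-check the EasyRSA output before use.
# Assumed: default install path for the bundled openssl.exe.
$openssl = 'C:\Program Files\OpenVPN\bin\openssl.exe'
$keys    = 'C:\Program Files\OpenVPN\easy-rsa\keys'
Set-Location $keys

function Test-CertChain {
    # $true when the certificate verifies against ca.crt in this folder.
    param([string]$CertFile)
    $out = & $openssl verify -CAfile ca.crt $CertFile 2>&1
    return ($LASTEXITCODE -eq 0 -and "$out" -match ': OK')
}

function Test-KeyMatchesCert {
    # Compare the RSA modulus printed for the certificate and for the key;
    # a mismatch means OpenVPN will refuse to load the pair.
    param([string]$CertFile, [string]$KeyFile)
    $certMod = & $openssl x509 -noout -modulus -in $CertFile
    $keyMod  = & $openssl rsa  -noout -modulus -in $KeyFile
    return ($certMod -eq $keyMod)
}

foreach ($name in 'ec2', 'adminpc') {   # server and client names from the article
    '{0}: signed-by-ca={1} key-matches-cert={2}' -f $name,
        (Test-CertChain "$name.crt"),
        (Test-KeyMatchesCert "$name.crt" "$name.key")
    # Subject and validity period; the CN should be the one you typed at the prompt.
    & $openssl x509 -noout -subject -dates -in "$name.crt"
}

# The DH file should load and report "DH Parameters: (2048 bit)".
& $openssl dhparam -noout -text -in dh2048.pem | Select-String 'DH Parameters'
```

Run it from an ordinary PowerShell prompt on the server; every line should report True, and the validity dates tell you when you will need to re-run the build commands.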

Make Configuration File for Server

Using Windows Explorer, copy the file C:\Program Files\OpenVPN\sample-config\server.ovpn to C:\Program Files\OpenVPN\config. Rename it to ec2.ovpn, where ec2 is just an example of a server name.

Also copy the four files ca.crt, ec2.crt, ec2.key, and dh2048.pem into the C:\Program Files\OpenVPN\config folder.

Edit the file C:\Program Files\OpenVPN\config\ec2.ovpn.

Change the lines that specify the server certificate and key to read:

cert ec2.crt
key ec2.key

Uncomment (remove the initial semicolon from) the line:

push "redirect-gateway def1 bypass-dhcp"

Also uncomment the lines that push DNS servers to Windows clients:

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Comment out the TLS authorization key:

;tls-auth ta.key 0 # This file is secret

Make sure that you have specified a strong cipher:

cipher AES-256-GCM

Save the file with all these changes in it.

Install Routing and NAT on Server

From the Server Manager dashboard, select Add roles and features to the local server. When you get to the Server Roles screen, check Remote Access. When you get to the Remote Access’s Role Services screen, check Direct Access and VPN (RAS) and Routing.

When you get to the Confirmation screen at the end of the wizard, check the box to restart the destination server automatically if required. Click Install. When the installation progress is complete, click Close.

You receive a notification in Server Manager to run the post-deployment configuration wizard. Open the Getting Started Wizard to configure Remote Access. Select Deploy VPN Only. Select your server, then select Action > Configure and Enable Routing and Remote Access. On the configuration screen, select the radio button for Network Address Translation (NAT).

When you get to the NAT Internet Connection screen, your public interface may be grayed out and cannot be selected, or the list of interfaces may be blank, or you may not see the NAT Internet Connection screen at all. In this case, open Control Panel, go to Network and Internet, Network and Sharing Center, then Change Adapter Settings. Select the main Ethernet connection. Right-click on it, choose Properties, then click on the Sharing tab. Check the box to turn sharing on, and click OK. Now go back into it, and uncheck the sharing box. You can now select the Ethernet public interface on the NAT Internet Connection screen.

Click Finish.

Open Windows Defender Firewall with Advanced Security

You must open the Windows firewall for UDP input on port 1194. Click the Windows Start menu icon at the bottom left of your screen. Select Windows Administrative Tools. Launch Windows Defender Firewall with Advanced Security.

Select Inbound Rules in the pane on the left, and in the Actions pane on the right click New Rule. Work through the wizard, creating a Port rule that allows inbound UDP on local port 1194.

Click Finish.

If you want to be able to ping your server as an aid to troubleshooting, also allow ICMPv4. The rule already exists with the name File and Printer Sharing (Echo Request - ICMPv4-In). Select its row. In the right pane, click Enable Rule.

Start OpenVPN Service

Click the Windows Start menu icon at the bottom left of your screen. Select Windows Administrative Tools. Launch Services.

Locate the OpenVPN Interactive service, right-click, and Stop it. Also right-click, select Properties, and set the Startup type to Disabled.

Locate the main OpenVPNService, and change its Startup type to Automatic. Also Start it now.

Close the Services window.

Server Troubleshooting

Check C:\Program Files\OpenVPN\log\ec2.log for any messages.
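The firewall, service and log steps above can also be done from an elevated PowerShell prompt on the server, which is easier to repeat on a second server. This is an added example, not the article's own; the firewall rule name is my own choice, the interactive service is looked up by its display name because that is what the Services console shows, and ec2.log is the article's example log name.

```powershell
# Added example (not from the article): firewall, services and a first log check.
# Run in an elevated PowerShell prompt on the Windows Server 2019 machine.

# Inbound UDP 1194 for OpenVPN. The rule name below is assumed (any name works).
if (-not (Get-NetFirewallRule -DisplayName 'OpenVPN UDP 1194' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'OpenVPN UDP 1194' -Direction Inbound `
        -Protocol UDP -LocalPort 1194 -Action Allow -Profile Any | Out-Null
}

# Optional: answer pings, using the built-in rule the article points at.
Enable-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)'

# The interactive service exists for the GUI; on a headless server it stays off.
$interactive = Get-Service -DisplayName 'OpenVPN Interactive*' -ErrorAction SilentlyContinue
if ($interactive) {
    Stop-Service -Name $interactive.Name -Force
    Set-Service  -Name $interactive.Name -StartupType Disabled
}

# The main service loads every *.ovpn in the config folder; make it automatic and start it.
Set-Service   -Name OpenVPNService -StartupType Automatic
Start-Service -Name OpenVPNService

# Give it a moment, then confirm: the log should end with
# "Initialization Sequence Completed" and UDP 1194 should be bound.
Start-Sleep -Seconds 5
Get-Content 'C:\Program Files\OpenVPN\log\ec2.log' -Tail 20
Get-NetUDPEndpoint -LocalPort 1194
```

If the log instead complains about a certificate or key file, the file names in ec2.ovpn do not match what was copied into the config folder.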

Download Certificates and Key for Client

Provided you allowed access to your local drive when you set up your RDC connection, you can simply copy the three files ca.crt, adminpc.crt, and adminpc.key from the C:\Program Files\OpenVPN\easy-rsa\keys folder on the server to your local PC. For example, if your local user name is cindy, you could copy the files to C:\Users\cindy\Downloads.

Install OpenVPN on Client

On your local PC, from the OpenVPN Downloads page at https://openvpn.net/community-downloads/, download the latest installer for Windows. For example, at the time of writing, it was named openvpn-install-2.4.6-I602.exe.

Double-click on the installer to run it. You do not need the EasyRSA scripts on the client. The installer places an OpenVPN GUI shortcut icon on your desktop.

Make Configuration File for Client

On your PC, create a folder C:\Users\cindy\OpenVPN, where cindy is just an example of a user name. Inside C:\Users\cindy\OpenVPN, create a subfolder named config.

Copy the file C:\Program Files\OpenVPN\sample-config\client.ovpn to C:\Users\cindy\OpenVPN\config, where cindy is your user name. Rename the copied file to adminpc.ovpn (again, just an example of a client configuration name).

Also copy the files ca.crt, adminpc.crt, and adminpc.key from wherever you downloaded them into your C:\Users\cindy\OpenVPN\config folder.

The folder C:\Users\cindy\OpenVPN\config now contains four files: adminpc.ovpn, ca.crt, adminpc.crt, and adminpc.key.

Edit the file C:\Users\cindy\OpenVPN\config\adminpc.ovpn.

Change the line:

remote my-server-1 1194

to point to your own server. For example:

remote ec2-55-66-77-88.us-west-2.compute.amazonaws.com 1194

Change the client certificate and key file names to be the ones you chose, e.g.:

cert adminpc.crt
key adminpc.key

Comment out the TLS authorization key:

;tls-auth ta.key 1 # This file is secret

Make sure that you have specified a strong cipher:

cipher AES-256-GCM

Save the file with all these changes in it.
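The server-side edits (Make Configuration File for Server) and the client-side edits just described are the same kind of change: copy the sample file, copy the key material beside it, and rewrite or uncomment a handful of directives. The PowerShell below is an added example, not code from the article or the OpenVPN project, that applies both sets of edits and prints the resulting directive lines for review. It assumes the article's names (ec2, adminpc, user cindy), that the client files were downloaded to the user's Downloads folder, and uses the article's example AWS hostname as a placeholder for your own.

```powershell
# Added example (not from the article): apply the server and client .ovpn edits.
# Assumed: article's file names, Downloads as the client source folder, and the
# article's example hostname as a placeholder for the real server.

function Set-ConfigLine {
    # Rewrite the first line that starts with $Directive, whether it is active or
    # commented out with a leading ';' (the sample files' convention). The directive
    # must be followed by whitespace or end of line so 'remote' does not match 'remote-cert-tls'.
    param([string[]]$Lines, [string]$Directive, [string]$NewLine)
    $pattern = '^;?\s*' + [regex]::Escape($Directive) + '(\s|$)'
    $done = $false
    $out = foreach ($l in $Lines) {
        if (-not $done -and $l -match $pattern) { $done = $true; $NewLine } else { $l }
    }
    return $out
}

function New-ServerConfig {
    param([string]$Name = 'ec2')
    $base   = 'C:\Program Files\OpenVPN'
    $target = Join-Path "$base\config" "$Name.ovpn"
    Copy-Item "$base\sample-config\server.ovpn" $target -Force
    foreach ($f in 'ca.crt', "$Name.crt", "$Name.key", 'dh2048.pem') {
        Copy-Item "$base\easy-rsa\keys\$f" "$base\config\" -Force
    }
    $lines = Get-Content $target
    $lines = Set-ConfigLine $lines 'cert' "cert $Name.crt"
    $lines = Set-ConfigLine $lines 'key'  "key $Name.key"
    $lines = Set-ConfigLine $lines 'push "redirect-gateway' 'push "redirect-gateway def1 bypass-dhcp"'
    $lines = Set-ConfigLine $lines 'push "dhcp-option DNS 208.67.222.222"' 'push "dhcp-option DNS 208.67.222.222"'
    $lines = Set-ConfigLine $lines 'push "dhcp-option DNS 208.67.220.220"' 'push "dhcp-option DNS 208.67.220.220"'
    # The article turns tls-auth off. If you keep it, generate ta.key on the server
    # and copy it to every client alongside the certificates.
    $lines = Set-ConfigLine $lines 'tls-auth' ';tls-auth ta.key 0 # This file is secret'
    $lines = Set-ConfigLine $lines 'cipher'   'cipher AES-256-GCM'
    Set-Content -Path $target -Value $lines
    Get-Content $target | Where-Object { $_ -match '^(cert|key|push|;tls-auth|cipher) ' }
}

function New-ClientConfig {
    param([string]$Name = 'adminpc', [string]$User = 'cindy',
          [string]$Server = 'ec2-55-66-77-88.us-west-2.compute.amazonaws.com')  # placeholder
    $cfg = "C:\Users\$User\OpenVPN\config"
    New-Item -ItemType Directory -Path $cfg -Force | Out-Null
    $target = Join-Path $cfg "$Name.ovpn"
    Copy-Item 'C:\Program Files\OpenVPN\sample-config\client.ovpn' $target -Force
    foreach ($f in 'ca.crt', "$Name.crt", "$Name.key") {
        Copy-Item "C:\Users\$User\Downloads\$f" $cfg -Force   # assumed download location
    }
    $lines = Get-Content $target
    $lines = Set-ConfigLine $lines 'remote'   "remote $Server 1194"
    $lines = Set-ConfigLine $lines 'cert'     "cert $Name.crt"
    $lines = Set-ConfigLine $lines 'key'      "key $Name.key"
    $lines = Set-ConfigLine $lines 'tls-auth' ';tls-auth ta.key 1 # This file is secret'
    $lines = Set-ConfigLine $lines 'cipher'   'cipher AES-256-GCM'
    Set-Content -Path $target -Value $lines
    Get-Content $target | Where-Object { $_ -match '^(remote|cert|key|;tls-auth|cipher) ' }
}

# Run New-ServerConfig on the server and New-ClientConfig on the client:
# New-ServerConfig -Name ec2
# New-ClientConfig -Name adminpc -User cindy -Server your.server.example
```

Only the first matching line is rewritten, so the sample's second, commented-out remote line is left alone and the cipher line on each side ends up identical, which is what the two machines need to agree on.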

Start OpenVPN on Client

Double-click the OpenVPN GUI shortcut icon on your desktop.

Locate the OpenVPN icon in the system tray (bottom right of Windows desktop). Right-click on the OpenVPN icon. Click Connect.

A notification appears to say you are now connected, and the OpenVPN icon in the system tray turns green.

Client Troubleshooting

Check C:\Users\cindy\OpenVPN\log\adminpc.log for any messages.

Initial Test

From the client, ping the server's end of the tunnel (10.8.0.1 on OpenVPN's default 10.8.0.0/24 subnet):

ping 10.8.0.1

Then open https://ipchicken.com/ in a browser. Because the server pushes redirect-gateway, the public IP address shown should now be your server's address rather than your own.
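The two manual checks above can be made more precise from a PowerShell prompt on the client. The following is an added example, not part of the article: it confirms the tunnel address answers, that the redirect-gateway push really took effect, and that the pushed DNS servers landed on the TAP adapter. The addresses are the ones the article's server configuration uses; the adapter is found by the TAP-Windows driver description.

```powershell
# Added example (not from the article): post-connection checks on the Windows 10 client.

function Test-TunnelReachable {
    # True when the server's tunnel address answers ICMP.
    return (Test-Connection -ComputerName 10.8.0.1 -Count 2 -Quiet)
}

function Test-DefaultRouteRedirected {
    # "redirect-gateway def1" does not replace the default route; it adds 0.0.0.0/1
    # and 128.0.0.0/1, which beat 0.0.0.0/0 on prefix length. Both must be present.
    $halves = Get-NetRoute -AddressFamily IPv4 |
        Where-Object { $_.DestinationPrefix -in '0.0.0.0/1', '128.0.0.0/1' }
    return (@($halves).Count -eq 2)
}

function Get-TunnelDnsServers {
    # DNS servers bound to the TAP adapter; expect 208.67.222.222 and 208.67.220.220.
    $tap = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like 'TAP-Windows*' }
    return (Get-DnsClientServerAddress -InterfaceIndex $tap.ifIndex -AddressFamily IPv4).ServerAddresses
}

"tunnel reachable  : $(Test-TunnelReachable)"
"default redirected: $(Test-DefaultRouteRedirected)"
"tunnel DNS        : $(Get-TunnelDnsServers -join ', ')"
# Finally, load https://ipchicken.com/ in a browser: it should show the server's public address.
```

If the tunnel is reachable but the route check is False, the client connected but the server did not push redirect-gateway, which points back at the uncommented push line in ec2.ovpn.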