OpenVPN is one of the top dogs in the VPN industry. The software has been through many security audits and is considered to be very mature in that respect. Many providers use it to give their customers unparalleled and very secure access to their networks. It is relatively easy to get started, and set-up takes 10 to 15 minutes. The best part is that client and server are supported on all platforms, letting you access your network even when on the go, from your phone for example.
In this guide, you will learn how to install OpenVPN, set up both server and client endpoints, and configure them via configuration files. You can download the installer from here. It is very important to choose the right version for your operating system because OpenVPN uses the Microsoft TAP network interface adapter on Windows, and each version is different. If you are running Windows Server 2019, go ahead and download the Windows 10 version, as it has been proven to work on that version of Windows Server.
Before we begin, I recommend you check out this guide in order to set up EasyRSA and have your certificates generated and ready to install into OpenVPN. First we are going to install OpenVPN on both our “server” and “client” computers. Once you’re done downloading OpenVPN, run the installer.
Click “Next” and “Agree” to the terms.
You can select which components to install. Everything but the EasyRSA 2 Certificate Management Scripts is needed. The OpenVPN Service runs OpenVPN in the background at all times. The TAP Virtual Ethernet Adapter allows us to establish a link to the other end via the internet and routes data across it. The OpenVPN GUI lets you see what is happening with your connection via its log, and toggle the VPN on and off with ease. The “Advanced” portion allows minor changes such as starting OpenVPN at boot, or not allowing the password for your certificate’s key to be saved in the GUI.
Choose your installation folder and click “Install”. It is better to leave it by default. Wait for installation to complete and click “Finish”. Repeat for the other computer.
Right-click on the Start Menu and choose File Explorer. In the file path bar, erase the current path, enter “C:\Program Files\OpenVPN\sample-config” (without quotes, of course) and hit Enter on your keyboard. You will be taken to the OpenVPN folder containing sample configuration files.
You can open these files by simply clicking on them. When you do, they will be opened in Notepad. If the formatting is cluttered and unreadable, then your best bet is to right-click on a file and go to “Open with…”. After, click on “More apps” and find “Wordpad” on the list.
We are now going to open the “server” configuration file.
Here is our configuration. You are free to scroll down, read each option and how it is described, and configure accordingly. Though, we will be going over the configuration options in more detail.
This one makes a specific interface IP address on your OpenVPN server computer listen for incoming client connections. Usually it is best to leave it as is.
This is the port that your OpenVPN clients will be connecting to. For better security, it is best to change it to something else.
proto udp or tcp
Your OpenVPN server can run over UDP or TCP. For performance, UDP is recommended unless you encounter stability issues or low throughput.
You can run your OpenVPN server as a “tun” device, where IP packets are routed through the link, or as a “tap” device, which bridges a physical Ethernet connection with the TAP adapter. “tun” is recommended.
ca ca.crt
cert server.crt
key server.key
This is where you define the location and name(s) of your certificate files. In most cases, they will be placed in the same folder as the configuration.
Specify the location of the Diffie-Hellman parameters file generated in the EasyRSA guide as well. Again, this file will sit next to the configuration file.
Remove the “;” so this option is enabled in our configuration. We will be routing traffic using a traditional IP network, just like our LAN.
server 10.8.0.0 255.255.255.0
This will be the primary network of our VPN. Of course 10.8.0.1 will be the gateway for all the other VPN clients to connect to and route traffic through. A DHCP server will automatically be enabled with this setting and will hand out IP addresses to clients accordingly.
push "route 192.168.10.0 255.255.255.0"
This will allow clients connected to your VPN server to access the LAN behind it. You must find out your network subnet (if your LAN router’s IP is 192.168.1.1, for example, the route is 192.168.1.0 255.255.255.0) and push it to your clients.
You can assign a static IP to specific clients through the use of the certificate common names that have been defined and generated through EasyRSA. As described in the configuration, you can also route the client’s LAN through the VPN tunnel.
push "redirect-gateway def1 bypass-dhcp"
Once a client has connected to your VPN server, the VPN becomes a default route. When pushing this, all internet traffic will be routed through the VPN before reaching its destination.
push "dhcp-option DNS 220.127.116.11"
Forces VPN clients to use pre-defined DNS servers.
Allows VPN clients to see each other as well instead of only the server’s content, as described in the configuration.
keepalive 10 120
Pings the other end of your VPN link so that a disconnect is detected if and when it occurs. You will want this enabled in your config.
tls-auth ta.key 0
This helps prevent unauthorized attempts at compromising your VPN tunnel (man-in-the-middle attack). It is recommended that you generate the ta.key and place it along with the rest of your certificates in the configuration folder. Open Command Prompt and type in the command “cd C:\Program Files\OpenVPN\bin” and then “openvpn --genkey --secret ta.key”. The ta.key will be placed in the “bin” folder by default.
The strength of data encryption within your VPN tunnel. This is important so as to prevent any data from leaking on the internet. AES-256-GCM is recommended as well for stronger encryption.
push "compress lz4-v2"
comp-lzo
Generally you don’t want to use these settings as it may cause instability issues.
Allows a certain number of simultaneous connections from VPN clients. Adjust accordingly to your needs.
Prevents the tunnel interface from being deleted and recreated upon disconnect. You will want to leave this on for clients who are on Linux.
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3
mute 20
These are all logging settings for OpenVPN. By default the log files are placed in the “log” directory of your OpenVPN folder. “verb” defines how much is logged: if you need to debug connection problems, setting it to 5, 6, or 9 will help; otherwise leave it at 3. “mute” prevents log spam; set the number of repeated messages as you wish.
You will want this setting enabled. Allows the client to reconnect upon server restart/reconnect.
Your config should look something like this.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
topology subnet
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
auth-nocache
tls-auth ta.key 0
cipher AES-256-GCM
max-clients 2
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Go ahead and save your config as “server.ovpn” to “C:\Program Files\OpenVPN\config”, also move your server certificates and keys to this directory as well as “ta.key”.
Right-click on the Start Menu->Search. Type in “OpenVPN GUI” and click to run it.
Under the notification area in your Task Bar, you will see a screen with a lock, click on it to open the OpenVPN GUI. The server should start without a hitch, upon success the window will hide itself and continue running in the background, listening for incoming connections.
Go to your client computer. Make sure to have your client certificates and ta.key transferred by secure means such as a USB flash drive or LAN. For our client configuration, it should look something like this.
client
dev tun
proto udp
remote IPADDRESSHERE 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
verb 3
For our client configuration, we have added “client”, telling OpenVPN that we will be connecting to a server instead of acting as one. Under “remote” we have our server’s IP address followed by the port number. “resolv-retry infinite” forces the client to keep trying until it has established a connection to the server. “remote-cert-tls server” also helps protect our VPN tunnel from security risks, and “tls-auth ta.key” is set to 1 for the client. Go ahead and save this config as “client.ovpn” in your “config” directory, and move all required certificates there as well. You do not need dh.pem.
Note: Make sure on the server side to configure your router’s firewall accordingly to port forward 1194 and set a static IP address on your server computer to avoid complications later on.
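To check the server and client configurations above against the points this guide makes (tls-auth present with key direction 0 on the server and 1 on the client, cipher AES-256-GCM, no compression, remote-cert-tls on the client, keepalive on the server, a pushed LAN route that is a real network address rather than the router’s host IP, and a sane verb level), here is a small Python audit script. It is an added example, not part of this guide or of OpenVPN itself; the two embedded .ovpn texts are constructed samples modelled on the configs above, with 203.0.113.10 as a placeholder server address and deliberate mistakes (a host IP in the pushed route, comp-lzo and a missing remote-cert-tls on the client) so that the checks have something to report.

```python
import ipaddress
import re
import shlex

# Constructed sample server config (modelled on server.ovpn above).
# The pushed route uses the router's host IP on purpose, a common mistake.
SERVER_OVPN = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
topology subnet
server 10.1.0.0 255.255.255.0
push "route 192.168.1.1 255.255.255.0"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-GCM
max-clients 2
persist-key
persist-tun
verb 3
explicit-exit-notify 1
"""

# Constructed sample client config; comp-lzo is on and remote-cert-tls is
# missing on purpose. 203.0.113.10 is a placeholder server address.
CLIENT_OVPN = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-GCM
comp-lzo
verb 3
"""


def parse_ovpn(text):
    """Parse .ovpn text into a list of (directive, [args]) pairs.
    Lines starting with '#' or ';' are comments (';' is how the sample
    configs disable an option). A quoted argument such as the payload of
    push "route ..." is kept as one argument."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def find(entries, name):
    """All argument lists for a given directive name (may occur more than once)."""
    return [args for directive, args in entries if directive == name]


def audit(text):
    """Apply the guide's checklist; returns a list of findings (empty = clean)."""
    entries = parse_ovpn(text)
    is_client = bool(find(entries, "client"))
    findings = []

    ta = find(entries, "tls-auth")
    if not ta:
        findings.append("tls-auth missing: use 'tls-auth ta.key 0' (server) / 'ta.key 1' (client)")
    else:
        expected = "1" if is_client else "0"
        if len(ta[0]) < 2 or ta[0][1] != expected:
            findings.append(f"tls-auth key direction should be {expected} on this side")

    cipher = find(entries, "cipher")
    if not cipher or cipher[0][0].upper() != "AES-256-GCM":
        findings.append("cipher should be AES-256-GCM")

    if find(entries, "comp-lzo") or find(entries, "compress"):
        findings.append("compression enabled (comp-lzo/compress): remove it")

    if is_client and not find(entries, "remote-cert-tls"):
        findings.append("client lacks 'remote-cert-tls server'")

    if not is_client:
        if not find(entries, "keepalive"):
            findings.append("keepalive missing on server")
        port = find(entries, "port")
        if port and port[0][0] == "1194":
            findings.append("server listens on the default port 1194; consider changing it")
        # A pushed route must name the network address, not the router's host IP.
        for args in find(entries, "push"):
            m = re.match(r"route\s+(\S+)\s+(\S+)$", args[0])
            if m:
                ip, mask = m.groups()
                net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
                if str(net.network_address) != ip:
                    findings.append(f"pushed route {ip} {mask} has host bits set; "
                                    f"use {net.network_address} {mask}")

    verb = find(entries, "verb")
    if verb and int(verb[0][0]) > 3:
        findings.append("verb above 3: fine for debugging, noisy for daily use")

    return findings


if __name__ == "__main__":
    for name, cfg in (("server.ovpn", SERVER_OVPN), ("client.ovpn", CLIENT_OVPN)):
        print(name)
        for f in audit(cfg) or ["no findings"]:
            print("  -", f)
```

Run it as-is to see the two sample reports, or replace the embedded strings with the contents of your own server.ovpn and client.ovpn. On Windows, paths inside the config should use forward slashes or doubled backslashes as OpenVPN itself expects, since the parser treats a backslash as a quote character the way a shell would.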
Run the OpenVPN GUI on this computer. It should connect automatically with success. If you’re getting an EKU error on the connection, add the following to your server config file.
remote-cert-ku 00
remote-cert-eku "TLS Web Client Authentication"
Retrieve the KU number from the OpenVPN GUI client log box by scrolling up and pulling the 4 digit number in the red error text. You will enter the last 2 digits after “remote-cert-ku”. Click “Reconnect” and try again.
If you’re having problems transferring data through your VPN tunnel or if it feels slow, try adding the following to both configurations.
Click “Reconnect” on both the server and client GUI to restart.
You have now successfully created your very own personal VPN tunnel. Tweak your tunnel as you see fit and keep trying different settings to achieve maximum performance, functionality, and stability.