OpenVPN: how to install and configure

OpenVPN is one of the top dogs in the VPN industry. The software has been through many security audits and is considered very mature in that respect. Many providers use it to give their customers secure access to their networks. It is relatively easy to get started; a basic setup takes 10 to 15 minutes. The best part is that client and server are supported on all major platforms, letting you reach your network even when on the go, from your phone for example.

In this guide, you will learn how to install OpenVPN, set up both server and client endpoints, and configure them via configuration files. You can download the installer from here. It is important to choose the right version for your operating system, because on Windows OpenVPN relies on the TAP network interface adapter driver and each installer ships a different build of it. If you are running Windows Server 2019, download the Windows 10 version; it has been proven to work on that version of Windows Server.

Before we begin, I recommend you check out this guide to set up EasyRSA and have your certificates generated and ready to install into OpenVPN. First we are going to install OpenVPN on both our “server” and “client” computers. Once you’re done downloading OpenVPN, run the installer.

Click “Next” and “Agree” to the terms.

You can select which components to install. Everything except the EasyRSA 2 Certificate Management Scripts is needed. The OpenVPN Service runs OpenVPN in the background at all times. The TAP Virtual Ethernet Adapter is the virtual interface the tunnel is attached to: traffic routed to it is encrypted and sent to the other end over the internet. The OpenVPN GUI lets you watch the connection log and toggle the VPN on/off with ease. The “Advanced” portion covers minor options such as starting OpenVPN at boot or not allowing the password of your certificate’s private key to be saved in the GUI.

Click “Next”.

Choose your installation folder and click “Install”. It is better to leave it at the default. Wait for the installation to complete and click “Finish”. Repeat on the other computer.

Right-click on Start Menu->File Explorer. In the file path bar, erase the current path, enter “C:\Program Files\OpenVPN\sample-config” (without the quotes) and hit Enter. You will be taken to the OpenVPN folder containing the sample configuration files.

You can open these files by simply clicking on them; they will open in Notepad. If the formatting is cluttered and unreadable, your best bet is to right-click on a file and go to “Open with…”. Then click on “More apps” and find “WordPad” in the list.

We are now going to open the “server” configuration file.

Here is our configuration. You are free to scroll down, read each option and its description, and configure accordingly. Still, we will go over the important options in more detail.

local enteripaddresshere

This binds the server to one specific interface IP address on the OpenVPN server computer, so it only listens for incoming client connections there. Usually it is best to leave it commented out, in which case OpenVPN listens on all interfaces.

port 1194

This is the port your OpenVPN clients will connect to. Changing it from the default 1194 cuts down on noise from internet scanners, but it is not a security control: anyone who can scan the host will find it. What actually keeps strangers out is the certificate check and the tls-auth HMAC described below.

proto udp or tcp

Your OpenVPN server can run over UDP or TCP. UDP is recommended for performance; use TCP only if UDP is blocked on the networks your clients use or you run into stability problems, since carrying TCP sessions inside a TCP tunnel performs poorly.

dev tun

“tun” runs OpenVPN as a layer 3 tunnel: IP packets are routed into the link. “tap” bridges the TAP adapter with a physical Ethernet segment and carries whole Ethernet frames. “tun” is recommended unless you specifically need layer 2, for example for non-IP protocols or broadcast-based discovery.

ca ca.crt
cert server.crt
key server.key  

This is where you define the location and name(s) of your certificate files. In most cases they will be placed in the same folder as the configuration, so relative names like these are enough. Keep server.key private; it is the one file in this set that must never leave the server.

dh dh2048.pem

Specifies the location of the Diffie-Hellman parameters (not a key) generated in the EasyRSA guide. Again, this file sits next to the configuration file.

topology subnet

Remove the “;” so this is enabled in our configuration. Each client then gets one address out of a normal IP subnet, just like on a LAN, instead of the older per-client /30 layout.

server 10.8.0.0 255.255.255.0

This will be the primary network of our VPN. 10.8.0.1 is taken by the server and becomes the gateway that all VPN clients route through. OpenVPN hands out the remaining addresses of the pool to clients itself; no separate DHCP server is involved in tun mode.

push "route 192.168.10.0 255.255.255.0"

This lets clients connected to your VPN reach the LAN behind the server. Find out your LAN subnet (if 192.168.1.1 is your router’s IP, for example, the subnet is 192.168.1.0 255.255.255.0) and push it to your clients. Note that a pushed route only tells the client where to send packets: the server host must also forward them, and the LAN devices need a return route to 10.8.0.0/24 (or the server must NAT the VPN addresses), otherwise replies never come back.

client-config-dir ccd

Through this directory you can assign a static IP to specific clients, matched by the certificate common names you defined and generated with EasyRSA: each client gets a file named after its common name. As described in the configuration, you can also route a client’s LAN through the VPN tunnel with an “iroute” in that client’s file.
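As an added example, not taken from the sample configuration: a server fragment and a ccd file for a client whose certificate common name is “laptop1”, which gets the fixed address 10.8.0.10 and has a LAN 192.168.50.0/24 behind it that the other VPN users should reach. The common name, the addresses and the subnets are assumptions for illustration. The ccd directory is relative to the config directory, so on the server this file lives at C:\Program Files\OpenVPN\config\ccd\laptop1, with no file extension (check that Notepad did not append .txt).

```text
# server.ovpn (additions)
# LAN behind the server, pushed to every client
push "route 192.168.10.0 255.255.255.0"
client-config-dir ccd
# the server's own routing table: laptop1's LAN lies behind the tun interface
route 192.168.50.0 255.255.255.0
# let the other clients reach it too (needs client-to-client on the server)
push "route 192.168.50.0 255.255.255.0"

# ccd\laptop1
# fixed address; with "topology subnet" the second argument is the netmask
ifconfig-push 10.8.0.10 255.255.255.0
# internal route: packets for this LAN are delivered to laptop1's tunnel
iroute 192.168.50.0 255.255.255.0
```

The “route” line and the “iroute” line must both be present: the first makes the operating system hand the packets to OpenVPN, the second tells OpenVPN which connected client owns that subnet. Without the “iroute”, OpenVPN drops the packets as coming from an unknown source.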

push "redirect-gateway def1 bypass-dhcp"

Once a client has connected, the VPN becomes its default route: all internet traffic is sent through the tunnel before reaching its destination. “def1” does this by adding two more-specific routes (0.0.0.0/1 and 128.0.0.0/1) instead of replacing the client’s default route, so the original route survives a crash, and “bypass-dhcp” keeps the client’s local DHCP traffic off the tunnel so it does not lose its lease. Only push this if the server forwards and NATs internet traffic for its clients.

push "dhcp-option DNS 208.67.222.222"

Pushes DNS servers to the VPN clients. Whenever you push redirect-gateway, push DNS as well, otherwise name lookups keep going to the client’s local resolver outside the tunnel. For Windows clients, also consider pushing “block-outside-dns”, which stops Windows from querying the resolvers of other interfaces in parallel.

client-to-client

Allows VPN clients to see each other, instead of only what is behind the server, as described in the configuration. By default clients are isolated from one another; leave it off unless you need it.

keepalive 10 120

Sends a ping over the tunnel every 10 seconds and assumes the link is down if nothing is heard for 120 seconds, so a dead connection is torn down and the client reconnects. On the server this also pushes the matching settings to clients. You will want this enabled in your config.

tls-auth ta.key 0

This adds an HMAC signature to every control-channel (TLS handshake) packet using a shared key. Packets without a valid signature are dropped before they ever reach the TLS code, which shuts out port scanners, denial-of-service floods and attacks on the TLS stack from anyone who does not hold ta.key; it is the certificates, not ta.key, that prevent a man-in-the-middle. Generate the key and place it with the rest of your certificates in the configuration folder. Open an administrator Command Prompt and type “cd C:\Program Files\OpenVPN\bin” followed by “openvpn --genkey --secret ta.key”. The ta.key will be placed in the “bin” folder by default. The “0” on the server and “1” on the client select the key direction and must differ. On OpenVPN 2.4 and later, “tls-crypt ta.key” (same key file, no direction argument, on both ends) is the better choice, since it also encrypts the control channel.

cipher AES-256-CBC

The cipher for data encryption within your VPN tunnel, which is what keeps the contents of your traffic private on the internet. AES-256-GCM is recommended over AES-256-CBC: it is an authenticated (AEAD) cipher, so confidentiality and integrity come from one primitive, and it is faster on modern CPUs. On OpenVPN 2.4 and later the two ends negotiate the data-channel cipher and AES-256-GCM is chosen whenever both sides support it; “cipher” then only matters for older peers.

push "compress lz4-v2"
comp-lzo

Generally you do not want to use these settings. Compression causes instability, and compressing data before encrypting it also leaks information about the plaintext through the ciphertext size, which is why current OpenVPN documentation recommends against it. Leave it off on both ends.

max-clients 100

Limits the number of simultaneous client connections. Adjust to your needs.

persist-key
persist-tun

“persist-key” keeps the key material in memory across a restart instead of re-reading the files, and “persist-tun” keeps the tunnel interface open instead of closing and re-creating it. Both matter on clients that drop privileges after start-up (typical on Linux), where the restarted process could no longer read the keys or re-create the interface; leave them on.

status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 3
mute 20

These are the logging settings. By default the files end up in the “log” directory of your OpenVPN folder. “verb” sets how much is logged: leave it at 3 and raise it to 5 or 6 only while debugging connection problems (9 logs every packet and fills the disk quickly). “log” truncates the file at every start while “log-append” keeps adding to it, so use one or the other, not both. “mute” limits how many consecutive messages of the same category are written; set the number to your liking.

explicit-exit-notify 1

You will want this setting enabled (UDP only; it has no effect with TCP). When the server restarts or shuts down it sends an exit notification, so clients notice immediately and reconnect instead of waiting for the keepalive timeout.

Your config should look something like this.

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
topology subnet
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
auth-nocache
tls-auth ta.key 0
cipher AES-256-GCM
max-clients 2
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

Go ahead and save your config as “server.ovpn” in “C:\Program Files\OpenVPN\config”, and move your server certificates and keys into this directory together with “ta.key”.

Right-click on the Start Menu->Search. Type in “OpenVPN GUI” and click to run it.

In the notification area of your Task Bar, you will see an icon of a screen with a lock; click on it to open the OpenVPN GUI. The server should start without a hitch; on success the window hides itself and OpenVPN keeps running in the background, listening for incoming connections.

Go to your client computer. Transfer the client certificate, its key and ta.key by secure means, for example on a USB flash drive or over SSH/SCP; never send the private key by e-mail or over an unencrypted share. Better still, generate the key pair on the client and only move the certificate request to the CA machine for signing, so the private key never leaves the client. Our client configuration should look something like this.

client
dev tun
proto udp
remote IPADDRESSHERE 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
verb 3

For our client configuration, we have added “client”, telling OpenVPN that we connect to a server instead of acting as one. Under “remote” we have our server’s IP address followed by the port number. “resolv-retry infinite” makes the client keep retrying until it has established a connection to the server. “remote-cert-tls server” requires the server’s certificate to carry the server key usage and extended key usage, so that a stolen client certificate signed by the same CA cannot be used to impersonate the server, and “tls-auth ta.key” is set to 1 for the client. Save this config as “client.ovpn” in your “config” directory and move the required certificates there too. You do not need dh2048.pem on the client.
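To check a finished server.ovpn or client.ovpn against the points made above (tls-auth present with the right key direction, no compression, an AEAD cipher, remote-cert-tls on the client, keepalive on the server, DNS pushed alongside redirect-gateway), here is a small audit script. It is an added example, not part of OpenVPN or of this guide’s files; the four embedded configs are constructed samples, and 203.0.113.10 is a documentation address standing in for your server. Run it with Python 3 on either computer, or call audit() on the contents of any .ovpn file.

```python
"""Audit an OpenVPN .ovpn file for the settings this guide recommends.
Added example, not part of OpenVPN; the configs at the bottom are constructed
samples (two that follow the guide and two that break its advice on purpose)."""
import shlex

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}


def parse_ovpn(text):
    """Return [(directive, [args])], skipping blank lines and '#'/';' comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps push "route a b" as a single argument
        entries.append((parts[0], parts[1:]))
    return entries


def pushed(entries):
    """Yield the (directive, [args]) carried inside every push "..." line."""
    for directive, args in entries:
        if directive == "push" and args:
            inner = shlex.split(" ".join(args))
            if inner:
                yield inner[0], inner[1:]


def audit(text):
    """Return a list of findings; an empty list means the config follows the guide."""
    entries = parse_ovpn(text)
    names = {d for d, _ in entries}
    is_client = "client" in names
    findings = []
    # Control-channel HMAC: without it anyone on the internet can talk to the TLS stack.
    if "tls-auth" not in names and "tls-crypt" not in names:
        findings.append("no tls-auth/tls-crypt: control channel accepts packets from anyone")
    for d, a in entries:  # key direction must be 0 on the server and 1 on the client
        if d == "tls-auth" and len(a) >= 2 and a[1] != ("1" if is_client else "0"):
            findings.append(f"tls-auth direction {a[1]} is wrong for a {'client' if is_client else 'server'}")
    # Compression: unstable, and compress-then-encrypt leaks plaintext through ciphertext size.
    for d, a in entries + list(pushed(entries)):
        if d == "comp-lzo" or (d == "compress" and a and not a[0].startswith("stub")):
            findings.append(f"compression enabled ({' '.join([d] + a)}): remove it")
    # Data-channel cipher: reject legacy ciphers, prefer AEAD (GCM) over CBC.
    for d, a in entries:
        if d == "cipher" and a and a[0].upper() in WEAK_CIPHERS:
            findings.append(f"cipher {a[0]} is weak; use AES-256-GCM")
        elif d == "cipher" and a and a[0].upper().endswith("-CBC"):
            findings.append(f"cipher {a[0]}: prefer AES-256-GCM (authenticated encryption)")
    if is_client and "remote-cert-tls" not in names:
        findings.append("client lacks remote-cert-tls server: a client cert could impersonate the server")
    if not is_client and "keepalive" not in names:
        findings.append("server lacks keepalive: dead clients are never timed out")
    # Redirecting all traffic without pushing DNS leaves name lookups outside the tunnel.
    pushes = list(pushed(entries))
    if any(d == "redirect-gateway" for d, _ in pushes) and not any(
            d == "dhcp-option" and a[:1] == ["DNS"] for d, a in pushes):
        findings.append('push "redirect-gateway" without push "dhcp-option DNS": DNS leaks')
    return findings


# Constructed samples (203.0.113.10 is a documentation address, not a real server).
GUIDE_SERVER = """\
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-GCM
"""
GUIDE_CLIENT = """\
client
dev tun
remote 203.0.113.10 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
"""
WEAK_CLIENT = """\
client
remote 203.0.113.10 1194
tls-auth ta.key 0
cipher BF-CBC
comp-lzo
"""
WEAK_SERVER = """\
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "compress lz4-v2"
cipher AES-256-CBC
"""
```

audit(GUIDE_SERVER) and audit(GUIDE_CLIENT) return an empty list, while the two WEAK_ samples produce one finding per mistake (wrong tls-auth direction, BF-CBC, comp-lzo and the missing remote-cert-tls on the client; missing tls-auth, pushed compression, a CBC cipher, no keepalive and a DNS leak on the server). The parser only understands the line-oriented format used in this guide; configs with inline <ca>…</ca> blocks will produce noise entries but no crash.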

Note: On the server side, configure your router’s firewall to forward UDP port 1194 to the server, allow that port in the server’s own Windows firewall, and give the server computer a static IP address to avoid complications later on.

Run the OpenVPN GUI on this computer. It should connect automatically. If the client log shows an EKU or KU error instead, the server certificate does not carry the “TLS Web Server Authentication” extended key usage that “remote-cert-tls server” demands; typically it was generated as a client certificate in EasyRSA. The clean fix is to re-issue the server certificate with EasyRSA’s server type. As a workaround, replace “remote-cert-tls server” in the client config with explicit checks that match what the certificate actually contains:

remote-cert-ku 00
remote-cert-eku "TLS Web Client Authentication"

Retrieve the KU value from the OpenVPN GUI client log box by scrolling up to the red error text and reading the 4-digit hexadecimal number; enter its last 2 digits in place of “00” after “remote-cert-ku”. Be aware that this weakens the check: a certificate issued to any client now passes as a server. Click “Reconnect” and try again.

If you are having problems transferring data through your VPN tunnel, or it feels slow, you are probably hitting fragmentation. Add the following to both configurations so that TCP sessions inside the tunnel use segments small enough to fit in a single UDP datagram.

mssfix 1300

Click “Reconnect” on both the server and client GUI to restart.

You have now successfully created your very own personal VPN tunnel. Tweak your tunnel as you see fit and keep trying different settings to achieve maximum performance, functionality, and stability.