In this blog article we are going to discuss about How to setup OpenVPN on Windows Server 2019. A VPN is short form of virtual private network, which gives us a privacy, anonymity and security over public internet. A VPN service masks our ISP IP so your online actions are virtually untraceable. A VPN can also be used to connect computers to isolated remote computer networks that is usually inaccessible, by using the Internet or another intermediate network.

We can define OpenVPN as a full-featured SSL VPN. OpenVPN uses OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol. OpenVPN supports flexible client authentication methods based on certificates, smart cards and username/password credentials. OpenVPN is not a web application proxy and does not operate through a web browser. OpenVPN server process over a single TCP or UDP port. The default port number is 1194. OpenVPN 2.3 includes a large number of improvements, including full IPv6 support and PolarSSL support.

OpenVPN is also the name of the open source project started by our co-founder and which uses the GPL license. He developed the OpenVPN project that used to encrypt and secure point-to-point or site-to-site connection between two machines over the public Internet. In other word using OpenVPN we can create a secure Private network over public Internet and will have Remote access to internal services of your IT infrastructure.

Use Cases of OpenVPN

Secure Remote Access
Site-to-site , Users-to-Site or Users-to-Users connectivity to bring networks together
Protect screen sharing and remote desktop communications
Encrypt sensitive IoT communications
Secure Access to Cloud-Based Systems

OpenVPN available as Below.

  1. OpenVPN Community Edition, which is a free and open-source version
  2. OpenVPN Access Server (OpenVPN-AS), is based on the Community Edition, but provides additional paid and proprietary features like LDAP integration, Easy Management Admin Portal ,cluster option etc.
  3. OpenVPN-as-a-Service, solution eliminates the need for VPN server installation. By Purchasing OpenVPN Cloud we can simply connect to our hosted service with regions around the globe.

Apart from OpenVPN Community Edition, the other two OpenVPN editions has Economical licensing model that is based only on the number of simultaneous VPN connecting users or devices.

The OpenVPN Community Edition totally free to use and there is no user limitations. OpenVPN community edition server can be installed on Linux or Windows Based systems.

OpenVPN for Windows

It can be installed from the self-installing exe file which is called OpenVPN GUI. OpenVPN GUI is a graphical fronted for OpenVPN running on Windows. It creates an icon in the notification area from which you can control OpenVPN to start/stop your VPN tunnels, view the log and do other useful things.

OpenVPN Connect client

It is the OpenVPN client software packages installing on client PC. This client package used to connect to the OpenVPN server. OpenVPN Connect client supported on Windows, Linux, MacOS, IOS and Android.

Setting Up OpenVPN Server.

In this article will show you how to Setup up a OpenVPN Server ( Community Edition) On Windows Server 2019 to forward incoming traffic to the internet, then route the responses back to the client. This is a Users-to-Site Model.Which means settings up a OpenVPN Windows Server to tunnel clients internet traffic through OpenVPN server. Those clients that successfully connected to the OpenVPN server will have their ISP IP Address will show as servers Public IP address.Commonly, a VPN tunnel is used to privately access the internet, evading censorship or Geo location by shielding your computer’s web traffic when connecting through entrusted hotspots, or connections.

Section 1. Installing OpenVPN Server

Let’s get Started. Download the latest Windows 64-bit MSI installer for OpenVPN Community edition from official OpenVPN Website, under community section.

The OpenVPN executable should be installed on both server and client machines, since the single executable provides both client and server functions.

Once Downloaded double click the installer exe file. the following screen will appear, click “Customise”  to start the installation.

Make sure to choose all features by clicking the icon next to each features and selecting it.  Below are the two features which will not be installed by default and we need to select during install.

Openssl utilities , EasyRSA 3 Certificate Management scripts

OpenVPN service.

Click Install Now button.

The install will get completed and we will get below screen. Click Close.

We will get a warning message as ” No readable connection profiles ( config files ) found. Its fine , click OK.

This Completes the OpenVPN MSI Package install. After the install, if we go to  Server “Network and Internet ” settings  >>  Under Ethernet >> Change adaptor options >> We can see a new network adaptor named OpenVPN TAP device created.

We can restart the OpenVPN service from Windows Start Menu -> Control Panel -> Administrative Tools -> Services.

While starting the OpenVPN service the OpenVPN will look for .ovpn configuration file under folder C:\Program Files\OpenVPN\config

Another option to start/stop OpenVPN service is  Click on Windows hidden notification area from task bar , there we can see the OpenVPN icon, right click on it and you will see multiple options including Connect and Disconnect.

If you don’t see the OpenVPN icon in the Windows task bar notification area, double click the OpenVPN icon available in the desktop and that will make the OpenVPN icon available at the windows task bar notification area.

For better understanding refer below screenshot.

Now if you would like to add any OpenVPN features later you can use commands like below. Below example cmd command will install OpenVPN service feature on existing  installed OpenVPN Server.

Copy to Clipboard

Section 2. Setup Master Certificate Authority (CA) and Generate Certificates and keys for OpenVPN Server and Clients.

OpenVPN uses public-key infrastructure (PKI) for certificate generation and Management. It is the technology behind digital certificates. There for, PKI is the technology that allows you to encrypt data, digitally sign documents, and authenticate yourself using certificates.

The PKI consists of:

  1. A separate certificate (also known as a public key) and private key for the server and each client, and
  2. A master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.

For PKI management,  OpenVPN provided  easy-rsa 2, a set of scripts which is bundled with OpenVPN MSI.

The easy-rsa2 scripts folder location should be C:\Program Files\OpenVPN\easy-rsa

If its not available,  From Windows  Server open browser and go to link

Click Code >> Click Download Zip

A zip file named “easy-rsa-old-master” will get downloaded. Unzip it.

Create a Folder named “easy-rsa” under C:\Program Files\OpenVPN\

Now copy all files from Downloaded folder \easy-rsa-old-master\easy-rsa\Windows folder to C:\Program Files\OpenVPN\easy-rsa

Now if we fire up, commands like  below from windows cmd line, we will be able to perform things like

Easy-Rsa 2 Script Purpose
init-config.bat copy vars.bat.sample vars.bat
Initialise the PKI
build-ca Generates certificate authority (CA) certificate and key
build-key-server server
Generate a certificate and private key for the server
build-key client1
Generating client certificates for client named client1
Generates Diffie Hellman parameters

First run the command “init-config” from windows cmd.


After running the first command “init-config” edit the vars.bat  file  and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don’t leave any of these parameters blank.

For editing the vars.bat file, open up the following directory using Windows Explorer

C:\Program Files\OpenVPN\easy-rsa

using Notepad (or another text editor) edit the batch file named vars.bat. I have Changed the following settings (the bottom of the file) to meet our requirements.

Make sure the KEY_CN and KEY_NAME variable value should be identical. For your “Common Name,” a good choice is to pick a name to identify your company’s Certificate Authority.

Here I use the Common name as the VPN server Hostname.

set KEY_CITY=SanFrancisco
set PKCS11_MODULE_PATH=changeme
set PKCS11_PIN=1234

Save the file and exit notepad. It will look like below. Then proceed with other commands.

Copy to Clipboard

Now its the time to run build-ca.bat command. But the problem with this easy-rsa scripts like build-ca is they will only work if the openssl package preinstalled on our Windows Servers because  easy-rsa scripts invoke the interactive openssl commands for issuing SSL/TLS certificates.

In Most windows Servers the openssl toolkit won’t be available because its not a package provided by Microsoft. So we have to install it manually, then only we can make the easy-rsa scripts to work.

So  In this case we decided to not use easy-rsa scripts for generating SSL/TLS certificates and instead use the openssl commands directly.

First make sure if the openssl toolkit installed in the server by issuing below version check command on windows cmd.

Copy to Clipboard

If it shows any error like  openssl is not recognised as an internal or external  command, we need to install the openssl toolkit first.

Section 2 a. Install  and Setup openssl toolkit

Only follow this section if your server doesn’t have openssl toolkit available, otherwise skip this part and move on to next Section 2 b.

Open Windows Powershell and download the openssl package using below command.

Copy to Clipboard

Now perform the install by double-clicking on .exe file or from PowerShell issue below command.

Copy to Clipboard

A popup window will appear with message as Microsoft Visual C++ 2019 package is missing from the server.  We need to install this package prior to proceed with the openssl package install .So click Yes for downloading the package.

Double click the  downloaded Microsoft Visual C++ 2019 Redistributables msi installer.  A another popup window will appear. Confirm the Licence Agreement and click Install.

We will get a success message after installation. Click close.

Now go back to the OpenSSL install wizard, Accept the Licence Agreement and Click Next.

Choose the Install directory and click Next,  In our case, we are choosing the install directory as C:\OpenSSL-Win64

Select Folder for OpenSSL Application shortcut. Leave the default one as it is and click Next.

Choose the copy OpenSSL DLL files as The windows system directory, which is the default one and Click Next.

Click “Install ” to proceed with the install  of OpenSSL on Windows Server 2019.

Give few minutes to complete the install, A progress bar  like below will show the status of install.

Click Finish to Complete the OpenSSL install.

Now add OpenSSL install  binary folder C:\OpenSSL-Win64\bin to the Windows environment PATH by issuing below two powershell commands.

Copy to Clipboard

Now export the  OPENSSL_CONF  as environment variable to server system variables section. Use below Powershell command.

Copy to Clipboard

The command output will look like below.

Now, we need to add the system variable OPENSSL_CONF permanently.

For that Press Windows + R keys together to open run window, Then type “sysdm.cpl” in the Run dialog box and hit Enter.

Go to “Advanced” tab and click on “Environment variables”. Click New under System Variables section.

Add values in the “variable name”  as OPENSSL_CONF and “variable value” value box as C:\OpenSSL-Win64\bin\openssl.cfg . Click OK Two times and Apply and OK from System Properties window.


Section 2 b . Configure OpenSSL.

In this section, we configure OpenSSL installed in the server to build SSL/TLS certificated as per OpenVPN recommendation. For that,

  1. First go the folder C:\OpenSSL-Win64\bin and create folder named “demoCA” . This is the folder where we kept generated certificates and other related files.
  2.  Now under the “demoCA” folder create another folder named “certs” . This is the folder where the issued certs are kept.
  3. Now under the “demoCA” folder itself, create another folder named “newcerts”. This is the default folder for new certs.
  4. Under folder “demoCA” create a file named “serial”. Make sure there is no file extension like .txt. Enter a value as “01” in the file. It holds the current serial number
  5. Lastly under folder “demoCA” create a empty file named “index.txt”

Refer below screenshot for getting an idea about file structure.

Now open the OpenSSL config file C:\OpenSSL-Win64\bin\openssl.cfg using any text editor.

Under [ CA_default ] section , set “dir” variable location as C:\\OpenSSL-Win64\\bin\\demoCA

To avoid a possible Man-in-the-Middle attack where an authorised client tries to connect to another client by impersonating the server, make sure to enforce some kind of server certificate verification by clients. For accomplishing this we are following below method.

Build our server certificates with specific key usage and extended key usage as per RFC3280.

Now as part of creating  CERT with the extended key attributes, first verify  under which section we need define extended key attributes. For that look under [ req ] section in  file C:\OpenSSL-Win64\bin\openssl.cfg

Normally it should look like below.  If its not, make the arrangement like below.

[ req ]

default_bits = 2048
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
req_extensions = v3_req
x509_extensions = usr_cert

In the above section  what we understood is all the x509 extension that are required should be specified in [ usr_cert ] section in C:\OpenSSL-Win64\bin\openssl.cfg

So find out the [ usr_cert ]  section and make sure below values are defined.

[ usr_cert ]

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection

After adding the extensions to usr_cert , Now find out [ v3_req ] section and  insert same Extensions to add to a certificate request. As this section will have the extension that the certificate request should have.

Below is the extensions we normally needed.

extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

Now also make sure below extension  key values  added under [ v3_ca ] section too.  From this section our CA certificate extension will be added.  Below is the necessary values need to added or enabled.

basicConstraints = critical,CA:true

Finally save the OpenSSL config file C:\OpenSSL-Win64\bin\openssl.cfg .  Refer below screenshots so you will get an idea how the config file will look like.

This Completes the OpenSSL configuration according to OpenVPN recommendation.  Now lets Proceed with the  SSL/TLS Certificate creation.

Section 2 c. Generate SSL/TLS Certificates.

In this section we are creating CA,  generate certificate & key for server and client. Sign those certificates using CA certificates. For all these tasks we use openssl commands.

Build a cert authority valid for ten years, starting now.

Open windows cmd , go to the directory C:\OpenSSL-Win64\bin\demoCA.  Issue below command.

Copy to Clipboard

We will ask to input information’s that will be incorporated in to the certificate request. Below are fields and Answered I have used. You can enter values as per your requirement.

In the common name field, I entered my VPN server Hostname which is OPENVPNSERVER, and it is a common practice. Here we are free to use any name or values.

Field Value
Country Name US
State or Province Name CA
Locality Name SanFrancisco
Organisation Name OpenVPN
Organisation Unit Name IT
Email Address

Below is the captured screenshot of above issued command output.

After creating the CA certificate , we can check if the extensions are still properly added by issuing below command.

Copy to Clipboard

The captured output of above verify command will look like below. From the results we can see our added  Extended Key usage parameters, validation details  are  with the generated SSL/TLS CA certificate.

Now Generate certificate & key for server

For that first issue below command for build a request for a server cert that will be valid for ten years.

Copy to Clipboard

Enter the needed information as we described earlier. Attached a screenshot for your reference. In the Common Name Field  I have given the name as “Server” because the SSL/TLS certificate request are generating for the server.

Now we can confirm the generated server csr certificate has the Extended Key Usage values by using below command.

Copy to Clipboard

The output of above command will look like below. We will be able to see the Extended Key usage values from the result.

Now sign the server cert request with our ca, creating a cert/key pair.

For that issue below command.

Copy to Clipboard

We will be asked to confirm the signing of Certificate, type “Y” and also commit the changes by typing “Y”

Attached a screenshot for reference.

After signing the cert , we can check if the extensions are still properly added by issuing below command.

Also we can verify server certificate against the root CA certificate. An OK indicates that the chain of trust is intact.

Copy to Clipboard

The captured output of above verify command will look like below. From the results we can the Extended Key usage parameters are enabled with the generated SSL/TLS certificate.

Now Generate certificates & keys for 1 clients using below command.

Copy to Clipboard

Enter the Necessary information as we discussed earlier. Here the only change I made is changed the Common name to Client1 because I am generating this certificate for the VPN client named client1.

The command output will look like below.

Now sign the client cert request with our ca, creating a cert/key pair. Use below command.

Copy to Clipboard

We will be asked to confirm the Signing of Certificate and Commit the changes. Type “y” for both and Hit Enter.

Screenshot Attached for reference.

This Completed the CA certificate, Sever and Client Certificate Generation along with Key. These keys will be used to authenticate between OpenVPN server and with the Client.

Now we need to Generate Diffie Hellman parameters.

Diffie Hellman parameters must be generated for the OpenVPN server.

These parameters define how OpenSSL performs the Diffie-Hellman (DH) key-exchange. Diffie–Hellman key exchange is a method of securely exchanging cryptographic keys over a public channel

Issue below command for generating Diffie Hellman parameters.

Copy to Clipboard

The  above command output will look like below.

Now Generate a shared-secret key that is used in addition to the standard RSA certificate/key. We named the file as ta.key.

Using this key we enable  tls-auth directive Which adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing.

Enabling the tls-auth will protect us from

  • DoS attacks or port flooding on the OpenVPN UDP port.
  • Port scanning to determine which server UDP ports are in a listening state.
  • Buffer overflow vulnerabilities in the SSL/TLS implementation.
  • SSL/TLS handshake initiations from unauthorised machines.

Use below command.

Copy to Clipboard

Below is the captured output of above command.

Key Files

Now we will find our newly-generated keys and certificates in the “C:\OpenSSL-Win64\bin\demoCA” folder and its subdirectory  “certs” folder.

Take a look at the attached screenshot for reference.

Here is an short explanation of the relevant files.

Filename Needed By Purpose Secret
ca.crt server + all clients Root CA certificate No
ca.key Server Only Root CA key YES
dh4096.pem server only Diffie Hellman parameters NO
server.crt server only Server Certificate NO
server.key server only Server Key YES
client1.crt client1 only Client1 Certificate NO
client1.key client1 only Client1 Key YES
ta.key server + all clients Used for tls-auth directive No

Now its the time to copy Certificate files ca.crt, client1.crt, client1.key  and ta.key  from OpenVPN server to the OpenVPN client PC.  Make sure to copy secret files over a secure channel.

Section 3 . Enable NAT On OpenVPN Server.

As I mentioned in the introduction section we  are setting up   our OpenVPN server , to  route clients all IP traffic such as Web browsing and DNS lookups through VPN Server itself.  For that we need to NAT the OpenVPN TUN/TAP Network interface to the public internet through OpenVPN server Public Interface that already have internet access.

Lets Get Started. First Open Server Manager. Click Add Roles And Features.

Click Next on the Add Roles and Feature install wizard.

Choose “Role based or feature based installation” and click Next.

Select Our Server from the “select server from the server pool” section and click Next.

Choose “Remote Access”  role and click Next.

leave Features section as it is and Click Next.

Click next On Remote Access section.

From Role Services section, choose “Routing ” and “Direct Access and VPN”

A popup window will appear. Click Add features and Click Next.

Click Next on Web Server Role Section.

Leave the default selection as it is under IIS Role Service section and Click on Next.

Click Install button on Confirmation Section.

Wait for few minutes, we will get the message as installation got succeeded. Click Close.

Now From the Server Manager itself, Choose “Remote Access from Left side” >> Right click our Server Name from Right side >> Choose Remote Access Management.

Under Direct Access and VPN >> Click on “Run the Remote Access Setup Wizard”

A Popup Window will appear. In that Click “Deploy VPN only”

The Routing and Remote Access Management” Panel will open. From there Right click on our VPN Server Name and Choose ” Configure and Enable Routing And Remote Access”

Click Next on Routing and Remote Access Server Setup Wizard.

Choose “Network Address Translation (NAT) ” and click Next.

Select Our Public Network Interface where we have internet Access and Click Next.

Select our OpenVPN TUN/TAP interface that we attach to the internet and Click Next.

Click Finish and Complete the NAT setup wizard.

Now from the Route and Remote Access Management panel itself >> Expand Our Server name >> Expand IPV4 >> Select NAT >> From right side Right click our Public Interface name and choose Properties.

From Services And Ports tab >> Choose Remote Access.

A popup windows will appear, in the Private Address filed give our Public IP address and Click OK, After that click Apply and Ok.

Suppose your Server RDP Port is different, you need create a new rule and allow that Port instead of default remote desktop port 3389.

Okay, This Completes the Enabling of NAT on OpenVPN server. Lets move to Next section.

Section 4 . Create configuration files for server

In this section,  we create the OpenVPN Server configuration file and Make Necessary changes in it.

First Open Windows Explorer and go the folder C:\Program Files\OpenVPN\sample-config and copy file named  “server.ovpn” to C:\Program Files\OpenVPN\config.

Now open the config file using any Text editor and make changes to below values accordingly.

ca “C:\\OpenSSL-Win64\\bin\\demoCA\\certs\\ca.crt”

cert “C:\\OpenSSL-Win64\\bin\\demoCA\\server.crt”

key “C:\\OpenSSL-Win64\\bin\\demoCA\\certs\\server.key”

dh “C:\\OpenSSL-Win64\\bin\\demoCA\\certs\\dh4096.pem”

push “redirect-gateway def1 bypass-dhcp”

push “dhcp-option DNS”

push “dhcp-option DNS”

tls-auth C:\\OpenSSL-Win64\\bin\\demoCA\\certs\\ta.key 0

data-ciphers AES-256-GCM

In that first four values defines the location of ca, cert , key  and Diffie hellman parameters  certificate locations.

The Next three lines enforce the clients to redirect their all traffic through OpenVPN server once they successfully connected to OpenVPN server.

Using “tls-auth” parameter, we enable HMAC firewall. Its an extra layer of security used to prevent DDos attack.

The last one “data-ciphers AES-256-GCM”  enables a cryptographic cipher.

Refer below screenshots and then you will get an idea about how these parameters looks in server.ovpn  config file.

This Completes the OpenVPN config file Setup.  Now open the UDP Port 1194  in the Windows firewall using below powershell command.

Copy to Clipboard

Now start the OpenVPN server service by click on Windows Show hidden icons section >> right click the OpenVPN icon >> Choose Connect.

The OpenVPN service will start automatically and you will see a green colour inside OpenVPN icon. This means that our OpenVPN service is running.

Another option to start the OpenVPN service is from the Windows services section, which we described in section 1.

Another Option to confirm the running of OpenVPN service is , take windows cmd and list all network interfaces. We will see now the OpenVPN TUN/TAP interface is assigned with private IP, which is the default private IP address range assigned to server and with clients as per the config settings.

Section 5 . Setup OpenVPN Client.

In this section we first install the OpenVPN MSI installer on Client PC like Windows 10. After that we will setup OpenVPN client config files.

Finally start the the OpenVPN connection and test it out.

Section 5 a . OpenVPN Client MSI  Install

For OpenVPN MSI installation on Client PC, follow the same steps described on Section 1.  The OpenVPN Community Edition MSI Installer  can be used on both Server side and with the client side.

After the OpenVPN MSI installation. Open Windows Explorer  and go the folder C:\Program Files\OpenVPN\sample-config and copy file named “client.ovpn” to C:\Program Files\OpenVPN\config.

After that rename the “client.ovpn” to “client1.ovpn” because we use this client config file for client1.

Move already downloaded ca.crt, client1.crt, client1.key and ta.key to folder C:\Program Files\OpenVPN\config.

Refer below screenshot for better understanding on file structure.

Section 5 b . Configure Client Config File.

Go to the folder “C:\Program Files\OpenVPN\config” and  open client1.ovpn file using any text editor and define below parameters accordingly.

remote 1194

ca “C:\\Program Files\\OpenVPN\\config\\ca.crt”

cert “C:\\Program Files\\OpenVPN\\config\\client.crt”

key “C:\\Program Files\\OpenVPN\\config\\client.key”

remote-cert-tls server

tls-auth “C:\\Program Files\\OpenVPN\\config\\ta.key” 1

cipher AES-256-GCM

In that first value defines  The hostname/IP and port of the OpenVPN server

The Next three ca, cert , key values defines the location of CA and client certificate locations.

Using “remote-cert-tls server” , the OpenVPN client will verify the server certificate extendedKeyUsage.

Using “tls-auth” parameter, we enable HMAC firewall. Its an extra layer of security used to prevent DDos attack.

The last one “cipher AES-256-GCM” enables a cryptographic cipher.

Below picture shows how these parameters looks in the client config file.

This Completes the Client Setup. Now test the VPN Connection from client side. Make sure to open UDP port 1194 in the client side windows firewall too.

Section 5 c . Testing the OpenVPN connection.

Under windows Hidden Notification area , right click on OpenVPN icon and Click Connect.

The OpenVPN connection will establish automatically. After the successful connection , try to ping to the private IP of OpenVPN server and make sure its reachable. Also test the internet connection of your client PC.

Also on a Successfully connected OpenVPN Client PC, if we lookup the what is my IP on web browser, we will see its our VPN Server IP. This means that all our web traffic is routing through OpenVPN server.


We have successfully completed the OpenVPN setup On Windows server 2019 and successfully connected from a Windows 10 OpenVPN client PC. Also we have seen how to route all IP traffic from client side through OpenVPN server. I hope this article is informative. Leave your thoughts at the comment box.

Share This Story, Choose Your Platform!