OpenVPN is a flexible VPN (Virtual Private Network) solution used to encrypt and secure point-to-point or site-to-site connections between two machines over the public Internet. In other words, with OpenVPN we can create a secure private network over the public Internet and gain remote access to the internal services of an IT infrastructure. OpenVPN works in a client-server model and secures the network extension using the industry-standard SSL/TLS protocol.
OpenVPN has an economical licensing model that is based only on the number of concurrently connected devices rather than on the number of users. There is also a Community Edition under the GPL licence, which is completely free to use. The OpenVPN server can be installed on Linux- or Windows-based systems, and it can run on cloud-based servers as well as on on-premise VPN servers.
OpenVPN for Windows is installed from a self-installing exe file called OpenVPN GUI. OpenVPN GUI is a graphical frontend for OpenVPN running on Windows. It creates an icon in the notification area from which you can control OpenVPN: start/stop your VPN tunnels, view the log and do other useful things.
OpenVPN Connect is the OpenVPN client software package installed on the client PC and used to connect to the OpenVPN server. OpenVPN Connect is supported on Windows, Linux, macOS, iOS and Android. Two common setups for OpenVPN are Remote Access and Site-to-Site. In the REMOTE ACCESS model, employees connect to the private network from various remote locations; in the SITE-TO-SITE model, multiple fixed sites (branches, offices, etc.) are connected over a public network.
In this article I will show you how to set up an OpenVPN server (Community Edition) on Windows Server so that it forwards the clients’ incoming traffic to the Internet and routes the responses back to the client. In other words, we set up an OpenVPN Windows server that tunnels the clients’ Internet traffic through the OpenVPN server. Clients that have successfully connected to the OpenVPN server will appear on the Internet with the server’s public IP address instead of their ISP-assigned address. A VPN tunnel is commonly used to access the Internet privately, evading censorship or geolocation, by shielding your computer’s web traffic when you connect through untrusted hotspots or connections.
Setting Up OpenVPN Server
Let’s get started. Download the latest Windows OpenVPN installer from the link below. Once downloaded, double-click the installer exe file; the following screen will appear. Click Next to start the installation.
On the Licence Agreement page, click the “I Agree” button.
On the “Choose Components” page, make sure that ALL components are selected, and click Next.
On the “Choose Install Location” page, leave the default as it is, but note down the OpenVPN install location for later use. Click the “Install” button.
You will see the installation in progress.
During the installation we are prompted to install the TAP-Windows Provider V9 network adapter. This is the virtual network device that the OpenVPN server needs for the tunnel; click Install here.
Once the installation is complete, click Next.
The installation is now complete; click Finish.
At this point, if you open the list of network adapters, you will see that a new TAP adapter has been created, as in the screenshot below.
Now open a Windows Command Prompt and type the following commands:
The command above initialises the OpenVPN configuration: running the init-config.bat script generates a new “vars.bat” file in our “easy-rsa” directory, and this file will hold our configuration.
Now open the following directory in Windows Explorer:
Using Notepad (or another text editor), edit the batch file named vars.bat. I have changed the following settings (at the bottom of the file) to meet our requirements. Make sure that the KEY_CN and KEY_NAME variables have the same value.
Save the file, exit Notepad and run the following commands in the Windows Command Prompt.
Create the certificate authority (CA) certificate and key by running the following command in the Windows CMD.
When asked for input you should be able to accept the defaults (as we set them in vars.bat earlier), but remember that we must specify a KEY_CN (Common Name) and, when asked for the Name, it must match the Common Name.
For your “Common Name”, a good choice is a name that identifies your company’s Certificate Authority, for example “SERVER”.
We now need to build the server’s certificate file. Again, we’ll keep it as simple as possible and set the “Common Name” of the server’s certificate to ‘server’, and again the Name will match it (notice that the name is passed as the first argument of the build-key-server.bat call):
As stated, run the command below to create the server certificate and key.
When prompted, enter the “Common Name” and “Name” as “SERVER”.
When prompted to sign the certificate, enter “y”.
When prompted to commit, enter “y”.
Now create the client certificates and keys using the command below.
Note: every VPN client that connects to the VPN must authenticate with its own SSL certificate, so the following process must be run for each client device that will connect to the VPN.
As before, when prompted for the “Common Name” and the “Name”, use the name of the machine, so in this instance “mike-laptop” as demonstrated.
Now generate the Diffie-Hellman parameters (this is necessary to set up the encryption). We do this by typing the following command:
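Before copying anything into the config directory it is worth checking that easy-rsa actually produced what the later steps expect. The script below is an added example, not part of the original article or of the OpenVPN project: it checks that every file the server and client configurations will reference exists, that both leaf certificates were issued by our CA and have not expired, that the client certificate carries the expected Common Name, that the server certificate was built with build-key-server (serverAuth EKU), that the DH parameters are at least 2048 bits, and that the private key files are not readable by every local user. The keys directory and the client name “mike-laptop” are the article’s defaults and are assumptions; pass different values if yours differ.

```powershell
# Added verification script (not from the original article). Checks the easy-rsa
# output before it is copied into C:\Program Files\OpenVPN\config.
# Assumptions: default install path and the client name used in the article.
param(
    [string]$KeysDir    = 'C:\Program Files\OpenVPN\easy-rsa\keys',
    [string]$ClientName = 'mike-laptop'
)

function Load-Cert([string]$Path) {
    # X509Certificate2 accepts the PEM-encoded .crt files that easy-rsa writes
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
}

$problems = @()

# 1. Every file the server and client configurations will reference must exist
foreach ($name in @('ca.crt', 'server.crt', 'server.key', "$ClientName.crt", "$ClientName.key")) {
    if (-not (Test-Path (Join-Path $KeysDir $name))) { $problems += "missing file: $name" }
}

# 2. Diffie-Hellman parameters: build-dh names the file after KEY_SIZE in vars.bat
$dh = Get-ChildItem -Path $KeysDir -Filter 'dh*.pem' -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $dh) {
    $problems += 'missing file: dh*.pem (run build-dh)'
} elseif ($dh.Name -match 'dh(\d+)\.pem' -and [int]$Matches[1] -lt 2048) {
    $problems += "$($dh.Name): KEY_SIZE below 2048 in vars.bat; set KEY_SIZE=2048 and run build-dh again"
}

if ($problems.Count -eq 0) {
    $ca     = Load-Cert (Join-Path $KeysDir 'ca.crt')
    $server = Load-Cert (Join-Path $KeysDir 'server.crt')
    $client = Load-Cert (Join-Path $KeysDir "$ClientName.crt")

    # 3. Both leaf certificates must be issued by this CA, otherwise the TLS handshake fails
    foreach ($leaf in @($server, $client)) {
        if ($leaf.Issuer -ne $ca.Subject) { $problems += "$($leaf.Subject) was not issued by $($ca.Subject)" }
        if ($leaf.NotAfter -lt (Get-Date)) { $problems += "$($leaf.Subject) has expired" }
    }

    # 4. The client certificate's CN is the name we expect to see in the server log
    if ($client.Subject -notmatch "CN=$([regex]::Escape($ClientName))(,|$)") {
        $problems += "client certificate CN is not '$ClientName': $($client.Subject)"
    }

    # 5. The server certificate needs the serverAuth EKU (OID 1.3.6.1.5.5.7.3.1) that
    #    build-key-server adds; clients using 'remote-cert-tls server' reject it otherwise
    $eku = $server.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or $eku.Format($false) -notmatch '1\.3\.6\.1\.5\.5\.7\.3\.1') {
        $problems += 'server.crt lacks the serverAuth extended key usage (use build-key-server, not build-key)'
    }
}

# 6. Private keys should be readable only by administrators and the service account
foreach ($keyFile in @('server.key', "$ClientName.key")) {
    $path = Join-Path $KeysDir $keyFile
    if (Test-Path $path) {
        $broad = (Get-Acl $path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users'
        }
        if ($broad) { $problems += "$keyFile is readable by $($broad.IdentityReference -join ', ')" }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "PKI in $KeysDir looks consistent for client '$ClientName'."
```

Run it once per client you generate (for example `.\Check-EasyRsaKeys.ps1 -ClientName mike-laptop`); a non-zero exit code means at least one finding was printed as a warning, and nothing should be copied to the config folder until the list is empty.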
When easy-rsa generates the certificates, they are stored under C:\Program Files\OpenVPN\easy-rsa\keys. Using Windows Explorer we need to copy the generated certificates listed below to the C:\Program Files\OpenVPN\config directory.
Now let’s copy the sample configuration file (in our case it is named server.ovpn) from “C:\Program Files\OpenVPN\sample-config” into “C:\Program Files\OpenVPN\config”.
Now, using a text editor (for example Notepad), edit the “C:\Program Files\OpenVPN\config\server.ovpn” file:
We need to set the location of the certificates that we generated earlier, so locate the section shown in the screenshot below and correct the certificate paths. Once done, save the file.
At this point start the OpenVPN service, either from the Windows Services console or by double-clicking the OpenVPN GUI icon.
This automatically creates a computer icon in the Windows notification area. Right-clicking this icon lets us manage the OpenVPN service: connect, view the log, and so on.
When connecting to the OpenVPN server we encountered the error below; it is fixed by commenting out the line “tls-auth ta.key 1” in the “C:\Program Files\OpenVPN\config\server.ovpn” file.
Installing the OpenVPN client on the local PC/laptop
On the client workstation, install the same OpenVPN installation package, downloaded from the link below. In our case the client PC/laptop is also a Windows machine.
So follow the same installation procedure that we carried out on the server.
Configuring the OpenVPN client:
Now download the client configuration file and certificates from the OpenVPN server to the client PC/laptop by any method you like (file sharing, FTP, etc.).
The files “ca.crt”, “mike-laptop.crt” and “mike-laptop.key” are located in the OpenVPN server folder “C:\Program Files\OpenVPN\easy-rsa\keys”.
The client configuration file, named “mike-laptop.ovpn”, is located in the server folder “C:\Program Files\OpenVPN\sample-config”.
Copy the downloaded “ca.crt”, “mike-laptop.crt”, “mike-laptop.key” and “mike-laptop.ovpn” into the client workstation folder “C:\Program Files\OpenVPN\config”.
Edit “C:\Program Files\OpenVPN\config\mike-laptop.ovpn” with Notepad on the client workstation and locate the following line:
remote my-server-1 1194
Replace “my-server-1” with the public IP address or hostname that your clients will use to connect to your OpenVPN server.
Also find the following lines:
Edit them as follows:
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\mike-laptop.crt"
key "C:\\Program Files\\OpenVPN\\config\\mike-laptop.key"
Save the file; we’re nearly ready to start testing!
Open UDP port “1194” in the Windows Firewall of the OpenVPN client and the OpenVPN server.
Now double-click the OpenVPN GUI icon on the client workstation, go to the Windows notification area, right-click the little computer icon of the OpenVPN service and click the “Connect” option.
At this point we will be able to ping the private IP address of the OpenVPN server from the client workstation. By default it is 10.8.0.1. The client workstation is also assigned an IP address from the same private 10.8.0.x subnet. We can see this IP address by issuing the command below in the Windows CMD.
Note that at this point not all client traffic is routed through the server: the client still uses its local ISP connection for Internet traffic rather than the OpenVPN server.
To achieve this (routing all client traffic, including Internet traffic, through the OpenVPN server), we need the following additional settings.
Open the file “C:\Program Files\OpenVPN\config\server.ovpn” on the OpenVPN server and uncomment the three lines below.
Save the file and restart the OpenVPN service on the server.
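Two of the server-side steps above deserve a check rather than a one-off edit: the tls-auth line that was commented out to get past the missing ta.key, and the redirect-gateway lines that decide whether client Internet traffic actually goes through the tunnel. The script below is an added example and is not code from the original article or from the OpenVPN project. It reads server.ovpn, reports the settings that matter for a full-tunnel deployment, creates ta.key with openvpn.exe if the tls-auth directive refers to a file that does not exist (so the line can stay enabled instead of being removed), and makes sure the inbound UDP 1194 rule exists on the server. The config directory, the openvpn.exe path and the firewall rule name are assumptions based on the installer defaults; the `--genkey --secret` form is the OpenVPN 2.4 syntax.

```powershell
# Added server-side readiness check (not from the original article).
# Assumptions: installer default paths; OpenVPN 2.4 command-line syntax for --genkey.
param(
    [string]$ConfigDir  = 'C:\Program Files\OpenVPN\config',
    [string]$OpenVpnExe = 'C:\Program Files\OpenVPN\bin\openvpn.exe',
    [int]$Port          = 1194
)

$confPath = Join-Path $ConfigDir 'server.ovpn'
$lines    = Get-Content $confPath

# Active directives only: drop blank lines and lines commented with ';' or '#'
$active = foreach ($l in $lines) {
    $t = $l.Trim()
    if ($t -and $t -notmatch '^[;#]') { $t }
}
function Has-Directive([string]$Pattern) { [bool]($active | Where-Object { $_ -match $Pattern }) }

$findings = @()

# redirect-gateway is what sends all client traffic through the tunnel (the lines the
# article un-comments). Without a pushed DNS server the client keeps resolving names
# through its local ISP resolver even though the rest of its traffic is tunnelled.
if (-not (Has-Directive '^push\s+"redirect-gateway')) {
    $findings += 'redirect-gateway is not pushed: client Internet traffic stays on the local ISP link'
}
if (-not (Has-Directive '^push\s+"dhcp-option\s+DNS')) {
    $findings += 'no DNS server pushed: clients keep using their local resolver'
}

# tls-auth / tls-crypt: the article comments the line out because ta.key was never
# created. The key is cheap to generate and keeps unauthenticated UDP packets away
# from the TLS stack, so generate it rather than disabling the check.
$tlsLine = $active | Where-Object { $_ -match '^tls-(auth|crypt)\s+\S+' } | Select-Object -First 1
if (-not $tlsLine) {
    $findings += 'tls-auth/tls-crypt is disabled: any host that can reach the UDP port can talk to the TLS layer'
} else {
    $keyFile = ($tlsLine -split '\s+')[1].Trim('"')
    $keyPath = if ([IO.Path]::IsPathRooted($keyFile)) { $keyFile } else { Join-Path $ConfigDir $keyFile }
    if (-not (Test-Path $keyPath)) {
        # Writes a new 2048-bit static key; the same file must be copied to every client
        & $OpenVpnExe --genkey --secret $keyPath
        $findings += "generated missing $keyPath; copy it to the clients alongside ca.crt"
    }
}

# Explicit data-channel cipher and HMAC rather than relying on legacy defaults
if (-not (Has-Directive '^cipher\s+AES-(128|256)-(GCM|CBC)')) { $findings += 'no AES cipher directive set' }
if (-not (Has-Directive '^auth\s+SHA(256|384|512)'))          { $findings += 'no SHA-2 auth directive set' }

# Inbound firewall rule on the server (the client initiates the connection and needs no inbound rule)
$ruleName = "OpenVPN UDP $Port inbound"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP -LocalPort $Port -Action Allow | Out-Null
    $findings += "created inbound firewall rule '$ruleName'"
}

$findings | ForEach-Object { Write-Warning $_ }
if (-not $findings) { Write-Host "$confPath`: no findings" }
```

Run it from an elevated PowerShell prompt on the server (the firewall cmdlets need administrator rights) and restart the OpenVPN service afterwards. If the script generated ta.key, the server keeps `tls-auth ta.key 0` and each client configuration gets `tls-auth ta.key 1`: the trailing number is the key direction, and the two ends must use opposite values.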
Installing NAT on the OpenVPN server
Open Server Manager and click “Add Roles and Features”.
Click “Next” until the “Select server roles” section appears.
Choose “Remote Access” and click Next until the “Add features” popup window appears.
Click the “Add features” option.
Choose the “DirectAccess and VPN (RAS)” and “Routing” role services and click Next.
Click the “Install” button and close the window when the installation has completed.
Now, in Server Manager, go to Remote Access, right-click the server name and choose “Remote Access Management”.
Under “DirectAccess and VPN”, click “Run the Remote Access Setup Wizard”.
Choose “Deploy VPN only”.
Now, in Server Manager, go to Remote Access again, right-click the server name and choose “Remote Access Management”.
Under “DirectAccess and VPN”, click “Open RRAS Management” on the right-hand side.
Right-click the server name, choose “Configure and Enable Routing and Remote Access” and click Next.
Choose “Network Address Translation (NAT)” and click Next.
Choose the public NIC, i.e. the interface on which the server’s public IP address is configured.
Click Finish to complete the installation.
Now expand the server name, expand IPv4, choose NAT, right-click the NIC on which the public IP address is configured and choose Properties.
Choose the “Services and Ports” tab, select “Remote Desktop”, click the Edit button, enter the server’s public IP address in the “Private address” field and click OK.
Restart the OpenVPN service on both the client and the server, then reconnect the OpenVPN client. Now all client traffic is routed through the OpenVPN server. If you open a browser on the client and visit whatismyip.org, you will see the OpenVPN server’s public IP address reported as your ISP address.
Ping test results from the client workstation after successfully connecting to the OpenVPN server.
This concludes the NAT installation on the OpenVPN server, and the OpenVPN setup and configuration is complete. Leave your suggestions in the comment box below.
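The ping and the whatismyip.org visit above verify the result by hand; the script below does the same checks from the client in one go and is an added example, not part of the original article or of OpenVPN. It confirms that the TAP adapter is up with a tunnel address, that the server end of the tunnel (10.8.0.1, as in the article) answers, that the two /1 routes which `redirect-gateway def1` installs both point out of the TAP interface (if they do not, the client is still using its ISP link for Internet traffic), and it looks up the public address the Internet now sees. The adapter-name match, the 10.8.0.1 gateway, the assumption that the pushed option is `redirect-gateway def1` as in the sample server configuration, and the use of https://api.ipify.org for the public-address lookup are all assumptions.

```powershell
# Added client-side verification (not from the original article). Run on the client
# after clicking "Connect". Assumptions: TAP-Windows adapter, server tunnel address
# 10.8.0.1, redirect-gateway def1 pushed by the server, api.ipify.org reachable.
param(
    [string]$TunnelGateway = '10.8.0.1',
    [string]$AdapterMatch  = 'TAP-Windows*'
)

function Get-PublicIp {
    # Returns the address the Internet sees for this client; with the full tunnel
    # active it should be the OpenVPN server's public address, not the ISP's
    (Invoke-RestMethod -Uri 'https://api.ipify.org' -TimeoutSec 10).Trim()
}

$results = [ordered]@{}

# 1. The TAP adapter is up and holds an address in the VPN subnet
$tap = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like $AdapterMatch } | Select-Object -First 1
$results['tap_up'] = [bool]($tap -and $tap.Status -eq 'Up')
$results['tap_ip'] = if ($tap) {
    (Get-NetIPAddress -InterfaceIndex $tap.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue).IPAddress
}

# 2. The server end of the tunnel answers (the ping shown in the article)
$results['gateway_reachable'] = Test-Connection -ComputerName $TunnelGateway -Count 2 -Quiet

# 3. redirect-gateway def1 adds 0.0.0.0/1 and 128.0.0.0/1, which beat the local /0 default
#    route; both must leave via the TAP interface or Internet traffic is not tunnelled
$half = Get-NetRoute -DestinationPrefix '0.0.0.0/1', '128.0.0.0/1' -ErrorAction SilentlyContinue
$viaTap = if ($tap) { @($half | Where-Object { $_.ifIndex -eq $tap.ifIndex }).Count } else { 0 }
$results['full_tunnel_routes'] = ($viaTap -eq 2)

# 4. The public address now seen from the Internet
$results['public_ip'] = try { Get-PublicIp } catch { 'lookup failed' }

[pscustomobject]$results | Format-List
```

Run it once before connecting and once after: `public_ip` should change from the ISP-assigned address to the server’s public address, and `full_tunnel_routes` should turn from False to True. A connected client with `gateway_reachable` True but `full_tunnel_routes` False is the state described earlier in the article, where the tunnel is up but Internet traffic still leaves through the local ISP connection.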