Setting Up OpenVPN Server On Windows Server 2012/2016

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections between two machines.

OpenVPN GUI is a graphical frontend for OpenVPN running on Windows XP / Vista / 7 / 8. It creates an icon in the notification area from which you can control OpenVPN to start/stop your VPN tunnels, view the log and do other useful things.

This article shows how to configure an OpenVPN server on Windows Server to forward incoming client traffic to the internet and route the responses back to the client, that is, to tunnel the clients' internet traffic through the OpenVPN server. Clients that have successfully connected to the OpenVPN server will appear on the internet with the server's public IP address instead of their own ISP IP address.

Commonly, a VPN tunnel is used to privately access the internet, evading censorship or geolocation by shielding your computer’s web traffic when connecting through untrusted hotspots, or connections.

Setting Up OpenVPN Server

Let’s get started. Download the latest Windows OpenVPN installer from the link below. Once downloaded, double-click the installer exe file. The following screen will appear; click Next to start the installation.

On the Licence Agreement page, click the “I Agree” button.

On the component selection page, make sure ALL components are selected, then click Next.

On the installation location page, leave the default as it is and note down the OpenVPN install location for future use. Click the “Install” button.

You will see the installation is in progress.

During the installation we will be prompted to install the virtual TAP Windows Provider V9 NIC adapter. This is a virtual network device that is required by the OpenVPN server; click Install here.

Once the installation is complete, click Next.

Installation is now completed, click Finish

At this point, if you open the list of network adapters, you will see that a new TAP device adapter has been created, as in the screenshot below.

Now open up Windows Command Prompt and then type the following commands:

cd "C:\Program Files\OpenVPN\easy-rsa"
init-config.bat

The init-config.bat script initializes the OpenVPN configuration: it generates a new vars.bat file
in our easy-rsa directory, and this file will contain our configuration.

Now open the following directory in Windows Explorer:

C:\Program Files\OpenVPN\easy-rsa

Using Notepad (or another text editor), edit the batch file named vars.bat. I have changed the following settings
(the bottom of the file) to meet our requirements. Make sure the KEY_CN and KEY_NAME variable value should be

set KEY_CITY=Cochin
set [email protected]
set PKCS11_MODULE_PATH=changeme
set PKCS11_PIN=1234

Save the file and exit Notepad. Run the following commands in the Windows Command Prompt.

cd "C:\Program Files\OpenVPN\easy-rsa"

Create the certificate authority (CA) certificate and key by running the following command in Windows CMD.


When asked for input, you should be able to accept the defaults (as we set them in the vars.bat file earlier),
but remember, we must specify a KEY_CN (Common Name), and when asked for the Name, it should match the
Common Name.

For your “Common Name,” a good choice is to pick a name to identify your company’s Certificate Authority.
For example, “SERVER”

We now need to build the server’s certificate file. Again, we’ll keep it as simple as possible, so
we will set the “Common Name” for the server’s certificate file to “server”, and again the Name will match
this (notice that the name is passed in as the first argument on the build-key-server.bat call):

As stated, run the command below to create the server certificate and key:

build-key-server.bat server

When prompted, enter the “Common Name” and “Name” as “SERVER”
When prompted to sign the certificate, enter “y”
When prompted to commit, enter “y”

Now create the client certificates and keys using the command below.

Note: Each VPN client that connects to the VPN needs its own SSL certificate, and
therefore the following process must be run for each client device that will connect to the VPN.

build-key.bat mike-laptop

As before, when prompted for the “Common Name” and the “Name” use the name of the machine, therefore in this
instance “mike-laptop” as demonstrated.

Generate Diffie-Hellman parameters (this is necessary to set up the encryption). We do this by typing the
following command:


When easy-rsa is used to generate the certificates, they are stored under
C:\Program Files\OpenVPN\easy-rsa\keys. Using Windows Explorer, we need to copy the below generated certificates
to the C:\Program Files\OpenVPN\config directory.


Now let’s copy the sample configuration file (in our case it is named server.ovpn) from
"C:\Program Files\OpenVPN\sample-config" into "C:\Program Files\OpenVPN\config"

Now, using a text editor (for example, NotePad) edit the “C:\Program Files\OpenVPN\config\server.ovpn” file:

We need to set the location of the certificates that we generated earlier, so locate the section shown
in the screenshot below and correct the certificate paths. Once done, save the file.

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh4094.pem"

At this point, start the OpenVPN service either from the Windows Services section or by double-clicking the
OpenVPN GUI icon.

This action will automatically create a computer icon in the Windows notification area. If we right-click
this notification area icon, we can manage the OpenVPN service: connect, view the log, etc.

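When connecting the OpenVPN server, we encountered the error below, and it was fixed by commenting out the line
“tls-auth ta.key 1” in the “C:\Program Files\OpenVPN\config\server.ovpn” file. With that line commented out, the server no longer applies the tls-auth HMAC check to control-channel packets.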

Sun Jan 28 01:08:53 2018 All TAP-Windows adapters on this system are currently in use.

Sun Jan 28 01:08:53 2018 Exiting due to fatal error

Sun Jan 28 14:59:40 2018 WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)

Options error: --tls-auth fails with 'ta.key': No such file or directory (errno=2)

Options error: Please correct these errors.

Use --help for more information.
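
The ta.key failure above only surfaces when the service starts. As an added example (not part of the original article), the Python sketch below checks a .ovpn file beforehand: every file named by ca, cert, key, dh and tls-auth must exist, paths wrapped in typographic quotes are flagged, and a missing or commented-out tls-auth is reported. The function names are hypothetical, the tokenizer is a simplified version of OpenVPN's quoting rules, and relative paths are assumed to resolve against the config file's folder.

```python
import tempfile
from pathlib import Path

FILE_DIRECTIVES = {"ca", "cert", "key", "dh", "tls-auth"}

def tokenize(line):
    """Simplified OpenVPN line splitter (comments, quotes, backslash escapes)."""
    tokens, cur, quote, started, chars = [], "", None, False, iter(line)
    for ch in chars:
        if not started and ch in "#;":
            break                                  # rest of the line is a comment
        if ch == "\\" and quote != "'":
            cur, started = cur + next(chars, ""), True   # "\\" yields one backslash
        elif ch == quote:
            quote = None                           # closing quote
        elif quote:
            cur += ch                              # spaces are literal inside quotes
        elif ch in "\"'":
            quote, started = ch, True
        elif not ch.isspace():
            cur, started = cur + ch, True
        elif started:                              # whitespace ends the token
            tokens.append(cur)
            cur, started = "", False
    return tokens + [cur] if started else tokens

def preflight(config_path):
    """Return (line_no, directive, problem) for each issue in one .ovpn file."""
    config_path, seen, findings = Path(config_path), set(), []
    lines = config_path.read_text(encoding="utf-8").splitlines()
    for no, line in enumerate(lines, 1):
        tok = tokenize(line)
        if len(tok) >= 2 and tok[0] in FILE_DIRECTIVES:
            seen.add(tok[0])
            if tok[1][:1] in ("\u201c", "\u201d"):   # curly quote pasted from a web page
                findings.append((no, tok[0], "typographic quote in path"))
            elif not (config_path.parent / tok[1]).is_file():
                findings.append((no, tok[0], "file not found: " + tok[1]))
    if "tls-auth" not in seen:
        findings.append((0, "tls-auth", "directive missing or commented out"))
    return findings

def demo():  # constructed server.ovpn whose ta.key is absent, as in the log above
    with tempfile.TemporaryDirectory() as d:
        Path(d, "ca.crt").write_text("placeholder\n")
        cfg = Path(d, "server.ovpn")
        cfg.write_text('ca "ca.crt"\ntls-auth ta.key  # shared secret\n')
        return preflight(cfg)

if __name__ == "__main__":
    print(demo())
```

Run preflight() against the real server.ovpn or client .ovpn on the machine where it will be used; an empty list means every referenced file was found and tls-auth is enabled.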

Installing the OpenVPN Client on the Local PC/Laptop

On the client workstation, install the same OpenVPN installation package, downloaded from the link below. In our case the client PC/laptop is also a Windows machine.

So follow the same installation procedure that we have done in the Server.

Configuring OpenVPN Client:

Now download the client configuration file and certificates from the OpenVPN server to the client PC/laptop using any method such as file sharing or FTP. Note that “mike-laptop.key” is the client's private key and plain FTP sends it unencrypted.

The files “ca.crt”, “mike-laptop.crt” and “mike-laptop.key” are located in the OpenVPN server folder “C:\Program Files\OpenVPN\easy-rsa\keys”.

The client configuration file named “mike-laptop.ovpn” is located in the server folder “C:\Program Files\OpenVPN\sample-config”.

Copy the downloaded “ca.crt”, “mike-laptop.crt”, “mike-laptop.key” and “mike-laptop.ovpn” into the client workstation folder

"C:\Program Files\OpenVPN\config"

Edit “C:\Program Files\OpenVPN\config\mike-laptop.ovpn” with notepad in client Workstation.

Locate the following line:

remote my-server-1 1194

and replace “my-server-1” with the public IP address or hostname that your clients will use to connect
to your OpenVPN server.

Also find the following lines:

ca ca.crt
cert client.crt
key client.key

Edit them as follows:

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\mike-laptop.crt"
key "C:\\Program Files\\OpenVPN\\config\\mike-laptop.key"

Save the file and we’re nearly ready to start testing!!
Open the UDP port number "1194" in the Windows Firewall of OpenVPN Client and OpenVPN server.

Now double-click the OpenVPN GUI icon that shows up on the client workstation >> go to the Windows notification
area >> right-click the little computer icon of the OpenVPN service >> and click the “connect” option.

At this point we will be able to ping the private IP address of the OpenVPN server from the client workstation. By default
it will be The client workstation will also be assigned an IP address from the same private IP
address subnet. For example We can see this IP address by issuing the command below in Windows CMD.

ipconfig /all

Adding to this, at this moment not all client traffic is routed to the server. In short, the client will use
their local ISP connection for internet traffic, not through the OpenVPN Server.

In order to achieve this ( route all client traffic including internet through OpenVPN server), we have
to follow below additional settings.

Open the file “C:\Program Files\OpenVPN\config\server.ovpn” on the OpenVPN server and uncomment the three lines below.

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS"

push "dhcp-option DNS"

Save the file and restart the OpenVPN service in the server.

Install NAT on OpenVPN server.

Open Server Manager >> Click “Add Roles and Features”

Click “Next” until the Select server role section appears.

Choose “Remote Access” and click Next until the “Add features” popup window appears.

Click the “Add features” option.

Choose the “Direct Access VPN and Routing” role services and click Next.

Click the “Install” button and close the window when the installation has completed.

Now under Server Manager >> Remote Access >> Right click Server name >> choose “Remote Access Management”

Under “Direct Access and VPN” >> Click “Run the Remote Access setup Wizard”

Choose “Deploy VPN Only”

Now under Server Manager >> Remote Access >> Right click Server name >> choose “Remote Access Management”

Under “Direct Access and VPN” >> Click “Open RRAS Management” from the right side.

Right click the server name, choose “Configure and Enable Routing and Remote Access” and click Next.

Choose Network Address Translation and click Next.

Choose the public NIC name where the public IP address of the server is configured.

Click Finish and complete the installation.

Now expand the server name >> Expand IPv4 >> Choose NAT >> Right click the NIC name where the public IP address is configured >> Choose Properties.

Choose the “Services and Ports” tab >> Choose Remote Desktop >> Click the Edit button >> Under the Private address section, enter the server's public IP address >> Click OK.

This concludes the NAT install on the OpenVPN server.

Restart the OpenVPN service on both the client and the server. Reconnect OpenVPN. At this point all client traffic will be routed through the OpenVPN server.

If you open the client browser and visit the website, the IP address shown will be the OpenVPN server's public IP address.

Ping test results from client workstation after successfully connected to  openvpn server.

February 11th, 2018 | OpenVPN, Windows