What is OpenVPN?
As noted previously in our OpenVPN article, OpenVPN is an open-source Windows software package used to create a secure, site-to-site VPN connection that provides remote access between two locations. OpenVPN consists of three parts:
- The OpenVPN-AS Server
- The Admin Web Interface/Admin GUI
- The Connection Clients
The OpenVPN Server
The OpenVPN server is the principal element of the OpenVPN-AS Server and manages the main functions on the backend. Some of the functionality that is handled in the admin interface includes tunneling, routing, encryption, user management, authentication, and many other features. The OpenVPN server also consists of a WebGUI, which assists with control in several of the fundamental components of the software.
The Main WebGUI Administrative Interface
The main web-based GUI allows for the uncomplicated handling of the OpenVPN server elements. In the WebGUI, an admin can check routing options, privileges, network configurations, user validation, and other parameters. By default, an administrator can connect to the GUIWeb gateway by browsing to https://serverip:943/admin
The OpenVPN Connect Clients
The OpenVPN client is also an important part of the OpenVPN software. This application allows users to link to the VPN server directly in one of three ways. The VPN Client also offers the ability to download the user’s configuration file, which can be duplicated to other OpenVPN clients. The three options are:
- Browser Connect Client – This is the browser-based connection tool for openvpn. The web address for users is https://serverip:943
- OpenVPN Connect Client (Mac) – Simplistic single connection client
- OpenVPN Connect Client (Linux/Windows) – This is the OpenVPN client (which is different from the main openvpn-as program). This software requires a configuration file to work correctly.
Install OpenVPN
On a Windows server, we begin by downloading the Windows installer and then running it on our Windows server.
Certs and Keys
Prerequisites
Browse to the
C:\Program Files\OpenVPN\easy-rsa
folder using the administrative command prompt:
- Open the Start menu
- Type in “cmd”
- Next, right click on “Command Prompt” and select “Run as Administrator.”
- Then, right click the menu item “Command Prompt”
- On the “User Account Control” pop up window, click “Yes”
Navigate to this folder.
cd "C:\Program Files\OpenVPN\easy-rsa"
And now, we can start the OpenVPN configuration:
init-config
Next, we open the “vars.bat” file in a text editor.
notepad vars.bat
And edit the subsequent lines switching “US”, “CA,” etc. with your business’s data.
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=OpenVPN
set KEY_EMAIL=mail@host.domain
We can then save the file and exit Notepad.
The KEY_CN and KEY_NAME settings refer to the common name field and the name of the certificate.
The KEY_OU setting refers to an “Organizational Unit” and can be set to whatever if there isn’t a requirement for it.
The PKCS11_ values refer to settings used for Hardware Security Modules and Smart Cards if you use them.
Next, we will run the following commands.
vars
clean-all
Building Certificates and Keys
In order to create the Certificate Authority (CA) certificate and key, we need to run.
build-ca
This will prompt you to enter your country, state, and city. These options will also have default values, which appear within brackets.
For the “Common Name,” a beneficial choice is to choose a unique name to distinguish your company.
Certificate Authority "OpenVPN-CA":
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [mail@host.domain]:
Next, we initiate the server’s certificate and key using this command:
build-key-server server
- When prompted, enter the “Common Name” as “server”
- When prompted to sign the certificate, enter “y”
- When prompted to commit, enter “y”
Server Certificates and Keys:
C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat
Generating a RSA private key
..............................................................................................................................................................................................................................................++++
................................++++
writing new private key to 'keys\.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [MI]:
Locality Name (eg, city) [Lansing]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:Server
Name [changeme]:
Email Address [dsinger@liquidweb.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:XXXXXXXXXXXXXXXX
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Can't open keys/index.txt.attr for reading, No such file or directory
1832:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:74:fopen('keys/index.txt.attr','r')
1832:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:81:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'MI'
localityName :PRINTABLE:'Lansing'
organizationName :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'Server'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'dsinger@liquidweb.com'
Certificate is to be certified until Dec 24 19:01:08 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
C:\Program Files\OpenVPN\easy-rsa>
Client Certificates and Keys
For each client that will be connecting to the server, we must choose a unique name to identify that user’s computer, such as “david-laptop” in the example below.
build-key david-laptop
Next, when prompted, we enter the “Common Name” as the name you have chosen for the client’s cert/key.
We will repeat this step for every client computer that is going to connect to the VPN.
C:\Program Files\OpenVPN\easy-rsa>build-key david-laptop
Generating a RSA private key
.............................................................................................................................................................................++++
..............................................................................++++
writing new private key to 'keys\david-laptop.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [MI]:
Locality Name (eg, city) [Lansing]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:david-laptop
Name [changeme]:David Singer
Email Address [dsinger@liquidweb.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:XXXXXXXXXXXXXXXX
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'MI'
localityName :PRINTABLE:'Lansing'
organizationName :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'david-laptop'
name :PRINTABLE:'David Singer'
emailAddress :IA5STRING:'dsinger@liquidweb.com'
Certificate is to be certified until Dec 24 19:06:10 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
C:\Program Files\OpenVPN\easy-rsa>
Now, we need to generate the “Diffie Hellman” parameters using the build-dh command. This step is necessary in order to set up the encryption model.
C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.................................+......................................................................................................+.............................................................................................+..................................................................................+.........................................................
.............................................................................+............................+..........+........+............................................+..............................................+....++*++*++*++*
C:\Program Files\OpenVPN\easy-rsa>
Next, we will generate a shared secret key (which is required when using tls-auth)
"C:\Program Files\OpenVPN\bin\openvpn.exe" --genkey --secret "C:\Program Files\OpenVPN\easy-rsa\keys\ta.key"
Configuration Files
OpenVPN provides sample configuration data which can easily be found using the start menu:
Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files
Server Config File
Now, let’s copy the sample “server configuration” file over to the easy-rsa folder. Here is the command and its output:
copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"
C:\Program Files\OpenVPN\easy-rsa>"C:\Program Files\OpenVPN\bin\openvpn.exe" --genkey --secret "C:\Program Files\OpenVPN\easy-rsa\keys\ta.key"
C:\Program Files\OpenVPN\easy-rsa>copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"
1 file(s) copied.
C:\Program Files\OpenVPN\easy-rsa>
Next, we will need to edit the server.ovpn file.
notepad "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"
Now, locate the following lines within the file:
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
And edit them as follows:
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
Finally, save and close the file.
Client Config Files
The client file modification is very similar to the server configuration changes we made earlier. Let’s copy the sample server configuration file to the easy-rsa folder with the client’s Common Name as the file name. (Remember, each client will need to have a unique filename).
copy "C:\Program Files\OpenVPN\sample-config\client.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\david-laptop.ovpn"
C:\Program Files\OpenVPN\easy-rsa>copy "C:\Program Files\OpenVPN\sample-config\client.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\david-laptop.ovpn"
1 file(s) copied.
C:\Program Files\OpenVPN\easy-rsa>
Next, we will edit the client’s config file.
notepad "C:\Program Files\OpenVPN\easy-rsa\keys\david-laptop.ovpn"
We will locate the following settings in the file and edit them as follows:
ca ca.crt
cert client.crt
key client.key
to
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\david-laptop.crt"
key "C:\\Program Files\\OpenVPN\\config\\david-laptop.key"
Observe that the name of the client certificate and related key files rely upon the “Common Name” of each client.
We can also include the ca, cert, and key content in the client file. We will have to copy the file content from inside the tags:
- <ca></ca>
- <cert></cert>
- <key></key>
Next, we will edit the line “my-server-1“, replacing it with the server’s public IP Address or Domain Name.
remote my-server-1 1194
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 69.16.236.167
;remote my-server-2 1194
Finally, we can save and close the file.
Copying the Client and Server Files to Their Pertinent Directories
Now we can copy these files from C:\Program Files\OpenVPN\easy-rsa\keys\ to C:\Program Files\OpenVPN\config\ on the server using the robocopy command:
- ca.crt
- ta.key
- dh2048.pem
- server.crt
- server.key
- server.ovpn
robocopy "C:\Program Files\OpenVPN\easy-rsa\keys\ " "C:\Program Files\OpenVPN\config\ " ca.crt ta.key dh2048.pem server.crt server.key server.ovpn
C:\Program Files\OpenVPN\easy-rsa>robocopy "C:\Program Files\OpenVPN\easy-rsa\keys\ " "C:\Program Files\OpenVPN\config\ " ca.crt ta.key dh2048.pem server.crt server.key server.ovpn
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Friday, December 27, 2019 12:16:02 PM
Source : C:\Program Files\OpenVPN\easy-rsa\keys\
Dest : C:\Program Files\OpenVPN\config\
Files : ca.crt
ta.key
dh2048.pem
server.crt
server.key
server.ovpn
Options : /DCOPY:DA /COPY:DAT /R:1000000 /W:30
------------------------------------------------------------------------------
4 C:\Program Files\OpenVPN\easy-rsa\keys\
100% New File 2482 ca.crt
100% New File 432 dh2048.pem
100% New File 10901 server.ovpn
100% New File 657 ta.key
------------------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 4 4 0 0 0 0
Bytes : 14.1 k 14.1 k 0 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Speed : 452250 Bytes/sec.
Speed : 25.877 MegaBytes/min.
Ended : Friday, December 27, 2019 12:16:02 PM
C:\Program Files\OpenVPN\easy-rsa>
Now, we can copy the following files from C:\Program Files\OpenVPN\easy-rsa\keys\ on the server to C:\Program Files\OpenVPN\config\ for each client that will be using the VPN (e.g., david-laptop, in this example)
- ca.crt
- ta.key
- david-laptop.crt
- david-laptop.key
- david-laptop.ovpn
Starting OpenVPN
Next, on both the server and the client, we need to run OpenVPN from:
Start Menu -> All Programs -> OpenVPN -> OpenVPN GUI
Now, let’s double click the icon which appears in the system tray to start the connection. The subsequent dialog box will close upon an effective start.
Final Thoughts
Firewall Settings
If you have any connection difficulties, ensure you set up a rule on the server’s firewall allowing incoming UDP traffic on port 1194. (Win+R “wf.msc”)
Running OpenVPN as a Service
We can also run OpenVPN as a service, which will allow:
- OpenVPN to be run from a non-administrative account.
- OpenVPN to be started automatically on the systems startup. This is the preferred method to use on a server, as well as any clients which will be continually connecting to the server.
- To run the Windows Service administrative tool:
(Press Windows Key+R)
Type in “services.msc” and press ‘Enter’ to start the services.msc tool. Next, locate the OpenVPN service, and reset its Startup Type to “automatic.” Optionally, you can start the service now if desired.
Security Tips
We can also run OpenVPN as a service, which will allow:
- OpenVPN to be run from a non-administrative account.
- OpenVPN to be started automatically at the systems startup. This is the preferred method to use on a server, as well as any clients which will be continually connecting to the server.