wiki:Easy_Windows_Guide

Version 5 (modified by eliyak, 11 years ago) (diff)

--

Easy Windows Guide

This page will contain a no-frills guide to getting OpenVPN up and running on a Windows server and client(s). For a more detailed understanding of setting up OpenVPN and its advanced features, see the HOWTO page.

Download and Install OpenVPN

  1. Download the installer from here and run it.

Create Certificates and Keys

Preperatory steps

  1. Navigate to the C:\Program Files\OpenVPN\easy-rsa folder in the command prompt:
    1. Press Windows Key + R
    2. Type "cmd.exe" and press Enter.
      cmd.exe
      
    3. Navigate to the correct folder:
      cd "C:\Program Files\OpenVPN\easy-rsa"
      
  1. Initialize the OpenVPN configuration:
    init-config
    
    • NOTE: Only run init-config once, during installation.
  1. Open the vars.bat file in a text editor:
    notepad vars.bat
    
  1. Edit the following lines in vars.bat, replacing "US", "CA," etc. with your company's information:
    set KEY_COUNTRY=US
    set KEY_PROVINCE=CA
    set KEY_CITY=SanFrancisco
    set KEY_ORG=OpenVPN
    set KEY_EMAIL=mail@host.domain
    
  1. Save the file and exit notepad.
  1. Run the following commands:
    vars
    
    clean-all
    

Build Your Certificates and Keys

  1. The certificate authority (CA) certificate and key:
    build-ca
    
    • When prompted, enter your country, etc. These will have default values, which appear in brackets. For your "Common Name," a good choice is to pick a name to identify your company's Certificate Authority. For example, "OpenVPN-CA":
      Country Name (2 letter code) [US]:
      State or Province Name (full name) [CA]:
      Locality Name (eg, city) [SanFrancisco]:
      Organization Name (eg, company) [OpenVPN]:
      Organizational Unit Name (eg, section) []:
      Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
      Email Address [mail@host.domain]:
      
  1. The server certificate and key:
    build-key-server server
    
    • When prompted, enter the "Common Name" as "server"
    • When prompted to sign the certificate, enter "y"
    • When prompted to commit, enter "y"
  1. Client certificates and keys:
  1. For each client, choose a name to identify that computer, such as "mike-laptop" in this example.
    build-key mike-laptop
    
    • When prompted, enter the "Common Name" as the name you have chosen (e.g. "mike-laptop")
  2. Repeat this step for each client computer that will connect to the VPN.
  1. Generate Diffie Hellman parameters a.
    build-dh
    

Configuration Files

  1. Find the sample configuration files:
    Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files
    

Server Config File

  1. Open server.ovpn
  1. Find the following lines:
    ca ca.crt
    cert server.crt
    key server.key
    
    dh dh1024.pem
    
  1. Edit them as follows:
    ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
    cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
    key "C:\\Program Files\\OpenVPN\\config\\server.key"
    
    dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
    
  1. Save the file as C:\Program Files\OpenVPN\config\server.ovpn

Client Config Files

This is similar to the server

Further Considerations / Troubleshoting

Port Forwarding

If your server is behind a router, you will need to forward the port chosen for OpenVPN (in this example UDP 1194) to the server. Consult your router's documentation for details on this.

To set up port forwarding, you will likely need to set up the server with a static local IP address instead of the default dynamic (changing) IP. Instructions for Windows XP may be found here. Make sure to choose a static IP address that is not in the range your router might assign as a dynamic IP.

Static Internet IP

Your server will need to have a static internet IP or Domain Name to be accessible over the long term. One solution is to sign up for an account with DynDNS and install the DynDNS Updater on your server. When signing up you will determine the static DNS of your server. (For example, "myserver.dyndns.org")