Monday, January 28, 2013

OpenVPN Server on Windows

UPDATE: Every once in a while someone will reach out to me about this and ask whether I have any plans to update it. I no longer use Windows as my primary OS (switched to Linux) and no longer use OpenVPN either. The guide below may have issues, especially on Windows 10, which I don't use.

OpenVPN is a wonderful VPN system, but it's not so simple to set up on Windows. When I first created this how-to, there wasn't a cohesive, precise set of instructions for getting an OpenVPN server working on Windows such that Windows clients send all of their traffic through the VPN (the alternative, where only directed traffic goes through the VPN, is split tunneling). I prefer all my traffic going through the VPN when connected, as that makes it less likely for information to leak out.

NOTES:
 1. Throughout this guide I will use two words over and over again: server and client1. Feel free to modify these, but be sure to modify them EVERYWHERE they are repeated. To help you out I bolded and italicized them everywhere you should change them (except in the config files; they need to be changed in those as well).

 2. Everywhere you see quotation marks, they signify what you should type (the text inside the quotation marks). DO NOT TYPE THE QUOTATION MARKS UNLESS OTHERWISE SPECIFIED!

 3. I know this seems long, but it really isn't; I just broke everything down into the most basic steps I could and explain everything as thoroughly as I can. In the end it pays off: you have a secure multi-client VPN that definitely beats PPTP in terms of security and robustness.

 4. A relatively common practice with OpenVPN is to configure it to use TCP port 443, as this is the port normally associated with HTTPS, so even the most draconian of firewalls won't block it. I don't cover this; instead I cover OpenVPN using the default port of 1194 UDP. Changing it is simple: just edit the server and client configuration files to use proto tcp and port 443. Make sure to also change your forwarded port and firewall rules to match.

 5. This guide uses the 192.168.137.0/24 block for the OpenVPN network. This is the default for Internet Connection Sharing (a needed utility to get Internet through OpenVPN on Windows) on Windows 7, which is why I chose it (it should also be the default for Windows Vista, though I cannot test this). On Windows XP, ICS uses 192.168.0.0/24 by default, which isn't very useful for a VPN (as it's a popular subnet and would lead to conflicts in various situations). If you wish to change the subnet for OpenVPN, you must change it in the config file for the server as well as for ICS. This can be done through a registry setting. In HKLM\System\CurrentControlSet\services\SharedAccess\Parameters you will need to change ScopeAddress and ScopeAddressBackup to the first IP address in the range you wish to use. I am not certain whether Windows XP can change it or not, but it's worth a shot. Here is a registry file of the 192.168.137.1 ICS configuration; change the network numbers and run it to change to a different subnet (or do it manually). You can also find it on PasteBin.

 6. You will also need to know your public IP address or set up a Dynamic DNS service. You can find your public IP by visiting http://www.whatismyip.com/ on your server. Better is to set up no-ip on your server and use their free Dynamic DNS service (as it'll work even if your home IP changes). You would need to do this for PPTP VPN servers and SSH servers as well. I will mention this again when we get to the client configuration file.

Pre-Install

This guide assumes two things: You've properly set up a static IP for the will-be server and you have configured any firewall on the will-be server correctly. I will do a quick run-down of how to do this on Windows Vista/7 with Windows Firewall (which are the same in this matter).


Windows Firewall setup:
  1. Run wf.msc
  2. Click Inbound Rules on the left panel, and on the right panel click "New Rule..."
  3. Select Port for the rule type and click Next. Image of steps 2-3 
  4. Select UDP, enter port 1194 and click Next
  5. Select Allow the connection and click Next
  6. Select which networks the rule applies to; to be safe, allow for all and click Next
  7. Name the rule "openvpn in" (without quotes) and click Finish.

Install Process

  1. Download OpenVPN onto the will-be OpenVPN server and run the installer (as administrator if you are using Windows Vista/7)
  2. When you get to the "Install Location" part of the setup, I highly recommend installing it to C:\OpenVPN rather than the default install path, especially on Vista/7, as this will save you headaches. Proceed to finish the install
  3. Navigate to the installation folder (C:\OpenVPN if you followed my advice), then enter the config folder (C:\OpenVPN\config).
  4. Here, create a file named server.ovpn. It should look like this: http://pastebin.com/wU0MeHKL

    About the server.ovpn configuration file:

    You can modify the port number to anything you want; just remember what you set it to. The same goes for proto (short for protocol): you can change it to tcp, just remember that you did so (udp gives better performance, but may be blocked on some draconian networks).

    Line 5 is one that may need changing. First, you need to keep "server" as server (it's a configuration line dictating the VPN server IP range). Later on we'll enable Internet Connection Sharing and you may need to change 192.168.137.0 to match whatever IP address Internet Connection Sharing forces on you (for me this was 192.168.137.0/24, but it may be different for you). I'll remind you of this when we get to Server Configuration.

    You need to specify the DNS servers. I chose OpenDNS as it makes it easy to test whether the tunnel is being used without running something like Wireshark, but any DNS server will do.
  5. Open up the command line (as administrator on Vista/7)
  6. Type "cd C:\OpenVPN\easy-rsa" (without quotes; everywhere you see quotes from now on, they signify what you should type) and hit enter
  7. Type "init-config" and hit enter
  8. Navigate to C:\OpenVPN\easy-rsa in Explorer if you haven't already. Find the vars.bat file, right-click it and edit it
  9. Edits to make to vars.bat:

    Mandatory: change HOME path from "%programfiles%\OpenVPN\easy-rsa" to "C:\OpenVPN\easy-rsa" (if you don't do this you will get an error complaining about unable to write random state)

    You also need to fill (found near the bottom of the file):

    set KEY_COUNTRY=
    set KEY_PROVINCE=
    set KEY_CITY=
    set KEY_ORG=
    set KEY_EMAIL=

    Technically, any value will do, including the default ones, but I suggest filling them in with your information.

    You also need to set KEY_NAME and KEY_OU. I usually set name to my name and OU to VPNers just because it's simple.

    -------- DO NOT CHANGE KEY_CN, IT NEEDS TO BE CONFIGURED ON A PER-RUN BASIS ----------
  10. Save vars.bat and return to the command line (reopen it as administrator and navigate back to C:\OpenVPN\easy-rsa if you closed it)
  11. Type "vars" and hit enter
  12. Type "clean-all" and hit enter (it's normal for this to kick up an error; it just means the folder "keys" didn't exist before it was run)
  13. Type "build-ca" and hit enter. This will start the creation process for the ca.crt file. You will be prompted for various things. The default values are fine until you get to Common Name
  14. WHEN YOU GET TO Common Name, enter "server"
  15. Type "build-key-server server" and hit enter
  16. Leave the password blank unless you want to read the OpenVPN documentation. Same for company name
  17. Answer "y" to signing and committing the certificate.
  18. Type "build-dh" and hit enter
  19. Copy ca.crt, server.crt, server.key, and dh1024.pem from the keys folder in easy-rsa to C:\OpenVPN\config
  20. Type "build-key client1" and hit enter
  21. WHEN YOU GET TO Common Name, enter "client1"
  22. Leave the password blank unless you want to read the OpenVPN documentation. Same for company name
  23. Answer "y" to signing and committing the certificate.
  24. Install OpenVPN on the client computer EXACTLY the same as on the server (ok, it doesn't really need to be exactly the same, I'm just too lazy to tell you what you do and don't need)
  25. copy ca.crt, client1.crt, and client1.key from the server's keys folder to the client computer's OpenVPN config folder (C:\OpenVPN\config if you installed it like I said)
  26. in the config folder on the client, you will need to create a client1.ovpn file. It should look like this:  http://pastebin.com/42ekkJtL
About the client configuration file:

You need to use the same protocol as you specified in the server configuration file.

On line 5, for remote, you need to specify the PUBLIC IP address of the server OR the DNS entry for it. Refer to Note #6 for this information. After the IP address or DNS name, specify the port. This needs to be the same port as in the server configuration file.
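As an added example (mine, not the author's pastebin files), the following PowerShell script writes a server.ovpn and client1.ovpn that follow the description above and then checks what easy-rsa produced in steps 13-23 before the service is started. It assumes OpenVPN is installed in C:\OpenVPN, that the TAP adapter is named MyTap on both ends (as in the Server and Client Configuration sections), that OpenDNS is the pushed resolver, and that the server certificate was built with build-key-server as in step 15; vpn.example.invalid is a placeholder for your public IP or Dynamic DNS name (Note #6). The `remote-cert-tls server` line in the client file is an addition to the guide.

```powershell
# Added example, not the author's pastebin files: server.ovpn and client1.ovpn
# written from the guide's description, then a check on what easy-rsa produced.
# Run from an elevated PowerShell on the server after the easy-rsa steps.
# Assumptions: OpenVPN lives in C:\OpenVPN, the TAP adapter is named MyTap on
# both ends, OpenDNS is the pushed resolver, and $PublicHost below is a
# placeholder for your public IP or Dynamic DNS name (Note #6).

$OpenVpnRoot = 'C:\OpenVPN'
$ConfigDir   = Join-Path $OpenVpnRoot 'config'
$KeyDir      = Join-Path $OpenVpnRoot 'easy-rsa\keys'
$OpenSsl     = Join-Path $OpenVpnRoot 'bin\openssl.exe'   # shipped with OpenVPN
$Port        = 1194
$Proto       = 'udp'                     # must be identical in both files
$VpnNetwork  = '192.168.137.0'           # must match the ICS scope (Note #5)
$VpnMask     = '255.255.255.0'
$PublicHost  = 'vpn.example.invalid'     # PLACEHOLDER: public IP or DDNS name
$DnsServers  = @('208.67.222.222', '208.67.220.220')   # OpenDNS resolvers

# One push line per resolver; the client applies them to MyTap as DHCP options.
$dnsPush = ($DnsServers | ForEach-Object { 'push "dhcp-option DNS ' + $_ + '"' }) -join "`r`n"

# 'server' hands clients addresses from the ICS block; 'redirect-gateway def1'
# makes the client send everything through the tunnel (full tunnel, not split).
$serverConf = @"
port $Port
proto $Proto
dev tap
dev-node MyTap
server $VpnNetwork $VpnMask
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "redirect-gateway def1"
$dnsPush
keepalive 10 120
persist-key
persist-tun
verb 3
"@

# Client: same proto and port, remote = public address. 'remote-cert-tls server'
# is an addition to the guide: it rejects a peer whose certificate was made with
# build-key instead of build-key-server, so one client cannot pose as the server.
$clientConf = @"
client
proto $Proto
dev tap
dev-node MyTap
remote $PublicHost $Port
resolv-retry infinite
nobind
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
persist-key
persist-tun
;register-dns
verb 3
"@

Set-Content -Path (Join-Path $ConfigDir 'server.ovpn')  -Value $serverConf -Encoding ASCII
Set-Content -Path (Join-Path $ConfigDir 'client1.ovpn') -Value $clientConf -Encoding ASCII

# Step 19 check: everything server.ovpn references must already be in config\.
foreach ($f in 'ca.crt', 'server.crt', 'server.key', 'dh1024.pem') {
    if (-not (Test-Path (Join-Path $ConfigDir $f))) { Write-Warning "$f is missing from $ConfigDir" }
}

# Steps 20-23 check: client1.crt must chain to our CA and carry CN=client1;
# a wrong Common Name or a cert from another CA fails the TLS handshake.
& $OpenSsl verify -CAfile (Join-Path $KeyDir 'ca.crt') (Join-Path $KeyDir 'client1.crt')
& $OpenSsl x509 -in (Join-Path $KeyDir 'client1.crt') -noout -subject -enddate
```

In both generated files the fifth line is the one the guide singles out (the `server` line on the server, the `remote` line on the client), so the line references above still apply. The `openssl verify` call should print `client1.crt: OK`; anything else means the client cert and ca.crt come from different build-ca runs.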

Almost done! Just have some configuration left on the server to go.

Server Configuration

  1. On the server open up Services (run services.msc). Find OpenVPN, right-click it and go to Properties. Set it to Automatic and start it.
  2. Still on the server in Services, find Routing and Remote Access (shorthand: RRAS). Set it to Automatic and start it. NOTE: In at least a couple of my goes with this, enabling RRAS made my network indicator in the notification tray claim I had no connection -- I still had a connection despite being told otherwise. It only happened on a few of my computers, so it may or may not happen to you (if it does, see if you can access any website; if you can, there's no problem).
  3. You will need to modify a registry entry, so open up regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. In there change IPEnableRouter to 1 (default is 0).
    IPEnableRouter.reg file download | PasteBin
  4. You may need to reboot before the registry change takes effect
  5. Still on the server, go Control Panel->Network and Sharing Center and click on "Change Adapter Settings"
  6. If you use my config it is necessary to change the TAP name (as the default name is random). Right-click the adapter that says TAP-Win32 (or Win64) Adapter and select "Rename". Rename it to "MyTap".
  7. Right-click the newly named MyTap and go to Properties. Uncheck IPv6 if it's available (Vista/7, plus some XP computers that have it configured).

    Now we go on to Internet Connection Sharing (ICS) configuration. You may wish to review Note #5, as it covers how to use a different subnet, as well as the "Some Things Very Important To Note" section for possible issues. As a reminder, my guide assumes you are using 192.168.137.0/24, which is not the case on Windows XP. Edit as appropriate.
  8. This part is not necessary if you have checked the registry entry for ICS and made sure it is correct for your needs, but it is a useful way to double-check, as you'll get a warning popup. While still having the MyTap Properties open, select IPv4 and click Properties. Give it a static IP of 192.168.137.1 with a 255.255.255.0 subnet mask.
  9. Right-click your LAN adapter (the one you gave a static IP in the Pre-Install section) and go to Properties. Go to the Sharing tab (Advanced on Windows XP) and check "Allow other network users to connect through this computer's Internet connection"
  10. If there is a drop-down list you can select from, select MyTap. If not, don't worry: that just means you have no other adapters to share with other than MyTap. Image of Steps 9+10
  11. Uncheck the lower box titled "Allow other network users to control or disable the shared Internet connection" if it is checked.
  12. Click OK. If you did optional step 8 of Server Configuration, you'll get a popup that says something about how MyTap will be set to 192.168.137.1. If yours names a different IP address, you will need to modify server.ovpn to use that subnet (same first 3 sets of numbers, last one a zero) and restart the OpenVPN service; alternatively you can set the ICS network range in your registry. Run this registry file to use the guide's 192.168.137.1 (Pastebin), or configure it manually using regedit: navigate to HKLM\System\CurrentControlSet\services\SharedAccess\Parameters and edit ScopeAddress and ScopeAddressBackup to the desired IP address range (you specify the first IP address in the range). You can check that the IP address for MyTap is correct by running ipconfig /all in the command line and making sure it matches the one in your server.ovpn config file.
Now you just need to port forward for OpenVPN so you can access it over the Internet.
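The Windows Firewall steps, the Server Configuration steps above and the ICS subnet pinning from Note #5 can be done from one elevated PowerShell session on the server. The script below is an added example of mine, not something from the guide; it uses netsh and registry writes so it also applies on Vista/7. It assumes the LAN adapter is named "Local Area Connection", that the TAP adapter still has its default name, that the service names behind the Services display names are OpenVPNService and RemoteAccess (confirm with Get-Service before running), and that ICS is driven through the HNetCfg.HNetShare COM object that sits behind the Sharing tab. The disable-then-re-enable of sharing is also the fix for the APIPA problem described in "Some Things Very Important To Note".

```powershell
# Added example, not part of the guide: the Windows Firewall and Server
# Configuration steps as one script, run from an elevated PowerShell on the
# server. netsh and registry writes are used so it applies on Vista/7 too.
# ASSUMPTIONS (verify on your box before running): the LAN adapter is named
# "Local Area Connection"; the TAP adapter still has its default name; the
# service names are OpenVPNService and RemoteAccess (check with Get-Service);
# ICS is driven through the HNetCfg.HNetShare COM object behind the Sharing tab.

$LanAdapter = 'Local Area Connection'   # adapter holding the static LAN IP (assumption)
$TapName    = 'MyTap'
$VpnFirstIp = '192.168.137.1'           # first address of the OpenVPN / ICS block
$VpnMask    = '255.255.255.0'
$Port       = 1194

# Windows Firewall steps 1-7: allow inbound UDP 1194 only, on every profile.
netsh advfirewall firewall add rule name="openvpn in" dir=in action=allow protocol=UDP localport=$Port profile=any

# Server Configuration steps 1-2: OpenVPN and Routing and Remote Access on Automatic.
foreach ($svc in 'OpenVPNService', 'RemoteAccess') {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# Step 3: turn the box into a router. Step 4 still applies: reboot if clients
# get no Internet after this.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
    -Name IPEnableRouter -Value 1 -Type DWord

# Note #5: pin the ICS subnet so the address ICS forces onto MyTap matches
# the 'server' line in server.ovpn (ScopeAddress is the first host address).
$icsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters'
Set-ItemProperty -Path $icsKey -Name ScopeAddress       -Value $VpnFirstIp -Type String
Set-ItemProperty -Path $icsKey -Name ScopeAddressBackup -Value $VpnFirstIp -Type String

# Steps 5-6: rename the TAP adapter. OpenVPN's dev-node match is case-sensitive
# (see comment 16 below), hence the case-sensitive comparison here.
$tap = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.Name -like 'TAP-Win*' }
if ($tap -and $tap.NetConnectionID -cne $TapName) {
    netsh interface set interface name="$($tap.NetConnectionID)" newname="$TapName"
}

# Step 7: unbind IPv6 (this cmdlet exists on Windows 8 / Server 2012 and later only).
if (Get-Command Disable-NetAdapterBinding -ErrorAction SilentlyContinue) {
    Disable-NetAdapterBinding -Name $TapName -ComponentID ms_tcpip6
}

# Step 8: static address on MyTap so a mismatch with ICS shows up immediately.
netsh interface ipv4 set address name="$TapName" static $VpnFirstIp $VpnMask

# Steps 9-12: Internet Connection Sharing. The LAN adapter is the shared
# ("public") side and MyTap the "private" side. Disabling first and then
# re-enabling is also the fix for the APIPA problem in the notes section.
function Get-IcsConfig {
    param([object]$Manager, [string]$ConnectionName)
    foreach ($conn in $Manager.EnumEveryConnection) {
        if ($Manager.NetConnectionProps.Invoke($conn).Name -eq $ConnectionName) {
            return $Manager.INetSharingConfigurationForINetConnection.Invoke($conn)
        }
    }
    throw "no network connection named '$ConnectionName'"
}
$hns    = New-Object -ComObject HNetCfg.HNetShare
$lanIcs = Get-IcsConfig -Manager $hns -ConnectionName $LanAdapter
$tapIcs = Get-IcsConfig -Manager $hns -ConnectionName $TapName
if ($lanIcs.SharingEnabled) { $lanIcs.DisableSharing() }
if ($tapIcs.SharingEnabled) { $tapIcs.DisableSharing() }
$lanIcs.EnableSharing(0)   # ICSSHARINGTYPE_PUBLIC
$tapIcs.EnableSharing(1)   # ICSSHARINGTYPE_PRIVATE

# Step 12 check: MyTap must now carry the first address of the server.ovpn subnet.
$tapIp = (Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.Description -like 'TAP-Win*' }).IPAddress |
    Where-Object { $_ -notmatch ':' }
if ($tapIp -contains $VpnFirstIp) { "OK: $TapName is $VpnFirstIp" }
else { Write-Warning "$TapName has $($tapIp -join ', '); fix the ICS scope or server.ovpn" }
```

The firewall rule deliberately opens only UDP 1194 inbound; if you switch to TCP 443 as in Note #4, change `protocol=` and `localport=` here as well as `port` and `proto` in both .ovpn files. The final check is the scripted form of the `ipconfig /all` comparison in step 12.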

Client Configuration

  1. Now on the client, go to Control Panel->Network and Sharing Center and click on "Change Adapter Settings"
  2. If you use my config it is necessary to change the TAP name (as the default name is random). Right-click the adapter that says TAP-Win32 (or Win64) Adapter and select "Rename". Rename it to "MyTap".
  3. You can try out OpenVPN now on your LAN to make sure all is working. Just change your client1.ovpn to connect to your server's LAN IP address (NOT the address you set for MyTap on the server, but the static IP you set for the LAN adapter).
  4. Launch OpenVPN GUI (as administrator on Vista/7). A tray icon should appear for OpenVPN (a little red-monitored computer with a globe). Right-click it and select "Connect"
  5. A window like this will appear. After a few seconds to a minute, you should hopefully connect and be assigned an IP address. To verify traffic is going through the tunnel, assuming you used OpenDNS, you can test it simply using an OpenDNS check.
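To go beyond the OpenDNS page check in step 5, the added example below (mine, not from the guide) verifies from the client that the tunnel is actually carrying the traffic: the MyTap address comes from the VPN block, the DNS servers are the pushed OpenDNS resolvers, and both halves of the `redirect-gateway def1` default route point out of the TAP interface. It uses only WMI classes present on Vista/7 and later and assumes the adapter is named MyTap and the guide's 192.168.137.0/24 block; the last line asks OpenDNS itself which public address it sees the query coming from.

```powershell
# Added example, not part of the guide: run on the client after the OpenVPN GUI
# reports "Connected" to confirm that traffic really leaves through the tunnel
# and that DNS goes to the pushed resolvers instead of the LAN's. Uses WMI only,
# so it works on Vista/7 (PowerShell 2.0 syntax) as well as later versions.
# Assumptions: adapter named MyTap, the guide's 192.168.137.0/24 block, OpenDNS
# resolvers pushed by the server; change the three values at the top otherwise.

$TapName     = 'MyTap'
$VpnPrefix   = '192.168.137.'
$ExpectedDns = @('208.67.222.222', '208.67.220.220')

function Test-VpnTunnel {
    $result = @{}

    # Address and DNS servers the server pushed onto MyTap.
    $tap = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID -eq $TapName }
    if (-not $tap) { throw "no adapter named $TapName" }
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.InterfaceIndex -eq $tap.InterfaceIndex }
    $v4 = @($cfg.IPAddress | Where-Object { $_ -notmatch ':' })
    $result.AddressFromVpnBlock = ($v4.Count -gt 0) -and $v4[0].StartsWith($VpnPrefix)
    $result.DnsIsPushedResolver = @($cfg.DNSServerSearchOrder |
        Where-Object { $ExpectedDns -contains $_ }).Count -gt 0

    # 'redirect-gateway def1' does not replace the LAN default route; it adds
    # 0.0.0.0/1 and 128.0.0.0/1 via the VPN gateway, which are more specific
    # and therefore win. Both halves must point out of the TAP interface.
    $halves = Get-WmiObject Win32_IP4RouteTable | Where-Object {
        $_.Mask -eq '128.0.0.0' -and $_.InterfaceIndex -eq $tap.InterfaceIndex
    }
    $dest = @($halves | ForEach-Object { $_.Destination })
    $result.DefaultRouteViaTunnel = ($dest -contains '0.0.0.0') -and ($dest -contains '128.0.0.0')
    return $result
}

$checks = Test-VpnTunnel
$checks.GetEnumerator() | Sort-Object Name | ForEach-Object { "{0,-22} {1}" -f $_.Name, $_.Value }

# End-to-end check using OpenDNS itself: the answer is the public address the
# query arrived from. Through the tunnel it is the server's public IP, not the
# client's own; if it is the client's, traffic is bypassing the VPN.
nslookup myip.opendns.com resolver1.opendns.com
```

All three checks should print True; a False on DefaultRouteViaTunnel with a True on the other two is the typical picture when the GUI was not run as administrator and OpenVPN could not add the routes.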
I know it's been a lot of work, but it's worth it. You now have a secure basic VPN setup, more robust than Microsoft's default PPTP offering and supporting multiple clients. You can improve the security further by looking into ta.key, max-clients, client filtering, choosing the cipher, and password authentication. You'll need to go elsewhere to learn how to do these, or I may cover them in a future post. Finally, there are a few things you should know:

Some Things Very Important To Note

  • If you have issues with resolving DNS, uncomment register-dns from the client file.
  • On some networks with a short dhcp timeout, your client may have issues with getting a new address lease due to OpenVPN sending the request through the VPN. Disconnecting from OpenVPN and running "ipconfig /release" followed by "ipconfig /renew" in the command prompt will solve the issue (until it times out again).
  • Internet Connection Sharing (ICS) is a tricky one, but I've gotten it mostly figured out through the SharedAccess registry options. You can read up on configuring ICS here. On Windows XP it uses 192.168.0.1 by default and I've yet to verify if that can be changed.
  • Strictly speaking, the subnet your OpenVPN server is given may not be absolutely correct. This doesn't matter for a handful (3) of clients, but it may stop you from having many more. This appears to be related either to the version of Windows used, to the NIC used, or to whether the NIC is a wireless NIC, and cannot be changed. You should get a subnet mask of 255.255.255.0, but may get less (the lowest I got was 255.255.255.252 -- 3 clients + the server would max that out). The OpenVPN client should pull the correct information when it connects, so as long as you don't exceed the limit it's not an issue. Slightly related is the below:
  • I don't know if this was because my virtual machine is crashy, but I noticed that the MyTap adapter would randomly change to using APIPA (Automatic Private IP Addressing) and therefore get an address from the 169.254.0.0/16 block. It's simple enough to fix. NOTE: This happens when RRAS runs into an issue and the DHCP server fails. To fix it, follow these 3 steps:
    First, disable sharing on the LAN adapter.
    Second, reset MyTap to use a static IPv4 address (IP and default gateway the same, in my case 192.168.137.1).
    Third, re-enable sharing on the LAN adapter for MyTap.
  • I suggest disabling sleep/hibernation on the server anyway (I mean, if the server isn't online when you need to connect, it's kinda useless). And whenever you reboot for updates, just check to make sure that MyTap has the first IP address in the block your OpenVPN server gives out.
  • I've yet to find a way to get the OpenVPN network to be identified as anything less than a Public Network on Windows 7. It doesn't matter much unless you want to access network shares on the OpenVPN server (which may not be possible, since Windows may block sharing because it's a public network). NOTE: This is due to OpenVPN's network not having a default gateway. Some steps on potential workarounds can be found on the Internet.

16 comments:

  1. Very detailed.
    Several questions before starting:
    1) do I need 1 or 2 nics? If 2 then where do I connect them to? Presumably one is connected to the 'target' lan and one is accessed from outside, either directly to the www or in the dmz

    2) how many concurrent users?

    sysman

    ReplyDelete
  2. 1. One NIC with Internet access is plenty. OpenVPN will create a "virtual" NIC.

    2. Concurrent users I'm not entirely sure on. Theoretically it should be as many as you want, but when I put the server on a Windows 7 box, it was limited to just 6 IIRC, but I'm unsure if that was a limitation of Windows 7 Home Premium or the fact that I was using a wireless NIC to share Internet. On a Windows Server 2003 box, the subnet size supported 253 clients, though I only connected two.

    ReplyDelete
  3. Hi

    Thanks for the answer. (what does IIRC mean?).

    I will describe the setup that I want & maybe you can tell me if your set up is ok with that or what changes I need.

    I have a lan which is situated behind an industrial strength router/firewall (Juniper). The Lan is 192.168.0.0/21 [ie from 192.168.0.0 to 192.168.7.254]

    I want to be able to connect up to this lan from outside (ie in the www) and to feel as though I am sitting in my office within the lan & be able to connect up to all the resources that I am used to. I envisage several users being able to connect up concurrently. I would like to reserve several ips for these users, say 192.168.7.100-150.
    I can't change the lan IPs.

    Does this seem reasonable?

    ReplyDelete
  4. IIRC: If I Recall Correctly.

    I don't actually have a running Windows implementation of OpenVPN. This was a write-up for other people. A lot of people I know are Windows-only but wanted a quality VPN.

    OpenVPN assigns addresses out of its own subnet. Traffic is then routed between subnets. My example above is designed for a full VPN instead of a split-tunnel VPN. It's designed for web traffic and server communication only, though. I didn't test it to communicate with other clients on the same subnet as the server, but not on the OpenVPN subnet. It might work, it might not -- I didn't test it. It's definitely possible with routing pushes from OpenVPN, but that's beyond the scope of this article. You'll probably have to poke a few holes on the client firewalls to get it working. I was helping someone else debug their OpenVPN implementation. They had set up a routing path to the remote LAN from the VPN LAN. It worked for their Linux servers, but they couldn't ping the Windows desktops. Turned out Windows Firewall was detecting the pings came from an out-of-scope subnet and was blocking them.

    I also believe it's possible to run OpenVPN in bridged mode and for it to assign addresses via another DHCP server, but that's not easy. Routing is much easier.

    ReplyDelete
  5. Hi
    Your guide is really helpful. I followed your instructions set up the ICS, the OpenVPN. Ping from server to client and vice versa is both OK. The server is connected to the internet. But the client can't access the internet. Help please.

    ReplyDelete
  6. 1. Are you using any firewall?

    2. What OS are you using for both the server and client?

    3. What IP ranges are being used on the Server LAN, Client LAN, as well as the VPN LAN?

    4. Can you Ping the Gateway of the Server LAN?

    5. What happens when you tracert google.com?

    ReplyDelete
  7. Outpost Security Suite (closed when testing VPN)

    Server: Windows 7 32bit, campus LAN 172.23.9.168, Wifi (obtain IP automatically, Internet access which I want to share)

    Client: Windows 8 64bit, campus LAN 172.21.153.162,(can use socks proxy of server through campus LAN perfectly but can't ping)

    My VPN is set according to your guide, server 192.168.137.1, client 192.168.137.6

    On client, can't ping 172.23.9.1 ,even can't ping client's gateway 172.21.153.1, but can ping 192.168.137.1

    When I tracert google.com from client, "Unable to resolve target system name google.com."

    ReplyDelete
  8. It's very strange to me. I can't ping server's lan gateway from client, but I can tracert it using tcp and udp. Maybe icmp is blocked on client's lan.
    Then can I share my wireless internet access over VPN?

    ReplyDelete
  9. I've dealt with the symptoms you're describing before, and in every case it's always been a firewall somewhere causing the problems, usually Windows Firewall.

    ReplyDelete
  10. I closed Outpost and Windows firewall on both server and client and the situation didn't change.
    Additional test shows when ping client from server, Outpost shows the connection but still 'request timed out'. When ping server from client there's no connection shown on server.
    Maybe there's a firewall on client's gateway that deny all icmp from inside the subnet.
    But udp and tcp are ok and ping is ok on the built-up vpn.
    What is port forwarding? Do I need it to setup the vpn?

    ReplyDelete
  11. Yes, it's definitely possible the network firewall is blocking stuff.

    Given that you're asking about port forwarding, I take it that you don't administer the campus LAN? Port forwarding is where you take a Port and connect a specific private IP to the public IP using that port. It is a requirement to make the VPN useful, as without that, the most you can do is connect while on the private network. You won't be able to connect when outside of campus (and depending on how the campus network is set up: even when on the campus network in some places).

    As I said, the problem you're experiencing has always been firewall related in my experience, so my gut is still telling me it's firewall-related. I know a lot of public wifi networks have the network firewall block pinging between clients for a little bit of added security and to try to mitigate ICMP flooding. Another possibility is it's related to Windows 8, since I've not tested this yet with Windows 8. I'll look into this further if you want, but unless you can put the VPN server on a network you control, you probably won't be able to get much use out of the VPN.

    ReplyDelete
  12. Defron,
    Thank you so much!
    My OpenVPN connection was set up and working already but I didn't find a way to tunnel the traffic from the client through it. I'm using a vserver with Windows Server 2012 and it works like a charm!
    Thanks!

    ReplyDelete
  13. Thnx for the detailed info.
    But somehow, I manage to do something wrong :(
    The problem is that both on the server (Vista) and the client (Windows 8), the "MyTap"-connection is not connected.
    In the Network Connections window, it says that the network cable isn't attached...

    When I check with "ipconfig /all", both computers say that the MyTap adapter is disconnected.

    On both computers, I opened UDP port 1194 in both the McAfee and the Windows Firewall, and I also did so in the firewall which is in the router.

    ReplyDelete
  14. I assume you are using my config files.

    I'd start with disabling any non-Windows Firewall firewalls as well as any antivirus.

    The fact that MyTap isn't connected even on the server suggests that either something is interfering (hence the above precautionary steps) or that you don't have something configured right. Most likely culprits would be the RRAS stuff or OpenVPN isn't running. I'd re-verify that the server setup was done properly after disabling all security software.

    Though, to be sure: MyTap is the name you're using, right? Not MyTap-adapter. My config files specifically specify the adapters be named MyTap, otherwise you'll have to edit my config files as needed.

    ReplyDelete
  15. Hello, yesterday I sent you a message about the fact that 'MyTab' has no connection. Luckily, I managed to solve this problem.
    First of all, I think it happened because Tab-window has been updated after you wrote this excellent manual, so I just had bad luck.
    Here's the solution:
    In addition to server configuration point 7, when you uncheck IPv6, hit OK and then again right-click the MyTab and go again to properties. Now, you go to Configure. Then go to the Advanced tab and select Media Status. Change the value in the pulldown menu to "Always Connected". Click OK and the miracle will happen: the MyTap is now connected and has the desired IP address :). Because of a lack of time, I haven't been able to check if OpenVPN is now working correctly, but at least this point is solved.

    PS: I run the OpenVPN server on a Vista machine and, contrary to your manual, Vista is also using the 192.168.0/24 range for ICS, so I had to change it to 192.168.137.0/24

    ReplyDelete
  16. First I want to thank the author for an amazing guide.

    I had two problems and this is how I fixed them:

    1) When I started the OpenVPN Server on a Windows 2008R2 server, I got an error that there was no MyTap adapter. I double and triple checked and there it was, correctly named. It was not until several hours later (of frustration) that I realized I had named it MyTAP (notice the uppercase TAP). When I tried to rename it, it again showed MyTAP. It was not until I renamed it to something different (like xxx) and then back to MyTap that Windows made the change. I thought that, this being Windows and not Linux, uppercase was not important, but now I know it is.

    2) The MyTap adapter was shown as Cable Disconnected. It was not until I followed the anonymous instructions right here that I was able to enable it:

    In addition to server configuration point 7, when you uncheck IPv6, hit OK and then again right-click the MyTab and go again to properties. Now, you go to Configure. Then go to the Advanced tab and select Media Status. Change the value in the pulldown menu to "Always Connected". Click OK and the miracle will happen: the MyTap is now connected and has the desired IP address :).

    ReplyDelete