
[GUIDE] Make your own VPN server - for Windows

DISCLAIMER : I am not responsible for any harm that could come out of installing and using a VPN Server. Be aware that this will open your home network to the Internet.

 

 

In this guide I will (try to) show you how to create a VPN server on a Windows computer (a VPN server on a Linux or macOS computer is possible, but this guide is specifically for Windows 10), so that you can use your home internet connection as a VPN. I have personally used this while on a trip in China, so I can confirm that (at the time of writing) it works even to get around the Great Firewall of China!

 

 

Here are the different ways to create a VPN server ;

 

 

 

To start, you'll need a Dynamic DNS service. This is only for the Windows 10 VPN server and OpenVPN server, as SoftEther comes with a free DDNS service that is activated by default. This means we're going to create an address that redirects to your home IP, so even if your IP changes the service is going to work. Alternatively, you could call your ISP and pay for a static IP, but a DDNS is just as good and is free ;)

 

 

Here is a list of free DDNS services, simply create an account and install the client on the PC you're going to use as the VPN server ;

http://freedns.afraid.org/
https://www.noip.com/free
https://dyndnss.net/eng/
https://www.duckdns.org/
https://www.cloudns.net/dynamic-dns/

 

 

 

And then, of course, you'll have to do some port forwarding from your router to the computer hosting the VPN server ;

 

Windows VPN server : TCP, port 1723

SoftEther : TCP, port 1194 + UDP ports 500, 4500 (for L2TP/IPsec)

OpenVPN : TCP, port 1194

 

 

 

 

Windows 10 VPN server


For Windows 10 Built-in VPN service, the steps are quite easy ;

 

Open the Start menu, type ncpa.cpl and open that control panel item


 

 

While in Network Connections, click on File > New Incoming Connection


 

 

On the menu that opens, select the user account that you want to use for the VPN connection (so that you can log in to the VPN). You can also add a new account just for the VPN connection (that's what I suggest) by clicking on "Add someone...".


 

 

Next, check the option "Through the internet"


 

 

 

Click next, and then "Allow access" and finally "close" 

 

 

 

Now, if you look in Network Connections, you'll see a new device named "Incoming Connections"

 

 

Now, to connect to that VPN from a PC, go to the Settings app, then Network & Internet > VPN > Add a VPN connection and fill in the information for the connection (Windows VPN is a PPTP type). The settings are similar when using a phone ;

 

 

 

SoftEther VPN server


To get the SoftEther VPN server software, go to http://www.softether-download.com/en.aspx?product=softether and select the following, then click on the first download link (often a beta build, so if you're not comfortable with a beta build, scroll down until you see an RTM release) ;

 

 

 

Once downloaded, run the .exe, click NEXT, then on the list select SoftEther VPN Server ;


 

 

Accept the licence agreement, leave everything as default and click NEXT a few times. You can also change the install location if you want to ;

 

 

 

Click NEXT until SoftEther starts installing, then FINISH and leave the box checked ;


 

 

 

In the server manager, click CONNECT and enter a new password for the server admin ;


 

 

 

Now, in the Bridge Easy Setup window, select "Remote Access VPN Server", then click NEXT, and YES on the popup ;


 

 

 

Choose whatever name you want for your VPN ;


 

 

 

Now you can set up the SoftEther DDNS settings (you can leave it as-is, or change it for something else), then EXIT ;

 

 

 

Now you can activate L2TP and change the IPsec shared key ;


 

 

 

Next option is to have Azure cloud VPN service, enabling it will give you another DDNS for free in case the SoftEther DDNS isn't working, since it's free, I suggest you enable it! ;


 

 

 

Finally, you'll have to create users and select the Ethernet connection for the server (in case you have multiple Ethernet connections) 

 

Click on "Create Users" and fill out the information and password for the user. You can also generate certificates from the create user window ;

 

 

 

For the VPN connection setup, it's similar to the Windows VPN, simply fill out the information with what you set up on the SoftEther server ;

 

 

 

OpenVPN server

 


 

Be aware that OpenVPN is NOT like the Windows VPN server or SoftEther. You will HAVE to go into the command prompt and copy/paste commands. If you're not comfortable with this, you can consider the previous options.

Also note that I was not able to make OpenVPN work on my phone, but was able to have SoftEther and Windows VPN work.

 

 

 

To get the OpenVPN install, follow the link and select the Windows installer ;

https://openvpn.net/community-downloads/

 

 

Guide taken from ; https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide

 

 

When downloaded, start the install and select the EasyRSA 2 certificate option ;

 

 

 

Now, open an elevated command prompt window (run as admin) ;


 

 

 

From the command prompt, navigate to the RSA folder ;


cd "C:\Program Files\OpenVPN\easy-rsa"

 

Then run the init-config.bat (simply type that in the command prompt) ;


init-config.bat

 

Next, open the vars.bat file in notepad ;


notepad vars.bat

 

 

Then edit the information below (not mandatory, you can put whatever you want) ;


set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=OpenVPN
set KEY_EMAIL=mail@host.domain

 

Save the file and exit notepad

 

 

 

Now back in the command prompt, execute the following commands ;


vars.bat

clean-all.bat

 

 

Now, you have to build the certificate authority (CA) certificate and key ;


build-ca.bat

 

During that process, you'll be asked to fill the following ;


Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [mail@host.domain]:

These will default to whatever you entered in Notepad. For the Common Name, it's a good idea to write something.

 

Now, to build the certificate server and key ;


build-key-server.bat server

 

You will be prompted to fill in similar information. When you get to the Common Name, enter SERVER. You can select a password if you want.

When prompted to sign the certificate, choose Y

When prompted to commit, choose Y

 

 

Now, to build the client's keys ;

 

For each client, choose a name to identify that computer, such as "mike-laptop" in this example.


build-key.bat my-laptop

 

When prompted, enter the "Common Name" as the name you have chosen (I chose "my-laptop", you can put whatever you want)

 

Repeat this step for each client computer that will connect to the VPN.

 

Generate Diffie Hellman parameters (This is necessary to set up the encryption and can take a few minutes)


build-dh.bat

 


Generate a shared-secret key (Required when using tls-auth)
 


"C:\Program Files\OpenVPN\bin\openvpn.exe" --genkey --secret "C:\Program Files\OpenVPN\easy-rsa\keys\ta.key"

 

 

 

Copy the sample server configuration file to the easy-rsa folder


copy "C:\Program Files\OpenVPN\sample-config\server.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"


Edit server.ovpn in notepad


notepad "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"


In the config file, find the following lines:


ca ca.crt
cert server.crt
key server.key
dh dh2048.pem


And edit them as follows:


ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"

Save and close the file

 

 

Now for the client's config file, this is similar to the server configuration ;

 

Copy the sample server configuration file to the easy-rsa folder with client's Common Name as the file name (each client will have a different file name)


copy "C:\Program Files\OpenVPN\sample-config\client.ovpn" "C:\Program Files\OpenVPN\easy-rsa\keys\my-laptop.ovpn"


Edit client's config file


notepad "C:\Program Files\OpenVPN\easy-rsa\keys\my-laptop.ovpn"


Find the following lines:


ca ca.crt
cert client.crt
key client.key


Edit them as follows:


ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\my-laptop.crt"
key "C:\\Program Files\\OpenVPN\\config\\my-laptop.key"

Notice that the name of the client certificate and key files depends upon the Common Name of each client.
You can also include the ca, cert and key content in the client file. You have to copy the file content inside the tags <ca></ca>, <cert></cert> and <key></key>.
Edit the following line, replacing "my-server" with your server's public Internet IP Address or Domain Name (see the DDNS section at the start of this post).


remote my-server 1194


Save and close

 

 

Copy these files from C:\Program Files\OpenVPN\easy-rsa\keys\ to C:\Program Files\OpenVPN\config\ on the server:


ca.crt
ta.key
dh2048.pem
server.crt
server.key
server.ovpn

 


robocopy "C:\Program Files\OpenVPN\easy-rsa\keys\ " "C:\Program Files\OpenVPN\config\ " ca.crt ta.key dh2048.pem server.crt server.key server.ovpn


NOTE: The space at the end of the path in each string is important.


Copy these files from C:\Program Files\OpenVPN\easy-rsa\keys\ on the server to C:\Program Files\OpenVPN\config\ on each client (my-laptop, in this example):
 


ca.crt
ta.key
my-laptop.crt
my-laptop.key
my-laptop.ovpn

 

 

 

 

Finally, to start OpenVPN, on both client and server, run OpenVPN from:
Start Menu -> All Programs -> OpenVPN -> OpenVPN GUI
Double click the icon which shows up in the system tray to initiate the connection. The resulting dialog should close upon a successful start.

 

On the server, you will need to go into the services and start the OpenVPN service and change its startup type to automatic ;

 

 

 

 

VPN traffic obfuscation.

 

The only server here that seems to support obfuscation is OpenVPN. If you're interested in that, then here are some resources that could help ;

https://community.openvpn.net/openvpn/wiki/TrafficObfuscation

https://www.pluggabletransports.info/implement/openvpn/

https://hamy.io/post/000f/obfs4proxy-openvpn-obfuscating-openvpn-traffic-using-obfs4proxy/

https://www.sparklabs.com/support/kb/article/setting-up-an-obfuscation-server-with-obfsproxy-and-viscosity/

Edited by wkdpaul
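
The OpenVPN section's file lists and config edits can be checked mechanically before a client folder leaves the server. This is an added example, not part of the original post or of OpenVPN itself; the function names and sample inputs are constructed for illustration, and it assumes the file-path form of ca/cert/key rather than the inline `<ca>` tags.

```python
import ntpath
import shlex

# Files the guide copies to each client; {name} is the client's Common Name.
CLIENT_BUNDLE = ("ca.crt", "ta.key", "{name}.crt", "{name}.key", "{name}.ovpn")

def parse_directives(text):
    """Map directive -> args for OpenVPN config text (last occurrence wins)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # both characters start a comment line
            continue
        # shlex collapses the doubled backslashes used inside quoted Windows paths.
        tokens = shlex.split(line, comments=True)
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives

def audit_client_config(text, name):
    """Check a client .ovpn against the edits described in the guide."""
    d = parse_directives(text)
    findings = []
    for directive, expected in (("ca", "ca.crt"), ("cert", name + ".crt"), ("key", name + ".key")):
        args = d.get(directive)
        if not args:
            findings.append(f"{directive}: directive missing")
        elif ntpath.basename(args[0]).lower() != expected.lower():
            findings.append(f"{directive}: points at {ntpath.basename(args[0])}, expected {expected}")
    remote = d.get("remote")
    if not remote or remote[0] == "my-server":
        findings.append("remote: missing or still the placeholder my-server")
    if "tls-auth" not in d:
        findings.append("tls-auth: not enabled, so ta.key is unused")
    return findings

def audit_client_bundle(filenames, name):
    """Compare a client's config folder listing with the five files the guide names."""
    expected = {f.format(name=name).lower() for f in CLIENT_BUNDLE}
    present = {f.lower() for f in filenames}
    findings = [f"missing: {f}" for f in sorted(expected - present)]
    for extra in sorted(present - expected):
        # easy-rsa\keys also holds ca.key, server.key and other clients' keys;
        # copying the whole folder hands those private keys to the client.
        why = "private key that does not belong to this client" if extra.endswith(".key") else "not needed by this client"
        findings.append(f"unexpected: {extra} ({why})")
    return findings

# Constructed sample: client config after the guide's edits, 'remote' left unedited.
SAMPLE_CLIENT_OVPN = r'''
client
remote my-server 1194
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\my-laptop.crt"
key "C:\\Program Files\\OpenVPN\\config\\my-laptop.key"
;tls-auth ta.key 1
'''
# Constructed sample: client folder into which the whole keys directory was copied.
SAMPLE_CLIENT_DIR = ["ca.crt", "ca.key", "ta.key", "server.key", "my-laptop.crt", "my-laptop.key", "my-laptop.ovpn"]

if __name__ == "__main__":
    print(audit_client_config(SAMPLE_CLIENT_OVPN, "my-laptop"))
    print(audit_client_bundle(SAMPLE_CLIENT_DIR, "my-laptop"))
```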


Now we need the write up on how to do this using an SSL tunnel. If you work somewhere (or have an ISP) that has DPI (Deep Packet Inspection) then they can still see you are using a vpn and can restrict/limit it in various ways. Now if you wrap that VPN traffic in SSL then it looks like actual web traffic and they cannot see it as a vpn. This means you can go a little further in masking your activities to get around these various techniques.

 

I mention this because finding a decent vpn that can do this for a reasonable price is a little difficult and if you have the bandwidth for a vpn then this is another nice trick you can use to make it even more powerful. For example you have an unlimited cell phone plan, but took the cheaper one with only 480p streaming. Now, if you were to use this nice fancy VPN you could stream at 1080p because they are unable to detect or see the traffic.
  • 2 months later...
On 9/27/2019 at 2:46 PM, AngryBeaver said:

*snip*

Just realized SoftEther is an SSL VPN!

 

https://www.softether.org/4-docs/2-howto/7.Replacements_of_Legacy_VPNs/1.Penetrates_Firewall_by_SSL-VPN

4 minutes ago, carrickwater said:

What's an SSL VPN please.

An SSL VPN is basically a VPN connection over HTTPS, so deep packet inspection (snooping on what your internet traffic is) is harder, but not impossible.

 

4 minutes ago, carrickwater said:

Also I tried SoftEther in the morning and remote access VPN server was greyed out. Try as I may I could not get any help to fix it. Can you please help. Thanks for your guide also.

Not sure what you mean, could you post some screenshots?

Edited by wkdpaul

2 minutes ago, wkdpaul said:

An SSL VPN is basically a VPN connection over HTTPS, so deep packet inspection (snooping on what your internet traffic is) is harder, but not impossible.

 

Not sure what you mean, could you post some screenshots?

Sure. Thanks again.

13 minutes ago, wkdpaul said:

An SSL VPN is basically a VPN connection over HTTPS, so deep packet inspection (snooping on what your internet traffic is) is harder, but not impossible.

 

Not sure what you mean, could you post some screenshots?

The screenshot.


Great, might use this next time I go to China ? 

 

thanks for the guide!

  • 4 weeks later...
  • 2 weeks later...
On 12/6/2019 at 8:39 AM, carrickwater said:

Your guide worked. About SoftEther, apart from the SSL is there any other way to hide that you're using a VPN, or is it better for me to use a remote desktop connection?

Depending on how it is done.. then using the SSL port would hide it about as well as you can hope.

 

That is assuming they are just using ssl to encapsulate the already encrypted VPN connection. If they do it properly they can make it look like any other web traffic over ssl so that dpi won't detect the underlying vpn. Now the initial connection request will still be seen unless you are using an encrypted dns service too.

 

So they would see the packet info calling out for vpn.nohands.killme or whatever. Then it would be gobbledygook. You remove that possibility with encrypted dns.


Since a lot of networks I would use this on such as hotel or school networks block most ports beside like 80 would I need to change something for it to work properly? And if so how would I go about that?

  • 2 weeks later...
On 1/16/2020 at 6:57 PM, AngryBeaver said:

Depending on how it is done.. then using the SSL port would hide it about as well as you can hope.

 

That is assuming they are just using ssl to encapsulate the already encrypted VPN connection. If they do it properly they can make it look like any other web traffic over ssl so that dpi won't detect the underlying vpn. Now the initial connection request will still be seen unless you are using an encrypted dns service too.

 

So they would see the packet info calling out for vpn.nohands.killme or whatever. Then it would be gobbledygook. You remove that possibility with encrypted dns.

I just saw this. I checked some sites a few days ago and my DNS was exposing me. The question is how do I use an encrypted DNS from the same connection as the VPN? If I use another service it will still expose it. Thanks

8 hours ago, carrickwater said:

I just saw this. I checked some sites a few days ago and my DNS was exposing me. The question is how do I use an encrypted DNS from the same connection as the VPN? If I use another service it will still expose it. Thanks

This is very dependent on how you want to set it up. If you are connecting to the VPN at your router this will be hard or impossible to do. If you have something like a pihole server then it is just a few extra steps.

 

If you are doing it from the actual devices then google DNS over HTTPS for your browser. Firefox and Chrome have both made it rather easy to set this up. You can also do it for your entire machine; it just requires a little more setup. You can also just download Cloudflare's offering on the easy side of things too.

 

 
