
[GUIDE] Set up an OpenVPN Server on Windows


Intro

Hi. First of all, this guide focuses on one particular use case: using a VPN from an untrusted network (e.g. your school, public hotspots) and tunnelling ALL your traffic out through your server's ISP connection. Note that man-in-the-middle attacks are still possible on the server side, presumably your home network, and anywhere beyond it; the tunnel only protects the hop from the client to the server.

 

Useful troubleshooting links

https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide

https://forums.openvpn.net/viewtopic.php?t=20765

https://openvpn.net/community-resources/how-to/

https://wiki.archlinux.org/index.php/Easy-RSA

https://wiki.archlinux.org/index.php/OpenVPN

https://site.elastichosts.com/blog/windows-l2tpipsec-vpn-server/

 

Server Setup-Guide

  • OpenVPN Download ---> https://openvpn.net/community-downloads/
  • Install it with all the features (easy-rsa, etc.)
  • Create a Windows Firewall inbound rule for the protocol and port you choose for the server (1194/UDP by default). Disabling Windows Firewall outright also works, but it exposes every other service on the host, so prefer the rule.

Now open a cmd prompt as administrator and cd into this directory

 C:\Program Files\OpenVPN\easy-rsa

(the batch files used below come from Easy-RSA 2, which is what the installer shipped at the time of writing; newer OpenVPN installers ship Easy-RSA 3, whose commands differ)


and run 

init-config.bat

Now open the vars.bat file with

notepad vars.bat

and edit the settings at the bottom of the file to the values you like. Further up, KEY_SIZE controls the RSA and DH key length: make sure it is at least 2048.

 

set KEY_COUNTRY=US
set KEY_PROVINCE=CA 
set KEY_CITY=SanFrancisco 
set KEY_ORG=OpenVPN 
set KEY_EMAIL=mail@host.domain

Save the file, then run vars.bat, then clean-all.bat. Note that clean-all.bat wipes the keys directory, so run it only once when starting a fresh PKI, never after you have issued certificates.

Now we begin creating the certificates. Start with the CA:

build-ca.bat

Edit or confirm the settings you entered before. This produces ca.crt (public, goes to every client) and ca.key, which signs every other certificate: keep it private and back it up, because whoever holds it can mint valid client certificates for your server.

Then run
 

build-key-server.bat my-server

Make sure to put the name of your server into Common Name; it has to be different from every client's or it will give an error (OpenVPN also tracks connected clients by Common Name, so duplicates would collide).
When prompted, sign the certificate and commit with "y".


Now we create the client certificates, one for each client that is going to connect, with

build-key.bat x-client

As I said, make sure to choose another "common name" when prompted. If you want the client's private key protected by a passphrase (sensible for a laptop or phone that can be lost), use build-key-pass.bat instead; the client will then ask for it on connect.

Now create the DH file; it will take some time depending on the key length you chose in vars.bat (defaults to 2048):

build-dh.bat

And the last one, the ta.key, used to HMAC-authenticate the control channel (this is what lets the server drop packets from anyone who does not hold the key before any TLS work is done). On OpenVPN 2.5 and later the documented syntax is "openvpn --genkey secret ta.key"; for the version used here:

openvpn --genkey --secret ta.key
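Before copying anything into the config folder it is worth checking what Easy-RSA produced. The following PowerShell script is an added example, not part of the original guide: it assumes the default Easy-RSA 2 layout (keys under easy-rsa\keys), openssl.exe from the OpenVPN install, and the names my-server and x-client from the steps above. It verifies that every certificate chains to the CA, that Common Names are unique, that only the server certificate carries the serverAuth EKU (which is what lets clients enforce remote-cert-tls server), and that no private key is readable by ordinary users.

```powershell
# Added example (not from the original guide): sanity-check the Easy-RSA output.
# Paths, $server and $clients are assumptions matching the guide's examples.
$openssl = "C:\Program Files\OpenVPN\bin\openssl.exe"
$keys    = "C:\Program Files\OpenVPN\easy-rsa\keys"
$server  = "my-server"        # name passed to build-key-server.bat
$clients = @("x-client")      # one entry per build-key.bat run

function Get-CertText([string]$Path) {
    (& $openssl x509 -in $Path -noout -text 2>&1) -join "`n"
}

function Get-CommonName([string]$Path) {
    $subject = (& $openssl x509 -in $Path -noout -subject 2>&1) -join "`n"
    # handles both "CN = name, ..." (OpenSSL 1.1+) and "/CN=name/..." (older) output
    if ($subject -match 'CN\s*=\s*([^,/\r\n]+)') { return $Matches[1].Trim() }
    throw "no CN found in $Path"
}

$ca    = Join-Path $keys "ca.crt"
$certs = @("$server.crt") + ($clients | ForEach-Object { "$_.crt" })

# 1. Every certificate must chain to ca.crt, otherwise the TLS handshake fails.
foreach ($c in $certs) {
    $result = (& $openssl verify -CAfile $ca (Join-Path $keys $c) 2>&1) -join "`n"
    if ($result -notmatch ': OK') { throw "chain check failed for ${c}: $result" }
}

# 2. Common Names must be unique (the guide's "different CN" rule).
$cns   = $certs | ForEach-Object { Get-CommonName (Join-Path $keys $_) }
$dupes = $cns | Group-Object | Where-Object { $_.Count -gt 1 }
if ($dupes) { throw "duplicate Common Name(s): $($dupes.Name -join ', ')" }

# 3. Only the server certificate may carry serverAuth; that is what
#    'remote-cert-tls server' on the client relies on to reject an impostor
#    using a stolen client certificate.
if ((Get-CertText (Join-Path $keys "$server.crt")) -notmatch 'TLS Web Server Authentication') {
    throw "$server.crt lacks extendedKeyUsage=serverAuth; build it with build-key-server.bat, not build-key.bat"
}
foreach ($cl in $clients) {
    if ((Get-CertText (Join-Path $keys "$cl.crt")) -match 'TLS Web Server Authentication') {
        throw "$cl.crt carries serverAuth; a client cert must not be able to pose as the server"
    }
}

# 4. Private keys (the CA key above all) should not be readable by ordinary users.
$privateKeys = @("ca.key", "$server.key") + ($clients | ForEach-Object { "$_.key" })
foreach ($k in $privateKeys) {
    $acl  = Get-Acl (Join-Path $keys $k)
    $open = $acl.Access | Where-Object {
        $_.IdentityReference -match 'Everyone|Users' -and $_.FileSystemRights -match 'Read'
    }
    if ($open) { Write-Warning "$k is readable by $($open.IdentityReference -join ', ')" }
}

Write-Host "PKI checks passed for $server and $($clients -join ', ')"
```

Run it from an elevated PowerShell after build-dh.bat has finished; any throw means the PKI should be fixed before the server is exposed, and a warning on ca.key means the CA key has ended up readable by accounts that have no business seeing it.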


Server config

 

Now copy the certificates and keys you made from OpenVPN\easy-rsa\keys (ta.key is in the directory you ran the genkey command from, i.e. OpenVPN\easy-rsa) into the OpenVPN\config folder:

ca.crt

my-server.crt

my-server.key

dh2048.pem

ta.key

Do not copy ca.key there: the server never needs it, and the config folder is the wrong place for the key that can issue new certificates.

Also copy server.ovpn from the OpenVPN\sample-config folder into the OpenVPN\config folder and begin modifying it.

The config file is easy to read; the parameters you may need to modify are:

  • Port number
  • certificate locations (make sure the names match what you copied: ca ca.crt, cert my-server.crt, key my-server.key, dh dh2048.pem, tls-auth ta.key 0)
  • LZ4 compression (the sample has compress lz4-v2 and push "compress lz4-v2" commented out with ";"). Think twice before enabling it: compressing traffic inside an encrypted tunnel is what the VORACLE attack exploits to recover plaintext, and current OpenVPN documentation recommends leaving compression off.

Enabling all-traffic tunnelling

Probably the major feature of this guide; without it you will only be able to communicate with the server itself.

Find this line in server.ovpn

;push "redirect-gateway def1 bypass-dhcp"

and uncomment it by removing the ";". def1 installs two /1 routes that override the client's default route without deleting it, and bypass-dhcp adds a direct route to the client's DHCP server so lease renewals bypass the tunnel.

Also tell the clients which DNS to use by adding a line like the one below. Without it the client keeps the resolver it got from the untrusted network, so DNS queries (a record of every site you visit) still leave the tunnel; pick the resolver you want clients to use. Windows clients can additionally be sent push "block-outside-dns" so the system cannot fall back to other interfaces for DNS.

push "dhcp-option DNS 8.8.8.8"
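Put together, a minimal server.ovpn for this use case looks like the file below. This is an added example, not the sample file shipped with OpenVPN or the original poster's configuration; the certificate and key names follow the guide, while 1194/UDP, the 10.8.0.0/24 client pool and the 8.8.8.8 resolver are assumptions to change to taste. On OpenVPN 2.4 the data-ciphers directive is spelled ncp-ciphers.

```conf
# Added example server.ovpn (not the original guide's file).
port 1194
proto udp
dev tun

ca ca.crt
cert my-server.crt
key my-server.key
dh dh2048.pem
tls-auth ta.key 0            # HMAC on the control channel; 0 = server side

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120

# Send all client traffic through the tunnel and hand it a resolver
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "block-outside-dns"     # Windows clients only: stops DNS leaking past the tunnel

# Crypto floor; clients negotiate from the same list
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256

# Compression deliberately left off (VORACLE-style plaintext recovery)
;compress lz4-v2
;push "compress lz4-v2"

persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
```

The two lines that matter most for this guide's use case are the redirect-gateway push and the DNS push; everything else is the baseline a server exposed to the Internet should have before the firewall rule is opened.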


Enable Windows IPv4 forwarding

A few steps are needed for this; first we use netsh. Open a cmd prompt as administrator and execute

netsh

then

int ipv4

then

show int

and

show int X

where X is the index number of your TAP and/or Internet interface; this shows whether IPv4 forwarding is enabled on it.

Once you have found the X index number of your interfaces, type

set interface X forwarding="enabled"

Do that for both interfaces (the TAP one and the Internet-facing one), just to be sure.
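The same host preparation (firewall rule, forwarding on both interfaces, RRAS role service on Windows Server) can be done from an elevated PowerShell instead of the interactive netsh shell, with a check at the end. This is an added example, not from the original guide; the port, the interface aliases ("Ethernet" for the Internet side and the default "OpenVPN TAP-Windows6" for the TAP adapter) are assumptions, so confirm them with Get-NetAdapter first.

```powershell
# Added example (not from the original guide): firewall rule + IPv4 forwarding
# + RRAS role service from PowerShell. Port and aliases are assumptions.
$port     = 1194
$proto    = "UDP"
$wanAlias = "Ethernet"               # interface facing the Internet
$tapAlias = "OpenVPN TAP-Windows6"   # default TAP adapter alias; check Get-NetAdapter

# 1. Open only the server port instead of switching the firewall off
if (-not (Get-NetFirewallRule -DisplayName "OpenVPN Server" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "OpenVPN Server" -Direction Inbound `
        -Protocol $proto -LocalPort $port -Action Allow -Profile Any | Out-Null
}

# 2. Enable forwarding on both interfaces, the equivalent of
#    'netsh interface ipv4 set interface X forwarding="enabled"'
foreach ($alias in @($wanAlias, $tapAlias)) {
    $if = Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction Stop
    if ($if.Forwarding -ne "Enabled") {
        Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Forwarding Enabled
    }
}

# 3. On Windows Server, install the RRAS routing role service needed for the
#    NAT step (the NAT itself is then configured in the RRAS console as the
#    guide describes). Skipped on client editions, which lack the cmdlet.
if (Get-Command Install-WindowsFeature -ErrorAction SilentlyContinue) {
    Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools | Out-Null
}

# 4. Verify: forwarding state of both interfaces and the firewall rule's port
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -in @($wanAlias, $tapAlias) } |
    Select-Object InterfaceAlias, ifIndex, Forwarding
Get-NetFirewallRule -DisplayName "OpenVPN Server" |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

Both interfaces should report Forwarding = Enabled in the final listing; if the TAP alias is missing, OpenVPN's adapter has a different name on your system and $tapAlias must be adjusted.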


 

 

 

NAT forwarding for Windows Server (requires manually installing the Routing and Remote Access Services role service from Server Manager) ---> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687740(v=ws.10)

 

Open services.msc
Search for "Routing and Remote Access"
Right-click on it and set it to start automatically
Also start it manually

Make sure to set a recovery policy (Recovery tab) to restart the service every time an error occurs.

Now open Routing and Remote Access

Right-click on your server name (Local) ---> Configure and Enable Routing and Remote Access ---> NAT

Select your main Internet interface (the one with the public connection)

Then add your OpenVPN TAP one

Make sure the service is enabled and started. That's it.

 

 

Alternative method for NAT forwarding (not recommended; use it as a last resort)

Open regedit and go to

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

and set the IPEnableRouter value from 0 to 1.

This should be an easy step, but it is a bit buggy: you will need to redo the sharing step below after every reboot because of a never-solved ICS bug. If you are using it on a server that you won't reboot frequently, that is not a problem.
On Windows Server you can try this ---
https://site.elastichosts.com/blog/windows-l2tpipsec-vpn-server/ (follow just the NAT part)
The steps are:

- Open Network Connections

- Right-click your main network interface ---> Properties ---> Sharing tab

- Share this connection through ---> select your TAP/OpenVPN network interface

That should be it.




Make OpenVPN Server start automatically

  • Open services.msc
  • Then find OpenVPNService, right-click on it and set it to start Automatically (Delayed Start); it won't work for me if I set just Automatic
  • Make sure to make it restart automatically if an error occurs (Recovery tab), as I said before

Note that this service runs every .ovpn file in OpenVPN\config, so keep only server.ovpn there.
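The same service settings can be applied and verified from an elevated PowerShell. This is an added example, not from the original guide; it assumes the service name OpenVPNService that the Windows installer registers. Set-Service cannot select delayed start on older PowerShell versions, so the script uses sc.exe for that and for the recovery actions (the space after each "=" is required by sc.exe).

```powershell
# Added example (not from the original guide): delayed automatic start plus
# restart-on-failure for the OpenVPN service, then a check of the result.
$svc = "OpenVPNService"   # name registered by the OpenVPN Windows installer

# Automatic (Delayed Start)
sc.exe config $svc start= delayed-auto | Out-Null

# Recovery: restart 5 s after the first, second and every later failure;
# reset the failure counter after a day (86400 s)
sc.exe failure $svc reset= 86400 actions= restart/5000/restart/5000/restart/5000 | Out-Null

Start-Service -Name $svc

# Check: running, AUTO_START (DELAYED), and the failure actions as set above
Get-Service -Name $svc | Select-Object Name, Status, StartType
sc.exe qc $svc | Select-String "START_TYPE"
sc.exe qfailure $svc
```

The START_TYPE line should read AUTO_START (DELAYED); if the service shows as Stopped, the OpenVPN log in the log folder under the install directory will say which config in OpenVPN\config failed to load.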


Create client .OVPN file

The .ovpn syntax is the following. Refer also to the client config in OpenVPN\sample-config, and to
https://wiki.archlinux.org/index.php/OpenVPN#The_server_configuration_file
https://wiki.archlinux.org/index.php/OpenVPN#The_client_config_profile

client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
resolv-retry infinite
persist-key
persist-tun

# Accept only a server certificate that carries the serverAuth EKU, so a
# stolen client certificate cannot be used to impersonate the server
remote-cert-tls server

# Client side of the inline ta.key HMAC key (the server uses direction 0)
key-direction 1

verb 3

<ca>
-----BEGIN CERTIFICATE-----
# insert base64 blob from ca.crt
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
# insert base64 blob from client1.crt
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
# insert base64 blob from client1.key
-----END PRIVATE KEY-----
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
# insert ta.key
-----END OpenVPN Static key V1-----
</tls-auth>

Basically it is like the server configuration file, but you need to embed all the client keys and certificates mentioned into the <tags>: ca.crt, x-client.crt, x-client.key and ta.key. The .ovpn then contains the client's private key, so treat the file itself as a secret when you move it to the device.

Once you are done, save the .ovpn, import it into the OpenVPN app on an Android phone or an OpenVPN client on your PC and test it. A quick check that the all-traffic part works is to look up your public IP from the client: it should be the server's, not the hotspot's.

Aaand that should be it.

 

 

 


Nice guide.

Interestingly, I set this up on my server just the other day. Decided to go down another route though, as I didn't like not being able to have usernames and passwords with it. Could use a Linux VM to get that, but decided to go down a different route.


5 minutes ago, Oshino Shinobu said:

Nice guide.

Interestingly, I set this up on my server just the other day. Decided to go down another route though, as I didn't like not being able to have usernames and passwords with it. Could use a Linux VM to get that, but decided to go down a different route.

I think it is far easier to do that on Linux; it seems to me OpenVPN is not meant to be run as a server on Windows at all, at least with the NAT tunnel thingy, which is a bit buggy.

Took me hours to understand why it didn't always work; still, I can't explain why you need to edit that registry key when netsh should enable IPv4 forwarding. It does in fact, but it stops working on the client for no reason.


37 minutes ago, Lukyp said:

I think it is far easier to do that on Linux; it seems to me OpenVPN is not meant to be run as a server on Windows at all, at least with the NAT tunnel thingy, which is a bit buggy.

Took me hours to understand why it didn't always work; still, I can't explain why you need to edit that registry key when netsh should enable IPv4 forwarding. It does in fact, but it stops working on the client for no reason.

Yeah, it seems like it.

It's nice how many clients have OpenVPN apps so you can connect in, but it's disappointing in the lack of support for Windows-based servers.

In the end, I went with SoftEther using L2TP/IPsec and SSTP where available. I tried to set it up using Server 2016's native VPN role, but for some reason it just doesn't work. The IKE/IPsec services won't start.

I may look into it again, but right now SoftEther is working well. Really easy to manage, and it has a built-in DDNS feature if you want to use it (I've tried it, it works, but went with noip in the end for the ddns.net address). It's nice how you can set up different users with different authentication requirements if you want to. Right now I have mine set up to point to AD for usernames and passwords.


Found another way to do NAT forwarding for Windows servers; it definitely works better.

However, OpenVPN performance is very crapp*y compared to Linux: I get 50 Mbps against 110 on Linux.
