We all know that Microsoft probably couldn't organise an orgy in a brothel, so I'm not sure why I was so surprised that their "Routing and Remote Access" service was interfering with other applications that may wish to add a route (in this case OpenVPN).
This tutorial will show you how to install and configure OpenVPN on Microsoft Windows 2003 (including Small Business Server).
- Client Key Configuration
- Diffie Helman
- Distributing Keys
- Configuration Files
- Starting the Server
- Firewall Settings
- Connecting a Windows Client
- Testing the Connection
- Finalising the Install
- Revoking Keys
First, browse over to OpenVPN and download the Windows installer (no GUI)
Open a command prompt (Start Menu -> Run -> cmd)
cd \Program Files\OpenVPN\easy-rsa
Now towards the bottom, you should see some variables called KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL. Change the value of these to suit your deployment, so I set UK, Suffolk,Ipswich,MyOrg,firstname.lastname@example.org respectively.
Save and close notepad. Now back in our command prompt
The final command will begin building the Certificate Authority, and will ask you for some information. Most will default to the values we set in vars.bat, but you will need to specify the Common Name. Enter something reasonably memorable.
Then choose to sign and store the certificate (by entering y when prompted)
OK the server is ready to go! Next we need to create some certificates to authorise the client machines to connect;
Still in our Command Prompt? Good!
Run the following command
You can substitute client1 for a more memorable name if you wish!
Note: If you were overkeen and closed Command Prompt at the last step, reopen it and cd back to the directory, but don't forget to run vars again!
The system will ask whether you want to set a password for they key, this is completely your choice but if you do the user will need to enter the pass before they can connect. If you were planning on configuring the client to connect automatically, this can be a huge pain!
You need to repeat this step for every machine that is going to connect to your VPN, but you must use a unique name for each!
Diffie Helman is a cryptographic technique used by the OpenVPN server, so we need to generate this next;
The system will then run through creating the DH cert.
Before I explain where to find the generated keys and how to distribute them, we need to make sure one thing is very very clear;
Any key file ending in .key must be kept SECRET! It is these that allow connection to your VPN!!!
So, browse to C:\Program Files\OpenVPN\easy-rsa\keys in Windows explorer. You should see a list of files, of which the client needs the following (if you used a different name in the build-key command look for that instead of client1)
We'll discuss the correct way to distribute these shortly, but for now create a folder using the name client1.
Move client1.crt and client1.key into the folder
Copy ca.crt into the folder (the server needs a copy as well!)
Move the folder to the Desktop so we can access it more readily (if you've set up more than one client then repeat these steps for each)
We're almost ready to roll, now we just need to sort out configuration files for both server and client
If you browse to C:\Program Files\OpenVPN\sample-config you should see three files;
Lets begin by editing our server file, so right-click on server.ovpn and choose Open With --> Notepad.
There's two main areas that need editing;
Strictly speaking, we shouldn't need to change the port that OpenVPN listens on, but W2K3 is a pain and even with RRAS disabled it seems to hog the default port. So, to avoid this problem find the line port 1194 and change the 1194 to 11943
Next we need to set our key locations, generally the default should work with the commands we used but I've found sometimes you need to be explicit about the path to the keys so find the following lines;
key server.key # this file should be kept secret
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key" # this file should be kept secret
(In the non-windows world, a single backslash tells the system to ignore the next character, hence the double backslashes)
If you want VPN clients to be able to communicate with each other uncomment the line client-to-client
Now our config file will work, giving VPN clients an IP of 10.8.0.* (obviosuly if you are already using 10.8.0.0/24 you need to change this in the config too). There's one more step before we save this config;
Client access to other machines - At the moment, the config will allow clients to connect to the VPN, but will only be able to access the VPN server. If we want them to access other machines on the network we need to add a push rule.
push "route 192.168.1.0 255.255.255.0"
(If you use a different subnet then simply adjust to suit!)
Finally, File --> Save As
Browse to C:\Program Files\OpenVPN\config and save as server.ovpn
Server is now configured!!!!
We now need to create a config file for each of our VPN clients.
Within the sample-config directory there was a file called client.ovpn. Right click this and choose Open With -> Notepad
The first thing we need to change is the 'remote' directive. Set this to the URL/Public IP of your OpenVPN server (see below if your ISP gives you a dynamic IP address). Additionally set the port (the second number) to the port we will be using (11943)
Next we need to edit the keyfile settings.
Find the lines
and adjust to match the client name we used earlier (so in my case client1);
Now choose File --> Save As and then browse to the client folder we created on the desktop. Save the file in this directory as client1.ovpn
The next job is to get this folder to the client computer, given that it contains SECRET information, we should not use email (if you must then package it in an encrypted zip file). If possible, the best way is to use either a CD or a USB stick. Copy the folder onto the media of your choice and we'll come back to it shortly.
Our OpenVPN server is ready to roll, but before we start it as a service it's worth calling it manually for troubleshooting purposes. Open Command prompt and run the following;
cd \Program Files\OpenVPN\config
You should see lots and lots of output, finishing in an Initialization complete message. If all has gone well you won't be returned to the Command Prompt.
You may need to allow VPN connections through your firewall, if you have a software firewall this will need doing as well! Given the range of firewalls available, it's out of the scope of this article to explain how to configure your firewall to allow connections. However, a basic guide for hardware firewalls (i.e. probably your NAT router) is as follows;
- Log into the administration page
- Choose Firewall Rules/Services
- Add New rule
- Allow connections from ANY on port 11943 to (Your OpenVPN servers IP)
Whilst in the router settings, we need to set a static route so that the machines on your network know where to send packets destined for VPN clients. Look for 'Static Routes' and add the following information
Gateway: The IP of your OpenVPN server
Metric: 3 (you may need to adjust this depending on your network, it signifies the number of routers you have - including the OpenVPN server)
Theoretically our server is now ready for us to connect, so we simply need to prepare our client! We've got the configuration and keys on a CD/USB stick (or -shudder- email), so we simply need to install the client and import the configuration.
- On your client machine pop back over to OpenVPN and download the software again.
- Once installed, browse to C:\Program Files\OpenVPN in Windows Explorer
- Copy the directory on our USB/CD here (or unencrypt and extract the Zip file here) which should give us a folder called client1.
- Open a command prompt and run the following
cd \Program Files\OpenVPN\client1<
- OpenVPN should now connect
Congratulations, if all went well you are now connected to the VPN! We'll make the process simpler (at both ends) shortly.
As great as it is that we've connected, this only signifies that there's no firewall interference. We've not yet established whether or not the IP routes have been set correctly. Open a new command prompt and run
Hopefully you should see some replies, if not don't lose heart as W2K3 is infamous for messing up routes! See the troubleshooting note at the bottom of this page.
You should (assuming the former worked) also be able to ping other devices on the remote network, so if your router was 192.168.1.1 you should see some replies from
There's one other common problem at this stage, see Clashing IP's in the notes!
OK, if you got this far we have a working installation. At this point we've started everything manually and you may feel like you're expected to remember how to run everything from the command prompt, but worry not as we'll now finalise our configuration steps!
On the OpenVPN server;
- Close the Command Prompt window currently running OpenVPN (we'll restart OpenVPN in a minute)
- Start Menu -> Control Panel -> Administrative Tools -> Services
- Locate OpenVPNService in the list and double-click it. There's a dropdown menu currently set to disabled, change this to Automatic.
- Click the Start Button and then click OK.
OpenVPN is running and will start automatically whenever the system starts!
On the client:
Open notepad and enter the following
cd \Program Files\OpenVPN\client1
File --> Save As
Save the file on the Desktop as Connect_to_VPN.bat
Now to connect to the VPN you can simply doubleclick the batch file (there are GUI methods, but this is my preferred).
Sooner or later, it's going to happen - a user managed to accidentally lose/publish their key. Anyone with the key can now connect to your VPN and access your network!
As soon as you are made aware that the key has been compromised (or equally likely - the user forgot their password), you need to to the following;
Log onto the OpenVPN server and start a Command Prompt
C: cd \Program Files\OpenVPN\easy-rsa vars revoke-full [clientname]
Where clientname is the name we used when generating the key (e.g. client1). You'll then see some output including an Error 23 message, this means the key has been revoked.
We now need to enable the Certificate Revocation List so that the server will refuse any attempts to authenticate with the compromised key. Open the Server configuration file (server.ovpn) and locate the lines where we defined our keys (here)
Under these lines add the following
crl-verify "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
And then restart the OpenVPN Service (Start Menu -> Control Panel -> Administrative Tools -> Services). Now all connections will be compared to the revocation list and the connection refused if a match is found.
If you find your client will connect but you can't ping the other end (and there's no firewall interference) you need to add and additional set of directives to the config file on the server;
Open C:\Program Files\OpenVPN\config\server.ovpn in Notepad and insert the following two lines
You now need to restart the OpenVPN server so that it grabs the new config. If you've already configured it as a service, simply chose restart from the Services panel. If not close the Command Prompt running OpenVPN and follow the steps to start the server again. Thank Microsoft and their "Routing and Remote Access Service" for the inconvenience in your own special way!
It's an easy trap to fall into, the remote LAN has the same subnet range as the LAN you are connecting from (i.e. you are both using 192.168.1.0/24). Corporate users are unlikely to fall into this trap as they'll probably use a different range (10.0.0.0/24), but as home routers tend to default to 192.168.1.0/24 this can cause problems.
It is possible to work around, but that's outside the scope of this article. You may find it easier (if possible) to change the IP addresses used on the LAN you are on, but this isn't always an option. If so, Google should become your best friend!
So far, we've added just one client. This is fine for a home user, but may fall short in a corporate environment, thankfully adding new clients isn't too tricky at all;
On the OpenVPN server, open Command Prompt
cd \Program Files\OpenVPN\easy-rsa
Repeat as necessary whenever you need to authorise a new client, but don't share keys between machines (you can enable this in the server config, but it's best avoided).
Unfortunately, the OpenVPN client does need Administrator access to run. There is however a workaround suited to sidestepping this;
create a shortcut to your batch file
Open the shortcut properties and insert the following into the "Target" box before the batchfile's path.
runas /savecred /user:administrator
You've now got access to the remote network, but as it stands DNS names won't resolve so you have to access everything by IP address. This is doable, but highly inconvenient! Fortunately, a quick adjustment to the servers configuration file will resolve this issue for Windows clients (there are a few extra steps for non-windows clients)
Open the server configuration file (server.ovpn)
Locate the line where we pushed out routing information, and just below it add the following;
push "dhcp-option DNS [DNS ADDRESS]"
So in our example network, where 192.168.1.1 is the DNS server, our config file would read
push "dhcp-option DNS 192.168.1.1"
DNS names for systems on the remote network should now resolve, but you may need to use the FQDN rather than just the machines hostname (i.e myserver.mylan rather than myserver)
If you want to automatically mount samba shares from the remote network, see this short tutorial