
Openvpn access server windows

How to set up an OpenVPN server on Windows

OpenVPN lets you set up a VPN server both on Windows Server and on desktop versions of Windows (Windows 10, 8, 7).

Installing OpenVPN Server

Go to the official OpenVPN website and download the latest version of the program for your version of Windows:

Run the downloaded file, click Next, then I Agree, and tick the EasyRSA 2 Certificate Management Scripts checkbox (needed to be able to generate certificates):

Then click Next again and Install, and the installation starts. During installation the wizard may ask you to confirm installing a virtual network adapter; accept (Install).

When it finishes, click Next, clear the Show Readme checkbox, and click Finish.

Creating certificates

Go to the OpenVPN installation folder (by default, C:\Program Files\OpenVPN) and create a directory named ssl.

Then go to the folder C:\Program Files\OpenVPN\easy-rsa, create a file named vars.bat, open it for editing and make it look like this:

set "PATH=%PATH%;%ProgramFiles%\OpenVPN\bin"
set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_CONFIG=openssl-1.0.0.cnf
set KEY_DIR=keys
set KEY_SIZE=2048
set KEY_COUNTRY=RU
set KEY_PROVINCE=Sankt-Petersburg
set KEY_CITY=Sankt-Petersburg
set KEY_ORG=Organization
set KEY_EMAIL=master@dmosk.ru
set KEY_CN=DMOSK
set KEY_OU=DMOSK
set KEY_NAME=server.domain.ru
set PKCS11_MODULE_PATH=DMOSK
set PKCS11_PIN=12345678

* the easy-rsa directory already contains a vars.bat.sample file; you can rename it and use it.
** leave HOME unchanged if you kept the default installation path; KEY_DIR is the directory where the certificates will be generated; KEY_CONFIG may differ, so check it in vars.bat.sample or against the name of the corresponding file in the easy-rsa folder; KEY_NAME should preferably match the full name of the VPN server; the remaining options can be filled in arbitrarily.

Open a command prompt as administrator:

Go to the easy-rsa directory:

Clear the directories of stale data:

Run vars.bat again (some variables are redefined after clean):

Now generate the certificate authority (CA):

Press Enter at every prompt.

Run build-dh.bat (generates the Diffie-Hellman parameters):

openssl dhparam -out keys\dh.pem 2048

* the command may take a long time to run; this is normal.

Generate the certificate for the server:

* where cert is the certificate name; press Enter at every prompt. At the end, confirm that the information is correct by entering y twice.

Then move the following files from C:\Program Files\OpenVPN\easy-rsa\keys to C:\Program Files\OpenVPN\ssl:

Server configuration

Go to the folder C:\Program Files\OpenVPN\config and create the file server.ovpn. Open it for editing and make it look like this:

port 443
proto udp
dev tun
dev-node "VPN Server"
dh "C:\\Program Files\\OpenVPN\\ssl\\dh.pem"
ca "C:\\Program Files\\OpenVPN\\ssl\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\ssl\\cert.crt"
key "C:\\Program Files\\OpenVPN\\ssl\\cert.key"
server 172.16.10.0 255.255.255.0
max-clients 32
keepalive 10 120
client-to-client
comp-lzo
persist-key
persist-tun
cipher DES-CBC
status "C:\\Program Files\\OpenVPN\\log\\status.log"
log "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
verb 4
mute 20

* where port is the network port (443 avoids problems when using the Internet in public places, but it can be any free port, for example 1194; ports in use on Windows can be listed with netstat -a); dev-node is the name of the network interface; server is the subnet used by both the server itself and the clients connected to it.
** because some of the paths contain spaces, the parameter is enclosed in quotes.
*** when using a different port, check that it is open in the firewall, or disable the firewall while testing.
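
Several directives in the server.ovpn above weaken the tunnel: a single-DES cipher, compression, and no control-channel HMAC key. The following is an added example, not part of the original tutorial or of OpenVPN itself, that parses such a config and reports those settings. The function names, severity labels and weak-cipher list are choices made for this illustration, and the sample input is the page's config reduced to its security-relevant lines.

```python
import shlex

# Sample input: security-relevant lines of the server.ovpn shown above.
PAGE_CONFIG = r'''
port 443
proto udp
dh "C:\\Program Files\\OpenVPN\\ssl\\dh.pem"
server 172.16.10.0 255.255.255.0
client-to-client
comp-lzo
cipher DES-CBC
'''

# Illustrative list: 64-bit-block ciphers (birthday-bound attacks such as
# Sweet32; single DES also has only a 56-bit key) and "none" (no encryption).
WEAK_CIPHERS = {"DES-CBC", "DES-EDE3-CBC", "BF-CBC", "CAST5-CBC", "RC2-CBC", "NONE"}


def parse(text):
    """Return {directive: [args]}, skipping blank lines and # / ; comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)  # handles "quoted paths"
        if tokens:
            conf[tokens[0]] = tokens[1:]
    return conf


def audit(text):
    """Return (severity, directive, message) findings for one server config."""
    conf, out = parse(text), []
    cipher = (conf.get("cipher") or [""])[0].upper()
    if cipher in WEAK_CIPHERS:
        out.append(("high", "cipher", f"{cipher} is weak; prefer AES-256-GCM"))
    if "comp-lzo" in conf and conf["comp-lzo"] != ["no"]:
        out.append(("medium", "comp-lzo", "compression before encryption "
                    "leaks plaintext through ciphertext length (VORACLE)"))
    if not {"tls-auth", "tls-crypt"} & conf.keys():
        out.append(("medium", "tls-auth", "control channel has no extra "
                    "HMAC key (tls-auth or tls-crypt)"))
    if "auth" not in conf and not cipher.endswith("-GCM"):
        out.append(("low", "auth", "packet HMAC left at the SHA1 default"))
    if "client-to-client" in conf:
        out.append(("info", "client-to-client", "client-to-client traffic "
                    "is forwarded inside OpenVPN and never reaches the host firewall"))
    return out


if __name__ == "__main__":
    for severity, directive, message in audit(PAGE_CONFIG):
        print(f"[{severity}] {directive}: {message}")
```

AES-256-GCM needs OpenVPN 2.4 or later on both ends; on older builds AES-256-CBC together with auth SHA256 is the fallback.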

In the Windows network connections, open adapter management and rename the TAP adapter to "VPN Server" (as specified in the dev-node line of our configuration file):

Now open Windows Services and find "OpenVpnService". Open it, set it to start automatically and start it:

The network interface renamed earlier should come up:

The VPN server is running. Check that the VPN Server network adapter received the IP 172.16.10.1. If it gets an address starting with 169.254., disable the network adapter, restart the OpenVpnService service and enable the network adapter again.

Client configuration

On the server:

On the server, generate a certificate for the client. To do this, first clear the index.txt file in the folder C:\Program Files\OpenVPN\easy-rsa\keys.

Then open a command prompt as administrator:


Connecting to Access Server with Windows

The OpenVPN protocol is not built into Windows. A client program is therefore required to capture the traffic you wish to send through the OpenVPN tunnel, encrypt it and pass it to the OpenVPN server, and, in the reverse direction, decrypt the return traffic. There are several options for this client. We do not intend to limit our customers or create a vendor lock-in situation, so we try to keep connectivity and the choice of client software open, although we do recommend the official OpenVPN Connect Client.

The simplest one, and the one that comes with OpenVPN Access Server itself, is called OpenVPN Connect Client. This program is purposefully limited in its functionality in the sense that it only supports one active VPN tunnel at a time. Trying to connect to two different servers at the same time is a function we did not build into our official OpenVPN Connect Client. And we did so on purpose. Connecting to two servers at the same time means there are two different adjustments made to the routing table on the client computer. It is very easy therefore to make a mistake and break connectivity. Limiting this to one server makes this less likely to go wrong. The OpenVPN Connect Client is able to remember multiple different servers, but only one can be active at a time.

To obtain the OpenVPN Connect Client, log on to your Access Server’s web interface (not the /admin portion) and log on with valid credentials. The OpenVPN Connect Client will be offered for download automatically. Download and install it, and in the system tray (next to the clock on your screen) at the bottom right, you will see a new orange OpenVPN icon show up. Click it and navigate the menu to find the option to connect to your server, and you’ll be asked for credentials, or you’ll be connected immediately when you’re using an auto-login privileged account. Use the same tray menu to disconnect.

After initial installation you can use the system tray menu to start and stop the connection from now on.

This program is designed to function on Windows Vista, 7, 8, and Windows 10. Windows XP is no longer supported but you can still connect Windows XP clients by using the open source OpenVPN installer available on our website in the community downloads section. There is a build there specifically for Windows XP.

OpenVPN Connect v3

This is the official program that we recommend and support for OpenVPN Access Server and OpenVPN Cloud. This new OpenVPN Connect v3 client software offers client connectivity across 4 major platforms. On Windows, macOS, Android, and iOS, we now have a new client interface with new functionality.

Please note that we recommend that you download the OpenVPN Connect Client through your OpenVPN Access Server, as it will then come prepared with the correct settings to make a connection to your Access Server. You can download it by going to the client web interface of your OpenVPN Access Server and logging in as a valid user. You will then be offered the option of downloading the OpenVPN Connect v3 client for macOS. It is also possible to obtain a copy of a completely blank installer for OpenVPN Connect software below, but this installer will not contain any connection settings so you will have to take additional steps after installation to configure your OpenVPN Connect software to make a connection to your Access Server. If you are installing the file below on a computer that already has OpenVPN Connect v3 installed and configured, it will simply update it to the new version while retaining all settings.

OpenVPN Connect v2

This is the previous generation of OpenVPN Connect client software for OpenVPN Access Server. It is still supported, but we recommend using OpenVPN Connect v3 instead.

OpenVPN open source OpenVPN GUI program

The open source project has a client for Windows operating systems as well. It is called OpenVPN GUI and it is less limited in functionality than the OpenVPN Connect Client because it does support the option to connect to multiple OpenVPN servers at the same time, and it also comes with a service component that can automatically and silently start any auto-login profiles it finds in its config folder, even before a user has logged in yet. This service component can be set to automatically start at boot time via the services.msc panel in Windows.

On the other hand, it lacks some features that Connect Client has, such as Python support for post-auth scripting and other functions that integrate Connect Client with Access Server, like the ability to import connection profiles directly from an Access Server, or the ability to authenticate any valid user on your Access Server and have them connect without having to install a connection profile for each separate user account. This is accomplished on the Connect Client with a universal server-locked profile, which is not supported by the OpenVPN GUI program.

With this program there is a config directory, usually c:\program files (x86)\openvpn\config\, where you can save OpenVPN connection profiles. These can be of .conf or .ovpn file extension. You can for example download a user-locked or an auto-login profile from the OpenVPN Access Server web interface, and place it in the aforementioned directory. The tray menu in the system tray will then show you options to use this connection profile – to start or stop the connection. Server-locked profiles are not supported, as mentioned earlier.

This program does support connecting to multiple OpenVPN servers at the same time, but there is a catch. Aside from having to be careful not to implement conflicting routes and subnets when connecting to multiple OpenVPN servers at the same time, you also have to make sure there are enough virtual network adapters. OpenVPN works by creating a virtual network card or adapter in the Windows operating system. Only one OpenVPN tunnel can be connected to such a virtual network adapter. So if you need 3 simultaneous OpenVPN tunnel connections, you must add adapters manually. There are command line scripts in the Start menu that can be used to do this.

To obtain the program go to the community downloads section on our main website and download the installer for Windows. The OpenVPN GUI program comes included with this installer.

The program is limited to 50 connection profiles.

tunXten OpenVPN client

This is a program created by an external party, Eugene Mindrov. It is available only for Windows and is compatible with OpenVPN Access Server. It is a very good client to use as it has a very good GUI (Graphical User Interface) that offers the ability to import connection profiles directly from the Access Server, and it can support multiple simultaneous OpenVPN tunnel connections as well. It needs multiple virtual network adapters to do this, just like the open source version does, but it comes with a tool in the GUI itself to achieve this. You can simply keep adding adapters until you have the required amount to establish as many connections as you need. It comes with useful logging information, the ability to put custom icons on connections, renaming profiles from the GUI, setting connections to automatically connect at boot up, remembering saved user names and passwords, and so on. It is truly an excellent client and we recommend it for power users.
It can be obtained from the tunXten website.

Viscosity OpenVPN client

Another good OpenVPN client created by an external party, SparkLabs. It is available for Windows and Macintosh. It is compatible with OpenVPN Access Server.
It can be obtained from the SparkLabs Viscosity website.


A VPN Solution Engineered for SMB

Provide secure access to your private business network, in the cloud or on-premise.

Product Features

Thousands of businesses trust OpenVPN to create an economical, isolated, and secure private network.

Access Server pricing is based on the needed number of simultaneous VPN connections, which means you only pay for what you need.

With our subscription model, users can share keys across multiple servers, quickly scale connections up or down to maximize their usage and streamline the overheads of maintaining a secure network.

Access Server Use Cases

What our customers have to say about OpenVPN Access Server

Download For Free Today

Access Server comes with 2 free VPN connections for you to explore the features and capabilities.

Adjust to your network specific routing.

Every dollar counts for your growing business.

  • Site-to-Site routing.
  • Direct Connection.
  • Routed Connection.
  • Split-tunneling.

Cost Efficient, Flexible Subscription Model.

Every dollar counts for your growing business.

  • Pay for concurrent VPN Tunnels only.
  • Share your subscription across multiple Servers.
  • Free VPN Clients BYOD Android, iOS, Linux, macOS, Windows.
  • Pay as you go — Monthly or Yearly “20% off”

Cryptographic Services.

  • OpenSSL provides the core for secure communications and cryptography.
  • The crypto suite can be customized to suit your needs.
  • The defaults are AES-256-CBC cipher for encryption, HMAC-SHA256 for authentication, Diffie-Hellman Group 14, and 2048-bit RSA key length.

Cloud Ready.

Images ready to deploy.

  • Seamless Scalability
  • Multi-Cloud Friendly
  • Access Control System
  • One Click VPN Client distribution
  • Multiple Authentication Modes
  • Auto-Scaling
  • AWS.Azure.GCP.Digital Ocean.Oracle Cloud.
  • Global, Group, and User Hierarchy
  • BYOD Android, iOS, Linux, macOS, Windows.
  • Configuration Profiles
  • 2FA RADIUS, LDAP, Active Directory, PAM

On Premises.

Access Server is available for Ubuntu LTS, Debian, Red Hat Enterprise Linux, and CentOS.

Virtual Appliances.

  • Provides easier installation of Access Server.
  • Virtual appliance available for VMware ESXi 5.0 and Microsoft Hyper-V

Start with Access Server For Free.

Access Server is free to install and use for a maximum of 2 simultaneous VPN connections, so you can try it without having to pay first.

Detailed Capabilities

Connection Support

Provides Layer 3 virtual private networking using OpenVPN protocol. OpenVPN protocol uses SSL/TLS with client and server certificates to perform key exchange and mutual authentication. OpenVPN is firewall and web proxy friendly as encrypted traffic is tunneled via UDP or TCP.

Database Support

Supports MySQL (defaults to SQLite database)

Client Configuration

IP address, DNS servers, WINS server, specific routes, client-side scripts.

Virtualization Support

Prepared VM images are available for Microsoft Hyper-V and VMWare ESXI

Authentication Methods

Supports local user database, Pluggable Authentication Modules(PAM), LDAP, secure LDAP, Active Directory, and RADIUS

X.509 certificate PKI solution is built-in. Integration with external PKI is available.

‘MAC address lock’ as an additional security method is supported.

Multi-factor authentication is supported in various forms. For example, Google Authenticator is built-in, and two-factor authentication using smart cards, Duo Security, or other TOTP based token generator can be added as a plug-in.

User name/password authentication

Security Protections

Software firewall can be configured with access control rules to specify which user or group has access to what IP addresses or subnets, and if VPN clients can route to each other or not.

Access to services can be controlled by IP address, protocol, and ports.

Split-tunneling

Full-tunnel and split-tunnel redirection are possible (all VPN client Internet traffic goes through the VPN tunnel, or only specified traffic).

Client OS Support

OpenVPN Connect clients are available for Android, iOS, macOS, and Windows. OpenVPN open source client is included in all major Linux distributions.

Management Tools

Command Line Interface (CLI), XML-RPC API, and Administration web portal

Availability, Failover

Multiple Access Servers can be configured to form a Cluster allowing a VPN client to connect to any of the available Access Servers using the same credentials.

UCARP-based primary-secondary failover for LAN deployments.

Routing Support

Direct Connection (Server set in SNAT mode) – All communication needs to be initiated from the VPN clients in this mode

Routed Connection (Server in static route as gateway to VPN clients) – VPN clients as well as devices on the internal network can initiate connections

Site-to-Site routing using a suitable Linux-based system configured as Gateway at one site while using a routed connection to Server at the other site

Ease of Client Deployment

Users can download pre-configured client software, or connection profiles for their device directly from your deployed Access Server’s User Web Portal.

Scalability

A typical server can handle up to 1,500 concurrent connections carrying real-world traffic.

Reporting

Detailed client access logs are searchable, downloadable, and viewable.

Linux OS Support

Red Hat Enterprise Linux, CentOS, Ubuntu, and Debian.

Branding

Customizable Server Portal branding

Cloud Image Availability

Amazon Web Services (available from AWS Marketplace). Both BYOL and Tiered

Microsoft Azure (available from Azure Marketplace)

Google Cloud (available from Google Cloud Platform Marketplace)

Oracle Cloud (available from the Oracle Cloud Marketplace)

Digital Ocean (available from the Digital Ocean Marketplace)

To prepare for future updates, we are advising all customers to please upgrade to the latest version of Access Server.
