Configuring a Windows OpenVPN client or server

SalesEng
posted this on October 23, 2012 23:46

Microsoft Windows does not come with any OpenVPN server or client software. You will therefore need to install and configure an OpenVPN Windows client on your PC if you wish to set up an OpenVPN connection to an Opengear console server within your remote data centre. Similarly, if you have Opengear device servers distributed at the edge of your network and you wish them all to tunnel securely to your central office Windows server, you will need to install and configure OpenVPN Windows server software on your central server.

Console servers with firmware V3.5.2 and later will generate Windows client config automatically from the GUI (but only for Pre-shared Secret (Static Key File) configurations). 

 

Alternatively, the OpenVPN GUI for Windows software (which includes the standard OpenVPN package plus a Windows GUI) can be downloaded from www.openvpn.se/download.html.

  • Once installed on the Windows machine, an OpenVPN icon is created in the Notification Area on the right side of the taskbar
  • Right click on this icon to start (and stop) VPN connections, and to edit configurations and view logs

When the OpenVPN software is started, the C:\Program Files\OpenVPN\config folder will be scanned for “.ovpn” files. This folder will be rechecked for new configuration files whenever the OpenVPN GUI icon is right-clicked. So once OpenVPN is installed, a configuration file will need to be created:

  • Using a text editor, create an xxxx.ovpn file and save it in C:\Program Files\OpenVPN\config, e.g. C:\Program Files\OpenVPN\config\client.ovpn

    Here is an example of an OpenVPN Windows client configuration file:

    # description: IM4216_client 
    client 
    proto udp 
    verb 3 
    dev tun 
    remote 192.168.250.152 
    port 1194 
    ca c:\\openvpnkeys\\ca.crt 
    cert c:\\openvpnkeys\\client.crt 
    key c:\\openvpnkeys\\client.key 
    nobind 
    persist-key 
    persist-tun 
    comp-lzo

    And below is an example of an OpenVPN Windows Server configuration file:

    server 10.100.10.0 255.255.255.0 
    port 1194 
    keepalive 10 120 
    proto udp 
    mssfix 1400 
    persist-key 
    persist-tun 
    dev tun 
    ca c:\\openvpnkeys\\ca.crt 
    cert c:\\openvpnkeys\\server.crt 
    key c:\\openvpnkeys\\server.key 
    dh c:\\openvpnkeys\\dh.pem 
    comp-lzo 
    verb 1 
    syslog IM4216_OpenVPN_Server

    The Windows client/server configuration file options are:
    OPTION
    DESCRIPTION
    #description:
    This is a comment describing the configuration. Comment lines start with a ‘#’ and are ignored by OpenVPN
    client / server
    Specify whether this will be a client or server configuration file. In the server configuration file, define the IP address pool and netmask. For example, server 10.100.10.0 255.255.255.0
    proto udp / proto tcp
    Set the protocol to UDP or TCP. The client and server must use the same settings
    mssfix [max. size]
    Mssfix sets the maximum size of the packet. This is only useful for UDP if problems occur
    verb [level]
    Set log file verbosity level. Log verbosity level can be set from 0 (minimum) to 15 (maximum). For example,
    0 = silent except for fatal errors
    3 = medium output, good for general usage
    5 = helps with debugging connection problems
    9 = extremely verbose, excellent for troubleshooting
    dev tun / dev tap
    Select ‘dev tun’ to create a routed IP tunnel or ‘dev tap’ to create an ethernet tunnel. The client and server must use the same settings
    remote [host]
    The hostname/IP of OpenVPN server when operating as a client. Enter either the DNS hostname or the static IP address of the server
    port
    The UDP/TCP port of the server
    keepalive
    Keepalive uses ping to keep the OpenVPN session alive. 'Keepalive 10 120' pings every 10 seconds and assumes the remote peer is down if no ping has been received over a 120 second time period
    http-proxy [proxy server] [proxy port #]
    If a proxy is required to access the server, enter the proxy server DNS name or IP and port number
    ca [file name]
    Enter the CA certificate file name and location. The same CA certificate file can be used by the server and all clients. 
    Note: Ensure each ‘\’ in the directory path is replaced with ‘\\’. For example, c:\openvpnkeys\ca.crt will become c:\\openvpnkeys\\ca.crt
    cert [file name]
    Enter the client's or server’s certificate file name and location. Each client should have its own certificate and key files.
    Note: Ensure each ‘\’ in the directory path is replaced with ‘\\’
    key [file name]
    Enter the file name and location of the client's or server's key. Each client should have its own certificate and key files.
    Note: Ensure each ‘\’ in the directory path is replaced with ‘\\’
    dh [file name]
    This is used by the server only. Enter the path to the key with the Diffie-Hellman parameters
    nobind
    ‘Nobind’ is used when clients do not need to bind to a local address or specific local port number. This is the case in most client configurations
    persist-key
    This option prevents the reloading of keys across restarts
    persist-tun
    This option prevents the close and reopen of TUN/TAP devices across restarts
    cipher BF-CBC (Blowfish, default) / cipher AES-128-CBC (AES) / cipher DES-EDE3-CBC (Triple-DES)
    Select a cryptographic cipher. The client and server must use the same settings
    comp-lzo
    Enable compression on the OpenVPN link. This must be enabled on both the client and the server
    syslog
    By default, logs are located in syslog or, if running as a service on Windows, in the \Program Files\OpenVPN\log directory
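
The matching rules and the path-escaping note in the option list above can be checked before a connection is attempted. The following Python linter is an added example, not part of the original article or of Opengear's software; the names parse, lint and CLIENT_BAD are illustrative, the bad client is constructed, and the check for the two listed ciphers with a 64-bit block goes slightly beyond the list above.

```python
import re

# Directives the article says must be identical on client and server.
MUST_MATCH = ("proto", "dev", "cipher", "comp-lzo")
PATH_OPTS = ("ca", "cert", "key", "dh")      # directives that take a file path
BLOCK64 = {"BF-CBC", "DES-EDE3-CBC"}         # listed ciphers with 64-bit blocks
DEFAULTS = {"cipher": "BF-CBC"}              # default per the article's table
# Abbreviated copies of the article's two example files.
CLIENT_OK = r"""client
proto udp
dev tun
ca c:\\openvpnkeys\\ca.crt
comp-lzo"""
SERVER = r"""server 10.100.10.0 255.255.255.0
proto udp
dev tun
dh c:\\openvpnkeys\\dh.pem
comp-lzo"""
# Constructed bad client: wrong proto, unescaped path, explicit 3DES, no comp-lzo.
CLIENT_BAD = r"""client
proto tcp
dev tun
ca c:\openvpnkeys\ca.crt
cipher DES-EDE3-CBC"""

def parse(text):
    """Map directive -> argument string, skipping blanks and '#' comments."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def lint(client_text, server_text):
    """Return findings for one client/server configuration pair."""
    sides = {"client": parse(client_text), "server": parse(server_text)}
    findings = []
    for opt in MUST_MATCH:               # an absent line falls back to DEFAULTS
        c, s = (sides[k].get(opt, DEFAULTS.get(opt)) for k in ("client", "server"))
        if c != s:
            findings.append(f"mismatch {opt}: client={c!r} server={s!r}")
    for side, opts in sides.items():
        for opt in PATH_OPTS:            # a lone backslash was not doubled
            if re.search(r"(?<!\\)\\(?!\\)", opts.get(opt, "")):
                findings.append(f"{side} {opt}: single backslash in path")
        if opts.get("cipher") in BLOCK64:
            findings.append(f"{side}: cipher {opts['cipher']} has a 64-bit block")
    return findings
```

Calling lint(CLIENT_BAD, SERVER) reports the protocol, cipher and compression mismatches together with the unescaped ca path, while the article's own pair produces no findings.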

    To initiate the OpenVPN tunnel following the creation of the client/server configuration files:
    • Right click on the OpenVPN icon in the Notification Area
    • Select the newly created client or server configuration. For example, IM4216_client
    • Click Connect. The log file will be displayed as the connection is established
    • Once established, the OpenVPN icon will display a message notifying of the successful connection and assigned IP. This information, as well as the time the connection was established, is available anytime by scrolling over the OpenVPN icon

    Note: Alternate OpenVPN Windows clients are available, e.g. they can be downloaded from www.openvpn.net/index.php/openvpn-client/howto-openvpn-client.html

Enable OpenVPN on the console server

For details on enabling and configuring the corresponding OpenVPN client or server on the console server end, refer to Configuring an OpenVPN connection

 