Install OpenVPN Client-Server Windows step by step
1. Introduction:
To secure remote desktop access to the server we need to install OpenVPN. The installation is simple, but you need to pay attention to the firewall configuration step.
We have a server and a client connected via internet. The server has a public IP address.
Let's assume this configuration:
Server:
- 1 NIC card with a public IP address: 192.168.1.100
- The firewall is on for two zones, Public and Private: Public for inbound and outbound internet connections, Private for inbound and outbound LAN connections.
- The RDP connection in Windows Server 2008 R2 and Windows 7 uses a TCP port.
- The RDP connection in Windows Server 2012 and later versions uses TCP and UDP ports.
Download the OpenVPN installer from here and run it on the server computer.
2. Installing OpenVPN:
In this step OpenVPN would be installed in the default location C:\Program Files (x86)\OpenVPN. Somehow this causes a permission error in the configuration step, even when the installer is executed as administrator. So change the location to C:\Program Files\OpenVPN
Accept the installation of the device software. This creates a new virtual NIC for OpenVPN.
Navigate to the C:\Program Files\OpenVPN\easy-rsa folder
Press Windows Key + R
Type "cmd.exe" and press Enter.
Go to "easy-rsa" folder
cd "C:\Program Files\OpenVPN\easy-rsa"
Initialize the OpenVPN configuration:
init-config.bat
Open the vars.bat file in notepad
Edit the following lines in vars.bat, replacing "US", "CA," etc. with your company's information:
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=OpenVPN
set KEY_EMAIL=mail@host.domain
Save the file and exit notepad
Run the following commands:
vars.bat
clean-all.bat
Create the certificate authority (CA) certificate and key
build-ca.bat
For your "Common Name", a good choice is a name that identifies your company's Certificate Authority, for example "Server".
Create the server certificate and key
build-key-server.bat server
- When prompted, enter the "Common Name" as "server"
- When prompted to sign the certificate, enter "y"
- When prompted to commit, enter "y"
Create client certificates and keys
build-key.bat client
When prompted, enter the "Common Name" as the name you have chosen, in this example "client"
Generate Diffie-Hellman parameters (this is necessary to set up the encryption)
build-dh.bat
3. Configuring OpenVPN Server:
Navigate to "C:\Program Files\OpenVPN\easy-rsa"
Copy the four files "ca.crt, server.key, server.crt and dh1024.pem" to "C:\Program Files\OpenVPN\config"
Copy "server.ovpn" from folder "Sample-config" to "config" folder
Edit with notepad "server.ovpn"
Find the following lines:
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
Edit them as follows:
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"
Save the file.
4. Installing OpenVPN Client:
On the client workstation, run the same OpenVPN setup.
5. Configuring OpenVPN Client:
Copy the files generated on the server in the previous steps to the OpenVPN config folder on the client workstation: "ca.crt", "client.crt", "client.key" and "client.ovpn" (from the "sample-config" folder)
Edit "client.ovpn" with notepad
Find the following line:
remote my-server-1 1194
Replace "my-server-1" with the public IP address of the server
Find the following lines:
ca ca.crt
cert client.crt
key client.key
Edit them as follows:
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client.crt"
key "C:\\Program Files\\OpenVPN\\config\\client.key"
Save "client.ovpn"
6. Connecting OpenVPN:
First we need to start OpenVPN on the server. Run "OpenVPN GUI"
Right-click the OpenVPN icon, then "Connect"
Now OpenVPN is up on the server
As you can see, a virtual IP address "10.8.0.1" is already assigned to the server
We need to configure the server's firewall to accept connections on UDP port 1194
Click on "Advanced settings"
Select "Inbound Rules", in the right side click on "New Rule"
Select "Port"
Select "UDP" protocol and specify the local port "1194"
Select "Allow the connection"
Give a name for the rule
Click "Finish"
Now we are able to connect the client workstation to the server.
At this step we can only connect OpenVPN, but we need remote desktop access through the VPN. As I mentioned before, the RDP connection uses the UDP protocol on port 3389.
If you are using Windows 7 or Server 2008 R2, you need to enable TCP port 3389 instead
Go to the "Remote Desktop - User Mode (UDP-In)" rule, right-click it and select "Properties"
Go to the "Scope" tab; in "Remote IP Address" select "These IP addresses"
In "This IP address or subnet" enter the virtual IP address of the client, or enter a range of IP addresses that includes the client address
Click "OK"
Do not forget to enable the rule
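The same two firewall changes (the UDP 1194 inbound rule for the tunnel and the scoping of the RDP rules to VPN clients) can be scripted instead of clicked through the GUI. This is an added example, not part of the original guide; it assumes Windows Server 2012 or later (where the NetSecurity cmdlets and the "Remote Desktop - User Mode" rules exist) and that the VPN uses the sample server.ovpn default subnet 10.8.0.0/24, which matches the 10.8.0.1 address shown on the server above.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell
# on the OpenVPN server, Windows Server 2012 or later.
# Assumption: the VPN subnet is the sample server.ovpn default 10.8.0.0/24.
$VpnSubnet = "10.8.0.0/24"

# Step 6a: allow the OpenVPN tunnel itself (UDP 1194) inbound.
# Create the rule only once so re-running the script does not duplicate it.
if (-not (Get-NetFirewallRule -DisplayName "OpenVPN (UDP-In)" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "OpenVPN (UDP-In)" `
        -Direction Inbound -Protocol UDP -LocalPort 1194 `
        -Action Allow | Out-Null
}

# Step 6b: scope the built-in RDP rules so port 3389 is reachable only from
# VPN client addresses, never directly from the public interface.
# The UDP rule is the one the guide edits for Server 2012+; the TCP rule is
# scoped as well, since RDP always uses TCP 3389 too.
$RdpRules = @(
    "Remote Desktop - User Mode (TCP-In)",
    "Remote Desktop - User Mode (UDP-In)"
)
foreach ($name in $RdpRules) {
    # -DisplayName may match one rule per profile; Set-NetFirewallRule updates all of them.
    Set-NetFirewallRule -DisplayName $name -RemoteAddress $VpnSubnet -Enabled True
}

# Verify: show each RDP rule with the remote-address scope now in force.
foreach ($name in $RdpRules) {
    Get-NetFirewallRule -DisplayName $name | ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        "{0} [{1}]: Enabled={2} RemoteAddress={3}" -f `
            $_.DisplayName, $_.Profile, $_.Enabled, ($scope -join ",")
    }
}
```

The verification lines should list the VPN subnet, not "Any", as RemoteAddress for every RDP rule; if a rule still shows "Any", RDP remains exposed on the public interface.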
7. Testing the VPN connection:
Run "OpenVPN GUI" on the client and click "Connect".
The VPN is connected
Testing RDP access: open "Remote Desktop Connection", enter the virtual IP address of the server and click "Connect"
RDP works perfectly. This virtual IP address is reachable only while the OpenVPN connection is up.