Tuesday, May 10, 2016

Install OpenVPN Client-Server Windows

Install OpenVPN Client-Server Windows step by step


1. Introduction:

To secure remote desktop access to the server we need to install OpenVPN. The installation is simple, but pay close attention to the firewall configuration step.

We have a server and a client connected via the internet. The server has a public IP address.

Let's assume this configuration:

Server:
  • 1 NIC card with a public IP address: 192.168.1.100
  • The firewall is on for two zones, Public and Private: Public for inbound and outbound internet connections, Private for inbound and outbound LAN connections.
Keep in mind, there is an important change with Remote Desktop in Windows Server 2012:
  • The RDP connection in Windows Server 2008 R2 and Windows 7 uses a TCP port only.
  • The RDP connection in Windows Server 2012 and later versions uses both TCP and UDP ports.

2. Installing OpenVPN Server:

Download the OpenVPN installer from here and run it on the server computer.

Install OpenVPN


In this step OpenVPN would be installed in the default location C:\Program Files (x86)\OpenVPN. With that location we get a permission error in the configuration step, even when the installer is run as administrator, so change the location to C:\Program Files\OpenVPN.


Accept the installation of the device software. This creates a new virtual NIC for OpenVPN.




Navigate to the C:\Program Files\OpenVPN\easy-rsa folder


Press Windows Key + R, type "cmd.exe" and press Enter.
Go to the "easy-rsa" folder:

cd "C:\Program Files\OpenVPN\easy-rsa"

Initialize the OpenVPN configuration:

init-config.bat


Open the vars.bat file in Notepad and edit the following lines, replacing "US", "CA", etc. with your company's information:

set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=OpenVPN
set KEY_EMAIL=mail@host.domain

Save the file and exit Notepad, then run the following commands:

vars.bat
clean-all.bat


Create the certificate authority (CA) certificate and key:
 
build-ca.bat

For the "Common Name", pick a name that identifies your company's certificate authority, for example "Server".


Create the server certificate and key:

build-key-server.bat server
  • When prompted, enter the "Common Name" as "server"
  • When prompted to sign the certificate, enter "y"
  • When prompted to commit, enter "y"

Create the client certificate and key (repeat this step for each client):

build-key.bat client

When prompted, enter the "Common Name" as the name you have chosen, in this example "client".


Generate the Diffie-Hellman parameters (needed for the key exchange that sets up the encryption):

build-dh.bat
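Before copying the generated files anywhere, it is worth confirming that easy-rsa produced what the prompts asked for: that server.crt and client.crt carry the Common Names typed above, that both were signed by the CA just built, and that the matching .key files and dh1024.pem exist. The PowerShell below is an added example, not part of the original post; it assumes the easy-rsa 2 layout, where vars.bat writes the output to the "keys" subfolder ($KeyDir), and the function names are this example's own.

```powershell
# Added example (not from the original post): sanity-check the files easy-rsa
# just produced. $KeyDir is an assumption (easy-rsa 2 writes into easy-rsa\keys).
$KeyDir = 'C:\Program Files\OpenVPN\easy-rsa\keys'

function Import-PemCertificate([string] $Path) {
    # easy-rsa writes a human-readable dump above the PEM block, so extract only
    # the base64 between the BEGIN/END markers before loading the certificate.
    $text = Get-Content -Path $Path -Raw
    if ($text -notmatch '-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----') {
        throw "No PEM certificate block found in $Path"
    }
    $der = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
}

function Test-IssuedBy($Cert, $Ca) {
    # Build a chain that trusts only our own CA; it is not in the Windows store,
    # so the "unknown authority" status has to be tolerated and the root checked by hand.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($Ca) | Out-Null
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $ok   = $chain.Build($Cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($ok -and $root.Thumbprint -eq $Ca.Thumbprint)
}

$ca = Import-PemCertificate (Join-Path $KeyDir 'ca.crt')
foreach ($name in 'server', 'client') {
    $cert = Import-PemCertificate (Join-Path $KeyDir "$name.crt")
    [pscustomobject]@{
        File       = "$name.crt"
        CommonName = $cert.GetNameInfo('SimpleName', $false)   # should match the name typed at the prompt
        SignedByCA = Test-IssuedBy $cert $ca                    # should be True for both
        ValidUntil = $cert.NotAfter
        KeyPresent = Test-Path (Join-Path $KeyDir "$name.key")
    }
}
# dh1024.pem is not a certificate; just confirm build-dh.bat produced it.
"dh1024.pem present: $(Test-Path (Join-Path $KeyDir 'dh1024.pem'))"
```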


3. Configuring OpenVPN Server:

Navigate to "C:\Program Files\OpenVPN\easy-rsa"


Copy the four files "ca.crt", "server.key", "server.crt" and "dh1024.pem" to "C:\Program Files\OpenVPN\config".


Copy "server.ovpn" from the "Sample-config" folder to the "config" folder.


Open "server.ovpn" in Notepad and find the following lines:

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

Edit them as follows:

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh1024.pem"


Save the file.

4. Installing OpenVPN Client:

On the client workstation, run the same OpenVPN installer.


5. Configuring OpenVPN Client:

Copy the files we prepared in the previous steps from the server to the OpenVPN "config" folder on the client workstation: "ca.crt", "client.crt", "client.key" and "client.ovpn". Transfer "client.key" over a secure channel, as it is the client's private key.


Open "client.ovpn" in Notepad and find the following line:

remote my-server-1 1194

Replace "my-server-1" with the public IP address of the server.

Find the following lines:

ca ca.crt
cert client.crt
key client.key

Edit them as follows:

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client.crt"
key "C:\\Program Files\\OpenVPN\\config\\client.key"


Save "client.ovpn".
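The path edits in sections 3 and 5 are the same operation on both machines, and the doubled backslashes are easy to get wrong by hand (OpenVPN treats a single backslash inside a quoted string as an escape). The function below is an added example, not code from the original post: it rewrites the ca/cert/key/dh lines of an .ovpn file to absolute paths under the config folder, warns if a referenced file is not actually there, and for the client file fills in the "remote" line. The function name and parameter names are this example's own; 192.168.1.100 is the server address used in this post.

```powershell
# Added example (not from the original post): point the ca/cert/key/dh lines
# of an .ovpn file at the config folder with correctly escaped Windows paths.
function Set-OvpnPaths {
    param(
        [Parameter(Mandatory)] [string] $OvpnFile,             # server.ovpn or client.ovpn
        [string] $ConfigDir = 'C:\Program Files\OpenVPN\config',
        [string] $ServerAddress                                # public IP for client.ovpn; omit for server.ovpn
    )
    # OpenVPN parses backslashes inside quoted strings as escapes, so every
    # backslash of the directory must be doubled in the config file.
    $escapedDir = $ConfigDir.Replace('\', '\\')
    $lines = Get-Content -Path $OvpnFile
    $out = foreach ($line in $lines) {
        if ($line -match '^\s*(ca|cert|key|dh)\s+"?([^"]+?)"?\s*$') {
            $directive = $Matches[1]
            $fileName  = [System.IO.Path]::GetFileName($Matches[2])   # keep only ca.crt etc.
            if (-not (Test-Path -Path (Join-Path $ConfigDir $fileName))) {
                Write-Warning "$directive refers to $fileName, which is missing from $ConfigDir"
            }
            "$directive `"$escapedDir\\$fileName`""
        }
        elseif ($ServerAddress -and $line -match '^\s*remote\s+\S+\s+(\d+)') {
            "remote $ServerAddress $($Matches[1])"   # keep the port, swap the placeholder host
        }
        else { $line }
    }
    Set-Content -Path $OvpnFile -Value $out -Encoding ASCII
}

# Server (section 3): the four PKI files are already in the config folder.
Set-OvpnPaths -OvpnFile 'C:\Program Files\OpenVPN\config\server.ovpn'
# Client (section 5): also replace "my-server-1" with the server's public address.
Set-OvpnPaths -OvpnFile 'C:\Program Files\OpenVPN\config\client.ovpn' -ServerAddress '192.168.1.100'
```

Lines that are commented out in the sample files (those starting with ";" or "#") do not match the patterns and are left untouched.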

6. Connecting OpenVPN:

First we need to start OpenVPN on the server. Run "OpenVPN GUI".


Right-click the OpenVPN icon, then click "Connect".


OpenVPN is now up on the server.
As you can see, the virtual IP address "10.8.0.1" has already been assigned to the server.


We need to configure the server's firewall to accept inbound connections on UDP port 1194.
Click "Advanced settings".


Select "Inbound Rules", then on the right side click "New Rule".


Select "Port"


Select the "UDP" protocol and specify the local port "1194".


Select "Allow the connection".


Give the rule a name.


Click "Finish"


Now we are able to connect the client workstation to the server.

At this point we can only connect OpenVPN, but we need remote desktop access through the VPN. As mentioned in the introduction, the RDP connection on Windows Server 2012 uses the UDP protocol (in addition to TCP) on port 3389.
If you are using Windows 7 or Server 2008 R2, you need to apply the following change to the TCP port 3389 rule instead.

Find the "Remote Desktop - User Mode (UDP-In)" rule, right-click it and choose "Properties".


On the "Scope" tab, under "Remote IP address", select "These IP addresses".


In "This IP address or subnet" enter the virtual IP address of the client, or a range of IP addresses that includes the client address (with the sample server.ovpn, clients receive addresses in 10.8.0.0/24). This limits RDP to VPN clients; leaving the scope at "Any IP address" would leave port 3389 exposed to the internet.


Click "OK".

Do not forget to enable the rule.
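The same two firewall changes, as an added PowerShell example that is not part of the original post: allow UDP 1194 inbound, then restrict the built-in Remote Desktop rules to the VPN subnet and verify the result. It uses the NetSecurity cmdlets that ship with Windows Server 2012 and later (on 2008 R2 use the GUI steps above); the subnet 10.8.0.0/24 is an assumption based on the server's 10.8.0.1 address from the sample server.ovpn, and the OpenVPN rule name is this example's own.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on
# the server. Requires the NetSecurity module (Windows Server 2012 or later).
$VpnSubnet = '10.8.0.0/24'             # assumption: default pool of the sample server.ovpn (server = 10.8.0.1)
$OvpnRule  = 'OpenVPN (UDP-In 1194)'   # rule name chosen for this example

# 1. Allow inbound UDP 1194 so clients on the internet can reach the OpenVPN listener.
if (-not (Get-NetFirewallRule -DisplayName $OvpnRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $OvpnRule -Direction Inbound -Protocol UDP `
        -LocalPort 1194 -Action Allow | Out-Null
}

# 2. Scope the built-in Remote Desktop rules to the VPN subnet and make sure they
#    are enabled. The wildcard catches both the TCP-In rule and the UDP-In rule that
#    Server 2012 added, so port 3389 stops answering to addresses outside the tunnel.
Get-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (*-In)' |
    Set-NetFirewallRule -RemoteAddress $VpnSubnet -Enabled True

# 3. Verify: each RDP rule should now be enabled and its remote address should be
#    the VPN subnet rather than "Any".
Get-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (*-In)' | ForEach-Object {
    $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Remote  = ($remote -join ', ')
    }
}
```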


7. Testing the VPN connection:

Run "OpenVPN GUI" on the client and click "Connect".




The VPN is connected.

Test RDP access: open "Remote Desktop Connection", enter the virtual IP address of the server and click "Connect".

RDP works perfectly. This virtual IP address is reachable only while the OpenVPN tunnel is up.
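A quick client-side check of the end state described in this section, as an added example that is not part of the original post: it confirms the tunnel adapter holds a 10.8.0.x address, that RDP answers through the tunnel on 10.8.0.1, and, just as important, that port 3389 does not answer on the server's public address (192.168.1.100 in this post), which is what the scope change on the Remote Desktop rule is for. The function name is this example's own; it needs PowerShell 3 or later.

```powershell
# Added example (not from the original post). Run on the client workstation
# after "OpenVPN GUI" reports the tunnel is up. Addresses taken from this post:
$VpnServerIp = '10.8.0.1'        # server's virtual address on the tunnel
$PublicIp    = '192.168.1.100'   # server's public address from the introduction
$RdpPort     = 3389

function Test-TcpPort([string] $TargetHost, [int] $Port, [int] $TimeoutMs = 3000) {
    # Plain .NET connect with a timeout, so it also works on Windows 7 clients
    # that do not have Test-NetConnection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # timed out: filtered
        $client.EndConnect($async)                                               # throws if refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. The OpenVPN virtual adapter must hold a 10.8.0.x address while the tunnel is up.
$tunnelAddr = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
    ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
    ForEach-Object { $_.Address.ToString() } |
    Where-Object { $_ -like '10.8.0.*' } | Select-Object -First 1
if (-not $tunnelAddr) { throw 'No 10.8.0.x address found: the VPN tunnel is not up.' }

# 2. RDP must answer through the tunnel and must NOT answer on the public address;
#    if it does, the scope set on the Remote Desktop rule in section 6 did not take effect.
$result = [pscustomobject]@{
    TunnelAddress      = $tunnelAddr
    RdpOverVpn         = Test-TcpPort $VpnServerIp $RdpPort   # expected: True
    RdpExposedPublicly = Test-TcpPort $PublicIp $RdpPort      # expected: False
}
$result
if ($result.RdpExposedPublicly) {
    Write-Warning 'Port 3389 answers from outside the VPN; re-check the Remote Desktop rule scope.'
}
```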