OpenVPN Windows HowTo

OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access controls.

Although originally developed for Linux, OpenVPN is now widely used for providing VPN services for Windows clients. This document describes how we install and configure OpenVPN to work in a Microsoft Windows only environment.

Prerequisites

This how-to assumes that you have the following already set up:

OpenVPN Server

You need a Windows system to act as the OpenVPN server. This can be a Windows 2000/2003 Server or 2000/XP Professional system.

OpenVPN Clients

One or more OpenVPN client systems. These should be Windows 2000/XP Professional, although 2000/2003 server should work equally well.

Networking

The OpenVPN server system needs to be publicly reachable on UDP port 1194 (you can use another port if required, but this is the standard port for OpenVPN). If the server is behind a NAT router then this will require address/port forwarding.

It's preferable for the server IP address to be static as this makes things more stable. If your server has a dynamic IP address then you will need to use a dynamic DNS service to provide a fixed hostname.

All systems should have an unfiltered Internet connection, or at least one that allows communication on UDP port 1194. It is possible to run OpenVPN through more restrictive connections (e.g. a proxy server), but this is outside the scope of this article.

Names and addresses

The names and addresses used in this how to are examples only and should be changed to suit your environment.

  • Company Name: Acme Corp.
  • Public Domain Name: acme.com
  • Private (Windows) Domain Name: acme.com.local
  • Server Hostname: widget
  • LAN address: 192.168.0.0/24
  • Server public address: 1.2.3.4
  • Server private address: 192.168.0.1
  • VPN address: 10.8.0.0/24

Software

OpenVPN

We generally use the OpenVPN GUI package on Windows systems rather than the stock package, as this provides a system tray icon for controlling the application:

http://openvpn.se/download.html

Server Configuration

Install OpenVPN

OpenVPN GUI can be installed with default options (the certificate wizard is not needed). Near the end of the install it will add a TAP-Win32 virtual adapter that is not signed; you need to tell Windows to install this as requested.

Once the installation is complete, you will need to create additional TAP-Win32 virtual adapters using the shortcut in the OpenVPN program group. One adapter is needed for each concurrent VPN user. Rename these adapters to "OpenVPN #n" where n is the adapter number. This is cosmetic only but helps identification.

Configure OpenVPN

Create the server configuration file in the OpenVPN config folder (c:\program files\openvpn\config\).

## server.ovpn ##
port 1194
proto udp
dev tun
ca ca.crt
cert widget.crt
key widget.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option WINS 192.168.0.1"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN acme.com.local"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
status openvpn-status.log
verb 3

Values in italics should be changed to suit your environment.

In this example the max-clients has been set to 4, which would require 3 additional TAP-Win32 virtual adapters to be created.

Set up a Certificate Authority (CA)

You need a Certificate Authority (CA) to sign your client and server certificates. The easy-rsa scripts make this pretty straightforward.

First we need to initialise easy-rsa. You should only do this once as it will wipe out any existing certificates, keys and settings.

C:\Program Files\OpenVPN\easy-rsa> init-config

Next edit vars.bat and change the "KEY_" settings at the bottom of the file.

set KEY_COUNTRY=GB
set KEY_PROVINCE=London
set KEY_CITY=London
set KEY_ORG=Acme
set KEY_EMAIL=hostmaster@acme.com

Finally create the keys folder and the root certificate itself.

C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> clean-all
C:\Program Files\OpenVPN\easy-rsa> build-ca

You will be asked to enter some details for the root certificate. Most of these will default to the values that you entered into vars.bat, but you will need to choose a "Common Name" for the certificate.

Common Name (eg, your name or your server's hostname) []:Administrator

Keys and certificates are created in the keys subfolder. The ca.crt file (root certificate) should be copied to the OpenVPN config folder.

C:\Program Files\OpenVPN\easy-rsa> copy keys\ca.crt ..\config\

Important: Key files (.key) are very sensitive and should be kept safe and never sent over insecure (unencrypted) channels. The Certificate Authority key (ca.key) is particularly important - if it is lost or compromised then you will have to replace all your keys and certificates.

Set up server key and certificate

Once the CA has been set up, we can generate a key and certificate for the server.

C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> build-key-server widget

Executing the vars.bat is not necessary if you do this straight after creating the CA because the environment will still be set (but it doesn't hurt).

As with generating the root certificate, most of the details will default to the correct values but you will need to enter a "Common Name". This is best set to the hostname of the server.

Common Name (eg, your name or your server's hostname) []:widget.acme.com.local

You can leave the challenge password and optional company name blank.

The server also needs Diffie Hellman parameters.

C:\Program Files\OpenVPN\easy-rsa> build-dh

This may take a while...

Finally copy the key, certificate and DH file to the OpenVPN config folder.

C:\Program Files\OpenVPN\easy-rsa> copy keys\widget.crt ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy keys\widget.key ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy keys\dh1024.pem ..\config\

Setup VPN routing

Routing on the server should be enabled by turning on LAN routing in the Routing and Remote Access service; however, we've found that this causes problems with the OpenVPN service, so I would not recommend it. Instead, use regedit to set the IPEnableRouter registry value to 1.

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1)

To allow VPN clients to communicate with systems on the LAN (other than the VPN server), you need to add the VPN network to your router(s) configuration. For a simple stub network you would do this by adding a static route to the default gateway to direct traffic for 10.8.0.0/24 to the server.

Network: 10.8.0.0
Subnet Mask: 255.255.255.0
Next Hop Address: 192.168.0.1

To do this on an IPCop firewall, add a line to the /etc/rc.d/rc.local file.

#!/bin/sh
/sbin/route add -net 10.8.0.0/24 gw 192.168.0.1

You can also add this route at the command line to avoid rebooting the router.

root@ipcop:~ # route add -net 10.8.0.0/24 gw 192.168.0.1
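
Why the default gateway needs that static route, shown as an added example that is not part of the original how-to: the Python below applies longest-prefix matching to a constructed routing table for the gateway and lists the VPN addresses whose replies would not be handed to the VPN server. The table contents, the "wan" and "on-link" labels and the function names are assumptions of this example; the addresses are the how-to's own.

```python
import ipaddress

VPN_SERVER_LAN_IP = "192.168.0.1"        # "Server private address" in this how-to
VPN_SUBNET = "10.8.0.0/255.255.255.0"    # "VPN address" in this how-to

# Constructed routing table of the LAN's default gateway before the change:
# (network, mask, next hop). "wan" and "on-link" are placeholder labels.
GATEWAY_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "wan"),
    ("192.168.0.0", "255.255.255.0", "on-link"),
]
# The static route from the section above.
STATIC_ROUTE = ("10.8.0.0", "255.255.255.0", VPN_SERVER_LAN_IP)


def next_hop(routes, dst):
    """Longest-prefix match: the next hop a router with `routes` picks for dst."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for network, mask, hop in routes:
        net = ipaddress.ip_network(f"{network}/{mask}")
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def unrouted_vpn_hosts(routes, vpn_subnet=VPN_SUBNET, server=VPN_SERVER_LAN_IP):
    """VPN addresses whose replies the gateway would NOT send to the VPN server."""
    net = ipaddress.ip_network(vpn_subnet)
    return [str(h) for h in net.hosts() if next_hop(routes, str(h)) != server]


if __name__ == "__main__":
    # Without the static route every reply to a VPN client leaves via the WAN.
    print(len(unrouted_vpn_hosts(GATEWAY_ROUTES)), "VPN hosts unreachable")
    # With it, replies go to 192.168.0.1, which forwards them into the tunnel.
    print(unrouted_vpn_hosts(GATEWAY_ROUTES + [STATIC_ROUTE]))
    # A route whose mask is narrower than the VPN subnet covers only part of it.
    narrow = ("10.8.0.0", "255.255.255.252", VPN_SERVER_LAN_IP)
    print(unrouted_vpn_hosts(GATEWAY_ROUTES + [narrow])[0], "is the first gap")
```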

Finishing touches

We like to create a batch file called restartvpn.cmd in the OpenVPN config folder (and desktop shortcut) to restart the OpenVPN service in case it gets stuck.

net stop openvpnservice
net start openvpnservice

Configure the OpenVPN service to start automatically on boot using the services applet, and then start the service.

Client Configuration

Install OpenVPN

Again the OpenVPN GUI can be installed with default options.

I like to rename the TAP-Win32 adapter (in Network Connections) to "OpenVPN". This is cosmetic only but helps identification.

Configure OpenVPN

Create the client configuration file in the OpenVPN config folder (c:\program files\openvpn\config\).

## acme.ovpn ##
client
proto udp
dev tun
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert fred.crt
key fred.key
comp-lzo
verb 3

Values in italics should be changed to suit your environment.

In this example we assume that the name of the client is "Fred".
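
The server.ovpn and acme.ovpn files above can be checked mechanically before they are deployed. The following Python is an added example, not part of the original how-to or of OpenVPN: it flags a client config that has no server-certificate check (the case OpenVPN's "No server certificate verification method has been enabled" warning describes), flags a server DH file whose name suggests fewer than 2048 bits, and cross-checks that both ends agree on proto, port, dev and comp-lzo. The function names, the 2048-bit threshold and the file-name heuristic are assumptions of this example.

```python
import re

# Constructed inputs: this how-to's two example configs, abridged.
SERVER_CONF = '''## server.ovpn ##
port 1194
proto udp
dev tun
ca ca.crt
cert widget.crt
key widget.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
comp-lzo
max-clients 4
'''
CLIENT_CONF = '''## acme.ovpn ##
client
proto udp
dev tun
remote 1.2.3.4 1194
nobind
ca ca.crt
cert fred.crt
key fred.key
comp-lzo
'''

# Client directives that check the peer really is the intended server.
PEER_CHECKS = ("remote-cert-tls", "ns-cert-type", "verify-x509-name",
               "tls-remote", "tls-verify")
MIN_DH_BITS = 2048  # assumption of this example, not a value from the page


def parse_ovpn(text):
    """Return {directive: [argument list, ...]}; '#' and ';' start comments."""
    directives = {}
    for raw in text.splitlines():
        tokens = []
        for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', raw):
            if bare and bare[0] in "#;":
                break
            tokens.append(bare if bare else quoted)
        if tokens:
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def first_arg(directives, name, default=None):
    """First argument of the first occurrence of a directive, or default."""
    for args in directives.get(name, []):
        if args:
            return args[0]
    return default


def audit(text):
    """Return a list of (finding_id, message) for one config file."""
    d = parse_ovpn(text)
    findings = []
    if "client" in d or "tls-client" in d:
        checked = any(
            (args[:1] == ["server"]) if name in ("remote-cert-tls", "ns-cert-type")
            else bool(args)
            for name in PEER_CHECKS for args in d.get(name, []))
        if not checked:
            findings.append(("no-server-cert-check",
                             "any certificate signed by the CA, including another "
                             "client's, is accepted as the server"))
    if "server" in d or "tls-server" in d:
        dh_file = re.split(r"[\\/]", first_arg(d, "dh", ""))[-1]
        bits = re.search(r"\d{3,5}", dh_file)  # heuristic: size read from the name
        if bits and int(bits.group()) < MIN_DH_BITS:
            findings.append(("weak-dh", f"{dh_file}: {bits.group()}-bit DH "
                                        f"parameters, below {MIN_DH_BITS}"))
    return findings


def cross_check(server_text, client_text):
    """Return the names of settings on which the two ends disagree."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    remote = (c.get("remote") or [[]])[0]
    client_port = remote[1] if len(remote) > 1 else first_arg(c, "port", "1194")
    pairs = {
        "proto": (first_arg(s, "proto", "udp")[:3], first_arg(c, "proto", "udp")[:3]),
        "port": (first_arg(s, "port", "1194"), client_port),
        "dev": (re.sub(r"\d+$", "", first_arg(s, "dev", "")),
                re.sub(r"\d+$", "", first_arg(c, "dev", ""))),
        "comp-lzo": ("comp-lzo" in s, "comp-lzo" in c),
    }
    return [name for name, (a, b) in pairs.items() if a != b]


if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for finding_id, message in audit(conf):
            print(f"{label}: {finding_id}: {message}")
    print("mismatches:", cross_check(SERVER_CONF, CLIENT_CONF))
```

Certificates made with build-key-server carry the server certificate type, so adding `ns-cert-type server` (or `remote-cert-tls server` on OpenVPN 2.1 and later) to acme.ovpn clears the client finding.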

Set up client key and certificate

We will generate client keys and certificates on the server, which means you have to be careful to securely transport the client key to the client machine. To avoid this, you could generate the key on the client along with a Certificate Signing Request (CSR), which can then be transported to the server where it is signed to create the certificate; however, this is beyond the scope of this document.

Generate the client key and certificate on the OpenVPN server machine.

C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> build-key fred

Then copy the client key and certificate along with the root certificate securely to the config folder on the client machine. The simplest way of doing this is to just put the files on a USB key (or floppy disk).

C:\Program Files\OpenVPN\easy-rsa> copy keys\fred.crt a:\
C:\Program Files\OpenVPN\easy-rsa> copy keys\fred.key a:\
C:\Program Files\OpenVPN\easy-rsa> copy keys\ca.crt a:\

Then on the client machine:

C:\Program Files\OpenVPN\easy-rsa> copy a:\fred.crt ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy a:\fred.key ..\config\
C:\Program Files\OpenVPN\easy-rsa> copy a:\ca.crt ..\config\

Test

Right click the OpenVPN tray icon and select "Connect". It will open a status window showing the connection progress, and if everything is working ok then the status window should close and the icon should turn green.

To test the connection, try pinging 10.8.0.1 (the server VPN IP address), 192.168.0.1 (the server LAN IP address), the address of a PC on the remote LAN (e.g. 192.168.0.123), and then try pinging devices by name.

c:\> ping 10.8.0.1
c:\> ping 192.168.0.1
c:\> ping 192.168.0.123
c:\> ping widget

Comments

Hi Jamie, did you try to set up a routing modem OpenVPN server on Windows with a single NIC only?

Not entirely sure what you mean...can you clarify?

Hi Jamie

I have a windows 2003 server setup as an open VPN server and I can connect to it no problem.

I cannot however ping the server's ip address e.g. 10.8.0.1 or 192.168.88.54

To rule out the machine I re-installed the openVPN server on another Windows 2003 server with the same result.

Neither server has a local firewall.

I've set this up on XP Professional with no problems.

The weird thing is that I can telnet 10.8.0.1 or 192.168.88.54 on port 25, 110 but not on anything else.

Is it possible that there is a security policy on the Windows 2003 Server that I'm missing or that could be filtering certain ports? I've double-checked with the firewall engineer and I agree that once the tunnel is established there is not much else the firewall can do seeing it is an encrypted tunnel.

Hope this makes sense

Norbert

The most common problem that I've had with 2k3 is that the routing and remote access service seems to get in the way of OpenVPN configuring the routing properly. This could be related to that, but the fact that you can telnet into open ports on the server means that it's unlikely.

Look at the routing table (route print) on the server and see if there is a route to the vpn network (10.8.0.0/255.255.255.0). If there's not then there's a routing problem and you should try disabling routing and remote access service.

It could be a security policy, but I'd imagine you would know if it was, cause you would have had to set it up. Are these servers fresh installs? If not then try a fresh install with no other software on to see if you can replicate the problem.

Let me know how you get on.

 

Any way of getting around Routing and Remote Access?

I have to have Routing and Remote Access running but have found that if Routing and Remote access runs before openvpn service does that it tends to bugger openvpn up. The solution is to then stop routing and remote access, restart openvpn service, start routing and remote access and then it works. Just wondering if there is any kind of hack/fix for this?

Haven't found one that works yet. There's an option in OpenVPN that determines how the routes are added, but this seems to have no effect.

Try creating a batch script to restart the VPN at boot (or any other time). Something like this:

net stop RemoteAccess
net stop OpenVPNService
net start OpenVPNService
ping -n 10 127.0.0.1
net start RemoteAccess

I have a similar problem. I am trying to make a tunnel between my roadcomputer and the network at home. Everything connects, but I can't ping the server's VPN or the server's local address. The funny thing is that I can telnet on port 25 and 110. I am using Windows XP on both computers. Roadcomputer: 192.168.3.0/255.255.255.0 Homecomputer: 192.168.2.0/255.255.255.0 VPN: 10.1.1.0/255.255.255.0 I can see that on the road computer a route for 192.168.2.0 is added, but I can't see any route for 192.168.3.0 on the home computer. Is this OK? What can be wrong?

If you are running the OpenVPN client on Roadcomputer then the only reason to have a route on Homecomputer for 192.168.3.0 is so that Homecomputer can reach other clients on network 192.168.3.0. This is probably not what you want. So just to be clear, when the VPN is connected you can telnet to ports on Homecomputer's LAN (192.168.2.x) and VPN (10.1.1.x) addresses, but you can't ping them? If that's the case then I suspect that there's some kind of packet filtering going on, probably on Homecomputer, that is blocking the ICMP (Ping) packets.

I'm running a win2k server and have the following: server ip: 192.168.0.99 server LAN: 192.168.0.xxx subnet 255.255.255.0 tap interface IP: 10.8.0.1 when the client remotely connects, they can ping the server at 192.168.0.99 but they cannot see any other machines on the server LAN. between the server and the internet is a router with port forwarding of the VPN port to the server. do i edit the hardware router's table, the server's route table, and what command do i want to use?

Does this tutorial work for a routing OpenVPN server on WindowsXP Pro with a single physical NIC only?

Yes, and as I understand it's actually a bit easier than 2000/2003 server (no Routing and Remote Access service to get in the way)

Great, thanks. I'll try it asap.

I've been working with OpenVPN for a few days now. I set up my server to use routing instead of bridging. I found that if you are using the dun tap you will need to make some adjustments to the router (i.e. Netgear/Linksys/Dlink) static tables to enable the client to see other machines in the network.

In my server configuration file I have the following entry for the server: "server 192.168.10.0 255.255.255.128"

The local ip is: "local 192.168.2.10"

Now, in my Netgear static routes I added the following:

Destination : 192.168.10.0
IP Subnet Mask: 255.255.255.252
Gateway IP : 192.168.2.10
Metric : 10

I don't know why I needed to use the 255.255.255.128 on the server IP, nor do I know why I needed to use the 255.255.255.252 in the Netgear static route. However, I found more light in the FAQ from OpenVPN. It is a compatibility thing with Windows connecting as clients. Anyway, the last time I tested the connection I was able to log on to my NAS, Router Admin Pages, and see all computers remotely (VNC and RDP).

Hope this helps.

http://openvpn.net/faq.html
Why does OpenVPN's "ifconfig-pool" option use a /30 subnet (4 private IP addresses per client) when used in TUN mode?

Excellent tutorial.. everything works quite well.. only that at the end you have to heed the comment about modifying the router's parameters. Regards

thanks for the excellent tutorial, was able to set up OpenVPN just fine :)

First of all, thanks, then a question. How can I connect multiple clients to the same server? Is it enough to create certificates and to set up clients, or do I have to do something else? 10x

I have a very similar setup, and with it the same issues.. If you've come up with a solution please, do tell.

Yep, create certificates, set up clients (and make sure you have enough OpenVPN TAP-Win32 adapters in Network connections to handle the maximum number of concurrent connections).

I just disabled the Remote Access service--now it works fine... Thanks, guys!

First, thanks for this tutorial. I've got some trouble with setting up an OpenVPN between two LANs. I've followed many tutorials and howtos (less useful for me than this one); unfortunately I am still in trouble. I suspect the fact that each LAN has its own firewall (MS ISA2004): the OpenVPN server is on the ISA box LAN (a) and the client is behind another ISA box LAN (b). I tried many times to establish a connection between them with no result till now. The OpenVPN server, when launched, turns green and picks an address 10.3.0.1; the client can't pick an address when I try to connect and turns yellow; even though I tried to reconnect several times it doesn't change. I created some rules to allow the connection on UDP port 1194 on both ISAs. The actual situation is simply: no connection with OpenVPN (server and client), no ping on the 10.3.0.1, no access to any LAN resources. Folks, plz, any help, any suggestions or any similar experience with OpenVPN which succeeded are welcome.

First, thanks for this tutorial. I have a question about OpenVPN on an MS ISA2004 box. I want to use OpenVPN between two LANs, each LAN having its own firewall (MS ISA2004), as a SITE TO SITE VPN. I tried to set up a VPN connection without any success till now. Any help or suggestions are welcome.

Great tutorial and up to date. I was hoping you could write another for Ethernet-Bridged mode? I would really appreciate some server and client sample configuration files for Ethernet-Bridged mode. I can't get mine working. I'm using a single NIC adapter through my Netgear DG843Gv4 (latest firmware) router. I've forwarded the ports for IPSEC, PPTP and L2TP and 1194 for OpenVPN but clients still cannot connect to me. Also, I can't access local host from Firefox and the DynDNS port tool reports that 1194 'times out' (along with any other port I try). Help appreciated! Che.Fisher@gmail.com

Thank You, Thank You ! You made my day, this is the easiest guide to OpenVPN for Windows I've read. After few days of trials and errors my OpenVPN experience is successful!

Some observations after having set up openVPN 2.1 on Windows Server 2003 behind a firewall: - I couldn't connect anything at first because I needed to rename the adapter and set that to match in the server config file - Then I could ping the server only, but nothing behind the server a) I had to turn on IP forwarding as shown above, and then started the RRAS service (did not use the config wizard). b) Firewall/ICS service had to be ON for some reason, even if I deactivated it in the firewall settings control panel

Hi, I'm trying to set up an OpenVPN server. With just one client connected everything works fine, but if more than one client tries to connect, they all get the same IP assigned. So how to set up DHCP for only one client when connecting on many computers? Thanks

what to do when you need more client certs and keys I need to add more certs due to an increase in number of clients without changing the ca.cert. Thanks

Hi! I have done and working but i can not ping LAN IP address. pls help me Thanks Best Regard,

Without more information I couldn't tell you, however I recommend to most people to use OpenVPN 2.1_rc7 these days, especially if using Vista as I've seen a similar problem to what you describe using the older versions recently.
Just make sure you save your keys and install the newer OpenVPN over the top.

Hello to all and thanks for writing this guide... I have one single question.. I have 2 Windows XP PCs connected to each other through OpenVPN, but now I want one of them (10.8.0.1) to access the network of the other (10.8.0.6), which is based on the 192.168.1.xxx IP range.. can someone plz tell me how I can do that? Thanks in advance

Hi! I followed all the steps and everything seems to work fine. But when I'm connected to the server, I lose the internet connection. I think the client is trying to get to the internet through the server default gateway. Don't know how to fix it though. Hope you can help! Thanks

Hi Neil, I have installed OpenVPN on Windows 2003 server. I have DHCP configured on that. And also a Linksys router. My configuration is as follows:

Server WAN IP: 192.168.0.1
Server local LAN IP: 192.168.1.100 (also DHCP configured for private network)

I have done forwarding on the Linksys router and also opened the 1194 port on the router. Forwarding on the router is as follows:

Destination Address: 10.8.0.1
Mask: 255.255.255.252
Default Gateway: 192.168.0.1

IP address for the router is 192.168.0.254. My OpenVPN server IP is 10.8.0.1. Now I can connect to the server OpenVPN. But when I try to connect from the client it gives me an error like below:

Tue Jul 29 10:09:06 2008 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 29 10:09:06 2008 TLS Error: TLS handshake failed
Tue Jul 29 10:09:06 2008 TCP/UDP: Closing socket

I have checked there is no issue with Windows Firewall. I have updated the IPEnableRouter key in the registry also. I have got Routing and Remote Access already configured on my server .. I am not sure what is blocking OpenVPN. Do I have to make any changes in Routing and Remote Access.. Thanks & Regards Mohsin Memon

I am trying to set up OpenVPN in a Windows (MojoPac) based virtual machine running on a USB flash drive. Is there some way to include the TAP-Win32 driver start-up in a config or batch file so that when OpenVPN GUI starts, just before it does so, it starts the TAP driver? I can't find a news group or forum in which to ask this question. If any of you guys can help me solve this one I would be very grateful. The problem is that although I can manually start the TAP-Win32 driver each time, with the batch file OpenVPN installed (and then OpenVPN GUI will run and connect), the TAP virtual adapter does not start by itself, and when I restart the USB drive I have to go through the same process again as nothing has been written to the registry of course. Also, when the TAP installs, it requires a click OK acceptance since. I am assuming that if there is a way to do this automagically in a batch or config file, there will also be an automagic acceptance variable. Many thanks, Terence.

Please note, I've not tried this and I've not used MojoPac.

Under "Notes -- Manual Install/Update/Uninstall of the TAP-Win32 kernel driver"
Shows you the command line to install.

The "automagically acceptance" for the TAP driver is a tricky one as Windows is deliberately wanting you to manually accept an unsigned driver.
I imagine that using VBScript or AutoHotkey you could send the key presses needed to accept the driver, but it may be down to the individual PC configuration as to whether it will work.

When trying to run openVPN client on Windows Server 2003 and you are receiving multiple warnings that route(s) could not be initialized/applied like the following: C:\WINDOWS\system32\route.exe ADD 10.x.x.x MASK 255.x.x.x 10.x.x.x Route addition via IPAPI failed [adaptive] Route addition fallback to route.exe ...then check the following: 1) Make sure the openVPN service is running. 2) Disable or stop the "Routing and remote access" service, which provides VPN and similar services on its own. 2) might be the cause for openVPN not being able to add or alter network routes. Additionally, if your Windows Server 2003 also acts as a DNS server, you should make sure that it only listens and serves on its primary IP address - not automatically on all IP addresses, which would include (often) automatically assigned IP addresses of openVPN connections. Having the Windows Server 2003 DNS service listen on those addresses, too, can break the IP resolution for openVPN connections. However, after connecting to a remote network using openVPN on Windows Server 2003, you can determine the IP of the remote DNS server and add it to the DNS servers forward list in your DNS server configuration. Your Windows DNS server will then try to resolve a IP via those servers if it cannot be resolved by your default gateway(s). If the following warning is issued during connecting to the remote site: ROUTE: route addition failed using CreateIpForwardEntry: Access denied. [status=65 if_index=65540] ...then you are probably trying to establish an openVPN connection as a regular user. However, openVPN client needs administrative privileges to add or alter routing for its virtual network interfaces.

ROUTE: route addition failed using CreateIpForwardEntry: Access denied. [status=65 if_index=65540] I have found this solution in Local Users of the computer: the user must be a member of the Network Configuration Operator group on the local computer. Then OpenVPN runs successfully. :) Best regards, Senol.

I have OpenVPn runnning and clients can successfully connect however none of the Internet traffic goes over the VPN. The server is running on Windows 2003 and the client is a Mac (Tunnelbrick). Any help or suggestions would be appreciated. ##Server## port 1194 proto udp dev tun ca ca.crt cert win2003.crt key win2003.key dh dh1024.pem server 10.5.0.0 255.255.0.0 ifconfig-pool-persist ipp.txt push "route 10.0.0.0 255.255.0.0" push "dhcp-option WINS 10.0.0.7" push "dhcp-option DNS 10.0.0.7" push "dhcp-option DOMAIN bashore.local" keepalive 10 120 comp-lzo max-clients 2 persist-key persist-tun status openvpn-status.log verb 3 ##client## client proto udp dev tun remote my.server.com 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.mine.crt cert miami.crt key miami.key comp-lzo verb 3 #####This is the log data##### Wed 10/22/08 10:35 PM: IMPORTANT: OpenVPN's default port number is now 1194 Wed 10/22/08 10:35 PM: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 
Wed 10/22/08 10:35 PM: LZO compression initialized Wed 10/22/08 10:35 PM: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ] Wed 10/22/08 10:35 PM: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] Wed 10/22/08 10:35 PM: Local Options hash (VER=V4): '41690919' Wed 10/22/08 10:35 PM: Expected Remote Options hash (VER=V4): '530fdded' Wed 10/22/08 10:35 PM: UDPv4 link local: [undef] Wed 10/22/08 10:35 PM: UDPv4 link remote: my.ser.er.ip:1194 Wed 10/22/08 10:35 PM: TLS: Initial packet from my.sev.er.ip:1194 Wed 10/22/08 10:35 PM: VERIFY OK: depth=1 Wed 10/22/08 10:35 PM: VERIFY OK: depth=0 Wed 10/22/08 10:35 PM: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key Wed 10/22/08 10:35 PM: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Wed 10/22/08 10:35 PM: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key Wed 10/22/08 10:35 PM: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Wed 10/22/08 10:35 PM: Control Channel: TLSv1 Wed 10/22/08 10:35 PM: [win2003.bashore.local] Peer Connection Initiated with 69.136.89.8:1194 Wed 10/22/08 10:35 PM: SENT CONTROL [win2003.bashore.local]: 'PUSH_REQUEST' (status=1) Wed 10/22/08 10:35 PM: PUSH: Received control message: 'PUSH_REPLY Wed 10/22/08 10:35 PM: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: topology (2.0.9) Wed 10/22/08 10:35 PM: OPTIONS IMPORT: timers and/or timeouts modified Wed 10/22/08 10:35 PM: OPTIONS IMPORT: --ifconfig/up options modified Wed 10/22/08 10:35 PM: OPTIONS IMPORT: route options modified Wed 10/22/08 10:35 PM: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Wed 10/22/08 10:35 PM: gw 10.0.0.1 Wed 10/22/08 10:35 PM: TUN/TAP device /dev/tun1 opened Wed 10/22/08 10:35 PM: /sbin/ifconfig tun1 delete Wed 10/22/08 10:35 PM: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure Wed 10/22/08 10:35 PM: /sbin/ifconfig 
tun1 10.5.0.6 10.5.0.5 mtu 1500 netmask 255.255.255.255 up Wed 10/22/08 10:35 PM: /sbin/route add -net 10.0.0.0 10.5.0.5 255.255.0.0 Wed 10/22/08 10:35 PM: /sbin/route add -net 10.5.0.1 10.5.0.5 255.255.255.255 Wed 10/22/08 10:35 PM: Initialization Sequence Completed

Hello guys I have a very strange problem i can not find anything about it in google. So i want to ask here can someone help me. I have installed and configured everything as i should lzo and openvpn are installed. I have generated all the keys for the server and i have done the server.conf file like this: dev tun proto tcp port 1194 ca ca.crt cert server.crt key server.key dh dh1024.pem user nobody group nogroup server 10.8.0.0 255.255.255.0 persist-key persist-tun #status openvpn-status.log #verb 3 client-to-client push “redirect-gateway def1″ #log-append /var/log/openvpn comp-lzo my crt and key files are in the same directory as my config file. but when i do ]# openvpn –config server.conf Options error: Unrecognized option or missing parameter(s) in server.conf:5: ca (2.0.9) Use –help for more information. I get this unusual error and i can not find out why it this happening whats wrong with ca ca.crt line Please help me.

I have a problem running OpenVPN, using Windows 2003 Server, with multiple clients using Windows Xp. For every computer, I created a .bat file to run OpenVPN-GUI and connect the VPN automatically at Windows startup. The problem: all clients connect to the server, but can't ping to it. Only after I restart the connection at the server, then everything works fine. Does anybody knows what's the cause and how to solve this? Configuration for the server: proto udp dev tun tls-server keepalive 10 60 ping-timer-rem comp-lzo persist-key persist-tun server 10.0.0.0 255.255.255.0 dh keys/dh1024.pem ca keys/ca.crt cert keys/server.crt key keys/server.key ifconfig-pool-persist ipp.txt float ——— Configuration for one of the clients: remote nonamed.no-ip.org proto udp client pull dev tun tls-client comp-lzo keepalive 10 60 ping-timer-rem persist-key persist-tun dh keys/dh1024.pem ca keys/ca.crt cert keys/client1.crt key keys/client1.key ns-cert-type server float Thank you for your attention.

The best OpenVPN article I have ever read! Excellent!

I am using Open vpn as client and i have some problems to use it... it is about password , when i put on a password i can't delete it... I want to use it without password help me for that, please...

I don't understand. Be precise please.

Any Chance you could tell me what to do different if I want to Ethernet Bridge to allow NetBios? -Justin Bowen, IIP Promotions's web-tech section

Hi there, I don't know where I'm going wrong, but maybe someone can help me. I have set up everything. I can connect to my server, I can ping my VPN server and the server can ping my client back, but I cannot connect to any other machine on my network.

My setup is as follows. OpenVPN server is set up on a Windows 2003 domain controller which is also my DNS server, and my client is on Windows XP. I use a Netgear FVX538 firewall and have added the following static route in there:

  • Destination IP address: 192.168.10.0 (VPN address)
  • Subnet mask: 255.255.255.252
  • Interface: LAN
  • IP Address: 192.168.109.1 (Router IP address)

My server config is as follows:

    ## server.ocpn ##
    port 1194
    proto udp
    dev tap
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem
    mode server
    tls-server
    server 192.168.10.0 255.255.255.128
    push "route 192.168.109.0 255.255.255.0"
    push "route 192.168.109.1 255.255.255.0"
    push "dhcp-option WINS 192.168.109.2"
    push "dhcp-option DNS 192.168.109.2"
    keepalive 10 120
    comp-lzo
    max-clients 20
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

My client config is:

    ## client
    proto udp
    dev tap
    remote x.y.z.q 1194
    resolv-retry infinate
    route-method exe
    route-delay 2
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert robert.crt
    key robert.key
    comp-lzo
    verb 3
    ##

The routing table from my laptop when I'm connected via VPN:

    ketplaner-Miniport
    ===========================================================================
    ===========================================================================
    Aktive Routen:
    Netzwerkziel      Netzwerkmaske     Gateway         Schnittstelle   Anzahl
    0.0.0.0           0.0.0.0           90.186.156.67   90.186.156.70   1
    90.186.156.64     255.255.255.248   90.186.156.70   90.186.156.70   30
    90.186.156.70     255.255.255.255   127.0.0.1       127.0.0.1       30
    90.255.255.255    255.255.255.255   90.186.156.70   90.186.156.70   30
    127.0.0.0         255.0.0.0         127.0.0.1       127.0.0.1       1
    169.254.0.0       255.255.0.0       90.186.156.70   90.186.156.70   20
    192.168.10.0      255.255.255.128   192.168.10.2    192.168.10.2    30
    192.168.10.2      255.255.255.255   127.0.0.1       127.0.0.1       30
    192.168.10.255    255.255.255.255   192.168.10.2    192.168.10.2    30
    192.168.109.0     255.255.255.0     192.168.10.1    192.168.10.2    1
    224.0.0.0         240.0.0.0         90.186.156.70   90.186.156.70   30
    224.0.0.0         240.0.0.0         192.168.10.2    192.168.10.2    30
    255.255.255.255   255.255.255.255   90.186.156.70   90.186.156.70   1
    255.255.255.255   255.255.255.255   192.168.10.2    3               1
    255.255.255.255   255.255.255.255   192.168.10.2    2               1
    255.255.255.255   255.255.255.255   192.168.10.2    10007           1
    255.255.255.255   255.255.255.255   192.168.10.2    192.168.10.2    1
    Standardgateway:  90.186.156.67
    ===========================================================================

And finally the log file from the client:

    Thu Aug 06 14:54:39 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
    Thu Aug 06 14:54:39 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Thu Aug 06 14:54:39 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Thu Aug 06 14:54:39 2009 LZO compression initialized
    Thu Aug 06 14:54:39 2009 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Thu Aug 06 14:54:39 2009 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Thu Aug 06 14:54:39 2009 Local Options hash (VER=V4): 'd79ca330'
    Thu Aug 06 14:54:39 2009 Expected Remote Options hash (VER=V4): 'f7df56b8'
    Thu Aug 06 14:54:39 2009 UDPv4 link local: [undef]
    Thu Aug 06 14:54:39 2009 UDPv4 link remote: x.y.z.q:1194
    Thu Aug 06 14:54:40 2009 TLS: Initial packet from x.y.z.q:1194, sid=e72f77ae 046684c6
    Thu Aug 06 14:54:42 2009 VERIFY OK: depth=1, /C=DE/ST=BB/L=Berlino/O=EDV/CN=administrator/emailAddress=edv@arinnaag.com
    Thu Aug 06 14:54:42 2009 VERIFY OK: depth=0, /C=DE/ST=BB/O=EDV/CN=server/emailAddress=edv@arinnaag.com
    Thu Aug 06 14:54:46 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Aug 06 14:54:46 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Aug 06 14:54:46 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Aug 06 14:54:46 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Aug 06 14:54:46 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Thu Aug 06 14:54:46 2009 [server] Peer Connection Initiated with x.y.z.q:1194
    Thu Aug 06 14:54:48 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Thu Aug 06 14:54:48 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.109.0 255.255.255.0,route 192.168.109.1 255.255.255.0,dhcp-option WINS 192.168.109.2,dhcp-option DNS 192.168.109.2,route-gateway 192.168.10.1,ping 10,ping-restart 120,ifconfig 192.168.10.2 255.255.255.128'
    Thu Aug 06 14:54:48 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Aug 06 14:54:48 2009 OPTIONS IMPORT: --ifconfig/up options modified
    Thu Aug 06 14:54:48 2009 OPTIONS IMPORT: route options modified
    Thu Aug 06 14:54:48 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Thu Aug 06 14:54:48 2009 TAP-WIN32 device [LAN-Verbindung 4] opened: \\.\Global\{8922E7CE-B8FE-4DB3-ADA0-B2FA4B7EE99A}.tap
    Thu Aug 06 14:54:48 2009 TAP-Win32 Driver Version 8.4
    Thu Aug 06 14:54:48 2009 TAP-Win32 MTU=1500
    Thu Aug 06 14:54:48 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.10.2/255.255.255.128 on interface {8922E7CE-B8FE-4DB3-ADA0-B2FA4B7EE99A} [DHCP-serv: 192.168.10.0, lease-time: 31536000]
    Thu Aug 06 14:54:48 2009 Successful ARP Flush on interface [4] {8922E7CE-B8FE-4DB3-ADA0-B2FA4B7EE99A}
    Thu Aug 06 14:54:50 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Thu Aug 06 14:54:50 2009 route ADD 192.168.109.0 MASK 255.255.255.0 192.168.10.1
    Thu Aug 06 14:54:50 2009 route ADD 192.168.109.1 MASK 255.255.255.0 192.168.10.1
    Hinzufügen der Route fehlgeschlagen: Der angegebene Maskenparameter ist ungültig. (Ziel & Maske) != Ziel.
    Thu Aug 06 14:54:50 2009 Initialization Sequence Completed

I really need to get this sorted out ASAP and would be very grateful if someone could help me out here.

Regards,
Rob
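Two lines in the client log above can be checked for before a config is deployed: the rejected `route ADD 192.168.109.1 MASK 255.255.255.0` ("(Ziel & Maske) != Ziel", i.e. destination AND mask must equal the destination) and the `WARNING: No server certificate verification method has been enabled`. The following lint is an added example, not part of Rob's post or of OpenVPN; the function names are hypothetical and the sample configs are constructed from the directives quoted in the post.

```python
import ipaddress
import re

# Constructed samples: directives copied from the configs in the post above.
SERVER_CONF = """\
server 192.168.10.0 255.255.255.128
push "route 192.168.109.0 255.255.255.0"
push "route 192.168.109.1 255.255.255.0"
push "dhcp-option DNS 192.168.109.2"
"""
CLIENT_CONF = """\
proto udp
dev tap
remote x.y.z.q 1194
route-method exe
ca ca.crt
"""

# Matches `route A M` and `push "route A M"`, but not route-method/route-delay.
ROUTE_RE = re.compile(r'^\s*(?:push\s+")?route\s+(\S+)\s+([\d.]+)')
# Client options that enable some form of server certificate verification.
VERIFY_OPTS = {"ns-cert-type", "remote-cert-tls", "tls-remote",
               "verify-x509-name", "tls-verify"}

def invalid_routes(conf):
    """Return (dest, mask, network) for routes where dest & mask != dest."""
    bad = []
    for line in conf.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask = m.groups()
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue  # hostname destination or malformed mask: not checked here
        if str(net.network_address) != dest:
            bad.append((dest, mask, str(net.network_address)))
    return bad

def verifies_server_cert(conf):
    """True if the client config names any server-verification option."""
    words = (l.split() for l in conf.splitlines()
             if l.strip() and l.lstrip()[0] not in "#;")
    return any(w[0] in VERIFY_OPTS for w in words)

if __name__ == "__main__":
    for dest, mask, net in invalid_routes(SERVER_CONF):
        print(f"route {dest} {mask}: host bits set, network is {net}")
    if not verifies_server_cert(CLIENT_CONF):
        print("client config enables no server certificate verification")
```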

Hi, I'm running OpenVPN in my router Linksys WRT610N with DD-WRT firmware. Now I use the OpenVPN client to build a VPN tunnel to my router. Can I use another client that I can run from a USB stick or via web interface to build a VPN tunnel? If so, which client is best to use? Thanks, Hans

How about OpenVPN Portable?