Detailed instructions for OpenVPN v2.3.8 on Windows Server 2008R2 / Sudo Null IT News
I give detailed instructions for OpenVPN v2.3.8 on Windows Server 2008R2 with TLS authentication enabled. All parameters will also be described in detail.
Server setup
To get started, download the distribution from the official site. Launch the openvpn-install-2.3.8-I001-x86_64 installer. Include the following components:
Specify the installation path (all further actions assume the path given in the example):
During the installation you will be asked to install a virtual network adapter; agree to the installation.
After a successful installation, go to the "C:\Program Files\OpenVPN" directory and create an "ssl" directory there (the directory can be called anything you like; it will be used in the settings below). This directory will hold the server certificates, the encryption keys and the key used to verify client authenticity.
Go to the directory "C:\Program Files\OpenVPN\easy-rsa" and open "vars.bat" with notepad or notepad++ (the better option). This is a script containing the default parameters used when creating and generating client/server certificates and for the subsequent server settings.
At the very bottom of the file are the following parameters, which you need to configure for yourself:
set KEY_COUNTRY=RU
set KEY_PROVINCE=MO
set KEY_CITY=MOSCOW
set KEY_ORG=OpenVPN
set KEY_EMAIL=local@mos.local
set KEY_CN=server
set KEY_NAME=server
set KEY_OU=OU
rem The two PKCS#11 values below are left at their defaults
set PKCS11_MODULE_PATH=changeme
set PKCS11_PIN=1234
Save.
In the same directory "C:\Program Files\OpenVPN\easy-rsa" there is the configuration file "openssl-1.0.0.cnf". Open it with notepad or notepad++ (the better option) and change the setting responsible for the lifetime of certificates: by default it is 365 days, extend it to 3650 days.
default_days = 3650 # how long to certify for
Save.
Next, we will generate the following:
ca.crt - our own trusted certificate (Certificate Authority, hereinafter CA) for signing client certificates and for checking them during client authentication
dh1024.pem - Diffie-Hellman parameters that let two or more parties derive a shared secret key
server.crt - server certificate
server.key - server key
ta.key - additional key for TLS authentication (improves connection security); the server and every client must have a copy of this key
Open the command line and go to the directory "C:\Program Files\OpenVPN\easy-rsa":
cd "C:\Program Files\OpenVPN\easy-rsa"
Enter the "vars" command and press Enter (this initializes work with the scripts; if the command line is closed, the "vars" command will have to be entered again).
Enter the "clean-all" command (clears the directory "C:\Program Files\OpenVPN\easy-rsa\keys" and then creates the files "index.txt" (the certificate database) and "serial" (the serial-number counter)).
Without closing the command line, check the contents of the directory "C:\Program Files\OpenVPN\easy-rsa\keys": the files "index.txt" and "serial" should have been created.
Enter the command "openvpn --genkey --secret %KEY_DIR%\ta.key".
Without closing the command line, check the contents of the directory "C:\Program Files\OpenVPN\easy-rsa\keys": the file "ta.key" must have been created.
Enter the "build-dh" command - Diffie-Hellman parameter generation.
Without closing the command line, check the contents of the directory "C:\Program Files\OpenVPN\easy-rsa\keys": the file "dh1024.pem" should have been created.
Enter the command "build-ca" - Certificate Authority (CA) key generation. Answer all questions with the defaults by pressing Enter; we specified these parameters in "vars.bat".
Without closing the command line, check the contents of the directory "C:\Program Files\OpenVPN\easy-rsa\keys": the files "ca.crt" and "ca.key" must have been created.
Enter the command "build-key-server server" - server certificate generation.
Answer the questions Country Name, State Name, Locality Name, etc. with the defaults by pressing Enter to the very end (we specified these parameters in "vars.bat"). You will then be offered to create a certificate valid for 3650 days (we set this parameter in openssl-1.0.0.cnf): press "Y". You will be offered to write the server certificate to the database: press "Y".
Without closing the command line, check the contents of the directory "C:\Program Files\OpenVPN\easy-rsa\keys": the files "server.crt", "server.key" and "server.csr" must have been created.
Enter the "build-key revokecrt" command. This is the command for creating a user certificate, but here we create an arbitrary "revokecrt" certificate only so that we can subsequently generate the "crl.pem" file, which is used to check for revoked certificates. In principle this step can be done at the very end, or even skipped, but then we will not be able to revoke certificates and the "server.ovpn" configuration file will look different.
Answer the questions Country Name, State Name, Locality Name, etc. with the defaults by pressing Enter up to the Common Name and Name questions; these must be answered with the name of the user certificate being created, in our case the arbitrary "revokecrt". Press Enter for the remaining questions. You will then be offered to create a certificate valid for 3650 days (we set this parameter in openssl-1.0.0.cnf): press "Y". You will be offered to write the certificate to the database: press "Y".
Without closing the command line, check the contents of the directory "C:\Program Files\OpenVPN\easy-rsa\keys": the files "revokecrt.crt", "revokecrt.key" and "revokecrt.csr" must have been created.
Enter the "revoke-full revokecrt" command - it revokes the certificate and then creates the "crl.pem" file.
Without closing the command line, check the contents of the directory "C:\Program Files\OpenVPN\easy-rsa\keys": the file "crl.pem" must have been created.
Now create a user certificate in the same way as the "revokecrt" certificate above.
Enter the command "build-key user1" - this creates a user certificate with the name user1.
At this stage the work with the console is finished; you can close the window and check the contents of the directory "C:\Program Files\OpenVPN\easy-rsa\keys": the files "user1.crt", "user1.key" and "user1.csr" should have been created.
I recommend creating a "Clients" folder in any place convenient for you and copying there the files that need to be handed to the user:
1 - ca.crt
2 - user1.crt
3 - user1.key
4 - ta.key
I also want to draw your attention to the fact that the contents of the "keys" folder must not be deleted. When creating user certificates or making any changes in this folder, make a copy of the directory first, to avoid loss or accidental regeneration of the server certificates and database updates.
Copy the server files to the previously created "ssl" folder, "C:\Program Files\OpenVPN\ssl":
1 - ca.crt
2 - server.crt
3 - server.key
4 - dh1024.pem
5 - ta.key
Go to the directory "C:\Program Files\OpenVPN\config" and create the server configuration file "server.ovpn" with the following contents:
# Create a routed IP tunnel.
dev tun
# Specify the protocol for the connection.
proto udp
# Specify the port we will listen on.
port 1194
# We indicate that this is a TLS server.
tls-server
# Specify the path to the trusted (CA) certificate.
ca "C:\\Program Files\\OpenVPN\\ssl\\ca.crt"
# Specify the path to the server certificate.
cert "C:\\Program Files\\OpenVPN\\ssl\\server.crt"
# Specify the path to the server key.
key "C:\\Program Files\\OpenVPN\\ssl\\server.key"
# Specify the path to the Diffie-Hellman parameters.
dh "C:\\Program Files\\OpenVPN\\ssl\\dh1024.pem"
# Specify the tunnel network.
server 10.8.0.0 255.255.255.0
# Specify the encryption algorithm; it must be the same on client and server.
cipher AES-128-CBC
# Do not re-read key files when the tunnel is restarted.
persist-key
# Specify the path to the TLS-auth key and set the server direction parameter 0.
tls-auth "C:\\Program Files\\OpenVPN\\ssl\\ta.key" 0
# Allow clients to communicate with each other inside the tunnel.
client-to-client
# Specify the directory with per-client configuration files.
client-config-dir "C:\\Program Files\\OpenVPN\\ccd"
# Specify the file that records the addresses assigned to clients.
ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\ccd\\ipp.txt"
# Specify the revocation list used to reject revoked certificates.
crl-verify "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\crl.pem"
# Specify the path to the status log.
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"
# Specify the path to the log.
log "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
# Specify the MTU for the tunnel; the client/server parameters must be the same.
tun-mtu 1500
# Turn on compression.
comp-lzo
# Work around MTU problems.
mssfix
# Send a ping to the remote end of the tunnel after the specified number of seconds
# if no traffic has been sent through the tunnel.
# If no packets were received within 120 seconds, the tunnel is restarted.
keepalive 10 120
# Specify the logging level.
verb 3
Save.
On the server where OpenVPN will run, you need to do the following:
1 - If you use the built-in Windows Firewall, create an allow rule for incoming and outgoing connections via UDP on port 1194.
2 - In the server's services, find the OpenVPN Service and set its startup type to Automatic; this lets the service start automatically when the server reboots.
From the server's desktop, launch "OpenVPN GUI"; in the tray, double-click the "OpenVPN GUI" icon and the log window will open. If nothing happened after starting the service in step 2, click Connect in the bottom left, and if everything is ok we should see the following:
The VPN service on the server is running and ready to accept clients.
Client setup
Launch the previously downloaded openvpn-install-2.3.8-I001-x86_64 installer; leave the selection of components at the default and keep the same path.
After a successful installation, go to the directory "C:\Program Files\OpenVPN\config" and create the client configuration file "test.ovpn" with the following contents:
# Create a routed IP tunnel.
dev tun
# Specify the protocol for the connection.
proto udp
# Specify the IP address of the server and the port.
remote XXXX 1194
# Specify the delay in seconds before adding routes.
route-delay 3
# Specify that the client takes routing information from the server.
client
# We indicate that we are a TLS client.
tls-client
# Protection against MitM attacks.
ns-cert-type server
# Specify the path to the trusted (CA) certificate.
ca "C:\\Program Files\\OpenVPN\\ssl\\ca.crt"
# Specify the path to the client certificate.
cert "C:\\Program Files\\OpenVPN\\ssl\\user1.crt"
# Specify the path to the client key.
key "C:\\Program Files\\OpenVPN\\ssl\\user1.key"
# Specify the path to the TLS-auth key and set the client direction parameter 1.
tls-auth "C:\\Program Files\\OpenVPN\\ssl\\ta.key" 1
# Specify the encryption algorithm; it must be the same on client and server.
cipher AES-128-CBC
# Turn on compression.
comp-lzo
# Work around MTU problems.
mssfix
# Specify the MTU for the tunnel; the client/server parameters must be the same.
tun-mtu 1500
# If no packets were received within 60 seconds, the tunnel is restarted.
ping-restart 60
# Send a ping to the remote end of the tunnel after the specified number of seconds
# if no traffic has been sent through the tunnel.
ping 10
# Specify the logging level.
verb 3
Save.
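The article stresses several times that the cipher, tun-mtu and compression settings must match on both ends and that tls-auth uses direction 0 on the server and 1 on the client. The following added example (not part of the original article) parses a server.ovpn and a client .ovpn and reports every such mismatch; the two configs embedded below are constructed from the article's own listings.

```python
"""Cross-check an OpenVPN 2.3 server.ovpn against a client .ovpn for the
settings the article says must agree on both ends. Added example, not part of
the original article; the configs below are constructed from its listings."""

# Constructed from the article's server.ovpn and test.ovpn (only the
# options that matter for the cross-check are kept).
SERVER_OVPN = r"""
dev tun
proto udp
port 1194
tls-server
cipher AES-128-CBC
tls-auth "C:\\Program Files\\OpenVPN\\ssl\\ta.key" 0
tun-mtu 1500
comp-lzo
"""

CLIENT_OVPN = r"""
dev tun
proto udp
remote XXXX 1194
client
tls-client
ns-cert-type server
cipher AES-128-CBC
tls-auth "C:\\Program Files\\OpenVPN\\ssl\\ta.key" 1
tun-mtu 1500
comp-lzo
"""

def parse_ovpn(text):
    """Map option name -> argument list; drops blank lines and # comments.
    Plain whitespace splitting is enough here: only the last argument of
    tls-auth (the key direction) is inspected, never the quoted path."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            opts[parts[0]] = parts[1:]
    return opts

def check_pair(server_text, client_text):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = []
    for opt in ("dev", "proto", "cipher", "tun-mtu"):            # must be identical
        if s.get(opt) != c.get(opt):
            problems.append(f"{opt}: server {s.get(opt)} vs client {c.get(opt)}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):                   # both or neither
        problems.append("comp-lzo: enabled on one side only")
    remote = c.get("remote", [])
    if "port" in s and (remote[1] if len(remote) > 1 else "1194") != s["port"][0]:
        problems.append("remote: client port does not match server port")
    if "tls-auth" not in s or "tls-auth" not in c:
        problems.append("tls-auth: missing on one side")
    elif (s["tls-auth"][-1], c["tls-auth"][-1]) != ("0", "1"):  # key directions
        problems.append("tls-auth: directions must be server 0 / client 1")
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:   # MitM guard
        problems.append("client lacks ns-cert-type server / remote-cert-tls server")
    return problems

if __name__ == "__main__":
    print(check_pair(SERVER_OVPN, CLIENT_OVPN) or "configs are consistent")
```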
From the desktop, launch "OpenVPN GUI"; in the tray, double-click the "OpenVPN" icon and the log window will open. Click Connect, and if everything is ok we will see the following:
Start a ping to 10.8.0.1 and see that the network is available (10.8.0.1 is the address that the virtual network adapter received on the server).
On the server we will see the connection log:
Actually, at this stage you can stop here and everything will keep working. But I would like to add something else. To reduce the number of files on the client and add another security element (a connection password), you can do the following: at the stage of creating the user certificate on the server, run the command "build-key-pkcs12 user2" instead of "build-key user1". Everything proceeds as with the first command up to "Export Password", where you must specify a password, for example 12345. This password is in effect attached to the certificate "user2.p12": when connecting via OpenVPN, the program opens the certificate and asks for the password (knowing the password, it can be changed, removed, etc.).
In this case the kit for the user will consist of:
1 - user2.p12
2 - ta.key
The configuration file "test.ovpn" should then look as follows:
# Create a routed IP tunnel.
dev tun
# Specify the protocol for the connection.
proto udp
# Specify the IP address of the server and the port.
remote XXXX 1194
# Specify the delay in seconds before adding routes.
route-delay 3
# Specify that the client takes routing information from the server.
client
# We indicate that we are a TLS client.
tls-client
# Protection against MitM attacks.
ns-cert-type server
# Specify the path to the PKCS#12 bundle (CA certificate, client certificate and key).
pkcs12 "C:\\Program Files\\OpenVPN\\ssl\\user2.p12"
# Specify the path to the TLS-auth key and set the client direction parameter 1.
tls-auth "C:\\Program Files\\OpenVPN\\ssl\\ta.key" 1
# Specify the encryption algorithm; it must be the same on client and server.
cipher AES-128-CBC
# Turn on compression.
comp-lzo
# Work around MTU problems.
mssfix
# Specify the MTU for the tunnel; the client/server parameters must be the same.
tun-mtu 1500
# If no packets were received within 60 seconds, the tunnel is restarted.
ping-restart 60
# Send a ping to the remote end of the tunnel after the specified number of seconds
# if no traffic has been sent through the tunnel.
ping 10
# Specify the logging level.
verb 3
Save.
Try to connect and enter the password 12345.
If everything is ok, we see the following:
Well, finally, how to revoke a user certificate and, in general, how to look at the list of issued certificates. The list itself is stored at "C:\Program Files\OpenVPN\easy-rsa\keys\index.txt".
To revoke a certificate, open the command line and go to the "C:\Program Files\OpenVPN\easy-rsa" directory:
cd "C:\Program Files\OpenVPN\easy-rsa"
Enter the "vars" command and press Enter (this initializes work with the scripts). Enter the command to revoke the user certificate, "revoke-full user2" (specify the name of the user that was created earlier).
Then open "index.txt" ("C:\Program Files\OpenVPN\easy-rsa\keys\index.txt") and see that the certificate is marked as revoked, "R".
I'm not ready to say this with 100% certainty, but judging by the description, the "index.txt" file is checked every hour, so after an hour the certificate will be blocked; or just restart the service on the server.
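The index.txt file mentioned above is the OpenSSL CA database that easy-rsa maintains: one tab-separated row per issued certificate with its status (V, R or E), expiry date, revocation date, serial and subject. The following added example (not part of the original article) parses that file and lists which certificates are still valid, revoked or expired; the index.txt content embedded below is constructed to match the names generated in the article.

```python
"""Read the easy-rsa CA database (keys\\index.txt) the article uses to inspect
issued and revoked certificates. Added example, not part of the original
article; the index.txt content below is constructed, not a real CA database."""
from datetime import datetime

# Constructed sample in OpenSSL "ca" database format: status, expiry,
# revocation date (empty unless R), serial, file name, subject DN.
INDEX_TXT = "\n".join([
    "V\t250620120000Z\t\t01\tunknown\t/C=RU/ST=MO/O=OpenVPN/CN=server/emailAddress=local@mos.local",
    "R\t250620120100Z\t150622120200Z\t02\tunknown\t/C=RU/ST=MO/O=OpenVPN/CN=revokecrt/emailAddress=local@mos.local",
    "V\t250620120300Z\t\t03\tunknown\t/C=RU/ST=MO/O=OpenVPN/CN=user1/emailAddress=local@mos.local",
    "R\t250620120400Z\t150701090000Z\t04\tunknown\t/C=RU/ST=MO/O=OpenVPN/CN=user2/emailAddress=local@mos.local",
])

def _asn1_time(field):
    """YYMMDDHHMMSSZ as written by openssl ca -> naive UTC datetime."""
    return datetime.strptime(field, "%y%m%d%H%M%SZ")

def parse_index(text):
    """Return one dict per certificate row, with dates parsed and the CN extracted."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expires, revoked, serial, _fname, subject = line.split("\t")
        dn = dict(part.split("=", 1) for part in subject.strip("/").split("/"))
        entries.append({"status": status, "cn": dn["CN"], "serial": serial,
                        "expires": _asn1_time(expires),
                        "revoked": _asn1_time(revoked) if revoked else None})
    return entries

def summarize(entries, now):
    """Group CNs by their effective state at `now`. A 'V' row whose expiry has
    passed is reported as expired: openssl only rewrites it to 'E' when
    `openssl ca -updatedb` is run, so the status letter alone is not enough."""
    report = {"valid": [], "revoked": [], "expired": []}
    for e in entries:
        if e["status"] == "R":
            report["revoked"].append(e["cn"])
        elif e["status"] == "E" or e["expires"] <= now:
            report["expired"].append(e["cn"])
        else:
            report["valid"].append(e["cn"])
    return report

if __name__ == "__main__":
    for state, names in summarize(parse_index(INDEX_TXT), datetime(2015, 7, 2)).items():
        print(f"{state}: {', '.join(names) or '-'}")
```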
I also recommend running the "OpenVPN Service" under a separate account, and if users will work on the server where the VPN is deployed, be sure to remove ordinary users' rights to the "C:\Program Files\OpenVPN" directory.
Thank you all; I hope this article will help the many who faced these questions and could not find suitable answers. I have spelled things out as best I could.
Posted by: hardycumigho.blogspot.com