
This short article describes how to install the Windows OpenVPN client and connect it to a server that runs OpenVPN. More importantly, it shows how to ensure that the Windows OpenVPN client starts automatically when the computer is connected to the server running OpenVPN.

Installation

  1. Download. The downloads for open source OpenVPN clients are somewhat hidden on their website. The best option is to search for "OpenVPN community downloads" and follow the (usually first) link found. It may lead to several different webpages, but they all seem to provide the same downloads. At the time of this writing, for example, you may have ended up at https://openvpn.net/index.php/open-source/downloads.html or https://openvpn.net/index.php/download/community-downloads.html, but they both contain the same links. Follow the link that is most appropriate for your system. For example, for 64-bit Windows 10 you may want to download the file whose name contains openvpn-install-x.x.x-I601-x86_64.exe.
  2. Install. Run the downloaded file. Follow the instructions. On the "Select components to install" page MAKE SURE that OpenVPN Service, TAP Virtual Ethernet Adapter and OpenVPN GUI are selected. Some options, such as OpenVPN File Associations, OpenVPN Utilities and OpenVPN RSA Certificate Management Scripts, are optional. I usually uncheck OpenVPN File Associations as they are not needed.

If at the last step of the installation wizard you opted to start OpenVPN GUI immediately, you should see an icon in the system tray that looks like a grey monitor with an unlocked lock (this icon may be hidden in the collapsible tray by default). If you right-click the icon now, you won't see anything interesting except for the Settings and Exit menus. Neither option is useful at the moment.

Configuration

The installation directory (usually C:\Program Files\OpenVPN\) has a subfolder named config. By default, there is only one file README in the directory, which says the following:

This directory should contain OpenVPN configuration files
each having an extension .ovpn.

When OpenVPN is started as a service, a separate OpenVPN
process will be instantiated for each configuration file.

We will talk about running OpenVPN as a service later, but for now we need to create a configuration file in this directory. Start not in the subfolder config but in the subfolder sample-config: open client.ovpn there in any editor, such as Notepad. (If you did not uncheck OpenVPN File Associations during installation, double-clicking this file will open it with OpenVPN, not in Notepad; in that case right-click the file and choose the Open with... option.) You will see a list of configuration options, some of which have to be changed.

Connection settings

| Configuration option | Value | Description |
|---|---|---|
| dev | tun/tap | Choose depending on the interface used by your server, comment out the other line. |
| proto | udp/tcp | Choose depending on the protocol used by your server, comment out the other line. Note that udp is the preferable protocol, as it significantly reduces the amount of communication between the client and server. |
| remote | server port | For example, openvpn.example.com 1194. You may specify several servers to load-balance among them, for example, if you have many clients connecting to them; in this case you may also want to use the remote-random option. |

Certificates and keys

You must have the following three or four files issued by your OpenVPN server: ca.crt, client.crt, client.key, and, preferably, ta.key. If you followed my guide on the installation of OpenVPN on a VPS, you should know how to obtain these files. Copy them to a safe place on the client computer, and remember the path to use in the configuration options below.

| Configuration option | Value | Description |
|---|---|---|
| ca | `"c:\\path\\to\\ca.crt"` | Path to the server CA certificate (usually, ca.crt). Put the whole path and file name in double quotes and use `\\` instead of the usual `\`. |
| cert | `"c:\\path\\to\\client.crt"` | Path to the client certificate (for example, client.crt). Put the whole path and file name in double quotes and use `\\` instead of the usual `\`. |
| key | `"c:\\path\\to\\client.key"` | Path to the client key (for example, client.key). Put the whole path and file name in double quotes and use `\\` instead of the usual `\`. |
| tls-auth | `"c:\\path\\to\\ta.key" 1` | (optional) Path to the TLS authentication key (usually, ta.key). Put the whole path and file name in double quotes and use `\\` instead of the usual `\`. Note the 1 at the end. |

Additional options

| Configuration option | Value | Description |
|---|---|---|
| cipher | cipher_abbreviation | Make sure the cipher is set to the same value as on the server. |
| comp-lzo | | This option should also be set or commented out on both server and client. |

Once all settings are given corresponding values, use Save As to save the file to the Desktop, and then move it to the subfolder config mentioned above (on Windows 7 and later Notepad won't be able to write the file directly to the subfolder config). Once you have moved the file, OpenVPN GUI should automatically detect the new configuration file if it is already running. If it is not running, double-click the corresponding icon on the Desktop (the installation wizard should have created one for you). If, when you start OpenVPN GUI this way, it produces a message that says something about it not being able to create a registry key, exit OpenVPN GUI by right-clicking its tray icon and clicking Exit, and start it again as administrator by right-clicking the desktop icon and choosing the corresponding option. In either case, right-clicking the tray icon should now show more options. If it does not, then either you did not save the configuration file, or you moved it to the wrong place, or you renamed it so that it lost its ovpn extension, or something else is wrong. Double-check everything until you see the extra menu options.

Connecting to the server

Before you try to connect to the server, open any search engine in a browser and search for "my ip". It will show your current IP address before you get connected to the OpenVPN server.

Now, right click the OpenVPN icon in the system tray, and choose Connect. It should open up another window, showing the process of connection to the server. If everything is OK, the window should close after about 5-15 seconds, and the tray icon should turn green. You are connected!

If instead there is an error message, the best thing to do is to right click the tray icon again, and choose View Log option. This will open another window with log messages. Often these messages are very helpful. For example, if you misspelled the path to certificates and keys, it would say that those files were not found, if you used a wrong cipher, you would see corresponding messages, etc. In most cases the log provides the easiest and most useful way to resolve such issues.
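
The log check described above can also be scripted. The following PowerShell function is an added example, not part of the original article or of OpenVPN itself: it maps log lines to the configuration option to re-check, covering the wrong-path and wrong-cipher cases mentioned above and, going slightly beyond them, a comp-lzo mismatch and a TLS negotiation timeout. The function name, the rule set and the sample lines are constructed for illustration.

```powershell
# Added example: map OpenVPN client log lines to the client.ovpn option to re-check.
function Get-OpenVpnLogFinding {
    param([Parameter(Mandatory)][string[]]$Line)

    # Each rule is a regex for one log line plus an advice template;
    # $1 and $2 in the template are expanded from the regex groups by Match.Result().
    $rules = @(
        @{ Pattern = "--(ca|cert|key|tls-auth) fails with '([^']*)'"
           Advice  = 'file not found: fix the path given to "$1" ($2)' },
        @{ Pattern = "WARNING: '(cipher|comp-lzo)' is (?:used inconsistently|present in \w+ config but missing)"
           Advice  = 'client and server disagree on "$1": use the server value' },
        @{ Pattern = 'TLS key negotiation failed to occur within \d+ seconds'
           Advice  = 'no TLS handshake: check "remote" and "proto", then "tls-auth"' },
        @{ Pattern = 'Initialization Sequence Completed'
           Advice  = 'connected' }
    )
    foreach ($l in $Line) {
        foreach ($r in $rules) {
            $m = [regex]::Match($l, $r.Pattern)
            if ($m.Success) {
                [pscustomobject]@{ Finding = $m.Result($r.Advice); Line = $l }
                break   # first matching rule wins for this line
            }
        }
    }
}

# Constructed sample lines (timestamps omitted); a real log can be passed with Get-Content.
$sample = @(
    "Options error: --ca fails with 'c:\vpn\ca.crt': No such file or directory",
    "WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'",
    "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Initialization Sequence Completed"
)
Get-OpenVpnLogFinding -Line $sample | Format-List
```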

Running OpenVPN as a Windows service

To be able to connect to OpenVPN automatically, we need to run it as a service in Windows. For this, we need to make certain changes in the Windows registry. First, disconnect from your OpenVPN server if it is connected (right-click the tray icon). Then, open the Start menu and type regedit. Once the Registry Editor is open, open the following branch: HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI. You will see many parameters with values on the right. We need to make these changes:

| Parameter | Value | Description |
|---|---|---|
| allow_edit | 0 | Change this to 0 to hide connection settings from the menu: we changed and tested them already, why give any user on the computer an easy way to mess it up? |
| allow_password | 0 | Change this to 0 to hide password change from the menu. |
| allow_proxy | 0 | Change this to 0 to hide proxy settings. |
| allow_service | 1 (important) | Change this to 1 to allow the service. |
| service_only | 1 | Change this to 1 if you want to use automatic connection (through the service) only, and do not need any extra options in the menu. |
| show_balloon | 0 | Change this to 0 if you do not want to see a message every time it connects to the server. |
| show_script_window | 0 | Change this to 0 to prevent opening the window showing the process of connection to the server. |
| silent_connection | 1 | Change this to 1 to connect without any distracting messages or events. |

Close the registry, right click on the OpenVPN tray icon, and choose Exit. Then, start OpenVPN GUI again (do not start it as administrator, it is not needed now). If you now right click the tray icon, you should see options Connect, Disconnect, Reconnect, and a few others only. Try connecting, and you should probably get an error, something like Failed to open "OpenVPNService" (unless you started it as administrator again). If this happens, it is because your local Windows user (not administrator) does not have permissions to start/stop the service.

So, we need to be able to start and stop the service without administrative privileges. In the browser, search for subinacl, and follow the link "Download SubInAcl" to the microsoft.com website (it should be something like https://www.microsoft.com/en-us/download/details.aspx?id=23510). Ignore the fact that it does not list Windows 7 and above as a supported version; it will work anyway. Download and run the installation file. Follow the instructions and remember the path it was installed to.

Once subinacl is installed, open Command Prompt as Administrator (right-click the Start button and see if there is a menu item Command Prompt (Admin); if there is not, open the Start menu, type cmd, right-click Command Prompt, and choose Run as administrator). Then run the following command (ADAPT 2 THINGS ACCORDINGLY: change the path to subinacl.exe if it is different, AND change user to your Windows user name):

"C:\Program Files\Windows Resource Kits\Tools\subinacl.exe" /SERVICE "OpenVPNService" /GRANT=user=TO

Once you run it successfully (it should output 0 errors), try right clicking the OpenVPN tray icon and connecting again. It should work now!
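
Because the service itself runs with high privileges, it is worth confirming that the grant gave the user start and stop rights and nothing more. The following PowerShell function is an added example, not part of the original article, OpenVPN or subinacl: it decodes a service DACL in the SDDL form printed by sc.exe sdshow and flags non-administrative trustees that hold rights to reconfigure the service. The function name, the sample SID and both sample SDDL strings are constructed.

```powershell
# Added example: decode a service DACL (SDDL text as printed by "sc.exe sdshow")
# and flag non-administrative trustees that can do more than start/stop.
function Get-ServiceDaclFinding {
    param([Parameter(Mandatory)][string]$Sddl)

    $names = @{ RP = 'start'; WP = 'stop'; DC = 'change config'; SD = 'delete'
                WD = 'write DACL'; WO = 'take ownership'; GA = 'full control' }
    $risky  = 'DC', 'WD', 'WO', 'GA'   # rights that let the holder reconfigure the service
    $admins = 'SY', 'BA'               # LocalSystem and BUILTIN\Administrators

    # Take the ACE list that follows "D:" (optional flags first); the SACL "S:" is ignored.
    $dacl = [regex]::Match($Sddl, 'D:[A-Z]*((?:\([^)]*\))+)')
    if (-not $dacl.Success) { throw 'No DACL found in SDDL string' }
    # ACE layout: (type;flags;rights;object;inherited-object;trustee)
    $aces = [regex]::Matches($dacl.Groups[1].Value, '\(([^;]*);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)')

    foreach ($ace in $aces) {
        if ($ace.Groups[1].Value -ne 'A') { continue }   # only "allow" ACEs grant rights
        # Assumption: rights are two-letter SDDL codes, not a hexadecimal mask.
        $codes = @([regex]::Matches($ace.Groups[2].Value, '[A-Z]{2}') | ForEach-Object { $_.Value })
        $sid   = $ace.Groups[3].Value
        [pscustomobject]@{
            Trustee = $sid
            Rights  = ($codes | ForEach-Object { if ($names[$_]) { $names[$_] } else { $_ } }) -join ', '
            TooWide = [bool]($admins -notcontains $sid -and ($codes | Where-Object { $risky -contains $_ }))
        }
    }
}

# Constructed samples: the SID is made up. The first call models a start/stop-only
# grant for the user, the second a full-control grant to the same user.
$user = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
$base = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
Get-ServiceDaclFinding -Sddl ($base + "(A;;RPWP;;;$user)") | Format-Table -AutoSize
Get-ServiceDaclFinding -Sddl ($base + "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$user)") | Format-Table -AutoSize
```

On a real machine, pass the output of sc.exe sdshow OpenVPNService joined into a single string; the user's row should list only start and stop, with TooWide set to False.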

Connecting to OpenVPN automatically

Now, since OpenVPN runs as a service, all we need to run it automatically is to start the service automatically after every reboot. Open the Start menu and type services.msc. In the list find OpenVPN Service, right-click it and choose Properties. This should open a window with the service properties. Change Startup type to Automatic. This means that from now on, every time you restart your computer or reconnect to the Internet, your system will automatically connect through the OpenVPN server.

Now, try to restart your computer. You can then verify that you are connected via your OpenVPN server by checking your IP address as described above. After you reboot your computer, you should see your server IP address by default.

However, chances are, you won't see the tray icon after rebooting. This is because OpenVPN client now starts automatically and runs via OpenVPN service without starting OpenVPN GUI. To enable the GUI by default, open Start menu and choose Run (alternatively, just press Win+R). This should open the Run dialog. Type shell:startup. The command should open Explorer in the folder with links to programs that should start automatically when Windows starts (when you log in to Windows). Just copy (or move) the link to OpenVPN GUI from desktop to this folder.

Now, OpenVPN should connect to the server, and OpenVPN GUI should show the green icon every time you start Windows.