OpenVPN

OpenVPN server on Windows Server 2019

  1. Install OpenVPN and EasyRSA
  2. Open a Command Prompt as administrator
  3. cd "C:\Program Files\OpenVPN\easy-rsa"
  4. Do the following once after installation:
    1. Run: init-config.bat
    2. Change the following values in the vars.bat file:
      set DH_KEY_SIZE=2048
      set KEY_SIZE=4096
      set KEY_COUNTRY=DK
      set KEY_PROVINCE=Copenhagen
      set KEY_CITY=Copenhagen
      set KEY_ORG=esignatur
      set KEY_EMAIL=${your_email_address}
      set KEY_CN=${your_openvpn_server_hostname_FQDN}
      set KEY_NAME=MakeUnique
      set KEY_OU=esignatur
      set PKCS11_MODULE_PATH=changeme
      set PKCS11_PIN=1234
      ... the above are sample data; change them so they reflect your setup.
    3. Run: vars.bat
    4. Run: clean-all.bat
    5. Run: build-ca.bat
    6. Run: build-key-server.bat server
    7. Run: build-dh.bat
  5. Now, for every client run: build-key.bat ${ClientName}, changing ${ClientName} for each client so that every client gets its own unique certificate.
  6. When the above command asks for the Name: (after asking for the Common Name), make sure that you enter the same value as ${ClientName}
  7. If you need to add a client later on, run vars.bat before running the build-key.bat ${ClientName} command
  8. Open Windows Firewall → Advanced Settings. Add an inbound rule to allow TCP connections on port 1194
  9. Add the following server.ovpn to the OpenVPN config folder:
    # Listen on TCP/1194; must match the firewall rule in step 8 and the "remote" line in the client profiles
    port 1194
    proto tcp4
    dev tun
    # PKI material generated by easy-rsa in step 4 (dh2048.pem matches DH_KEY_SIZE=2048 in vars.bat)
    ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
    cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
    key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"
    dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"
    # VPN subnet; the server itself gets 10.8.0.1, which is the RDP gateway address used below
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\log\\ipp.txt"
    client-config-dir "C:\\Program Files\\OpenVPN\\config\\ccd"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    # Lets several clients connect at the same time with the same certificate CN. Step 5 gives every
    # client its own certificate, so this is not needed; without it a second session using the same
    # certificate replaces the first, which makes a copied client certificate easier to notice.
    duplicate-cn
    keepalive 10 120
    persist-key
    persist-tun
    status "c:\\Program Files\\OpenVPN\\log\\openvpn-status.log"
    log "c:\\Program Files\\OpenVPN\\log\\server.log"
    verb 4
  10. Launch the server


Clients

Ubuntu 18.04

  1. Install the network manager OpenVPN component: sudo apt -y install network-manager-openvpn network-manager-openvpn-gnome
  2. Open Network Settings for VPN
  3. Under Identity:
    1. Enter a Name; anything will do, as it is only for your own reference
    2. Enter the public IP address in the Gateway field; this is the address your OpenVPN server listens on
    3. Set Type to Certificates (TLS)
    4. Select the CA certificate, user certificate and user key in the relevant fields
    5. Click Advanced
      1. Under General: tick Use custom gateway port and set it to 1194, tick Use a TCP connection, and set the virtual device type to TUN
      2. Leave the rest as is
  4. Under IPv4 make sure that Use this connection only for resources on its network is checked

Windows

Place the following content in a file in c:\Program Files\OpenVPN\config. The file suffix must be .ovpn but the filename itself is up to you.

You must place the content of the CA certificate, user certificate and user key between the -----BEGIN ... and -----END ... markers (CERTIFICATE for the CA and user certificate, PRIVATE KEY for the user key).

The -----BEGIN... and -----END... lines must be kept, so copy the entire content of each file.

Replace the ${remote-server-name} placeholder with the IP address or hostname of your OpenVPN server.

client
dev tun
proto tcp
# Must match the port and protocol the server listens on (tcp4 in server.ovpn)
remote ${remote-server-name} 1194
resolv-retry infinite
# Require the peer to present a server certificate (extendedKeyUsage=serverAuth, which
# easy-rsa's build-key-server sets). This replaces the deprecated "ns-cert-type server",
# which newer OpenVPN releases no longer accept.
remote-cert-tls server
keepalive 5 10
nobind
persist-tun
persist-key
verb 3
# Each inline block must be closed with its matching end tag (</ca>, </cert>, </key>);
# a second opening tag does not close the block.
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
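As an added check that is not part of the original page, the following Python script parses a client profile of the shape shown above and reports the two defects a hand-edited copy most often has: an inline block closed with a second <ca> instead of </ca>, and the deprecated ns-cert-type directive. The hostname vpn.example.invalid and the PEM bodies are constructed placeholders.

```python
import re
# Constructed sample: this page's Windows client profile with the blocks closed correctly; PEM bodies are placeholders
GOOD = "\n".join([
    "client", "dev tun", "proto tcp", "remote vpn.example.invalid 1194",
    "resolv-retry infinite", "remote-cert-tls server", "keepalive 5 10",
    "nobind", "persist-tun", "persist-key", "verb 3",
    "<ca>", "-----BEGIN CERTIFICATE-----", "MIIB...", "-----END CERTIFICATE-----", "</ca>",
    "<cert>", "-----BEGIN CERTIFICATE-----", "MIIB...", "-----END CERTIFICATE-----", "</cert>",
    "<key>", "-----BEGIN PRIVATE KEY-----", "MIIE...", "-----END PRIVATE KEY-----", "</key>",
])
# Same profile with each block "closed" by a second opening tag, plus the deprecated ns-cert-type
BAD = re.sub(r"</(ca|cert|key)>", r"<\1>", GOOD).replace("remote-cert-tls", "ns-cert-type")

TAG_RE = re.compile(r"<(/?)([a-z-]+)>")
def parse_ovpn(text):
    """Return (directives, blocks); raises ValueError if a <tag> is not closed by </tag>."""
    directives, blocks, open_tag, body = [], {}, None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line, m = raw.strip(), TAG_RE.fullmatch(raw.strip())
        if open_tag is None:
            if m and not m.group(1):                # opening tag such as <ca>
                open_tag, body = m.group(2), []
            elif line and line[0] not in "#;":      # ordinary directive, comments skipped
                directives.append(line.split())
        elif m and m.group(1) and m.group(2) == open_tag:   # matching </tag>
            blocks[open_tag] = "\n".join(body)
            open_tag = None
        elif m:                                     # e.g. <ca> ... <ca>: not a close
            raise ValueError(f"line {n}: <{open_tag}> not closed before {line}")
        else:
            body.append(line)
    if open_tag is not None:
        raise ValueError(f"<{open_tag}> block never closed")
    return directives, blocks

def lint_ovpn(text):
    """Findings for the client profile on this page; an empty list means clean."""
    try:
        directives, blocks = parse_ovpn(text)
    except ValueError as e:
        return [str(e)]
    findings = []
    for tag in ("ca", "cert", "key"):
        body = blocks.get(tag, "")
        if not (body.startswith("-----BEGIN ") and body.endswith("-----")):
            findings.append(f"<{tag}> missing or lacks PEM BEGIN/END markers")
    if any(d[0] == "ns-cert-type" for d in directives):
        findings.append("ns-cert-type is deprecated; use remote-cert-tls server")
    return findings
```

Run lint_ovpn on the text of your .ovpn file before copying it to the config folder; for the profile as first written on this page it reports the unclosed <ca> block.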


RDP

The RDP gateway is 10.8.0.1 (this is the server IP on the other end of the OpenVPN tunnel)


Advanced Settings

Once the server and at least one client are set up so that traffic flows, you should really change the Remote Desktop Shadow and Remote Desktop User Mode rules for both TCP and UDP connections so that:

... that way, only RDP connections coming in via OpenVPN are allowed.

Before changing this, make sure that you have a Plan B if anything goes wrong. If it breaks, you will lose connectivity to the server. So only do this on a pretty virgin server which is easy to re-install :-/