Connect OpenVPN on Windows startup.: Difference between revisions

From munkjensen.net/wiki
Jump to navigation Jump to search
Created page with "This is a copy of the answer given [https://superuser.com/a/1166051 here]. ''The best way is to install OpenVPN service when you install the client. Then run the following..."
 
No edit summary
Line 4: Line 4:


''The best way is to install OpenVPN service when you install the client.
''The best way is to install OpenVPN service when you install the client.
Then run the following command to show the services management console:
Then run the following command to show the services management console:
 
<code>services.msc</code>
services.msc
 
There, search for OpenVPN Service, right-click->Properties and set startup type to "automatic".
There, search for OpenVPN Service, right-click->Properties and set startup type to "automatic".
The OpenVPN service will look into the config directory and connect to every VPN profile that is stored here.
The OpenVPN service will look into the config directory and connect to every VPN profile that is stored here.
IMPORTANT: In linux, config files must have .conf extension. I'm not sure if this is required in Windows or if it uses .ovpn with the serice
IMPORTANT: In linux, config files must have .conf extension. I'm not sure if this is required in Windows or if it uses .ovpn with the serice
If using services is not an option, you can add the following parameters to the executable so it will automatically connect to myprofile.ovpn:
If using services is not an option, you can add the following parameters to the executable so it will automatically connect to myprofile.ovpn:
 
<code>--connect "myprofile.ovpn"</code>
--connect "myprofile.ovpn"
 
It will connect to .\config\myprofile.ovpn automatically on startup, and show the classic GUI icon.
It will connect to .\config\myprofile.ovpn automatically on startup, and show the classic GUI icon.
You can then place this shortcut in the classic startup folder.
You can then place this shortcut in the classic startup folder.
The All Users Startup Folder is located at the following path:
The All Users Startup Folder is located at the following path:
 
<code>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</code>
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
 
The Current User Startup Folder is located here:
The Current User Startup Folder is located here:
 
<code>C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</code>
C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
 
I dont know how to avoid the user to connect to the Internet before the VPN is set. The only way I can figure out if through Windows Firewall, and I'm not an expert on that subject. If you want to avoid a poweruser to be able to get to the Internet you need a firewall in your gateway to avoid so, or strong group policies to avoid privilege scalation.
I dont know how to avoid the user to connect to the Internet before the VPN is set. The only way I can figure out if through Windows Firewall, and I'm not an expert on that subject. If you want to avoid a poweruser to be able to get to the Internet you need a firewall in your gateway to avoid so, or strong group policies to avoid privilege scalation.


For a normal user, you can configure the Windows client machine without a default gateway. Set a persistent static route to the VPN server on Windows clients using the following command (-P makes it persistent):
For a normal user, you can configure the Windows client machine without a default gateway. Set a persistent static route to the VPN server on Windows clients using the following command (-P makes it persistent):


route -P add <target> mask <netmask> <gateway IP> metric <metric cost> if <interface>
<code>route -P add <target> mask <netmask> <gateway IP> metric <metric cost> if <interface></code>


Roues in Windows are stored under the following registry key:
Roues in Windows are stored under the following registry key:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes
<code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes</code>


At this point a disconnected client only has access to the VPN server. Then you can add the following lines in the VPN server configuration file to add routes on clients when they connect:
At this point a disconnected client only has access to the VPN server. Then you can add the following lines in the VPN server configuration file to add routes on clients when they connect:
Line 45: Line 31:
To configure the VPN server as the default gateway:
To configure the VPN server as the default gateway:


push "redirect-gateway def1 bypass-dhcp"
<code>push "redirect-gateway def1 bypass-dhcp"</code>


To add an specific route through the VPN Server:
To add an specific route through the VPN Server:


push "route 192.168.1.0 255.255.255.0"
<code>push "route 192.168.1.0 255.255.255.0"</code>


Sometimes route pushing doesnt work on Windows. When this happens to me, I completly uninstall OpenVPN and it's interfaces from Windows, restart system and install the latest version of the software. Then, before stablishing the first connection, I restart Windows. This has allways solved the issues, however, Windows 10 Anniversary update (1607) is buggy with OpenVPN. There's a link to a deeper discussion in OpenVPN forums:
Sometimes route pushing doesnt work on Windows. When this happens to me, I completly uninstall OpenVPN and it's interfaces from Windows, restart system and install the latest version of the software. Then, before stablishing the first connection, I restart Windows. This has allways solved the issues, however, Windows 10 Anniversary update (1607) is buggy with OpenVPN. There's a link to a deeper discussion in OpenVPN forums:

Revision as of 09:38, 23 June 2017

This is a copy of the answer given here.


The best way is to install OpenVPN service when you install the client. Then run the following command to show the services management console: services.msc There, search for OpenVPN Service, right-click->Properties and set startup type to "automatic". The OpenVPN service will look into the config directory and connect to every VPN profile that is stored here. IMPORTANT: In linux, config files must have .conf extension. I'm not sure if this is required in Windows or if it uses .ovpn with the serice If using services is not an option, you can add the following parameters to the executable so it will automatically connect to myprofile.ovpn: --connect "myprofile.ovpn" It will connect to .\config\myprofile.ovpn automatically on startup, and show the classic GUI icon. You can then place this shortcut in the classic startup folder. The All Users Startup Folder is located at the following path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp The Current User Startup Folder is located here: C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup I dont know how to avoid the user to connect to the Internet before the VPN is set. The only way I can figure out if through Windows Firewall, and I'm not an expert on that subject. If you want to avoid a poweruser to be able to get to the Internet you need a firewall in your gateway to avoid so, or strong group policies to avoid privilege scalation.

For a normal user, you can configure the Windows client machine without a default gateway. Set a persistent static route to the VPN server on Windows clients using the following command (-P makes it persistent):

route -P add <target> mask <netmask> <gateway IP> metric <metric cost> if <interface>

Roues in Windows are stored under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes

At this point a disconnected client only has access to the VPN server. Then you can add the following lines in the VPN server configuration file to add routes on clients when they connect:

To configure the VPN server as the default gateway:

push "redirect-gateway def1 bypass-dhcp"

To add an specific route through the VPN Server:

push "route 192.168.1.0 255.255.255.0"

Sometimes route pushing doesnt work on Windows. When this happens to me, I completly uninstall OpenVPN and it's interfaces from Windows, restart system and install the latest version of the software. Then, before stablishing the first connection, I restart Windows. This has allways solved the issues, however, Windows 10 Anniversary update (1607) is buggy with OpenVPN. There's a link to a deeper discussion in OpenVPN forums:

Connection problems with Windows 10 anniversary update

Keep that in mind when you setup your Windows 10 OpenVPN clients.