OpenVPN Client


  1. OpenVPN Client
    1. OpenVPN client for Windows
      1. Configuration
      2. Usage
    2. OpenVPN client for Linux
    3. Troubleshooting
  2. Accessing Facilities on the Office Network
    1. Using A Web Browser
    2. Using a workstation in the office via VNC
  3. Administrator's Questions For Users

OpenVPN Client

OpenVPN Client for Windows


Uninstall the old OpenVPN-GUI 1.0.3 if it's already installed in %PROGRAMFILES%\OpenVPN\ (...bin\openvpn-gui-1.0.3.exe and ...driver\tap0901.sys)

Go to and download the most recent Windows installer. As of this writing that is version 2.3.4. This includes OpenVPN and the 'OpenVPN GUI for Windows' (originally from

The installer takes the form OpenVPN 2.3.4-I002. The Ixxx versions fix Windows-specific issues, such as issues with the software bundled only with the Windows version of OpenVPN; for example with 2.3.3-I001 that is:


Whilst logged in as an administrator, install OpenVPN with the default installation options.


Shortcuts are installed per-user so you may need to alter this, either putting them in All Users or giving each user a copy. We deal with amendments to shortcuts later.

System Clocks

System clocks between the VPN client and the VPN server need to be synchronised, so make sure your system time is set correctly by syncing with a time server:

Software / Personal Firewalls

If you're using Windows XP and the Windows firewall is turned on it will prompt you and you should choose to unblock OpenVPN.

Similarly other personal firewalls, such as ZoneAlarm, should prompt you to unblock OpenVPN.

Setup the VPN Connection

The Required Files

pfSense 1.x requires the certificate and key files be created using a separate program on another computer (for which I use TinyCA2). pfSense 2.x has its own facility for creating these files but I haven't extensively used this feature yet. "Any X509 key management system can be used or PKCS#12".

You should have one of the following:

OpenVPN Configuration File

If you already have the <certificate-name>.ovpn file, copy it to %PROGRAMFILES%\OpenVPN\config\. The option to use this VPN will now appear in the OpenVPN menu in the Windows notification area (AKA system tray), using either the 'Connect' option if you have only the one VPN connection configured, or by name if you have more than one.

If you don't already have the <certificate-name>.ovpn file then use this template to create one and save it in %PROGRAMFILES%\OpenVPN\config\. You'll need to at least change the settings for 'remote' and 'pkcs12' (or 'ca', 'cert' and 'key' in place of pkcs12 if your certificates are in separate files). Any spaces in the path to the certificates need to be in quotes, backslashes need to be double backslashes. This example uses the default location for certificates and keys in the Program Files directory, rather than in the certificate store, so you may also have to change that if you're instead using the certificate store (see later).

# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote <IP address or reverse DNS entry of remote host> 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
#ca "C:\\Program Files\\OpenVPN\\config\\<CA certificate>.pem"
#cert "C:\\Program Files\\OpenVPN\\config\\<client certificate>.pem"
#key "C:\\Program Files\\OpenVPN\\config\\<client key>.pem"
pkcs12  "C:\\Program Files\\OpenVPN\\config\\<PKCS12 file>.p12"

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
# (Newer OpenVPN releases prefer the equivalent
# 'remote-cert-tls server', which checks the
# X.509 extended key usage instead of nsCertType.)
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

(See and
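The template above is easy to get subtly wrong: a path with spaces left unquoted, single backslashes inside the quotes, both 'pkcs12' and 'cert'/'key' left in, or the server-certificate check dropped (without 'ns-cert-type server' or 'remote-cert-tls server' the client will accept any certificate issued by the same CA, including another client's, as the server). The following POSIX shell function is an added example, not part of the original page or of OpenVPN itself; it lints a client .ovpn file for exactly those points. The file names it is run against are whatever you pass in; the ones used in testing are constructed.

```shell
#!/bin/sh
# Added example: lint a client .ovpn for the mistakes discussed on this page.
# Exit status 0 = no findings, 1 = one or more WARN lines printed.
check_ovpn() {
    awk '
        # Lines starting with ";" or "#" are comments in OpenVPN config files.
        /^[[:space:]]*[;#]/ { next }
        NF == 0 { next }
        { seen[$1]++ }

        # Credential file paths: must be quoted if they contain spaces, and on
        # Windows every backslash inside the quotes must be doubled.
        $1 ~ /^(ca|cert|key|pkcs12)$/ {
            rest = $0
            sub(/^[[:space:]]*[a-z0-9]+[[:space:]]+/, "", rest)
            if (rest ~ / / && substr(rest, 1, 1) != "\"") {
                print "WARN: " $1 " path contains spaces but is not quoted"; bad++
            }
            if (rest ~ /(^|[^\\])\\([^\\]|$)/) {
                print "WARN: " $1 " path uses single backslashes; write them as \\\\"; bad++
            }
        }

        # Either form makes the client insist that the peer presents a *server* certificate.
        ($1 == "ns-cert-type" || $1 == "remote-cert-tls") && $2 == "server" { servercheck = 1 }

        END {
            if (!seen["client"]) { print "WARN: missing client directive"; bad++ }
            if (!seen["remote"]) { print "WARN: missing remote directive"; bad++ }
            if (seen["pkcs12"] && (seen["cert"] || seen["key"])) {
                print "WARN: both pkcs12 and cert/key present; remove one"; bad++
            }
            if (!seen["pkcs12"] && !seen["cryptoapicert"] && !(seen["ca"] && seen["cert"] && seen["key"])) {
                print "WARN: no client credentials (pkcs12, ca/cert/key, or cryptoapicert)"; bad++
            }
            if (!servercheck) {
                print "WARN: no server certificate check (ns-cert-type server or remote-cert-tls server)"; bad++
            }
            if (bad) exit 1
            exit 0
        }
    ' "$1"
}

# Usage: sh check-ovpn.sh <file>.ovpn
if [ -n "${1:-}" ]; then
    check_ovpn "$1"
fi
```

Run it against the file you saved in %PROGRAMFILES%\OpenVPN\config\ (from the Linux client, or from a POSIX shell on Windows) before the first connection attempt; it prints nothing and exits 0 when the file passes.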

Configure OpenVPN before using on Windows 7

On Windows 7, when you run the 'OpenVPN GUI' desktop shortcut with OpenVPN 2.3 it says "Error while creating HKLM\SOFTWARE\OpenVPN-GUI key". See The fix is to "Run the GUI as Administrator once. It will be able to create the keys then. ... You mean the actual Administrator? I was running it as a user with Admin privs. ... Yes, the admin group alone won't do the trick as long as you have UAC enabled.". Right-click on the shortcut and choose 'Run as administrator'.

The Certificate and Key Files

Now put the certificate and key (.p12 or .pem) files in the location you specified in the .ovpn file. Either the certificates and keys can be stored so that there is one set for all users on this workstation, or there can be a set for each user.

One Certificate For All Users

OpenVPN defaults to expecting the certificate and key files in %PROGRAMFILES%\OpenVPN\config\. If you put them there and specify the names of the files in the .ovpn configuration file without any directory name (for example 'pkcs12 <package-name>.p12', or 'ca ca-cert.pem', 'cert client-cert.pem' and 'key client-key.pem') then everything should now work. The disadvantage of this is that this certificate will be used by everyone who uses this workstation, rather than being user-specific, which may be OK for some situations and not OK for others.

You can now test that it works. If you're not logged in as an actual administrator, but are in an administrators group, then you'll need to right-click on the shortcut and choose 'Run as administrator' ("Windows does not provide a WHQL-approved method to allow the TAP-Win32 driver to make its virtual device node accessible from a non-admin account. OpenVPN needs the ability to add routes to the system routing table. This requires admin privileges."). You should be prompted for the Key Password.

A Certificate For Each User (I don't currently use this method)

If you instead want to keep the certificates and key files somewhere user-specific, you need to specify that in the .ovpn configuration file.

The files can either be located in a user's home directory, or in the Windows certificate store.

User's Home Directory

TODO... This only makes sense if either a generic location can be specified in the .ovpn file in the Program Files directory that will resolve to each user's Windows profile directory (which I don't know how to do, for example "~\\..." doesn't work); or, if OpenVPN can be configured to look in a user's home directory for user-specific .ovpn files (again, I don't know how to do this).

Certificate Store

"Microsoft Windows, from 2000 forward (except ME) offers secure certificate and private storage at the OS level in what is called a protected store. Offline, it's encrypted by a combination of the user's password and a session key stored on the filesystem. When the OS is running, the private keys stored are available to the logged in user, optionally encrypted with another password. The keys are stored in protected memory, so no applications can access them without going through the Microsoft CAPI calls. This code also is FIPS 140-1 level 1 (the best one can get for software cryptography modules) compliant." -

THIS IS DESCRIBED A LITTLE FURTHER ON, and there's another method hinted at in the next section's 'to-do' list.

Allow Non-Administrators to Use the VPN

Typically, to use the VPN your Windows user account must be an administrator. Running the computer as an administrator, especially when using Internet software, is inherently insecure. When using the VPN we need the computer to be as secure as possible as it will be directly connected to the remote intranet - there won't be any firewalling software to protect the workstations and servers on that network. So running the VPN as an administrator isn't advised. However the next steps will configure the system to allow non-administrators to use the VPN software.

These were used as references but they're incomplete:

Other documents that were used to learn this are also referenced but each only provides some of the steps required to set this up and many have parts with the wrong advice.

You need to be an administrator the first time you run OpenVPN so that it can create its registry keys. After that you don't need to be an administrator just to launch the program; OpenVPN itself still needs administrator rights to bring the tunnel up (it must open the TAP device and add routes), which the following steps work around.

Unzip the certificate package.

RunAs Method (I currently use this method)

By default the OpenVPN software runs as a regular interactive program, not as a service. In Windows 7 you can right-click on the shortcut and choose 'Run as administrator'. To use it whilst logged in as a regular / limited / standard user you will instead want to enable it to RunAs an administrator.

RunAs here needs to use the credentials of an actual administrator, not just someone in the administrators group.

"Keep in mind that by using this feature you are potentially giving your users a way to escalate their privileges to administrator rights. If your main reason for not running as administrator is to protect against malicious code on the web from executing with administrator rights in your computer, then this could be a good way to run OpenVPN, but if your users under no circumstances should be able to run other applications as administrator, you should NOT use this way to run OpenVPN either!"

Create an All Users shortcut with the following properties:

This is enough to now use the OpenVPN Client.


See for other methods such as a desktop shortcut.

Service Method (I don't currently use this method)

This is quite a lot of configuration. You need to use the 'Run-As Method' above, then the following:

Configure OpenVPN To Instead Run As A Service


Change the OpenVPN GUI to Instead Control the OpenVPN Service


Set the following (REG_SZ) registry values in HKEY_LOCAL_MACHINE\Software\OpenVPN-GUI\:

These are possibly also useful:

Give a restricted / limited user the right to control (start/stop/restart) the OpenVPN Service

"Normally starting and stopping a service requires administrator privileges, but you can assign a normal user the right to control an individual service. You do this with the subinacl.exe utility included in the Windows Resource Kit. You can also download it here:"

Install subinacl.

To give a user the right to start and stop the OpenVPN service, log on as administrator and run the following command:
%PROGRAMFILES%\Windows Resource Kits\Tools\SubInAcl.exe /SERVICE "OpenVPNService" /GRANT=<username>=TO

"You can also give a user the right to control a service through the use of Group Policies." See Microsoft Knowledge Base article 288129.

Storing Your Client Certificate Package in Windows' Certificate Store

"Another important issue is that the [OpenVPN] service can't handle password-protected keys [it has no means of passing back the request for the password to the logged in user]; the [password protected] key has to be stored in the Microsoft certificate store and the configuration file has to be changed accordingly. The [Windows] certificate store requires [the certificate as] a PKCS12 file [which is the form we have it in], which must be ... imported into the local machine's certificate store. It's very important to use the local machine's store, as this is the only location that the service can access." -

"Remember that the [OpenVPN] service is running as "Local System" (by default) so you must import the key/cert into the System account, not your user account" -

Login to Windows as an administrator (or Power User?).

Run the Microsoft Management Console (MMC): Start → Run... → mmc → OK

Add the Certificates snap-in to the MMC. From (which is mostly applicable to our situation but not completely - ignore the adding of the 'IP Security Policy Management'): File → Add/Remove Snap-in... → Add → Certificates → Add → Computer account → Next → Local computer → Finish → Close → OK (If you weren't an administrator you wouldn't be prompted for 'My user account / Service account / computer account')

Import your PKCS12 client certificate file. Console Root → Certificates (Local Computer) → select Personal → Action → All Tasks → Import... → Next → Browse → find where your .p12 certificate is → Files of type: Personal Information Exchange (*.pfx,*.p12) → choose the file → OK → Next → enter the associated password/passphrase → choose 'Automatically select the certificate store based on the type of certificate' → Next → Finish. The certificate will be added to 'Certificates' below 'Personal'.
(what about 'Mark this key as exportable. This will allow you to back up or transport your keys at a later time'?). Two certificates will appear: '<organisation> CA', the CA Root certificate, and <VPN user's name> - the particular user's certificate.

(By 'Personal' it doesn't seem to mean that you have to do this for the specific user)

Get the thumbprint for later (a unique identifier for the key). In the MMC, double-click on the certificate → Details → Thumbprint. -

Extract the Root Certificate From Your PKCS12 File

(I think this is possible on Windows but I've not tried it, I've used Linux)

Issue the command:
openssl pkcs12 -in <client-cacert>.p12 -nokeys -cacerts -out <organisation>-root-ca.crt
You get asked "Enter Import Password:" and if it worked get "MAC verified OK". - From

(Or could we get it from the .zip file?)

Save the resulting certificate (<organisation>-root-ca.crt), which doesn't need to remain secret, somewhere on the workstation [where? C:\Documents and Settings\<user who'll use the VPN>?]

Configure OpenVPN to use the Windows Certificate Store for the Client Certificate and Key

Note: all OpenVPN config is per-machine, not per-user.

"In the configuration file, the lines for 'pkcs12' or 'cert' and 'key' have to be replaced with: cryptoapicert "THUMB:<your thumbprint>"

The thumbprint is a unique identifier for the key and can be found on the Details page if the key is opened in the MMC." -

Remove any 'pkcs12' and/or 'cert' and 'key' line(s) from the beginning of the OpenVPN configuration file.
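The three manual steps above (extract the root CA from the .p12 with openssl, read the thumbprint off the MMC 'Details' tab, and write the cryptoapicert line) can be done from the Linux box in one go, which also avoids mistyping 40 hex digits. The script below is an added example, not the page's own commands or pfSense's; it assumes only the openssl command-line tool. Because a real client package is not available here, make_demo_pkcs12 builds a throwaway CA and client certificate (constructed for the demo, not the organisation's) and bundles them the way pfSense does; the remaining functions work on any such .p12. As well as extracting the CA, verify_chain confirms that the extracted CA really is the issuer of the client certificate, so you know the right file ended up in the 'ca' line.

```shell
#!/bin/sh
# Added example (not the page's own commands). Requires the openssl CLI.

# make_demo_pkcs12 DIR PASSWORD
# Builds a throwaway CA and client certificate and bundles them as DIR/client.p12.
# Stands in for the pfSense-issued package; constructed for the demo only.
make_demo_pkcs12() {
    dir=$1; pw=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Org CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpnuser" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/client.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -certfile "$dir/ca.crt" -name vpnuser -out "$dir/client.p12" -passout "pass:$pw"
}

# extract_root_ca P12 PASSWORD OUT_CRT
# The page's extraction step, non-interactive: CA certificates only, no keys.
extract_root_ca() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$3"
}

# extract_client_cert P12 PASSWORD OUT_CRT
# The client's own certificate (the one whose thumbprint cryptoapicert needs).
extract_client_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3"
}

# cert_thumbprint CRT
# SHA-1 fingerprint as the MMC 'Thumbprint' field shows it: lowercase hex, no separators.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# verify_chain CA_CRT CLIENT_CRT
# Confirms the CA extracted from the package is the issuer of the client certificate.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cryptoapicert_line CLIENT_CRT
# Emits the config line that replaces 'pkcs12' (or 'cert' + 'key') once the key is in the
# Windows certificate store; hex pairs separated by spaces, as in the OpenVPN manual.
cryptoapicert_line() {
    t=$(cert_thumbprint "$1" | sed -e 's/../& /g' -e 's/ $//')
    printf 'cryptoapicert "THUMB:%s"\n' "$t"
}

# demo: the whole flow in a temporary directory
demo() {
    d=$(mktemp -d)
    make_demo_pkcs12 "$d" demo-password
    extract_root_ca "$d/client.p12" demo-password "$d/root-ca.crt"
    extract_client_cert "$d/client.p12" demo-password "$d/user.crt"
    verify_chain "$d/root-ca.crt" "$d/user.crt" && echo "client certificate chains to extracted CA"
    echo "ca line: ca \"$d/root-ca.crt\""
    cryptoapicert_line "$d/user.crt"
    rm -rf "$d"
}

# Usage: sh p12-tools.sh demo
if [ "${1:-}" = demo ]; then
    demo
fi
```

For a real package, prefer typing the import password at the prompt as the page does rather than passing it with -passin pass:, since command-line arguments are visible to other local users in the process list. The extracted root-ca.crt contains no private key (that stays in the .p12 / certificate store), which is why it can sit on disk unprotected for the 'ca' line.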

Configure OpenVPN with the Name and Location of the CA Certificate

Despite the CA file going into the Windows Certificate Store it doesn't appear that OpenVPN will use it from there (TODO: check this). Instead the OpenVPN configuration file needs to have the name and location of the CA certificate on disk using the setting ca "<name and location of .crt file>", for example ca "c:\\Documents and Settings\\<user you're running it as>\\<organisation>-ca.crt".

If you don't do this you get the error "Options error: You must define CA file (--ca)", a "Certificate authority file in .pem format containing root certificate".

"I'm not sure why we need this when the CA stack should be available from the Microsoft CryptoAPI" -

To Do

Learn the pre- and post-connect script configuration so I can create drive mappings to mirror my netlogon.bat:
"If a batch file named xxx_pre.bat exists in the config folder, where xxx is the same name as an OpenVPN config file, this will be executed before OpenVPN is launched. If a batch file named xxx_down.bat exists in the config folder, where xxx is the same name as an OpenVPN config file, this will be executed on disconnect, but before the OpenVPN tunnel is closed. Registry value "show_script_window" controls whether _up, _down and _pre scripts should execute in the background or in a visible cmd-line window. Registry value "[pre/dis]connectscript_timeout" controls how long to wait for each script to finish."

There's a patched version of OpenVPN GUI for non-admin use at but it is an older version.


--allow-nonadmin [TAP-adapter] - (Standalone) Set TAP-adapter to allow access from non-administrative accounts. If TAP-adapter is omitted, all TAP adapters on the system will be configured to allow non-admin access. The non-admin access setting will only persist for the length of time that the TAP-Win32 device object and driver remain loaded, and will need to be re-enabled after a reboot, or if the driver is unloaded and reloaded. This directive can only be used by an administrator.


For users with a Windows administrator account
For users with a Windows Limited / Restricted or Power User account

Right-click on the notification area icon and choose Connect | Disconnect | Reconnect. If you've connected successfully you should see at the end of the log file 'initialization sequence completed'.

OpenVPN client for Linux

Using NetworkManager

In Debian and Ubuntu, install the package 'network-manager-openvpn-gnome'.

Extract the contents of the .zip file that came from pfSense (i.e. firewall-udp-1194-<pfSense username>.zip), revealing a .ovpn configuration file (i.e. firewall-udp-1194-<pfSense username>.ovpn) and a .p12 file containing certificates and key (i.e. firewall-udp-1194-<pfSense username>.p12).

Copy these files somewhere that you are happy for them to remain, either on the PC's internal drive, or on a USB flash drive.

Select the notification area in the top right of the screen → VPN → Network settings → + → Import from file, then navigate to your .ovpn configuration file.

Name: give it any name you like to indicate the name of the network you will VPN into
Gateway: you will likely be given pfSense's address on the local area network you will VPN into, but you instead need to use the external, Internet facing, public IP address of the network you will VPN into (which you can get by Googling for "IP" whilst inside that network).
Type: Password with Certificates (TLS)
User name: name used for this person's account in pfSense
Password: password as used for this person's account in pfSense (may be saved in the keyring, which you'll be prompted to allow access to the first time you use it). You have to re-enter this password each time you go into this VPN configuration section.

The following are filled in automatically (though may need to be changed to point to the location of your .p12 file):
User Certificate: the client certificate in .p12 format - firewall-udp-1194-<pfSense username>.p12
CA Certificate: the CA certificate in .p12 format - firewall-udp-1194-<pfSense username>.p12
Private Key: the client key in .p12 format - firewall-udp-1194-<pfSense username>.p12

Private Key Password: same password as used for this person's account in pfSense. You have to re-enter this password each time you go into this VPN configuration section.


So that Internet access continues to work when you have IP addresses clashing between the remote network and the local network: IPv4 → Routes... → Use this connection only for resources on its network

Using the Command-Line

In Debian or Ubuntu install the package 'openvpn'.

This assumes you have the CA certificate, client certificate and key in a .p12 package. I haven't tried command-line access using PEM format certificates and keys.

Setup the tunnel:
# openvpn --dev tun0 --mktun

# openvpn --remote <IP address or hostname of VPN server> --dev tun0 --pkcs12 <filename of certificate>.p12 --client --comp-lzo --tun-mtu 1400

Available options:
--ca file
--dh file [do we need to specify this?]
--cert file
--key file
--pkcs12 file - specify a PKCS#12 file containing local private key, local certificate, and root CA certificate. This option can be used instead of --ca, --cert, and --key.

(Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server')

(keysize 128 - is this the 'Cryptography: BF-CBC (128-bit)'?)

(key-method 2)


The addressing scheme of the local intranet your computer is initially connected to (i.e. or could clash with that of the remote intranet or, less likely, the remote VPN network ( I think that even if they do, this is only a problem if there is a specific IP address clash, such as a device / computer on the local intranet having the same IP address as the device / computer you're trying to connect to.

Firefox: you might get the message "The connection has timed out. Server at taking too long to respond". You'll still have Internet access but is the VPN connection up and running? Hopefully you can find this out by looking at the OpenVPN log. Another way is to go to the command-line or terminal (Start → Run → cmd [Enter] in Windows) and enter "ping" (your IP address may differ). See if you get a positive response, such as: '64 bytes from icmp_seq=3 ttl=240 time=113 ms' or a negative response, such as: 'Destination Host Unreachable'.

"You get the Initialization Sequence Completed message but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface.

Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to Windows Security Center → Windows Firewall → Advanced and unchecking the box which corresponds to the TAP-Win32 adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below)."

To solve some issues it can be helpful to refresh the TAP Windows interface using Programs → TAP-Windows → Utilities →
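The troubleshooting above boils down to reading the log for a handful of messages: 'Initialization Sequence Completed' means the tunnel is up (so a failed ping afterwards points at a firewall on the TUN/TAP interface, as quoted), while "Options error: You must define CA file (--ca)" means the config is wrong before any connection is attempted. The shell script below is an added example, not from the page or the OpenVPN project; it classifies a client log by its last diagnostic message and can wait for the tunnel before you mount shares or start VNC. Besides the two messages the page quotes it recognises OpenVPN's standard 'TLS Error:' and 'AUTH_FAILED' lines. The sample logs it writes are constructed in the style of 'verb 3' output; the timestamps and addresses are placeholders, not captured from a real session.

```shell
#!/bin/sh
# Added example: decide from an OpenVPN client log whether the tunnel came up, and if not, why.

# vpn_status_from_log LOGFILE
# Prints one of: connected, ca-missing, auth-failed, tls-failed, verify-failed, unknown.
# The last diagnostic message in the file wins, so a reconnect that succeeds after an
# earlier TLS timeout still reports 'connected'.
vpn_status_from_log() {
    awk '
        /Initialization Sequence Completed/      { status = "connected" }
        /Options error: You must define CA file/ { status = "ca-missing" }
        /AUTH_FAILED/                            { status = "auth-failed" }
        /TLS Error:/                             { status = "tls-failed" }
        /VERIFY ERROR/                           { status = "verify-failed" }
        END { if (status == "") status = "unknown"; print status }
    ' "$1"
}

# wait_for_vpn LOGFILE SECONDS
# Polls the log until the completion message appears; returns 0 on success, 1 on timeout.
# Intended for use after 'openvpn --daemon --log LOGFILE ...' on the Linux client.
wait_for_vpn() {
    log=$1; n=$2
    while [ "$n" -gt 0 ]; do
        [ -f "$log" ] && grep -q 'Initialization Sequence Completed' "$log" && return 0
        sleep 1
        n=$((n - 1))
    done
    return 1
}

# write_sample_logs DIR
# Constructed sample logs for trying the classifier offline (placeholders, not real output).
write_sample_logs() {
    dir=$1
    cat > "$dir/ok.log" <<'EOF'
Wed Jan  1 10:00:00 2014 UDPv4 link remote: [AF_INET]203.0.113.1:1194
Wed Jan  1 10:01:00 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jan  1 10:01:02 2014 [server] Peer Connection Initiated with [AF_INET]203.0.113.1:1194
Wed Jan  1 10:01:04 2014 Initialization Sequence Completed
EOF
    cat > "$dir/noca.log" <<'EOF'
Options error: You must define CA file (--ca)
Use --help for more information.
EOF
    cat > "$dir/auth.log" <<'EOF'
Wed Jan  1 10:00:00 2014 UDPv4 link remote: [AF_INET]203.0.113.1:1194
Wed Jan  1 10:00:02 2014 AUTH: Received control message: AUTH_FAILED
EOF
}

# Usage: sh vpn-log.sh <logfile>   (prints the classification)
if [ -n "${1:-}" ]; then
    vpn_status_from_log "$1"
fi
```

On Windows the equivalent file is the one the GUI shows under 'View Log'; on Linux pass the file named by --log. A 'connected' result followed by a failing ping is the firewall case the quoted paragraph describes, whereas 'tls-failed' with nothing after it usually means UDP 1194 never reached the server at all.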

Accessing Facilities on the Office Network

Connect to a Share on a Windows Server

Using Debian

You need to have the Debian package "smbclient" installed for this.

Open the file manager.

Select "+ Other Locations" in the bottom of the left hand pane.

In the "Connect to Server" portion at the very bottom of the screen, enter smb://server or smb://<IP address of server>.

You should see "shared" and be able to navigate into it.

Enter credentials to access the share.

Right-click on "shared on server" in the left hand pane and select "Add Bookmark", or instead drag and drop it to the left hand pane to do the same.

You can use the eject icon to disconnect.

Accessing Intranet Services - Using A Web Browser

Using a web browser you can access email in particular using Squirrelmail and groupware features using eGroupWare.

Accessing Intranet Services - Using a workstation in the office via VNC


Administrator's Questions For Users

What operating system, and specific version, are you using?

For example 'Windows XP Home, Service Pack 2'

If you're to use Windows XP it's probably going to be an absolute must that you have Service Pack 2 installed (it's a service pack specifically focusing on fixing an enormous amount of the legacy poor security practices that Microsoft had built up going back years)

To find out, press the Windows key, then with it depressed, press the pause/break key; it will bring up a window that should say under 'System:' something like: 'Microsoft Windows XP Professional Edition Version 2002 Service Pack 2' (if you don't have those keys you can go to 'System' in the Control Panel)

What privileges does the user you login to your operating system have? (i.e. if Windows then administrator, power user, or restricted user?)

To find out, using Windows XP in Classic mode go to Start → Settings → Control Panel → User accounts → and it should give you a list of the accounts with wording describing them as something like 'Computer administrator', 'Limited account' etcetera. Look for the name you login as and see what type of account it is

(I ask because if you're logged in as an administrative user, browsing random web pages, then you're vulnerable to the many security vulnerabilities that crop up in Windows whereby a web page can have malicious code built into it that can do _anything_ to your computer, such as delete all your files or install software. Almost invariably you are only at risk from such maliciousness if logged in as an Administrator, and probably as a Power User, which is why at work and elsewhere I set people up to have only 'Restricted' / 'Limited' accounts.)

Is your operating system regularly updated with fixes for security vulnerabilities?

What firewalling software (whether personal firewall or stand-alone firewall) do you use?

How do you connect to the Internet? Is it through a DSL modem? If so then is it connected to your computer using a USB cable or a networking cable? What make and model is it?

What are you using it for?

i.e. are you browsing random web pages, for example?

Do you know if your Internet service provider gives you a 'static' or a 'dynamic' IP address?

We don't need it to be for the VPN, but for reference it would be useful to have it if you can get it

What software at work do you need to use?

Exactly what software do you have installed on your computer? If you go to Control Panel → Add/Remove Programs it will give you a list. Tell me everything apart from the Windows updates / security fixes (if it shows them) - sorry I don't know a reliable way to copy and paste a list of installed software

What places on the network do you need to have access to, i.e. S: on the server?

What computer are you using - tell me what you can of the CPU and its speed; amount of memory (AKA RAM)

If you use Windows XP, do you have the Windows XP firewall turned on?

If you use Windows XP, does it have Windows Automatic Updates turned on (Control Panel → Windows Automatic Updates) and is it running properly, installing updates?

Does anyone else use your computer? if so what do they use it to do?

Would you be averse to having an additional computer in your home that worked as a firewall?

(I'm not saying it's necessary but it would be useful to know if it's plausible)

Would you be willing to not use the operating system that's installed on your computer and instead boot off a CD when you wanted to do work, using a GNU/Linux operating system?

(that we know was untainted as it ran off CD) (again, it may not be necessary, just need to know what's plausible)

I doubt now it'll be necessary, but for reference it wouldn't be that different. Such a method is the easiest option of all from a security perspective, as if we did it we wouldn't have to consider any other aspect of how the computer was being used or setup etcetera

What web browser and version do you use?

If it's locked down in order to be more secure, please describe in what way.

What email program does each of you use?

What anti-virus software is being used and is it regularly auto updating itself? (both the program and its definitions/updates)?