One of the lesser-known features of the Windows version of OpenVPN is its ability to run as a service. This allows OpenVPN to start and establish a VPN connection without a user logging in to the system. The OpenVPN service is installed by default, but its startup type is Manual, so it is not started automatically.
In this recipe, we will show how to run a connection under the OpenVPN service, how the service can be controlled using the OpenVPN GUI application, and how to troubleshoot it.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client computer was running Windows 7 SP1 and OpenVPN 2.3.11. Keep the configuration file basic-udp-server.conf, from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks, at hand. For the client, keep the configuration file basic-udp-client.ovpn, from the Using an ifconfig-pool block recipe in Chapter 2, Client-server IP-only Networks, at hand.
1. Start the server:
[root@server]# openvpn --config basic-udp-server.conf
2. On the Windows client, start the registry editor, regedit (using elevated privileges). Find the HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI key.
3. Note the value of the config_dir registry value, which is normally set to C:\Program Files\OpenVPN\config.
4. Note the value of log_dir, which is normally set to C:\Program Files\OpenVPN\log.
5. Next, go to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN and check the config_dir and log_dir values again. They should be pointing to the same directories as for the OpenVPN GUI application. But do not start the service yet.
6. Edit the client configuration file, basic-udp-client.ovpn, by changing the following lines:
cert "c:/program files/openvpn/config/client2.crt"
key "c:/program files/openvpn/config/client2.key"
Change these to the following:
cert "c:/program files/openvpn/config/client1.crt"
key "c:/program files/openvpn/config/client1.key"
The client2.key private key from Chapter 2, Client-server IP-only Networks, is protected by a password, whereas the client1.key file is not. A service started at boot has no logged-in user who could enter the password. Save the configuration file as example9-6.ovpn.
7. Move all other .ovpn files to another directory to make sure that this is the only .ovpn file in the config directory.
A Windows service is launched at system startup before a user is logged in. The OpenVPN service scans the directory pointed to by the registry value HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN\config_dir and starts an OpenVPN process for each file in that directory whose extension matches the config_ext value under the same key, which is ovpn by default. The output of each of these processes is logged into the log directory pointed to by the registry value HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN\log_dir. The log filename is the same as the configuration name, but with the .log extension. For this recipe, the configuration file was C:\Program Files\OpenVPN\config\example9-6.ovpn and the log file was C:\Program Files\OpenVPN\log\example9-6.log.
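The checks in steps 2 to 7 above, and the directory scan the service performs, can be scripted before the service is started for the first time. The following PowerShell script is an added example; it is not part of the original recipe or of the OpenVPN distribution. It reads config_dir, log_dir and config_ext from both registry keys, confirms that the service and GUI settings agree, counts the configuration files the service would start, checks that the private key named in each is not passphrase protected, and checks that nobody other than Administrators can write to the config directory. The config_ext value and the ovpn default are the legacy service's own settings; the regular expression for the key line and the ENCRYPTED marker test are this example's assumptions.

```powershell
# Added example (not from the OpenVPN Cookbook or the OpenVPN project):
# pre-flight checks before the OpenVPN service is started.
# Run from an elevated PowerShell prompt on the Windows client.

$svcKey = 'HKLM:\SOFTWARE\OpenVPN'
$guiKey = 'HKLM:\SOFTWARE\OpenVPN-GUI'

function Get-RegValue($Key, $Name) {
    # Returns $null instead of throwing when the key or value is missing.
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. The service and the GUI must agree on where configs and logs live.
foreach ($name in 'config_dir', 'log_dir') {
    $svc = Get-RegValue $svcKey $name
    $gui = Get-RegValue $guiKey $name
    if ($svc -ne $gui) {
        Write-Warning "$name differs: service='$svc' GUI='$gui'"
    } else {
        Write-Host "$name = $svc"
    }
}
$configDir = Get-RegValue $svcKey 'config_dir'
# The service only picks up files with this extension (default: ovpn).
$ext = Get-RegValue $svcKey 'config_ext'
if (-not $ext) { $ext = 'ovpn' }

# 2. The service starts one openvpn.exe per matching file at boot, so the
#    recipe wants exactly one configuration in config_dir.
$configs = @(Get-ChildItem -Path $configDir -Filter "*.$ext" |
             Where-Object { -not $_.PSIsContainer })
Write-Host "Found $($configs.Count) .$ext file(s) in $configDir"

# 3. A key used by a service-started tunnel must not be passphrase protected:
#    nobody is logged in to answer the prompt. Assumption: the key is a PEM
#    file named by a 'key' directive; encrypted PEM keys carry ENCRYPTED in
#    their header (Proc-Type: 4,ENCRYPTED or BEGIN ENCRYPTED PRIVATE KEY).
foreach ($cfg in $configs) {
    $keyPath = $null
    foreach ($line in Get-Content -Path $cfg.FullName) {
        if ($line -match '^\s*key\s+"?(.+?)"?\s*$') { $keyPath = $Matches[1]; break }
    }
    if (-not $keyPath) { Write-Warning "$($cfg.Name): no key directive found"; continue }
    if (-not (Test-Path $keyPath)) { Write-Warning "$($cfg.Name): key file $keyPath not found"; continue }
    if (Select-String -Path $keyPath -Pattern 'ENCRYPTED' -Quiet) {
        Write-Warning "$($cfg.Name): $keyPath is passphrase protected"
    } else {
        Write-Host "$($cfg.Name): $keyPath is not encrypted (usable by the service)"
    }
}

# 4. Everything in config_dir is executed as SYSTEM at boot, so only
#    Administrators (plus SYSTEM and TrustedInstaller) may write there.
#    Generic rights that show up as plain numbers are not expanded here.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
foreach ($ace in (Get-Acl -Path $configDir).Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        ($ace.FileSystemRights -band $writeMask) -and
        $ace.IdentityReference -notmatch 'Administrators|SYSTEM|TrustedInstaller') {
        Write-Warning "Write access to $configDir granted to $($ace.IdentityReference)"
    }
}
```

Any warning from the last block deserves attention before the service is switched on: a user who can drop or edit a .ovpn file in config_dir gets that file, and any script it names, run as SYSTEM at the next boot.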
There is no need to launch the OpenVPN GUI to start these connections, but the GUI application does offer a convenient method of managing the OpenVPN service, if the right registry value is set: with the GUI shipped with OpenVPN 2.3, setting service_only under HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI to 1 makes the tray menu start and stop the service instead of launching openvpn.exe processes of its own.
There are a few important notes when using the OpenVPN service, which are outlined here.
To make the OpenVPN service start at system startup, open the Services administrative control panel by navigating to Control Panel | Administrative Tools | Services. Double-click on the OpenVPN Service to open the properties and set the Startup type field to Automatic:
Click on OK and close the Services administrative control panel. Reboot Windows and verify on the server side that the client is connecting at system startup.
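Instead of the Services control panel, the same change can be made and checked from an elevated PowerShell prompt. The following script is an added example, not code from the recipe or from OpenVPN. It locates the service by its display name rather than assuming its internal name, uses the example9-6.log file name from this recipe, waits for OpenVPN's "Initialization Sequence Completed" message in that log, and then lists the account each openvpn.exe runs under. The 60 second timeout is this example's choice.

```powershell
# Added example (not from the OpenVPN Cookbook or the OpenVPN project):
# make the service start at boot, start it now, wait for the tunnel and
# show which account the openvpn.exe processes run under. Run elevated.

$svc = Get-Service -DisplayName 'OpenVPN Service' -ErrorAction SilentlyContinue
if (-not $svc) { throw 'No service with display name "OpenVPN Service" found' }

# Equivalent of Startup type = Automatic in the Services control panel.
Set-Service -Name $svc.Name -StartupType Automatic
if ($svc.Status -ne 'Running') { Start-Service -Name $svc.Name }
Get-Service -Name $svc.Name | Format-List Name, DisplayName, Status

# The service writes <config name>.log into log_dir for each configuration.
$logDir  = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenVPN').log_dir
$logFile = Join-Path $logDir 'example9-6.log'

# Poll the log until OpenVPN reports the tunnel is up, or give up after 60 s.
$deadline = (Get-Date).AddSeconds(60)
$up = $false
while ((Get-Date) -lt $deadline) {
    if ((Test-Path $logFile) -and
        (Select-String -Path $logFile -Pattern 'Initialization Sequence Completed' -Quiet)) {
        $up = $true
        break
    }
    Start-Sleep -Seconds 2
}
if ($up) {
    Write-Host "Tunnel is up, see $logFile"
} else {
    Write-Warning "No 'Initialization Sequence Completed' in $logFile yet; last lines:"
    if (Test-Path $logFile) { Get-Content -Path $logFile | Select-Object -Last 10 }
}

# Who owns the openvpn.exe processes the service started?
# For the legacy service this is expected to be NT AUTHORITY\SYSTEM.
Get-WmiObject -Class Win32_Process -Filter "Name = 'openvpn.exe'" | ForEach-Object {
    $owner = $_.GetOwner()
    '{0,6}  {1}\{2}  {3}' -f $_.ProcessId, $owner.Domain, $owner.User, $_.CommandLine
}
```

After the reboot the recipe asks for, run the log and process checks again: the log should show a fresh "Initialization Sequence Completed" with a timestamp from boot time, and the server's status file should list the client before anyone has logged in.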
When the OpenVPN service is used, the corresponding OpenVPN processes normally run under the account SYSTEM (LocalSystem), as can be seen in the following screenshot:
This has two implications for the configuration files. First, the configuration, certificate and key files must be readable by SYSTEM, and the client key cannot be passphrase protected, because there is no user to enter the passphrase. Second, everything in the config directory is executed with SYSTEM privileges at boot, including any scripts a configuration file declares, so the directory must be writable only by Administrators. The default location under C:\Program Files already carries such permissions, but they should be checked whenever the config_dir registry value is pointed elsewhere. Special care also needs to be taken when using the cryptoapicert directive. A certificate imported from a user's session ends up in that user's certificate store, which is not accessible to the SYSTEM account, so openvpn.exe running as a service will not find it. It is possible to use the cryptoapicert directive, but the certificate and its private key must then be installed in the local computer (machine) certificate store and not in a user's personal store.
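As an added example, not from the recipe or from OpenVPN, the following PowerShell imports a PFX bundle into the local computer's personal store with a machine-bound private key, verifies that the service-visible copy has its private key, and prints the cryptoapicert directive that selects it. The PFX path and password are placeholders; the certificate is located afterwards by the thumbprint read from the PFX itself, so no subject name is assumed.

```powershell
# Added example (not from the OpenVPN Cookbook or the OpenVPN project):
# install a client certificate where openvpn.exe running as SYSTEM can
# use it, then emit the matching cryptoapicert directive. Run elevated.

$pfxFile = 'C:\Program Files\OpenVPN\config\client1.pfx'   # assumed path
$pfxPass = 'pfx-import-password'                            # assumed password

# MachineKeySet stores the private key in the machine key container instead
# of the importing user's profile; PersistKeySet keeps it after the import.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$pfx   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxFile, $pfxPass, $flags)

# LocalMachine\My is the store the SYSTEM account sees as its "MY" store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($pfx)
$store.Close()

# Confirm the copy the service will use is there and has its private key.
$installed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $pfx.Thumbprint }
if (-not $installed) { throw 'Certificate not found in LocalMachine\My after import' }
if (-not $installed.HasPrivateKey) { throw 'Certificate in LocalMachine\My has no private key' }

# A copy in the importing user's own store is useless to the service.
if (Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $pfx.Thumbprint }) {
    Write-Host 'Note: the same certificate is also in CurrentUser\My; the service ignores that copy.'
}

# OpenVPN's THUMB: selector takes the SHA-1 thumbprint as space-separated
# hex byte pairs; SUBJ: matches a substring of the subject name.
$thumb = ($pfx.Thumbprint -replace '(..)', '$1 ').Trim()
'# Replace the cert and key lines in the .ovpn with one of these:'
"cryptoapicert ""THUMB:$thumb"""
"cryptoapicert ""SUBJ:$($pfx.GetNameInfo('SimpleName', $false))"""
```

Because the key now lives in the machine key container, restrict the PFX file afterwards (or delete it): anyone who can read it has the same credential the service uses.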