Windows - running OpenVPN as a service

One of the lesser-known features of the Windows version of OpenVPN is its ability to run as a service. This allows OpenVPN to start and establish a VPN connection without a user logging in on the system. The OpenVPN service is installed by default, but it is not started automatically.

In this recipe, we will show how the OpenVPN service can be controlled using the OpenVPN GUI application and how to perform troubleshooting on the service.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client computer was running Windows 7 SP1 and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks at hand. For the client, keep the configuration file, basic-udp-client.ovpn, from the Using an ifconfig-pool block recipe in Chapter 2, Client-server IP-only Networks at hand.

How to do it...

  1. Start the server:
    [root@server]# openvpn --config basic-udp-server.conf
    
  2. Before starting the OpenVPN GUI application on the client side, we first launch the Windows registry editor, regedit (using elevated privileges). Find the HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI key.
  3. Take a note of the config_dir registry key, which is normally set to C:\Program Files\OpenVPN\config.
  4. Set the registry key allow_service to 1. Also, take note of the registry key, log_dir, which is normally set to C:\Program Files\OpenVPN\log.
  5. Now, browse to the registry key, HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN, and check the config_dir and log_dir keys again. They should be pointing to the same directories as for the OpenVPN GUI application.
  6. Close the registry editor.
  7. Launch the OpenVPN GUI. Right-click on the icon in the taskbar. A new menu option will have appeared.

    But do not start the service yet.

  8. First, modify the client configuration file, basic-udp-client.ovpn, by changing the following lines:
            cert     "c:/program files/openvpn/config/client2.crt" 
            key      "c:/program files/openvpn/config/client2.key" 
    

    Change these to the following:

            cert     "c:/program files/openvpn/config/client1.crt" 
            key      "c:/program files/openvpn/config/client1.key" 
    

    The client2.key private key from Chapter 2, Client-server IP-only Networks, is protected by a password, whereas the client1.key file is not; a service running without a logged-in user has no way to prompt for that password. Save the configuration file as example9-6.ovpn.

  9. Move all other .ovpn files to another directory to make sure that this is the only .ovpn file in the config directory.
  10. Now, start the OpenVPN service. After a while, the VPN connection will be established, as can be seen on both the client and the server in the log files.
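The registry edits, the isolation of the single .ovpn file, and the service start from steps 2 to 10 can also be done from an elevated PowerShell prompt. The following script is an added example and is not part of the book or of the OpenVPN project; it assumes the service is registered under the name OpenVPNService (check with Get-Service *OpenVPN*), that the GUI and service keys sit directly under HKLM:\SOFTWARE (on 64-bit Windows with a 32-bit OpenVPN-GUI they may live under HKLM:\SOFTWARE\WOW6432Node instead), and that the parked directory config-disabled does not yet exist.

```powershell
# Added example (not from the book): prepare the registry and the config
# directory for the OpenVPN service, then start it. Run elevated.
# Assumed names: service "OpenVPNService", parking folder "config-disabled".
$guiKey      = 'HKLM:\SOFTWARE\OpenVPN-GUI'
$svcKey      = 'HKLM:\SOFTWARE\OpenVPN'
$serviceName = 'OpenVPNService'
$configName  = 'example9-6.ovpn'

# Steps 2-4: read the GUI settings and let the GUI control the service.
$gui = Get-ItemProperty -Path $guiKey
Write-Host "GUI config_dir : $($gui.config_dir)"
Write-Host "GUI log_dir    : $($gui.log_dir)"
# OpenVPN-GUI stores its settings as REG_SZ strings, hence '1' and not 1.
Set-ItemProperty -Path $guiKey -Name 'allow_service' -Value '1' -Type String

# Step 5: the service reads its own key; both keys must agree, otherwise the
# GUI shows one directory while the service scans another.
$svc = Get-ItemProperty -Path $svcKey
if ($svc.config_dir -ne $gui.config_dir -or $svc.log_dir -ne $gui.log_dir) {
    throw "config_dir/log_dir differ between $guiKey and $svcKey; fix this before starting the service"
}

# Step 9: park every other .ovpn file outside config_dir, so the service
# starts exactly one process, for example9-6.ovpn.
$parked = Join-Path (Split-Path -Path $svc.config_dir -Parent) 'config-disabled'
New-Item -ItemType Directory -Path $parked -Force | Out-Null
Get-ChildItem -Path $svc.config_dir -Filter '*.ovpn' |
    Where-Object { $_.Name -ne $configName } |
    Move-Item -Destination $parked

# Step 10: start the service; Start-Service returns once it reports Running.
Start-Service -Name $serviceName
Get-Service -Name $serviceName | Format-Table Name, Status
```

Because allow_service is read when the GUI starts, restart the OpenVPN GUI after running the script to see the new service menu entries.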

How it works...

A Windows service is launched at system startup before a user is logged in. The OpenVPN service scans the directory pointed to by the registry key, HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN\config_dir.

It starts an OpenVPN process for each file with the .ovpn extension in that directory. The output of each of these processes is logged into the log directory pointed to by the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN\log_dir

Here, the log filename is the same as the configuration name, but now with the .log extension. For this recipe, the configuration file was C:\Program Files\OpenVPN\config\example9-6.ovpn and the log file was C:\Program Files\OpenVPN\log\example9-6.log.
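The one-to-one mapping between .ovpn files in config_dir and .log files in log_dir makes it easy to check every service-started connection at once. The function below is an added example, not code from the book or from OpenVPN; it assumes the HKLM:\SOFTWARE\OpenVPN key described above and Windows PowerShell 3 or later (for Get-Content -Tail), and it classifies each log only by the standard OpenVPN messages it finds in the last 50 lines.

```powershell
# Added example (not from the book): list the configurations the service
# picks up and report, per configuration, what its log says.
function Get-OpenVPNServiceStatus {
    param(
        [string]$ConfigDir = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenVPN').config_dir,
        [string]$LogDir    = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\OpenVPN').log_dir
    )
    foreach ($cfg in Get-ChildItem -Path $ConfigDir -Filter '*.ovpn') {
        # The service names the log after the configuration, .ovpn -> .log.
        $log   = Join-Path $LogDir ([IO.Path]::ChangeExtension($cfg.Name, '.log'))
        $state = 'no log yet (service not started or config not picked up)'
        if (Test-Path -Path $log) {
            $tail = Get-Content -Path $log -Tail 50
            if ($tail -match 'Initialization Sequence Completed') {
                $state = 'connected'
            } elseif ($tail -match 'TLS Error|AUTH_FAILED|Cannot load|Enter Private Key Password') {
                # A password-protected key shows up here: the service cannot prompt for it.
                $state = 'error, see log'
            } else {
                $state = 'in progress, see log'
            }
        }
        [pscustomobject]@{ Config = $cfg.Name; Log = $log; State = $state }
    }
}

Get-OpenVPNServiceStatus | Format-Table -AutoSize
```

Running this after step 10 of the recipe should show example9-6.ovpn with the state connected; any .ovpn file that was left in config_dir by mistake appears as an additional row.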

There is no need to launch the OpenVPN GUI to start these connections, but the GUI application does offer a convenient method of managing the OpenVPN service, if the right registry key is added.

There's more...

There are a few important notes when using the OpenVPN service, which are outlined here.

Automatic service startup

To make the OpenVPN service start at system startup, open the Services administrative control panel by navigating to Control Panel | Administrative Tools | Services. Double-click on the OpenVPN Service to open the properties and set the Startup type field to Automatic:

[Screenshot: Automatic service startup]

Click on OK and close the Services administrative control panel. Reboot Windows and verify on the server side that the client is connecting at system startup.

OpenVPN user name

When the OpenVPN service is used, the corresponding OpenVPN processes are normally run under the account SYSTEM, as can be seen in the following screenshot:

[Screenshot: OpenVPN user name]

This has some implications regarding the permissions on the configuration files. Special care also needs to be taken when using the cryptoapicert directive, as by default, those certificates end up in the user certificate store, which is not accessible to the SYSTEM account. It is possible to use the cryptoapicert directive, but the imported certificate must be installed as a (local) system certificate and not as a user certificate.
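The two points above (the Automatic startup type and the SYSTEM account with its own certificate store) can be set and checked from PowerShell as well. The script below is an added example and not code from the book or from OpenVPN; it assumes the service name OpenVPNService and uses a placeholder subject name, client1, standing in for whatever subject the cryptoapicert directive (for example cryptoapicert "SUBJ:client1") refers to.

```powershell
# Added example (not from the book): set the service to start with Windows,
# show the account it runs under, and verify that a certificate intended for
# cryptoapicert is in the machine store, which is the one SYSTEM can read.
$serviceName = 'OpenVPNService'   # assumed service name, see Get-Service *OpenVPN*
$subjectCN   = 'client1'          # placeholder for the CN named in cryptoapicert

# Automatic service startup: same effect as the Startup type field in services.msc.
Set-Service -Name $serviceName -StartupType Automatic

# OpenVPN user name: StartName is the account the service and its openvpn.exe
# children run as, normally LocalSystem (shown as SYSTEM in Task Manager).
Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, StartMode, StartName, State

# The user store (CurrentUser) belongs to the account that imported the
# certificate; a service running as SYSTEM never sees it.
function Test-MachineCert {
    param([string]$CN)
    $user    = Get-ChildItem -Path Cert:\CurrentUser\My  | Where-Object { $_.Subject -match "CN=$CN" }
    $machine = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -match "CN=$CN" }
    if ($machine) {
        "OK: CN=$CN is in LocalMachine\My and usable by the service"
        foreach ($c in $machine) {
            if (-not $c.HasPrivateKey) { "WARN: $($c.Thumbprint) has no private key attached" }
        }
    } elseif ($user) {
        "PROBLEM: CN=$CN is only in CurrentUser\My; import it into the machine store instead"
    } else {
        "NOT FOUND: no certificate with CN=$CN in CurrentUser\My or LocalMachine\My"
    }
}

Test-MachineCert -CN $subjectCN
```

Run the script elevated: Set-Service needs administrator rights, and Cert:\LocalMachine\My private-key properties are only fully readable with them.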

See also

  • The Windows - using the CryptoAPI store recipe earlier in this chapter, which explains how to use the Windows CryptoAPI store to store the user certificate and private key