Create client certificate and private key on the server
The process is similar to the server. First, from the server, generate the certificate request. This one will ask for a passphrase. Make sure you remember it.
cd /etc/openvpn/ca /etc/openvpn/easy-rsa/easyrsa gen-req greglaptop # Where greglaptop is the hostname of your OpenVPN client
No need to import the request into the CA because it’s already there. Review it to make sure.
cd /etc/openvpn/ca /etc/openvpn/easy-rsa/easyrsa show-req greglaptop # Where greglaptop is the hostname of your OpenVPN client
Sign as the client.
cd /etc/openvpn/ca /etc/openvpn/easy-rsa/easyrsa sign-req client greglaptop # Where greglaptop is the hostname of your OpenVPN client
Install the Windows OpenVPN Client
- From your Windows computer, download and install the OpenVPN client from the OpenVPN download site.
- Run the downloaded file. Choose “Install” when prompted.
Copy certificates and private key to the client
From the Windows client, run WinSCP as the administrator to pull the certificates and keys generated above from the OpenVPN server. Assuming the client is named greglaptop, here are the file names and server locations.
/etc/openvpn/ca/pki/issued/greglaptop.crt /etc/openvpn/ca/pki/private/greglaptop.key /etc/openvpn/ca/pki/issued/ca.crt
Copy them all from the OpenVPN server to C:\Program Files\OpenVPN\config on the Windows client.
Copy and customize the client configuration file.
- From the Windows client, run WinSCP as the administrator to copy the client configuration template, /etc/openvpn/client/OVPNclient2020.ovpn on the server to C:\Program Files\OpenVPN\config on the client. WinSCP might be the best tool to do this. You’ll need to run it as the Administrator.
- Rename it to match the certificate above.
- Edit – see the sections starting with “***?”
- Change the names of the CA certificate, client certificate, and key to match the names copied above from the server.
- Edit IP information to match your network.
- You will need super administrative permissions to edit the client config files. The easiest way to get this might be to launch a CMD window as the administrator, and then launch notepad from the administrator CMD window to edit the files.
Connect your client to the server
Start the OpenVPN GUI. It presents a graphic in the Windows System Tray on the right side of the taskbar, usually in the lower right corner of your Windows desktop. Right-click the graphic to connect, disconnect, or view status.
For the first connection, edit the “remote” line of your client config file to use the inside IP Address of your OpenVPN server. Connect to the server from inside your office network by right-clicking on the OpenVPN GUI in the Windows System Tray and clicking “connect.” Debug this connection. This should find and fix problems without any firewall issues getting in the way, because both the client and server are on the same side of the firewall.
Now edit the “remote line” of your client config file to use the public IP Address for your OpenVPN server. Bring the Windows client to an outside network and connect. Debug any issues.
Congratulations. You have an OpenVPN network ready for the rest of your client systems. Repeat this step for the rest of your clients. Since it may not be convenient to bring the rest of the clients inside the office, build keys and client config files as above, but copy them to a staging area visible to remote clients so the clients can download them. As soon as a client downloads its files, delete them from the public staging area.