Edit: The easiest way is to just buy the TP-Link AX1500 router or similar. It's just a checkbox to turn it into an OpenVPN server.
Below is how to turn a Windows server into your own VPN using OpenVPN. I pretty much spent the entire day piecing all this together. The OpenVPN documentation is very out of date, so the steps on their site do not work for Windows; for example, the init-config command in their docs is not recognized. Sadly, the devs/mods seem more interested in dismissing their users than actually fixing things or providing help (i.e. here and here).
The steps I have in this post are sourced from the below links:
- Download the latest OpenVPN (older ones use an insecure hash): https://openvpn.net/community-downloads/
- Windows Server setup: https://wiki.teltonika-networks.com/view/OpenVPN_server_on_Windows
- Packet forwarding on the server via the registry: https://serverfault.com/questions/929081/how-can-i-enable-packet-forwarding-on-windows
- Configuring DNS handling on the server: https://forums.openvpn.net/viewtopic.php?t=20765

Additionally, if you want to further secure it with two-factor, you can install Duo as well: https://duo.com/docs/openvpn

The exact version of the OpenVPN Windows server install is 2.5.5 and can be downloaded below, so you don't end up with mismatching setup instructions. I went through multiple installs and sites before finding the right version, and the OpenVPN site itself for some reason makes the self-hosted server download page hard to find: https://drive.google.com/file/d/1PSutOoaeAleKAKiqdyaY5_nQzCTaXqz3/view?usp=sharing

The setup steps below are copied from the above sites in case the links ever go down:
0. Run and install the Windows OpenVPN download. Make sure to customize the install so that all options are included.
1. Open Command Prompt as admin.
2. Enter: cd "C:\Program Files\OpenVPN\easy-rsa"
3. Enter: EasyRSA-Start.bat
4. Enter: ./easyrsa init-pki
5. Go to C:\Program Files\OpenVPN\easy-rsa, create vars.bat in Notepad with the following lines (set to your specific info):
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=OpenVPN
set KEY_EMAIL=mail@host.domain
6. Back in Command Prompt, enter: vars.bat
7. Enter: ./easyrsa clean-all
8. Enter: ./easyrsa build-ca nopass
- Use ca as common name
9. Enter: ./easyrsa build-server-full server nopass
- Use server as common name
10. Enter: ./easyrsa build-client-full client nopass
- Use client as common name
11. Enter: ./easyrsa gen-dh
12. Enter: "C:\Program Files\OpenVPN\bin\openvpn.exe" --genkey --secret "C:\Program Files\OpenVPN\config\ta.key"
13. Close Command Prompt. From the pki folder (and its issued and private subfolders), copy the following files to the config folder outside of easy-rsa: ca.crt, ca.key, client.crt, client.key, server.crt, server.key, dh.pem
14. Copy client.ovpn and server.ovpn from the sample-config folder to the config folder.
15. Edit server.ovpn to replace the following lines with the absolute paths:
ca ca.crt
cert server.crt
key server.key
dh dh.pem
to:
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh.pem"
16. Additionally add the following lines to server.ovpn so client IP changes to the VPN IP:
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "register-dns"
push "block-outside-dns"
17. Open client.ovpn and edit the following line to point at your IP or domain with the correct port (it's recommended that you use a different port on the router and forward it to 1194 locally so hackers don't find it easily):
18. Enable packet forwarding on the server via registry. Start > Run > regedit and go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - then set IPEnableRouter to 1 (create it as a REG_DWORD if it doesn't exist). Reboot.
19. On the server, go to Network settings, right-click the Ethernet adapter (or the Wi-Fi adapter if the server uses Wi-Fi) and choose Properties. On the Sharing tab, check the box to share the network connection and select the OpenVPN TAP network in the dropdown. This step has been the hardest to find and is necessary for DNS to work and sites to load.
20. Open port 1194 for UDP on the firewall. As suggested, you'll want to have a router that redirects a different port number to 1194 from the outside, so it's less easy for hackers to find.
21. Launch OpenVPN GUI to start the server (server -> Connect). If it's failing or using the wrong settings, make sure it's using the config folder in Program Files > OpenVPN and not the one in Users (this is set in OpenVPN GUI > Settings > Advanced). Also make sure the line endings of the .ovpn files are Windows and not Mac (they came as Mac when I first downloaded them).
22. Copy the client.key/crt, ca.key/crt, ta.key and client.ovpn files to anyone who wants to connect to the VPN. Install OpenVPN Connect and open the client.ovpn file with the crt/key files in the same folder to connect. Make sure you disable IPv6 (uncheck the box) under your network adapter properties because IPv6 isn't supported by most VPNs yet and may still leak your network/location info.
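Added example, not from the original post: an elevated-PowerShell script that carries out steps 15, 16, 18, 20 and 22 on the server once easy-rsa has produced the files and step 13 has copied them into the config folder. The paths and push lines are the post's; the bundle folder and the firewall rule name are assumptions. The bundle it writes leaves out ca.key on purpose: the client only needs ca.crt to verify the server's certificate, and the CA private key is what signs new certificates, so it belongs on the machine that runs easy-rsa and nowhere else. Step 19 (Internet Connection Sharing onto the TAP adapter) stays a GUI step.

```powershell
# Added example (not part of the original post). Run in an elevated PowerShell on the
# server after easy-rsa has produced the files and step 13 has copied them into config.
$Base   = 'C:\Program Files\OpenVPN'
$Config = Join-Path $Base 'config'
$Sample = Join-Path $Base 'sample-config'
$Bundle = Join-Path $env:USERPROFILE 'Desktop\openvpn-client'   # assumed hand-off folder

# OpenVPN config files want backslashes doubled inside quoted Windows paths.
$CfgEsc = $Config -replace '\\', '\\'

# Steps 14/15: start from the sample server.ovpn and point ca/cert/key/dh at the absolute
# paths from the post (easy-rsa names the DH file dh.pem, whatever the sample line says).
$pki = [ordered]@{ ca = 'ca.crt'; cert = 'server.crt'; key = 'server.key'; dh = 'dh.pem' }
$server = Get-Content (Join-Path $Sample 'server.ovpn') | ForEach-Object {
    $line = $_
    foreach ($directive in $pki.Keys) {
        if ($line -match "^$directive\s") {
            $line = "$directive `"$CfgEsc\\$($pki[$directive])`""
        }
    }
    $line
}

# Step 16: push the full-tunnel and DNS settings from the post to every client.
$server = @($server) + @(
    'push "redirect-gateway def1"',
    'push "dhcp-option DNS 8.8.8.8"',
    'push "dhcp-option DNS 8.8.4.4"',
    'push "dhcp-option DNS 208.67.222.222"',
    'push "dhcp-option DNS 208.67.220.220"',
    'push "register-dns"',
    'push "block-outside-dns"'
)
# Set-Content writes CRLF line endings, which is what step 21 asks for on Windows.
Set-Content -Path (Join-Path $Config 'server.ovpn') -Value $server -Encoding ASCII

# Step 18: allow the server to forward packets between the TAP adapter and the LAN.
# Set-ItemProperty creates the DWORD if it is missing; a reboot is still required.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name 'IPEnableRouter' -Value 1 -Type DWord

# Step 20: open UDP 1194 inbound on the Windows firewall (rule name is an assumption;
# the check makes re-running the script safe).
$ruleName = 'OpenVPN server (UDP 1194)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol UDP -LocalPort 1194 -Action Allow | Out-Null
}

# Step 22: build the hand-off bundle. The client needs ca.crt to verify the server, its own
# client.crt/client.key, ta.key for tls-auth, and the client.ovpn edited in step 17.
# ca.key is the CA signing key and is deliberately not copied; it stays on this server.
New-Item -ItemType Directory -Path $Bundle -Force | Out-Null
foreach ($name in 'ca.crt', 'client.crt', 'client.key', 'ta.key', 'client.ovpn') {
    Copy-Item -Path (Join-Path $Config $name) -Destination $Bundle -Force
}
# Fail loudly if any key other than the two the client is supposed to get ended up in it.
$unexpected = Get-ChildItem -Path $Bundle -Filter '*.key' |
    Where-Object { $_.Name -notin @('client.key', 'ta.key') }
if ($unexpected) {
    throw "Key material that must stay on the server is in the bundle: $($unexpected.Name -join ', ')"
}
Write-Host "Client bundle written to $Bundle. Reboot for IPEnableRouter, then do steps 19 and 21 in the GUI."
```

The script writes server.ovpn with Set-Content rather than editing the copy in place so that it always starts from the known sample and ends with Windows line endings; if you have already hand-edited server.ovpn in the config folder, back it up first, because this overwrites it. The final check is there so that a later change to the file list cannot quietly start shipping ca.key or server.key to clients.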