
OpenVPN on Windows Server: Complete Setup Guide with Our All-in-One PowerShell Script

Step-by-step guide to deploy OpenVPN on Windows Server using our open-source PowerShell script. Install, configure, manage clients, NAT, and monitor — all from one menu-driven tool.


Alex Thompson

CEO & Cloud Architecture Expert at ZeonEdge with 15+ years building enterprise infrastructure.

March 13, 2026
35 min read

Why Run OpenVPN on Windows Server?

While Linux dominates the server world, many enterprises run Windows Server for Active Directory, SQL Server, IIS, and .NET workloads. When you need VPN access to your Windows infrastructure, running OpenVPN directly on Windows Server makes perfect sense — no separate Linux VM needed, no split management, and direct access to your Windows network.

The challenge? Setting up OpenVPN on Windows Server traditionally requires downloading multiple tools, manually editing configuration files, generating certificates with OpenSSL or EasyRSA from the command line, configuring Windows Firewall, setting up NAT, and troubleshooting service registration. It’s a tedious, error-prone process that can take hours even for experienced admins.

That’s why we built the ZeonEdge OpenVPN Windows Server Manager — a single PowerShell script that handles everything through an interactive menu. Think of it as the Windows equivalent of the popular Nyr OpenVPN installer for Linux, but purpose-built for Windows Server with additional features like batch client creation, a status dashboard, and profile regeneration.

Download the Script

The script is open-source (MIT License) and available for download from our servers:

# Download directly on your Windows Server (PowerShell as Admin):
Invoke-WebRequest -Uri "https://zeonedge.com/scripts/openvpn_windows_manager.ps1" -OutFile "openvpn_windows_manager.ps1"

# Or from the VPN subdomain:
Invoke-WebRequest -Uri "https://vpn.zeonedge.com/scripts/openvpn_windows_manager.ps1" -OutFile "openvpn_windows_manager.ps1"

You can also view the source code in your browser before downloading (full transparency, no obfuscation). Do read it before you run it: the script runs as Administrator, installs software, and rewrites firewall, registry and NAT settings, so it deserves the same review you would give any privileged installer. Record the SHA-256 of the copy you reviewed and compare it against the file you actually execute.
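Before running any downloaded script as Administrator, pin it to a hash you recorded after reviewing the source. The block below is an added example written for this page, not part of the ZeonEdge script: it downloads the file, refuses to run it if the SHA-256 differs from the value you recorded, and reports the Authenticode status. The expected-hash value is a placeholder for you to fill in; the signature check assumes a signed release might exist, which the page does not state.

```powershell
# Added example (not the ZeonEdge script): download, pin to a reviewed SHA-256, then run.
$Url          = "https://zeonedge.com/scripts/openvpn_windows_manager.ps1"
$Path         = Join-Path $PWD "openvpn_windows_manager.ps1"
# PLACEHOLDER (assumption): paste the SHA-256 you computed from the copy you reviewed.
$ExpectedHash = "PUT-THE-SHA256-YOU-RECORDED-HERE"

Invoke-WebRequest -Uri $Url -OutFile $Path -UseBasicParsing

# Get-FileHash returns upper-case hex; -ne is case-insensitive in PowerShell, so no normalisation needed.
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash) {
    Remove-Item -Path $Path -Force
    throw "SHA-256 mismatch for $Path (got $actual); refusing to run an unreviewed script."
}

# Authenticode status: 'Valid' for a signed file from a trusted publisher, 'NotSigned' otherwise.
# Assumption: the page does not say the script is signed, so treat 'NotSigned' as informational.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host ("Signature status: {0} ({1})" -f $sig.Status, ($sig.SignerCertificate.Subject ?? 'no signer'))

# Only reached when the hash matched the reviewed copy.
powershell -ExecutionPolicy Bypass -File $Path
```

The `??` operator needs PowerShell 7; on Windows PowerShell 5.1 replace that expression with `$sig.SignerCertificate.Subject`. Hash pinning protects you against a changed file on the server or in transit; it does not review the script for you, which is why the page tells you to read the source first.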

Prerequisites

Before running the script, make sure you have:

  • Windows Server 2019 or 2022 (also works on Windows 10/11 for testing)
  • PowerShell 5.1+ (pre-installed on modern Windows)
  • Administrator privileges (right-click PowerShell → Run as Administrator)
  • Internet access (the script downloads OpenVPN and EasyRSA automatically)
  • Firewall port open at your cloud provider level (default: UDP 1194). If you’re on AWS, open it in Security Groups. On Azure, open it in NSG. On Hetzner, it’s open by default.

Step 1: Run the Script

Open PowerShell as Administrator and execute:

powershell -ExecutionPolicy Bypass -File openvpn_windows_manager.ps1

Or if you’re already in an elevated PowerShell session:

Set-ExecutionPolicy Bypass -Scope Process -Force
.\openvpn_windows_manager.ps1

You’ll see the main menu. Since this is a fresh install, choose option 1) Install & Configure OpenVPN.

Step 2: Interactive Configuration

The script will guide you through each setting with sensible defaults:

Public IP Detection

The script automatically detects your server’s public IP address using external APIs. If it’s correct, just press Enter. If your server is behind a load balancer or has a different external IP, type it manually.

  [i] Detected public IP: 5.161.224.7
  Public IP or hostname [5.161.224.7]: <Enter>

Port and Protocol

The default OpenVPN port is 1194/UDP. UDP is recommended for better performance (less overhead than TCP). Only use TCP if your network blocks UDP traffic or you need to run OpenVPN on port 443 to bypass restrictive firewalls.

  OpenVPN port [1194]: <Enter>

  1) UDP (recommended)
  2) TCP
  Protocol [1]: <Enter>

DNS Servers

Choose which DNS servers VPN clients will use. Google (8.8.8.8) and Cloudflare (1.1.1.1) are the most popular choices. For enterprise environments, you may want to specify your internal DNS server so that VPN clients can resolve Active Directory names. Pushed resolvers only help if clients honour them: on Windows clients, OpenVPN's block-outside-dns option stops queries leaking to the local adapter's DNS while the tunnel is up, so check whether your profiles include it if DNS leakage matters to you.

VPN Subnet

The default 10.8.0.0/24 is fine for most deployments; with OpenVPN's topology subnet it supports up to 253 clients (the legacy net30 topology uses four addresses per client and would fit only about 63). Change it only if it conflicts with your existing network ranges, including the private ranges of the home and office networks your users connect from.

NAT Configuration

Enable NAT to allow VPN clients to access the internet through the server. The script detects your server’s private IP and configures Windows NAT automatically. This means VPN clients will appear to the internet as your server’s IP — perfect for IP whitelisting.

First Client

Enter a name for your first VPN client (e.g., admin, laptop, or john-macbook). The script will generate a self-contained .ovpn profile file that includes all certificates — just import it into any OpenVPN client.

Step 3: What the Installer Does

After you confirm, the script performs these steps automatically:

  1. Downloads OpenVPN (MSI installer from the official site) and installs silently
  2. Downloads EasyRSA (certificate management tool) and extracts it
  3. Initializes PKI (Public Key Infrastructure) for certificate management
  4. Builds the CA (Certificate Authority) with proper CA:TRUE extensions
  5. Generates server certificate with serverAuth extended key usage
  6. Generates DH parameters (Diffie-Hellman for key exchange); this takes 1-3 minutes. OpenVPN 2.4 and later negotiate ECDHE by default, so the DH file only serves as a fallback for the DHE cipher suites
  7. Generates the TLS auth key (ta.key), an HMAC key that lets the server discard packets from anyone who does not hold it before a TLS handshake is even attempted, which limits DoS and hides the port from scanners
  8. Creates the CRL (Certificate Revocation List) so that later client revocations can take effect; the server must reference it with the crl-verify directive for revoked certificates to be refused
  9. Writes server.ovpn configuration with all your settings
  10. Configures Windows Firewall rules to allow VPN traffic
  11. Enables IP forwarding in the Windows registry
  12. Sets up NAT (if enabled) so clients can access the internet
  13. Creates the first client certificate and .ovpn profile
  14. Registers and starts the OpenVPN Windows service
  15. Saves metadata to JSON for future reference

The entire process takes about 3-5 minutes, with DH parameter generation being the longest step.
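For readers who want to see, or reproduce by hand, the Windows-side plumbing of steps 10 to 12 (firewall rule, IP forwarding, NAT), here is an added example written for this page; it is not the script's own code and also illustrates the NAT setup discussed under "NAT and Routing Explained" later on. It assumes the walkthrough defaults (UDP 1194, VPN subnet 10.8.0.0/24) and the NAT name OpenVPN-NAT that the troubleshooting section uses, and it must run in an elevated PowerShell session.

```powershell
# Added example, not the ZeonEdge script's code: steps 10-12 of the installer done by hand.
# Assumptions: UDP/1194, VPN subnet 10.8.0.0/24, NAT object named "OpenVPN-NAT".
$Port    = 1194
$Proto   = "UDP"
$Subnet  = "10.8.0.0/24"
$NatName = "OpenVPN-NAT"
$RuleName = "OpenVPN $Proto $Port"

# Step 10: one inbound allow rule scoped to exactly this port and protocol (no blanket allow).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol $Proto `
        -LocalPort $Port -Action Allow -Profile Any | Out-Null
}

# Step 11: IP forwarding. The registry value takes effect at boot; the per-interface
# setting takes effect immediately. Enabling it on every IPv4 interface is the common
# recipe; restrict with -InterfaceAlias to the tunnel and the external adapter if you prefer.
$tcpip = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
Set-ItemProperty -Path $tcpip -Name IPEnableRouter -Value 1 -Type DWord
Get-NetIPInterface -AddressFamily IPv4 | Set-NetIPInterface -Forwarding Enabled

# Step 12: WinNAT masquerades 10.8.0.x to the server's private IP on the way out.
# WinNAT allows one NAT object per internal prefix, so remove a stale one of the same name first.
# Note: WinNAT and the RRAS role's NAT conflict; use one or the other on a host.
Get-NetNat -Name $NatName -ErrorAction SilentlyContinue | Remove-NetNat -Confirm:$false
New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $Subnet | Out-Null

# Verify the three pieces.
Get-NetFirewallRule -DisplayName $RuleName | Select-Object DisplayName, Enabled, Direction, Action
"IPEnableRouter = $((Get-ItemProperty -Path $tcpip).IPEnableRouter)"
Get-NetNat | Select-Object Name, InternalIPInterfaceAddressPrefix, Active
```

If a VPN client can reach the server but nothing beyond it, the three verification lines at the end are the first thing to look at: the rule must be Enabled and Allow, IPEnableRouter must be 1, and the NAT object must list your VPN prefix and show Active = True.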

Step 4: Connect a Client

After installation, your first client profile is at:

C:\Program Files\OpenVPN\clients\<client-name>.ovpn

where <client-name> is the name you entered in Step 2 (the commands below use client1). Transfer this file to your device and import it:

  • Windows/macOS: Download OpenVPN Connect (or the OpenVPN GUI on Windows), then drag and drop the .ovpn file
  • Linux: sudo openvpn --config client1.ovpn
  • iOS/Android: Install OpenVPN Connect from App Store / Play Store, import the file

The .ovpn profile is self-contained: it includes the CA certificate, client certificate, client private key, and TLS auth key in one file, so no separate certificate files are needed. That also makes the file a credential. Move it over a channel you trust (SCP, an MDM push, a password-manager share), not e-mail or chat, and delete any copies that end up on shared storage once the device has imported it.

Managing Clients After Installation

Run the script again to access the management menu:

  1) Add a new client
  2) Add batch clients
  3) Revoke a client
  4) Server status dashboard
  5) Regenerate all client profiles
  6) Remove OpenVPN configuration
  7) Exit

Adding a Single Client

Choose option 1 and enter a name. The script generates the certificate, creates the .ovpn profile, and saves it to the clients directory. Takes about 5 seconds.

Batch Client Creation

Need to onboard a team? Choose option 2 and specify a prefix, start number, and count. For example:

  Client name prefix [agent]: dev
  Start number [1]: 1
  How many clients? [5]: 10

This creates dev1 through dev10 with individual certificates and .ovpn profiles. Perfect for onboarding engineering teams.

Revoking a Client

Choose option 3 to see a numbered list of all clients. Select the one to revoke. The script revokes the certificate, regenerates the CRL, and deletes the .ovpn profile. OpenVPN 2.4 and later re-read the CRL file at each TLS handshake, so the revoked client is refused on its next connection attempt and, if it is connected right now, at the next periodic renegotiation (hourly by default) or immediately if you restart the service. Revocation does not change ta.key, which the revoked profile still contains; if the device was compromised rather than simply retired, generate a new ta.key and reissue every profile.

Status Dashboard

Choose option 4 for a comprehensive view:

  • Service Status — Is OpenVPN running?
  • Port Status — Is the port actually listening?
  • Connected Clients — Who’s connected right now, from what IP?
  • NAT Rules — Current NAT configuration
  • Registered Clients — All issued certificates
  • Recent Logs — Last 10 lines from the OpenVPN log
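The "Connected Clients" view reads OpenVPN's status file. The following is an added example, not the script's dashboard code, that parses a status-version-1 file (the default format) and flags any connected common name that is not in the server-metadata.json client list, which is the "unexpected connection" the security recommendations later tell you to watch for. It assumes the server config contains a status directive writing openvpn-status.log; the status text and client list below are constructed so the block runs offline, and the commented lines show how to read the real files on the server.

```powershell
# Added example (not part of the ZeonEdge script): detect connected CNs that this PKI never issued.
function ConvertFrom-OpenVpnStatus {
    # Parse the CLIENT LIST section of a status-version 1 file into objects keyed by its header row.
    param([string[]]$Lines)
    $inClients = $false
    $headers   = $null
    foreach ($line in $Lines) {
        if ($line -eq 'OpenVPN CLIENT LIST') { $inClients = $true; continue }
        if ($line -eq 'ROUTING TABLE')       { break }              # end of the client section
        if (-not $inClients -or $line -like 'Updated,*') { continue }
        $cols = $line -split ','
        if ($cols[0] -eq 'Common Name') { $headers = $cols; continue }   # header row
        if ($headers -and $cols.Count -ge $headers.Count) {
            $row = [ordered]@{}
            for ($i = 0; $i -lt $headers.Count; $i++) { $row[$headers[$i]] = $cols[$i] }
            [pscustomobject]$row
        }
    }
}

function Find-UnexpectedClients {
    # Join the live session list against the names the installer recorded in its metadata.
    param([string[]]$StatusLines, [string[]]$KnownClients)
    ConvertFrom-OpenVpnStatus -Lines $StatusLines | ForEach-Object {
        [pscustomobject]@{
            CommonName     = $_.'Common Name'
            RealAddress    = $_.'Real Address'
            ConnectedSince = $_.'Connected Since'
            Known          = ($KnownClients -contains $_.'Common Name')
        }
    }
}

# Constructed sample status file: two issued clients plus one CN this PKI never issued.
$sampleStatus = @'
OpenVPN CLIENT LIST
Updated,Thu Mar 13 14:35:02 2026
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
admin,203.0.113.10:51234,184320,2211840,Thu Mar 13 14:30:15 2026
dev1,198.51.100.7:40001,20480,51200,Thu Mar 13 14:33:40 2026
contractor-old,192.0.2.55:61000,4096,8192,Thu Mar 13 14:34:58 2026
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,admin,203.0.113.10:51234,Thu Mar 13 14:34:59 2026
GLOBAL STATS
Max bcast/mcast queue length,0
END
'@ -split "`r?`n"

# Constructed client list; on the live server read both inputs from disk instead:
#   $known        = (Get-Content 'C:\Program Files\OpenVPN\server-metadata.json' -Raw | ConvertFrom-Json).clients
#   $sampleStatus = Get-Content 'C:\Program Files\OpenVPN\log\openvpn-status.log'
$known = @('admin', 'dev1', 'dev2', 'dev3')

Find-UnexpectedClients -StatusLines $sampleStatus -KnownClients $known | Format-Table -AutoSize
# contractor-old comes back with Known = False: a certificate issued outside the script,
# or one revoked without the new CRL reaching the server. Either way, investigate.
```

Run it from a scheduled task and alert on any row with Known = False; the Real Address column tells you where the session came from, which is the first thing an incident responder will ask.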

Regenerating Profiles

Did your server’s public IP change? Migrated to a new provider? Choose option 5 to regenerate all client .ovpn profiles with the new server address. The certificates stay the same — only the connection details are updated.

Understanding the Security Architecture

The script configures OpenVPN with modern security best practices:

Certificate-Based Authentication

Every client gets a unique X.509 certificate signed by your private CA, so there are no passwords to phish or reuse. The one shared secret is the TLS auth key, which every profile carries and which gates access to the port rather than identifying a user. If a device is lost or a team member leaves, revoke that individual certificate without affecting anyone else. Certificate-only authentication also means there is no second factor; if you need one, OpenVPN's auth-user-pass directive with a server-side authentication backend can be layered on top, which this script does not configure.

Encryption

  • Data Channel: AES-256-GCM negotiated per client via data-ciphers, with AES-128-GCM and ChaCha20-Poly1305 as alternatives; all three are AEAD ciphers
  • Control Channel: TLS 1.2 or newer with RSA-2048 certificates
  • Authentication: SHA-512 HMAC (the auth directive); with AEAD data ciphers this applies to the tls-auth packet HMAC, since the data channel carries its own authentication tag
  • Key Exchange: ECDHE by default on OpenVPN 2.4 and later; the 2048-bit DH parameters serve only as a fallback for DHE cipher suites
  • TLS Auth: Additional HMAC layer that drops unauthenticated packets before the TLS handshake starts

TLS Auth (ta.key)

The TLS auth key adds an HMAC to every control-channel packet. Because the check happens before any TLS processing, the server can discard packets from anyone who does not hold ta.key without spending CPU on a handshake. This gives you:

  • DoS resistance: junk or replayed packets are dropped cheaply at the HMAC check
  • Stealth against port scans: the server does not answer packets that lack a valid HMAC, so the port looks closed from outside
  • A smaller attack surface: bugs in the TLS stack cannot be reached by peers who do not have the key

Two caveats. First, ta.key is a single shared secret embedded in every .ovpn file, so it protects the port, not any one user; rotate it if a profile leaks. Second, tls-auth only authenticates the control channel. The newer tls-crypt directive uses the same kind of key file to encrypt it as well, hiding certificate details from passive observers, and is the better choice when every client runs OpenVPN 2.4 or later.
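To make the settings in this section concrete, here is an annotated server.ovpn that puts them together. It is an added reconstruction written for this page, not the file the script writes, and several choices are assumptions the page does not state: the topology subnet line, the pushed block-outside-dns option, the log and status paths, and the commented tls-crypt alternative. Paths on Windows need doubled backslashes or forward slashes inside the config.

```conf
# Added example: a server.ovpn matching the controls described above. Written for this
# page, not generated by the script; paths, topology and the status/log lines are assumptions.
port 1194
proto udp
dev tun
# One /24 supports up to 253 clients with topology subnet (net30 would fit about 63).
topology subnet
server 10.8.0.0 255.255.255.0

ca   "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key  "C:\\Program Files\\OpenVPN\\config\\server.key"
# 2048-bit DH file; with OpenVPN 2.4+ and ECDHE negotiated by default, "dh none" is also valid.
dh   "C:\\Program Files\\OpenVPN\\config\\dh.pem"
# Without crl-verify, revoking a client in the script has no effect on the server.
crl-verify "C:\\Program Files\\OpenVPN\\config\\crl.pem"

# Control channel: TLS 1.2+, HMAC-wrapped handshake (clients carry "key-direction 1").
tls-version-min 1.2
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 0
# Alternative that also encrypts the control channel (no direction argument):
# tls-crypt "C:\\Program Files\\OpenVPN\\config\\ta.key"
# auth governs the tls-auth HMAC; AEAD data ciphers below carry their own tag.
auth SHA512

# Data channel: AEAD ciphers only, negotiated per client (replaces "cipher"/"ncp-ciphers").
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

# Full tunnel with DNS pinned to the pushed resolvers; block-outside-dns keeps Windows
# clients from sending queries to the local adapter's DNS while connected.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "block-outside-dns"

keepalive 10 120
persist-key
persist-tun
# Status file feeds the dashboard's "connected clients" view; refreshed every 10 seconds.
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log" 10
log-append "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
verb 3
```

On the client side the matching profile should contain remote-cert-tls server, so a stolen client certificate cannot be used to impersonate the server, and key-direction 1 (or tls-crypt with no direction) to pair with the tls-auth line above.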

NAT and Routing Explained

When NAT is enabled, the script configures Windows to translate VPN client addresses to the server’s private IP. Here’s the traffic flow:

  1. VPN client (10.8.0.2) sends traffic to the internet
  2. Traffic arrives at the Windows server through the VPN tunnel
  3. Windows NAT translates 10.8.0.2 → server’s private IP (e.g., 172.31.33.68)
  4. Cloud provider routes traffic to the internet
  5. Response comes back, NAT reverses the translation
  6. Traffic flows back through the tunnel to the client

This is essential for two scenarios:

  • Internet access through VPN: Clients browse the web through the server’s IP
  • IP whitelisting: All VPN clients appear as one IP to your other servers. Whitelist that single IP in your firewalls, security groups, or application configs

Cloud Provider-Specific Notes

AWS EC2

In your EC2 Security Group, add an inbound rule:

  • Type: Custom UDP
  • Port: 1194
  • Source: 0.0.0.0/0 (or restrict to known IP ranges)

Source/Dest Check on the EC2 instance only matters if you route the VPN subnet without NAT: AWS drops packets whose source or destination is not the instance's own IP, so un-NATed 10.8.0.x traffic would be discarded. With the script's NAT enabled, outbound packets already carry the instance's private IP and the check can stay on. If you disable NAT and route the subnet instead, turn the check off:

# AWS CLI
aws ec2 modify-instance-attribute --instance-id i-xxxx --no-source-dest-check

Azure

Add an inbound security rule to your NSG (Network Security Group) for UDP 1194. If using Azure Bastion, make sure the VPN subnet doesn’t conflict with Bastion’s subnet.

Hetzner Cloud

Hetzner doesn’t have a firewall by default — all ports are open. If you’ve enabled the Hetzner Firewall, add a rule for UDP 1194.

DigitalOcean

If you use DigitalOcean Cloud Firewall, add an inbound rule for UDP 1194. The droplet's own Windows Firewall rule, which the script configures, handles the rest.

Troubleshooting

Service Won’t Start

Check the Windows Event Viewer (Application log) and C:\Program Files\OpenVPN\log\ for OpenVPN errors. Common issues:

  • Virtual adapter not found: OpenVPN 2.5 and later ship the Wintun and TAP-Windows6 drivers, and 2.6 adds the DCO driver; reinstall OpenVPN with the relevant driver component selected
  • Port already in use: Check with netstat -ano | findstr 1194 (the last column is the owning PID) or Get-NetUDPEndpoint -LocalPort 1194, then stop whatever holds the socket
  • Certificate errors: Ensure all cert files exist in C:\Program Files\OpenVPN\config\ and that the paths in server.ovpn use doubled backslashes or forward slashes

Client Can’t Connect

  1. Verify the port is reachable. Test-NetConnection -ComputerName YOUR_IP -Port 1194 only tests TCP, so it is useful for a TCP deployment and tells you nothing about UDP. For UDP, confirm the server is listening with Get-NetUDPEndpoint -LocalPort 1194 and then watch the server log while a client tries to connect: with tls-auth enabled the server deliberately stays silent to probes that lack the key, so an outside scan will report the port as closed even when it works
  2. Check cloud provider firewall / security group
  3. Check Windows Firewall: Get-NetFirewallRule -DisplayName "OpenVPN*" | Select-Object DisplayName, Enabled, Direction, Action
  4. Review logs: Get-Content "C:\Program Files\OpenVPN\log\openvpn.log" -Tail 50. A "TLS Error: cannot locate HMAC" line means the client's ta.key does not match; a "certificate revoked" line means the CRL is doing its job

No Internet Through VPN

  1. Check NAT: Get-NetNat
  2. Verify IP forwarding: (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters).IPEnableRouter should be 1
  3. Check whether the Routing and Remote Access role is installed: Get-WindowsFeature Routing. The script uses WinNAT (the Get-NetNat/New-NetNat cmdlets), and WinNAT and RRAS NAT conflict on the same host, so either keep RRAS off this server or configure NAT in RRAS and skip New-NetNat
  4. Try restarting the NAT: Get-NetNat | Remove-NetNat -Confirm:$false; New-NetNat -Name "OpenVPN-NAT" -InternalIPInterfaceAddressPrefix "10.8.0.0/24"
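The three troubleshooting sections above each check one layer; the following added example (not part of the script) runs them all read-only and prints one summary object, then tails the log with the handshake failures highlighted. It assumes the page's defaults (UDP 1194, the log path given above) and the service name OpenVPNService that the OpenVPN MSI registers on Windows; confirm the name with Get-Service OpenVPN* if yours differs.

```powershell
# Added example (not from the ZeonEdge script): read-only health check for an OpenVPN Windows server.
# Assumptions: UDP/1194, service name "OpenVPNService", log under C:\Program Files\OpenVPN\log.
$Port    = 1194
$LogPath = 'C:\Program Files\OpenVPN\log\openvpn.log'
$tcpip   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

$svc = Get-Service -Name OpenVPNService -ErrorAction SilentlyContinue
# Test-NetConnection cannot probe UDP, so look at the listening socket on the server itself.
$udp = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
$fw  = Get-NetFirewallRule -DisplayName 'OpenVPN*' -ErrorAction SilentlyContinue |
           Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
$fwd = (Get-ItemProperty -Path $tcpip -ErrorAction SilentlyContinue).IPEnableRouter
$nat = Get-NetNat -ErrorAction SilentlyContinue

[pscustomobject]@{
    ServiceRunning  = ($null -ne $svc -and $svc.Status -eq 'Running')
    UdpListening    = [bool]$udp
    FirewallRuleOn  = [bool]$fw
    IpForwarding    = ($fwd -eq 1)
    NatPresent      = [bool]$nat
    NatPrefixes     = (@($nat.InternalIPInterfaceAddressPrefix) -join ', ')
} | Format-List

# Tail the log; these phrases are OpenVPN's own wording for the usual failures:
#   "cannot locate HMAC"  -> client's ta.key does not match this server
#   "certificate revoked" -> CRL refused the client (expected after option 3)
#   "TLS Error"           -> handshake never completed (firewall, wrong port/proto, or the above)
if (Test-Path -Path $LogPath) {
    Get-Content -Path $LogPath -Tail 20 | ForEach-Object {
        if ($_ -match 'TLS Error|VERIFY ERROR|certificate revoked|cannot locate HMAC') {
            Write-Host $_ -ForegroundColor Red
        } else {
            $_
        }
    }
}
```

Read the summary top to bottom: a False in ServiceRunning or UdpListening is a "service won't start" problem, FirewallRuleOn covers "client can't connect", and IpForwarding or NatPresent being False explains "no internet through VPN".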

DH Generation Takes Too Long

DH parameter generation on Windows can take 1-5 minutes depending on the server's CPU. This is a one-time operation. If it takes more than 10 minutes, the server may have very limited CPU. You can supply a pre-generated 2048-bit dh.pem (create it once on a faster machine with openssl dhparam -out dh.pem 2048) or, on OpenVPN 2.4 and later, set dh none in server.ovpn and rely on the ECDHE key exchange that is negotiated by default.

Server Metadata

The script saves all configuration to a JSON file at C:\Program Files\OpenVPN\server-metadata.json. This includes the public IP, port, protocol, subnet, NAT settings, and a list of all clients. The script reads this file on subsequent runs to display the correct management menu.

{
  "public_ip": "5.161.224.7",
  "port": "1194",
  "protocol": "udp",
  "subnet": "10.8.0.0",
  "subnet_mask": "255.255.255.0",
  "dns1": "8.8.8.8",
  "dns2": "8.8.4.4",
  "nat_enabled": true,
  "installed_at": "2026-03-13 14:30:00",
  "clients": ["admin", "dev1", "dev2", "dev3"]
}

Security Recommendations

Beyond what the script configures, consider these additional security measures:

  • Restrict the management ports: Only allow RDP (3389) and WinRM (5985/5986) from your own IP or a bastion host. Once the VPN works, reach them through the tunnel and remove the public RDP rule entirely
  • Enable Windows Update: Keep the server and the OpenVPN package patched
  • Use unique client certs per device: Don't share .ovpn files between devices; one certificate per device is what makes revocation meaningful
  • Rotate certificates periodically: The script sets a 10-year expiry, which is long for a client credential. Revoke and recreate profiles on a schedule (yearly is a reasonable starting point) and rotate ta.key at the same time, since revocation alone does not invalidate it
  • Monitor the status dashboard: Run option 4 regularly, or script the same check against the status log, and treat a connected common name you did not issue as an incident
  • Back up your PKI: Copy C:\Program Files\OpenVPN\easy-rsa\pki\ to a secure location. If you lose the CA key, you'll need to recreate all certificates; if someone else obtains it, they can mint clients your server will trust, so encrypt the backup and restrict who can read the pki folder on the server
  • Consider split tunneling: If you don't need all traffic through VPN, remove the push "redirect-gateway" line from the server config and push "route" lines for the specific internal subnets instead; clients then keep their local internet path and only internal ranges go through the tunnel

Comparison: This Script vs. Manual Setup

  Task                              Manual     This Script
  Download & install OpenVPN        ~10 min    Automatic
  Set up EasyRSA & PKI              ~15 min    Automatic
  Generate CA, server certs, DH     ~20 min    Automatic
  Write server config               ~15 min    Automatic
  Configure firewall                ~10 min    Automatic
  Set up NAT                        ~15 min    Automatic
  Create client profile             ~10 min    5 seconds
  Total                             ~95 min    ~5 min

Using with ZeonVPN Dashboard

This script is the server-side component. For a complete team VPN management solution with web dashboard, SSO, IP whitelisting, and audit logs, check out ZeonVPN — our full-featured VPN management platform.

ZeonVPN works with any OpenVPN server, including ones set up with this script. It adds:

  • Web-based team management dashboard
  • Automatic IP whitelisting rules generation
  • SSO/SAML integration
  • Connection monitoring and audit logs
  • Temporary access links for contractors
  • Multi-environment support (staging, production, dev)

Contributing & Support

The script is open-source under the MIT License. Found a bug or want to add a feature? Visit our contact page or submit feedback through the ZeonEdge support portal.

For enterprise support, custom modifications, or managed VPN infrastructure, reach out to our team at zeonedge.com/contact.

Conclusion

Setting up OpenVPN on Windows Server doesn’t have to be painful. With the ZeonEdge OpenVPN Windows Server Manager, what used to take an hour of manual configuration now takes 5 minutes of answering simple questions. The script handles certificate management, NAT configuration, firewall rules, and service registration — leaving you with a production-ready VPN server and self-contained client profiles.

Download the script, run it on your Windows Server, and have your team connected in minutes. And when you outgrow a single script, ZeonVPN is ready to scale with you.
