How to Configure Windows 10 Built-in VPN Client for OpenVPN Connections Using Certificates and Auth Files


The standard OpenVPN configuration consists of several key components:

  • auth.txt containing username/password credentials
  • ca.crt as the Certificate Authority file
  • my-nat.pem for SSH key authentication

Here's the OpenVPN client configuration we're working with:

client
dev tun
proto udp
remote some-ip-here some-port-here
ca /etc/openvpn/keys/ca.crt
auth-user-pass /etc/openvpn/keys/auth.txt
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher AES-128-CBC
comp-lzo
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3

To use this configuration with Windows 10's built-in VPN client, follow these steps:

1. Install Required Certificates

First, install the CA certificate:

certutil -addstore -f "Root" ca.crt

2. Create a New VPN Connection

Using PowerShell:

Add-VpnConnection -Name "MyOpenVPN" -ServerAddress "some-ip-here" -TunnelType "Ikev2" -EncryptionLevel "Required" -AuthenticationMethod Eap -RememberCredential $true

3. Configure Authentication Settings

Modify the connection to use certificate authentication:

Set-VpnConnection -Name "MyOpenVPN" -AuthenticationMethod Eap -EapConfigXmlStream ([xml]@"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
        <CredentialsSource>
          <CertificateStore>
            <SimpleCertSelection>true</SimpleCertSelection>
          </CertificateStore>
        </CredentialsSource>
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames></ServerNames>
        </ServerValidation>
        <DifferentUsername>false</DifferentUsername>
        <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
        <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@)

For more advanced configuration you can edit the RAS phonebook file (rasphone.pbk, stored under %APPDATA%\Microsoft\Network\Connections\Pbk) directly. The entry created above looks like this:

[MyOpenVPN]
MEDIA=rastunnel
Port=VPN2-0
Device=WAN Miniport (IKEv2)
DEVICE=vpn
PhoneNumber=some-ip-here
AreaCode=
CountryCode=0
CountryID=0
UseDialingRules=0
Comment=
FriendlyName=
LastSelectedPhone=0
PromoteAlternates=0
TryNextAlternateOnFail=1

Common connection problems and what to check:

  • Error 789: Verify the certificate chain (CA present in the machine Root store, client certificate with its private key) and the authentication method
  • Connection timeouts: Check firewall settings and whether the port is reachable (the IKEv2 client uses UDP 500 and 4500)
  • Authentication failures: Ensure the username/password in auth.txt match what the VPN server expects

The elements of the OpenVPN configuration that matter for the conversion to Windows 10's native VPN client are:

client
dev tun
proto udp
remote some-ip-here some-port-here
ca /etc/openvpn/keys/ca.crt
auth-user-pass /etc/openvpn/keys/auth.txt
cipher AES-128-CBC

First, ensure your certificate files are in a format Windows can import:

  1. Bundle the private key, the matching client certificate and the CA into a PFX file if needed. The -in file must be the client certificate that belongs to the my-nat.pem key (client.crt is a placeholder name here); ca.crt goes in as -certfile, not as -in. openssl prompts for an export password, which Import-PfxCertificate needs later:
    openssl pkcs12 -export -out certificate.pfx -inkey my-nat.pem -in client.crt -certfile ca.crt

Use PowerShell to create the VPN connection:

# SplitTunneling and RememberCredential are switch parameters, so they take no $true/$false argument.
# With -AuthenticationMethod Eap, also pass -EapConfigXmlStream (the EapHostConfig XML shown earlier),
# or set it afterwards with Set-VpnConnection.
Add-VpnConnection -Name "OpenVPN Conversion" `
    -ServerAddress "some-ip-here" `
    -TunnelType "Ikev2" `
    -EncryptionLevel "Required" `
    -AuthenticationMethod "Eap" `
    -SplitTunneling:$false `
    -RememberCredential

For the IKEv2/IPsec cryptographic settings used alongside certificate-based authentication (these pin the cipher suite; the authentication method itself is set by -AuthenticationMethod):

$vpn = Get-VpnConnection -Name "OpenVPN Conversion"
# -Force skips the confirmation prompt; each line ends in a backtick to continue the command.
Set-VpnConnectionIPsecConfiguration -ConnectionName $vpn.Name `
    -AuthenticationTransformConstants "SHA256128" `
    -CipherTransformConstants "AES256" `
    -EncryptionMethod "AES256" `
    -PfsGroup "PFS2048" `
    -DHGroup "Group14" `
    -IntegrityCheckMethod "SHA256" `
    -Force

Import the CA certificate (machine Root store, needs an elevated prompt) and the user certificate with its private key (the PFX is password-protected, so supply the export password):

Import-Certificate -FilePath "C:\path\to\ca.crt" -CertStoreLocation Cert:\LocalMachine\Root
Import-PfxCertificate -FilePath "C:\path\to\certificate.pfx" -CertStoreLocation Cert:\CurrentUser\My `
    -Password (Read-Host -AsSecureString "PFX export password")

If you prefer to keep username/password authentication:

Set-VpnConnection -Name "OpenVPN Conversion" `
    -AuthenticationMethod "MSChapv2"

Here's a complete PowerShell script to automate the setup:

# Create VPN connection. To actually use the imported user certificate, set
# -AuthenticationMethod Eap together with the EapHostConfig XML shown earlier
# (here or later via Set-VpnConnection).
Add-VpnConnection -Name "OpenVPN-Win10" -ServerAddress "your.server.com" -TunnelType IKEv2

# Configure IPsec settings (-Force suppresses the confirmation prompt)
Set-VpnConnectionIPsecConfiguration -ConnectionName "OpenVPN-Win10" `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -Force

# Import certificates (the PFX needs the export password chosen when it was created)
$caCert = Import-Certificate -FilePath "C:\certs\ca.crt" -CertStoreLocation Cert:\LocalMachine\Root -Verbose
$userCert = Import-PfxCertificate -FilePath "C:\certs\user.pfx" -CertStoreLocation Cert:\CurrentUser\My `
    -Password (Read-Host -AsSecureString "PFX export password") -Verbose

If the connection fails:

  • Verify the server supports IKEv2
  • Check event logs for certificate errors
  • Ensure the time is synchronized between client and server
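The following script, added here as an example and not part of the original page, turns the three troubleshooting points above into checks you can run after the setup: it verifies the connection settings, confirms the CA from ca.crt is trusted and that a user certificate with a private key chains to it, pulls recent RasClient failure events, and shows the clock offset. It assumes the connection name "OpenVPN-Win10" and the path C:\certs\ca.crt from the script above; change the parameters if yours differ.

```powershell
# Post-setup checks for the IKEv2 connection built above. Assumptions (not from the page):
# the connection is named "OpenVPN-Win10" and the CA file is at C:\certs\ca.crt.
param(
    [string]$ConnectionName = "OpenVPN-Win10",
    [string]$CaCertPath     = "C:\certs\ca.crt"
)
$problems = @()

# 1. The connection exists with the tunnel type and encryption level the walkthrough sets.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if (-not $vpn) {
    $problems += "Connection '$ConnectionName' not found; run Add-VpnConnection first."
} else {
    if ($vpn.TunnelType -ne "Ikev2")         { $problems += "TunnelType is $($vpn.TunnelType), expected Ikev2." }
    if ($vpn.EncryptionLevel -ne "Required") { $problems += "EncryptionLevel is $($vpn.EncryptionLevel), expected Required." }
    "Auth method: $($vpn.AuthenticationMethod -join ','); status: $($vpn.ConnectionStatus)"
}

# 2. The CA from ca.crt is in LocalMachine\Root and a user certificate with a private key chains to it.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint)) {
    $problems += "CA '$($ca.Subject)' is not in LocalMachine\Root (certutil / Import-Certificate step)."
}
$userCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey -and $_.Issuer -eq $ca.Subject }
if (-not $userCerts) {
    $problems += "No certificate with a private key issued by '$($ca.Subject)' in CurrentUser\My (Import-PfxCertificate step)."
}
foreach ($c in $userCerts) {
    # X509Chain.Build applies the normal validity checks: expiry, revocation policy, trusted root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($c)) {
        $status = ($chain.ChainStatus | ForEach-Object Status) -join ','
        $problems += "Client cert $($c.Thumbprint) fails chain validation: $status (expired, untrusted root, or clock skew)."
    }
}

# 3. Recent RasClient failures: 789 = IKE negotiation failed, 13801 = IKE credentials unacceptable,
#    13806 = no valid machine certificate found. RasClient writes these to the Application log.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\b(789|13801|13806)\b' } |
    Select-Object -First 5 TimeCreated, Id, Message | Format-List

# 4. Certificate validity depends on the client clock; show the time source and the measured offset.
w32tm /query /status 2>$null | Select-String 'Source|Phase Offset'

if ($problems) { "PROBLEMS:"; $problems | ForEach-Object { " - $_" } } else { "All checks passed." }
```

Run it from an elevated PowerShell so the LocalMachine\Root store and the Application log are readable.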