Set up your installation as per the article Open VPN Installation for IPCop. Do not proceed further until this has been installed and tested. You must do this as an Administrator.
Import your certificate into the Windows Certificate Store
- Run the Microsoft Management Console
- Start | Run | mmc
- Add the Certificates Snap-in
- File | Add/Remove Snap-in
- Computer Account
- Local Computer
- Import your PKCS12 client certificate file
- Console Root
- Certificates (Local Computer)
- select Personal
- All Tasks
- Import... (Wizard comes up)
- find where your .p12 certificate is
- Files of type: Personal Information Exchange (*.pfx,*.p12)
- choose the file
- enter the associated password/passphrase
- choose 'Automatically select the certificate store based on the type of certificate'
- The certificate will be added to 'Certificates' below 'Personal'. Note: I had to exit MMC and restart it to see this certificate
- Get Thumbprint of Certificate
- double click on the certificate (it should be in Certificates, below Personal)
- Copy/Paste the thumbprint somewhere for use later
- Note: I had to highlight it, then do a Ctrl-C (mouse keys don't work). I then created a text document on the desktop and pasted it in.
Extract the root certificate from your PKCS12 File
From a command prompt
cd "\Program Files\OpenVPN\config"
..\bin\openssl.exe pkcs12 -in yourkey.p12 -nokeys -cacerts -out somename-root-ca.crt
You will get the following (enter your password when asked)
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Import Password:
MAC verified OK
This creates the file somename-root-ca.crt in your config folder. You will need it later.
Configure OpenVPN GUI to use Windows Certificate Store and root certificate
- Go to C:\Program Files\OpenVPN\config
- Edit your configuration file (???.ovpn)
- Add Line for Windows Certificate Store
- cryptoapicert "THUMB:your thumbprint"
- where your thumbprint is taken from the last step in Import your certificate into the Windows Certificate Store
- Example: cryptoapicert "THUMB:47 01 a6 c9 90 96 7b 3f 7b 09 1c 95 b6 44 a5 2a ca be 52 39"
- Add Line for name and location of Root Certificate
- ca "name and location of .crt file". You must double backslash the path. Backslash is an escape char, so it must be entered twice
- where name and location of .crt file is the complete path and filename of the CA file you created in section Extract the root certificate from your PKCS12 File
- Example: ca "C:\\Program Files\\OpenVPN\\config\\myname-root-ca.crt"
- Remove all lines beginning with pkcs12 (put a pound sign in front to comment them out)
- Start OpenVPN GUI
- Right click on icon in systray (next to clock) and choose connect
- You should connect automatically.
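The configuration edits in this section can also be scripted. The following is an added example, not part of the original article: it normalizes a thumbprint pasted from the certificate dialog, comments out pkcs12 lines, and appends the cryptoapicert and ca lines with doubled backslashes. The function names and the sample configuration are constructed for illustration; the thumbprint is the example value shown above.

```python
import re
import unicodedata

# Constructed sample config; the remote host and file names are placeholders.
SAMPLE_OVPN = """client
dev tun
remote vpn.example.org 1194
pkcs12 yourkey.p12
verb 3
"""

def normalize_thumbprint(raw):
    """Return the SHA-1 thumbprint as 20 space-separated lowercase hex pairs."""
    # Text copied from the MMC certificate dialog can carry whitespace and
    # invisible Unicode format characters (category Cf); drop only those.
    cleaned = "".join(ch for ch in raw
                      if not ch.isspace() and unicodedata.category(ch) != "Cf")
    # Anything else that is not a hex digit is a copy error, so reject it.
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", cleaned):
        raise ValueError("thumbprint must be exactly 40 hex digits")
    cleaned = cleaned.lower()
    return " ".join(cleaned[i:i + 2] for i in range(0, 40, 2))

def convert_config(ovpn_text, thumbprint, ca_path):
    """Comment out pkcs12 lines and add the cryptoapicert and ca lines."""
    out = []
    for line in ovpn_text.splitlines():
        words = line.split()
        directive = words[0] if words else ""
        if directive == "pkcs12":
            out.append("#" + line)   # key now comes from the certificate store
        elif directive in ("cryptoapicert", "ca"):
            continue                 # replaced below, so re-running is safe
        else:
            out.append(line)
    out.append('cryptoapicert "THUMB:%s"' % normalize_thumbprint(thumbprint))
    # Backslash is an escape character inside a quoted OpenVPN string.
    out.append('ca "%s"' % ca_path.replace("\\", "\\\\"))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(convert_config(
        SAMPLE_OVPN,
        "\u200e47 01 A6 C9 90 96 7B 3F 7B 09 1C 95 B6 44 A5 2A CA BE 52 39",
        r"C:\Program Files\OpenVPN\config\somename-root-ca.crt"))
```

A thumbprint that fails the 40-hex-digit check raises ValueError instead of being written to the configuration file.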
Set OpenVPN to run as a service
If all you want to do is give users the ability to run OpenVPN GUI without administrator rights, you need go no further. However, by completing the following steps, you can have the service started automatically and have the user logged into the VPN anytime their computer is online.
Edit the Registry
- Start | Run | Regedit
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\
- Create (if they do not exist) the string values allow_service and service_only
- Right Click on left pane when OpenVPN-GUI Highlighted
- Select New | String Data
- Set the values for allow_service and service_only to 1
- (Optional) Set the values of allow_edit and allow_password to 0
- Note: a value of 1 enables the menu option and a value of 0 disables it.
Give normal users the right to run the OpenVPN service
- Download and install subinacl from http://www.microsoft.com/download/en/details.aspx?id=23510 (This is included in the Windows Resource Kits, so you might already have it).
- Open a command prompt
- "%PROGRAMFILES%\Windows Resource Kits\Tools\SubInAcl.exe" /SERVICE "OpenVPNService" /GRANT=username=TO
- %PROGRAMFILES% is an environment variable that generally expands to C:\Program Files. The path contains spaces, so it must be quoted.
- username should be a Windows User Name
You can also give users the rights to control services using Group Policies. See http://support.microsoft.com/default.aspx?scid=kb;en-us;288129 for additional information.
Set OpenVPN Service to run automatically
- Start | Control Panel | Administrative Tools | Services
- Right Click on OpenVPN Service and select Properties
- Change Startup Type to Automatic
- Click "Ok", Then File | Exit
All information was gathered from the following locations. All I did was consolidate them.
Automatically Connect OpenVPNGui to IPCop (Zerina)