OpenVPN on Windows notes, Copyright (C) James Yonan, 2003-2004
--------------------------------------------------------------

THIS IS A BETA RELEASE.

Please report any bugs to the openvpn-users list.
Before you post, check out the troubleshooting
guide for more info:

  http://openvpn.sourceforge.net/trouble.html

Currently, OpenVPN runs on Win 2000/XP, Linux, Mac OS X,
Solaris, FreeBSD, NetBSD, and OpenBSD, making it one of the
most portable VPN packages today.

This document is also available in HTML:

  http://openvpn.sourceforge.net/INSTALL-win32.html

What's new in the 2.0 Beta Series
---------------------------------
The 2.0 beta series is focused on improving scalability and
offering centralized management for VPN configurations having
a large number of clients.
See the release notes for more info:
http://openvpn.sourceforge.net/20notes.html
What's new in 1.6.0
-------------------
This release is primarily focused on bug fixes and minor
feature improvements over 1.5.
See Change Log for more details:
http://openvpn.sourceforge.net/changelog.html
What's new in 1.5.0
-------------------
OpenVPN 1.5.0 is essentially just 1.5-beta14 with
the version number changed.
Below are the release notes which have been
built up over the course of development of
the 1.5 beta series.
The often-requested HTTP proxy feature
has been added to allow OpenVPN to connect
to its remote peer through an HTTP proxy
using the HTTP CONNECT method.
Basic HTTP authentication is supported as an
option. For more info, see the --http-proxy
option.
The --redirect-gateway feature has been added
which redirects all IP traffic into the tunnel.
Many of the changes in this release involve
minor additions to the crypto layer.
The --secret and --tls-auth options now support
key directionality, where a different key
can be used for each data flow direction.
To use the new key directionality feature, you
must generate a new key with --genkey, then
add a direction parameter to --secret or
--tls-auth. See the man page for details.
The --tls-auth option now accepts an OpenVPN
static key file generated by --genkey.
Freeform files can still be used with --tls-auth --
they will be hashed to generate an HMAC key.
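
The following is an added example, not part of the original OpenVPN
notes or code: a small Python lint that reads both peers' config files
and reports when the direction parameter on --secret or --tls-auth is
not complementary. It relies on the man page rule that one side uses 0
and the other 1 (or both omit it); the sample configs are constructed.

```python
# Added example: lint two peer configs for complementary key directions.
import shlex

KEY_OPTS = ("secret", "tls-auth")

def key_directions(config_text):
    """Map each --secret / --tls-auth option to its direction (None if omitted)."""
    found = {}
    for raw in config_text.splitlines():
        # posix=False keeps backslashes in Windows paths; comments=True drops '#'.
        tokens = shlex.split(raw, comments=True, posix=False)
        if not tokens:
            continue
        opt = tokens[0].lstrip("-")
        if opt in KEY_OPTS:
            # Syntax: <option> <file> [direction]
            found[opt] = tokens[2] if len(tokens) > 2 else None
    return found

def check_pair(config_a, config_b):
    """Return a list of problems; an empty list means the two sides agree."""
    a, b = key_directions(config_a), key_directions(config_b)
    problems = []
    for opt in KEY_OPTS:
        if opt not in a and opt not in b:
            continue
        if (opt in a) != (opt in b):
            problems.append(f"{opt}: present on only one side")
            continue
        if a[opt] is None and b[opt] is None:
            continue  # no direction on either side: one key set for both flows
        if {a[opt], b[opt]} != {"0", "1"}:
            problems.append(f"{opt}: directions {a[opt]!r} and {b[opt]!r} "
                            "are not complementary (one side 0, the other 1)")
    return problems

# Constructed samples modelled on the Machine A / Machine B files in this document.
MACHINE_A = "dev tap\nifconfig 10.3.0.1 255.255.255.0\nsecret key 0\n"
MACHINE_B = "remote A\ndev tap\nifconfig 10.3.0.2 255.255.255.0\nping 10\nsecret key 1\n"
MACHINE_B_BAD = MACHINE_B.replace("secret key 1", "secret key 0")

if __name__ == "__main__":
    print(check_pair(MACHINE_A, MACHINE_B))      # consistent pair
    print(check_pair(MACHINE_A, MACHINE_B_BAD))  # both sides use direction 0
```
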
The replay protection logic now exports two
parameters which previously were held
constant. See the --replay-window option.
A --key-method option has been added which can
be used to select one of two different data
channel key generation methods to be used
in TLS mode. Key method 1 is the original,
default key generation method. Key
method 2 is new and uses the TLS PRF function.
A Certificate Revocation List capability has
been added.
None of the crypto changes affect key file or
protocol compatibility with previous releases,
however all of the new crypto options (with the
exception of --replay-window) require current
versions of OpenVPN on both sides of the connection.
OpenSSL 0.9.7c DLLs are now shipped with 1.5-beta9
and higher in response to an OpenSSL security
advisory.
An option has been added to the TAP-Win32 driver
advanced properties page that allows you to control
whether the adapter appears to Windows as
"Always Connected" or whether the connection status
is dynamically brought up and down by OpenVPN
("Application Controlled").
OpenVPN now supports the '--dev tun' option.
The TAP-Win32 driver has been extended to allow tun
device emulation. This means that OpenVPN on
Windows can now connect with OpenVPN running
on any other platform. For more information
see the "Notes -- TAP vs. TUN devices" section
below.
The --dev-node option is now optional when exactly
one TAP-Win32 adapter exists on a system -- such an
adapter will now be chosen automatically as
the default.
The --ifconfig option is now supported for
TAP-Win32 devices as well as TAP devices
on other platforms which OpenVPN supports. The
--ifconfig option can be used to programmatically
set the IP address and subnet mask of a
TAP-Win32 adapter.
Here is an example of how --ifconfig can simplify
configuration:

Config file for Machine A (server):

  dev tap
  ifconfig 10.3.0.1 255.255.255.0
  secret key

Config file for Machine B (client):

  remote A
  dev tap
  ifconfig 10.3.0.2 255.255.255.0
  ping 10
  secret key

It doesn't matter whether Machine A or B is
running Windows or Linux -- these config
files are essentially portable.
To tune the operation of the --ifconfig option
on Windows, the --ip-win32 option has been
added to control which Windows API/method is used
by OpenVPN to set the TCP/IP properties
on the TAP adapter.
A new --route option has been added which is
a convenience proxy for the functionally
similar but syntactically incompatible route
commands of the Windows and *nix worlds.
If you change the TAP-Win32 MTU by using
the adapter advanced properties dialog,
OpenVPN will automatically query the
adapter to get the new MTU.
Added two new options, --fragment and
--mssfix to help solve MTU fragmentation
problems. --fragment performs internal
fragmentation and --mssfix tries to
keep TCP session packet size from
exceeding an upper bound. Both
can be used together, i.e.:

  fragment 1400
  mssfix

--mssfix will try to keep TCP from needing
packet fragmentation in the first place,
and if big packets come through anyhow
(from protocols other than TCP), --fragment
will internally fragment them.
The --mtu-test option has been added
for empirical measurement of MTU, to assist
in determining whether the 'fragment' or
'mssfix' options should be used, and if so,
what the ideal settings should be.
The --tap-delay option has been added to delay
setting the TAP-Win32 adapter media state to
'connected' until TCP/UDP connection establishment
with peer.
The TAP-Win32 driver has been significantly
reworked for both efficiency and SMP capabilities.
As of beta8, the driver should be considered
experimental on SMP systems. Driver versions
prior to beta8 SHOULD NOT be installed on
SMP systems.
You can now run one or more OpenVPN tunnels as a
Windows service if you select the "OpenVPN Service"
option in the installer.
See "Running as a Windows Service" below for more
details.
Also new are right-clickable
options on .ovpn files (the Windows file
extension for OpenVPN config files), including the
ability to instantiate an OpenVPN process
on a given config file.
Other changes include a new start menu
shortcut to generate a static key, and a
few other useful shortcuts.
More work as well has gone into improving MTU
configurability in the TAP-Win32 driver.
See MTU notes below for more info.
Ease of installation has been dramatically improved
with the development of a real Windows
installer/uninstaller using the Nullsoft Install System.
The OpenVPN Windows distribution is now packaged as a
self-installing EXE which will automatically
install/upgrade OpenVPN, OpenSSL components,
the TAP-Win32 driver, and install the OpenVPN
service wrapper.
You can now create multiple TAP-Win32 adapter instances,
to allow several VPN tunnels to run concurrently
(See OpenVPN Start Menu shortcuts).
See Change Log for more details:
http://openvpn.sourceforge.net/changelog.html
How to Install
--------------
Download and Unzip the most recent OpenVPN distribution
from:
http://prdownloads.sourceforge.net/openvpn/
Choose the most recent self-installing distribution
with an .exe extension.
You can also download a source-only distribution by
selecting a .zip or .tar.gz file.
If you are upgrading from 1.5-beta2 or earlier,
you might want to uninstall the TAP
device using the device manager (Control Panel ->
System -> Hardware), reboot, then reinstall
from the self-installing exe to be sure that
all remnants of the previous driver installation
are removed from your system. Going forward,
the new installer is designed to make upgrading
OpenVPN and the TAP-Win32 driver as automatic
as possible.
Running OpenVPN from a console window
-------------------------------------
First, create a config file. A sample is provided
in \Program Files\OpenVPN\config\sample.ovpn.txt
Edit this file and save it with a .ovpn extension.

Now, run OpenVPN by right clicking on the
.ovpn filename and selecting "Start OpenVPN
on this config file".

You can also run from a command prompt window:

  openvpn --config sample.ovpn

Running OpenVPN as a Windows Service
------------------------------------
When OpenVPN runs as a service it will start a
separate OpenVPN process for each configuration
file it finds in the
\Program Files\OpenVPN\config directory and will
output a logfile of the same name to the
\Program Files\OpenVPN\log directory.
When installed as a service, OpenVPN
will default to manual start mode. You
can go to the Services control panel
in Control Panel -> Administrative Tools
to start the service or to set it to Automatic
Start mode.
A sample config file has been provided in
\Program Files\OpenVPN\config\sample.ovpn.txt
which can be adapted to your needs.
Service Notes:
* When you install OpenVPN as a service, you
are actually installing openvpnserv.exe which
is a service wrapper for OpenVPN, i.e. it
reads the config file directory and starts
up a separate OpenVPN process for each config
file. openvpnserv.exe performs the same
function under Windows as the
/etc/init.d/openvpn startup script does
under Linux.
* When you stop the OpenVPN service, it will
send a terminate signal to all OpenVPN
processes which were started by it.
* If the OpenVPN service wrapper (openvpnserv.exe)
encounters fatal errors, it will write them
to the Windows event log, which can be
viewed in Control Panel -> Administrative Tools
-> Event Viewer -> Application Log.
* If the OpenVPN processes themselves encounter
errors, they will write them to their respective
log files in the log file directory.
* There is a one-to-one correspondence between an
OpenVPN process, an OpenVPN config file, an
OpenVPN log file, and a TAP-Win32 adapter which
represents an endpoint of a VPN tunnel.
* OpenVPN tunnels are point-to-point in their
simplest form, but can be made point-to-multi-point
through the use of bridging or routing
(see below).
* Multiple OpenVPN processes can run concurrently,
each on a different TAP-Win32 adapter.
* openvpn.exe gets all configuration
information from its config file, not from
the registry.
* The openvpnserv.exe program (the service wrapper)
gets several string parameters from the registry which
can be modified by the user. If you change any of these
parameters, you should be able to upgrade OpenVPN to
a new version without the installer overwriting your changes.

  HKLM\SOFTWARE\OpenVPN

    config_dir -- configuration file directory to scan, defaults to
                  "\Program Files\OpenVPN\config"
    config_ext -- file extension on configuration files, defaults
                  to "ovpn"
    exe_path   -- path to openvpn.exe, defaults to
                  "\Program Files\OpenVPN\bin\openvpn.exe"
    log_dir    -- log file directory, defaults to
                  "\Program Files\OpenVPN\log"
    log_append -- if set to "1", multiple instantiations of an OpenVPN
                  process will append onto the same log file, if set
                  to "0" (default), each new instantiation will
                  truncate the previous log file
    priority   -- the Windows priority class for each
                  instantiated OpenVPN process, can be one of:
                  (1) "IDLE_PRIORITY_CLASS"
                  (2) "BELOW_NORMAL_PRIORITY_CLASS"
                  (3) "NORMAL_PRIORITY_CLASS" (default)
                  (4) "ABOVE_NORMAL_PRIORITY_CLASS"
                  (5) "HIGH_PRIORITY_CLASS"
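
An added example, not OpenVPN's own code: a Python check for values
exported from HKLM\SOFTWARE\OpenVPN, comparing them against the defaults
and allowed values listed above. Because the wrapper launches whatever
exe_path names for every file in config_dir, changes to these values
deserve review. The install_root parameter and the sample export are
assumptions.

```python
# Added example: audit service-wrapper registry values against this document.
import ntpath

DEFAULTS = {
    "config_dir": r"\Program Files\OpenVPN\config",
    "config_ext": "ovpn",
    "exe_path": r"\Program Files\OpenVPN\bin\openvpn.exe",
    "log_dir": r"\Program Files\OpenVPN\log",
    "log_append": "0",
    "priority": "NORMAL_PRIORITY_CLASS",
}
PRIORITIES = {"IDLE_PRIORITY_CLASS", "BELOW_NORMAL_PRIORITY_CLASS",
              "NORMAL_PRIORITY_CLASS", "ABOVE_NORMAL_PRIORITY_CLASS",
              "HIGH_PRIORITY_CLASS"}

def _norm(path):
    # Drop the drive letter, collapse "..", and ignore case as Windows does.
    return ntpath.normcase(ntpath.normpath(ntpath.splitdrive(path)[1]))

def audit(values, install_root=r"\Program Files\OpenVPN"):
    # values: dict of name -> string as exported from the registry key;
    # names that are missing fall back to the documented defaults.
    v = {**DEFAULTS, **values}
    root = _norm(install_root)
    findings = []
    for name in ("config_dir", "exe_path", "log_dir"):
        p = _norm(v[name])
        if p != root and not p.startswith(root + "\\"):
            findings.append(f"{name} is outside the install directory: {v[name]}")
    if ntpath.basename(_norm(v["exe_path"])) != "openvpn.exe":
        findings.append(f"exe_path does not name openvpn.exe: {v['exe_path']}")
    if v["priority"] not in PRIORITIES:
        findings.append(f"priority is not a listed class: {v['priority']}")
    if v["log_append"] not in ("0", "1"):
        findings.append(f"log_append must be 0 or 1: {v['log_append']}")
    return findings

# Constructed sample export; not taken from a real system.
SAMPLE = {
    "exe_path": r"C:\Program Files\OpenVPN\..\..\Temp\openvpn.exe",
    "priority": "REALTIME_PRIORITY_CLASS",
    "log_append": "1",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
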
Bridging vs. Routing