vpn-gateway-vwan-config-openvpn-windows.md

author	cherylmc
ms.service	azure-vpn-gateway
ms.topic	include
ms.date	01/28/2025
ms.author	cherylmc

1. Download and install the OpenVPN client (version 2.4 or higher) from the official OpenVPN website.

2. Locate the VPN client profile configuration package that you generated and downloaded to your computer. Extract the package. Go to the OpenVPN folder and open the vpnconfig.ovpn configuration file using Notepad.

3. Next, locate the child certificate you created. If you don't have the certificate, use one of the following links for steps to export the certificate. You'll use the certificate information in the next step.

   • VPN Gateway instructions
   • Virtual WAN instructions

4. From the child certificate, extract the private key and the base64 thumbprint from the .pfx. There are multiple ways to do this. Using OpenSSL on your computer is one way. The profileinfo.txt file contains the private key and the thumbprint for the CA and the Client certificate. Be sure to use the thumbprint of the client certificate.

   openssl pkcs12 -in "filename.pfx" -nodes -out "profileinfo.txt"
   

5. Switch to the vpnconfig.ovpn file you opened in Notepad. Fill in the section between <cert> and </cert>, getting the values for $CLIENT_CERTIFICATE, $INTERMEDIATE_CERTIFICATE, and $ROOT_CERTIFICATE as shown in the following example.

      # P2S client certificate
      # please fill this field with a PEM formatted cert
      <cert>
      $CLIENT_CERTIFICATE
      $INTERMEDIATE_CERTIFICATE (optional)
      $ROOT_CERTIFICATE
      </cert>
   

   • Open profileinfo.txt from the previous step in Notepad. You can identify each certificate by looking at the subject= line. For example, if your child certificate is called P2SChildCert, your client certificate will be after the subject=CN = P2SChildCert attribute.
   • For each certificate in the chain, copy the text (including and between) "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
   • Only include an $INTERMEDIATE_CERTIFICATE value if you have an intermediate certificate in your profileinfo.txt file.

6. Open the profileinfo.txt in Notepad. To get the private key, select the text (including and between) "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" and copy it.

7. Go back to the vpnconfig.ovpn file in Notepad and find this section. Paste the private key replacing everything between and <key> and </key>.

   # P2S client root certificate private key
   # please fill this field with a PEM formatted key
   <key>
   $PRIVATEKEY
   </key>
   

8. If you're using the 2.6 version of the OpenVPN client, add the "disable-dco" option to the profile. This option doesn't seem to be backward compatible with previous versions, so it should only be added to OpenVPN client version 2.6.

9. Don't change any other fields. Use the filled in configuration in client input to connect to the VPN.

10. Copy the vpnconfig.ovpn file to C:\Program Files\OpenVPN\config folder.

11. Right-click the OpenVPN icon in the system tray and click Connect.