25

Windows 10 startup seems to be strange, or at least new. Many programs don't autostart the way they did in previous versions, and a lot of people are asking how to get things to autostart. I know, because I'm constantly looking to autostart my programs I'm used to.

How can I get OpenVPN to start on boot, prevent Internet access until it's connected, and automatically log in to an OVPN profile?

I already have the credentials saved in a text file, so OpenVPN just needs to load the file, process it, and connect.

I used to have this working on Windows 7, but it seems I've forgotten how to do it.

1
  • How you configure an application to start, when a user logs into their profile, has remained unchanged since Windows XP was released. What have you specifically tried? Update your question.
    – Ramhound
    Commented Jan 11, 2017 at 16:12

3 Answers

40

The best way is to use services:

  1. Install the OpenVPN service when you install the client;
  2. Place your OpenVPN profiles (with the extension .ovpn, not .conf as is common on Linux) in the config subdirectory of the OpenVPN installation directory, probably C:\Program Files\OpenVPN\config.
  3. Open the Services console (services.msc);
  4. Find OpenVPNService, right click on it, Properties, and change startup type from “Manual” to “Automatic”.
  5. Start the service, and OpenVPN will find and connect to the profiles in any .ovpn files. Keep in mind that in most situations you need one TUN/TAP interface per connection file. In Windows, I strongly advise permanently associating each interface with its connection using the configuration files: dev-node TAP_Serv forces OpenVPN to bind the connection to the network interface named "Tap_Serv". Added after reading some comments: You need one interface per connection. In Linux this is trivial, but in Windows it may be problematic. Having two configurations that you can SEPARATELY test successfully doesn't mean they'll run together, as they may be competing for the same interface. OpenVPN is a ported program, and the Windows driver subsystem has always been a pain in the a**.

You may want to investigate if there's a way to elaborate a whitelist to force the service to connect only to specific files, and not all. I've had some issues in the past with people who needed to have a VPN server as a service plus several VPN client files on the same machine that only connect every now and then. In those situations, if I wanted OpenVPN GUI to show them a beautiful list of available connections, it meant that the service saw those files and was trying to connect to them automatically. In those cases, I decided not to use services at all:

If using a service is not an option, you can pass extra command line arguments to the OpenVPN GUI invocation to make it automatically connect on startup (as well as showing the tray icon as usual):

openvpn-gui.exe --connect myprofile.ovpn

To get that to run when you log in, place such a shortcut in the usual startup folder. (For all users, %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup; or for the current user only, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.)


I don’t know how to prevent the user from connecting to the Internet before the VPN is set. The only way I can figure out is through Windows Firewall, and I'm not an expert on that subject. If you want to prevent a power user from being able to get to the Internet, you need a firewall in your gateway to prevent it, or strong group policies to prevent privilege escalation.

For a normal user, you can configure the Windows client machine without a default gateway. Set a persistent static route to the VPN server on Windows clients using the following command (-P makes it persistent):

route -P add <target> mask <netmask> <gateway IP> metric <metric cost> if <interface>

Routes in Windows are stored under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes

At this point a disconnected client only has access to the VPN server. Then you can add the following lines in the VPN server configuration file to add routes on clients when they connect:

To configure the VPN server as the default gateway:

push "redirect-gateway def1 bypass-dhcp"

To add a specific route through the VPN Server:

push "route 192.168.1.0 255.255.255.0"

Sometimes route pushing doesn't work on Windows. When this happens to me, I completely uninstall OpenVPN and its interfaces from Windows, restart the system and install the latest version of the software. Then, before establishing the first connection, I restart Windows. This has always solved the issues. However, Windows 10 Anniversary update (1607) is buggy with OpenVPN. There's a link to a deeper discussion in OpenVPN forums:

Connection problems with Windows 10 anniversary update

Keep that in mind when you set up your Windows 10 OpenVPN clients.

If you're a consultant looking to give advice to a client, please consider using some specific NATIVE Windows solutions, if your client's budget allows for it. I won't name any to avoid being flagged, but most known networking hardware companies offer solutions compatible with their devices that provide native drivers for any edge OS you may think of. Disclaimer: I don't work for any of those companies. For my own daily life I use OpenVPN, but to remotely connect to my company they've a commercial solution bundled on the computers: I never had a single connection issue, while OpenVPN is usually more delicate. Don't get me wrong, I've delivered OpenVPN to production environments for clients with total success, but you need to be extra cautious (and put watchdog and recovery measures in place, or just train the user to "click reconnect" if something doesn't work properly).

13
  • You could use the route command to force all traffic through the VPN. See comentum.com/route.html
    – Jeff F.
    Commented Jan 11, 2017 at 16:40
  • I consider myself a power user, but I'd like to be able to set this up for nonpower users and have it work seamlessly too. I don't need to prevent other power users from tinkering. Commented Jan 11, 2017 at 17:19
  • "The OpenVPN service will look into the config directory and connect to every VPN profile that is stored here." That doesn't seem to be the case. It seems to be that it connects to the first one, when they are sorted alphabetically. Can you link to documentation? I can't find a section that covers that. Commented Jan 11, 2017 at 18:56
  • Hello Dan. Most of my experience comes from OpenVPN servers in CentOS, and whenever I store multiple server files it runs them all. I'll conduct a test to determine if the behaviour with client files is the same, but I've no reason to think it will be different. Sorry if I misled you, will report back ASAP (I'm at work right now, either when I've some free time or after work I'll check it on a Windows machine).
    – DGoiko
    Commented Jan 12, 2017 at 8:22
  • 1
    Also Task Scheduler (Windows key + R, type Taskschd.msc and press Enter) can be used.
    – user198350
    Commented Apr 2, 2017 at 18:50
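
A read-only audit of the route-based setup described in the first answer (service on Automatic, no default gateway, a persistent route to the VPN server, `redirect-gateway def1` pushed by the server), added here as an example and not part of that answer. The server address 203.0.113.10, the /32 host-route mask and the script's parameter names are assumptions; TAP_Serv is the adapter name the answer uses with dev-node.

```powershell
# Added example: audits the setup from the first answer. Changes nothing.
# Assumed values (not from the page): server address and the /32 mask.
param(
    [string]$VpnServerIp = '203.0.113.10',   # constructed documentation address
    [string]$TapAlias    = 'TAP_Serv',       # adapter name given to dev-node
    [string]$ServiceName = 'OpenVPNService'
)
$findings = @()

# 1. The service has to start at boot, before any user logs in.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings += "Service '$ServiceName' is not installed"
} elseif ($svc.StartType -ne 'Automatic') {
    $findings += "Service '$ServiceName' start type is $($svc.StartType), expected Automatic"
}

# 2. A default route on any adapter other than the TAP one lets traffic
#    leave in the clear while the tunnel is down. ::/0 covers IPv6.
$leaks = Get-NetRoute -DestinationPrefix '0.0.0.0/0', '::/0' -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceAlias -ne $TapAlias }
foreach ($r in $leaks) {
    $findings += "Default route $($r.DestinationPrefix) via $($r.NextHop) on '$($r.InterfaceAlias)'"
}

# 3. The pinned route must survive reboots: 'route -P add' stores it as a
#    value named "destination,mask,gateway,metric" under this key.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes'
$names = (Get-Item -Path $key -ErrorAction SilentlyContinue).Property
if (-not ($names | Where-Object { $_ -like "$VpnServerIp,255.255.255.255,*" })) {
    $findings += "No persistent host route to $VpnServerIp"
}

# 4. redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1 on the tunnel
#    adapter instead of replacing 0.0.0.0/0; both present means tunnelled.
$def1 = @(Get-NetRoute -InterfaceAlias $TapAlias `
        -DestinationPrefix '0.0.0.0/1', '128.0.0.0/1' -ErrorAction SilentlyContinue)
$tunnel = if ($def1.Count -eq 2) { 'up (def1 routes present)' } else { 'down' }

"Tunnel: $tunnel"
if ($findings) { $findings | ForEach-Object { "FAIL: $_" }; exit 1 }
'OK: no route bypasses the VPN and the service starts at boot'
```

A DHCP lease renewal can reinstall the default gateway, so running this from a scheduled task at boot and at logon catches the regression that check 2 looks for.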
4

Don't know if this is still relevant, but since OpenVPN 2.5.0 you can just put the config under "config-auto" instead of "config" and the connection will be brought up automatically when the service starts. No extra scripts or autostart required.

1
  • Everything is always relevant. My dad just asked me about this and came back to my own post to check some commands, and your answer made my day :)
    – DGoiko
    Commented Aug 26, 2022 at 17:15
1

If you don't want to run it as a service, you can just copy DGoiko's second answer and run it in a batch file (e.g. openVPNautostart.bat). Simple if you want to send it around and have people run the script manually as administrators. I stole some code from here and adapted it to openVPN. If you're using regular install settings it should work.

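@echo off
REM Creates an openvpn-gui shortcut in the all-users Startup folder
REM by writing and running a temporary VBScript.
SETLOCAL ENABLEDELAYEDEXPANSION
SET LinkName=OpenVPN
REM The doubled %% keeps the variables unexpanded in the batch file;
REM the VBScript expands them with ExpandEnvironmentStrings.
SET Esc_LinkDest=%%ProgramData%%\Microsoft\Windows\Start Menu\Programs\Startup\openvpn-gui.lnk
SET Esc_LinkTarget=%%ProgramFiles%%\OpenVPN\bin\openvpn-gui.exe
SET cSctVBS=CreateShortcut.vbs
REM Output of the block below is appended to a log next to the script.
SET LOG=".\%~N0_runtime.log"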
((
  echo Set oWS = WScript.CreateObject^("WScript.Shell"^)
  echo sLinkFile = oWS.ExpandEnvironmentStrings^("!Esc_LinkDest!"^)
  echo Set oLink = oWS.CreateShortcut^(sLinkFile^)
  echo oLink.TargetPath = oWS.ExpandEnvironmentStrings^("!Esc_LinkTarget!"^)
  echo oLink.Save
)1>!cSctVBS!
cscript //nologo .\!cSctVBS!
DEL !cSctVBS! /f /q
)1>>!LOG! 2>>&1

To edit the shortcut location (for all users/only current user) you can edit %%ProgramData%%\Microsoft\Windows\Start Menu\Programs\Startup\openvpn-gui.lnk (all users) to %%APPDATA%%\Microsoft\Windows\Start Menu\Programs\Startup\openvpn-gui.lnk (current user).

1
  • nice solution. Saving the template for future :)
    – DGoiko
    Commented Aug 26, 2022 at 17:13
