Networking/Virtual Private Network (VPN)/How To for windows

From Snom User Wiki

Jump to: navigation, search
Languages: English • Deutsch

Author: SK

This how-to describes the installation and configuration of OpenVPN on Windows (XP) with PKI authentication and the building of a VPN-tarball ready for snom370/820. For those who shy away from such an installation, ciphron ( offers an out-of-the-box solution called ciphwall. I assume that you will use the same server as OpenVPN server and SIP PBX server.


Installation of OpenVPN and easy-rsa

Before you start with the installation you need to download some software, like OpenVPN.

Required Software

  • OpenVPN GUI from [1] incl. TAP driver
  • 7zip [2]

Mandatory Software

  • Notepad++ [3]
  • HFS - HTTP File Server [4]

Install OpenVPN

Once you had download the OpenVPN GUI installer, run it by a double click. It will install OpenVPN, the OpenVPN GUI and the Tap-Drivers for Windows.

Click on NextAgree to the license
Click on NextClick on Install
Continue the installationClick on Next
Click on Finish

The Installation is now complete and you should see the OpenVPN GUI Icon in the taskbar. Image:openvpn_gui_install8.png

Configuration of OpenVPN

Create server configuration for OpenVPN

Edit the file C:\Program Files\OpenVPN\config\server.ovpn with your favorit editor:

Paste the following content into the file:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key 
dh dh1024.pem
keepalive 10 120
status C:\\openvpn-status.log
verb 6
If the file doese not exist, create it with "save as" funktion of your editor.
In the startmenu entry for OpenVPN is a shortcut to the config folder

Create client/phone configuration for OpenVPN

Paste the following content into the file c:\Program Files\OpenVPN\easy-rsa\keys\vpn.cnf

dev tun
proto udp
remote <Server-IP/-name> 1194
resolv-retry infinite
ca /openvpn/ca.crt
cert /openvpn/client.crt
key /openvpn/client.key
ns-cert-type server
verb 0 
ping 10
ping-restart 60

Remember to set the value for remote to your server's IP or fqdn.

Creation of certificates with easy-rsa

The creation of the necessary certificates and other files will be done on a command prompt. To open a command promt open Start -> run, enter "cmd" without the " and confirm this with the enter key.

Easy-rsa configuration setup

Before you start to create the files, you need rename some files in the easy-rsa folder of your OpenVPN installation. Usually this folder is in C:\Program Files\OpenVPN\easy-rsa. you need to rename vars.bat.sample to vars.bat and openssl.cnf.sample to openssl.cnf.

Now you need to edet the file vars.bat with your favorit editor.

The values for the creation of the certificates have to be set. Here is an example:

set KEY_CITY="Berlin"
set KEY_ORG="snom technology AG"
set KEY_EMAIL=""
KEY_COUNTRY must be only 2 characters long. The values must be like DE for Germany or UK for United Kingdom.

Certificate creation with easy-rsa

You need to run the following commands in a command prompt. You can open a command prompt with Start -> run -> enter "cmd" without the " and confirm

cd C:\Program Files\OpenVPN\easy-rsa

Creation of the ca-certificate

Run the command buld-ca.bat

The line Common name, you should enter the name of your company and add CA to that string

Creation of the server certificate

Run the command build-key-server server

On the line Common name you should enter the name of your server or the IP address
You can leave the password requests empty

Creation of Diffie Hellman parameter

Run build-dh.bat

Creation of client/phone certificates

Every client/phone should have its own certificate. It is necessary to give each certificate an individual name, e.g. the phone's MAC address, for example 0004132FFFFF

Copy the necessary files

Some of the certificates and other files need to be copied to th config dir of OpenVPN.

  • ca.crt
  • server.crt
  • server.key
  • dh1024.pem

You will find these files in the subfolder keys of the easy-rsa folder.

All the named files need to be copied to c:\Program Files\OpenVPN\config\

Starting the OpenVPN server

Now you are able to start the server. Rightclick the OpenVPN GUI icon in the taskbar and click on connect.
A log will appear and the OpenVPN GUI icon become yellow.

The OpenVPN GUI icon will become green if all is fine.

Provide VPN tarball to the phone

The phones need the configuration and certificate files within a tarball. The tarball must be provided to the phone by a web- or ftpserver.

Installation of the HFS webserver

Download the lastest HFS installation file from here. Run the installation file.

Creation of the VPN tarball

At first you have to make a copy the client files we had create 0004132FFFFF.crt and 0004132FFFFF.key. Rename the copy to client.crt and client.key.

Start 7zip an open the keys folder C:\Program Files\OpenVPN\easy-rsa\keys\, mark the files ca.crt, client.crt, client.key and vpn.cnf and click on the add button.

A new windows appears. Enter 0004132FFFFF.tar as the archiv name an press the OK button.

Provide the tarball

To provide the tarball via HTTP with HFS you need to open the directory C:\Program Files\OpenVPN\easy-rsa\keys\. Rightclick the file 0004132FFFFF.tar and press Addto HFS.

A new window will appear and show you the file. A new icon in you taskbar will also appear.

You are now able to download the file via webbrowser. Tryout with your Internetexplorer and the IP-address of your server.

Configure the phone

VPN settings

You need to activate VPN functionality in the webinterface of your phone, advanced -> security -> vpn set to on and save. You do not need to reboot the phone at this time. Two new line will appear. Enter the url to the tarball in the first of these new lines.

Now you need to reboot your phone.

The phone will fetch the tarball after restart and will again restart automatic if it got the tarball.
If all was successfull, you will see the VPN icon in the phone display after the second restart.

Identity settings

Enter the server's IP address as registrar and proxy in Configuration Identity/Login.

Personal tools