Setup a Windows VM as a VPN Gateway w/ICS and OpenVPN

This post has been a long time coming…

Since my ASUS router severely underperformed when used for OpenVPN, here’s how to configure a Windows VM (Server 2012 R2, in this case), with Internet Connection Sharing, as an OpenVPN gateway for your local network clients:

  1. Configure your VM per your usual specs (i.e. latest updates, disk sizes, etc.) with a single NIC (we only need 1 NIC for this).
  2. As of my writing this, OpenVPN 2.3.9 is the latest – using I601 for Windows Server 2012 R2:
  3. Leave all options for the install as default except for adding OpenSSL Utilities (I’m not quite sure you actually need this, but it’s in my notes from a year ago):

    Updated: The OpenSSL Utilities is not required for a gateway since all certs come from your VPN service provider; you can safely leave OpenSSL Utilites unchecked:
  4. Install the TAP NIC:
  5. Shouldn’t have any problems:
  6. I suspect most VPN providers have CA (certificate) files you grab as part of your access details — ca.crt, crl.pem — for PIA. Copy those and the appropriate .ovpn file (Germany.ovpn, in my example) to the config folder in your OpenVPN install folder: C:\Program Files\OpenVPN\config in my case:
  7. You will also need an authorization plaintext file for OpenVPN to auto-connect (contains only 2 lines, username and password). Copy that file to the OpenVPN config folder along with the files from step 6.
  8. Open properties of the TAP NIC and (I would suggest) disable DNS registration and IPv6. If you’re connected through RDP, now would be a good time to reconnect to the console session as the next steps are going to temporarliy disconnect your network connection.
  9. Now you want to share the TAP NIC so clients can use it as a gateway when it’s connected to your VPN provider:
    tap_nic-sharingCheck Allow other network users to connect through this computer’s Internet connection and un-check Allow other network users to control or disable the shared Internet connection.
  10. Windows will prompt you that it’s going to change your LAN NIC’s IP to – we’ll reset the IP back to our proper subnet after, so click Yes for now:share_nic-warning
  11. Now edit the TCP/IP settings for your LAN NIC back to its regular IP/gateway (an IP on your local subnet so your clients can reach it):
  12. Now it’s time to configure OpenVPN to automatically connect when the VM starts. Remember your auth.txt and the provider .ovpn file from steps 6 and 7? Edit the .ovpn file and add a couple lines:
    You’re basically telling OpenVPN where to find your username and password when it uses this profile.
  13. Last step, configure the OpenVPN Service startup type to Automatic (so it automatically connects after a reboot):
  14. Now, reboot and verify the OpenVPN Service is running (check the Germany.log file in the OpenVPN\log folder, in my case):
  15. Last step, adjust the TCP/IP settings of a client(s) to use that VM’s LAN IP as it’s gateway and check the public IP:
    Perfect! Public IP matches the logged IP.

Now you can modify clients to use this VM’s LAN IP as their network gateway and they will all appear to be from whatever location your VPN server is in!

That, and performance will kill anything the ASUS (or any other consumer-level router) could ever give.


Leave a Reply

Your email address will not be published. Required fields are marked *