OpenVPN/HowTo for Windows 2

From Secure Computing Wiki
Jump to navigation Jump to search

Creating your own installer and install configuration from ZIP file

This procedure will create an OpenVPN installer wrapper which will let you download the OpenVPN installation files on-the-fly, validate them by a simple MD5 and install a pre-configured configuration ZIP file in the proper place automatically.

To use this setup, it's expected that you:

  • Have access to a Web server where your users can download your files from the Internet
  • Prepares a ZIP file with a OpenVPN configuration file together with all other needed files for a proper configuration

The intention is that the user will download this OpenVPN installation wrapper and run only that. This wrapper takes care of the rest.

The advantage of this is that this installation wrapper do not need to be updated often. When OpenVPN releases a new, you just need to update your web server with the new OpenVPN installer and generate a new OpenVPN installer MD5 hash file.


Build the installer

  1. Open the OpenVPN-InstCfgWiz.nsi file in a text editor
  2. Locate the "Download URLs ... **MUST BE CHANGED**" section
  3. Change these three URLs to proper addresses where you will make the OpenVPN installer available. The variables you need to change are:
    • $URL_InstCfgWizHash - This file will be generated at the end. It will contain a MD5 hash of your install wrapper which you are preparing now
    • $URL_OpenVPNinstaller - A complete URL to the OpenVPN installer itself. If you don't want to rebuild this install wrapper when a new OpenVPN version becomes available, avoid using any version number strings and use a neutral name for the installer.
    • $URL_OpenVPNinstallerHash - A file which contains the MD5 hash of the OpenVPN installer executable
  4. Run the makensis program
    • Example: On Fedora with the mingw32-nsis package installed run:
$ makensis OpenVPN-InstCfgWiz.nsi
  1. Calculate the MD5 hash of the installer and OpenVPN files
    • Example: On Fedora:
$ md5sum OpenVPN-InstCfgWiz.exe | awk '{printf $1}' > OpenVPN-InstCfgWiz.exe.md5
$ md5sum openvpn-installer.exe | awk '{printf $1}' > openvpn-installer.exe.md5
    • Please note that the MD5 hash files must not contain any newline/CR-LF at the end of the line. The MD5 files should be 32 bytes.
  1. Copy the following files to your webserver in the location you defined in the NSIS script
    • OpenVPN-InstCfgWiz.exe.md5
    • openvpn-installer.exe.md5
    • openvpn-installer.exe
    • (optional) OpenVPN-InstCfgWiz.exe

Prepare the configuration ZIP file

After OpenVPN is installed via this wrapper, it will ask for a ZIP file containing the configuration setup. The contents of this file should be:

  • OpenVPN configuration file with .ovpn extension
  • If using static keys (either for --secret or --tls-auth)
    • ta.key (or whatever filename this file uses in your configuration file)
  • If using SSL certificates
    • The CA certificate (e.g. ca.crt)
    • The client SSL key (e.g. client.key)
    • The client Certificate (e.g. client.crt)
    • Or, if using PKCS#12 files instead - the .p12 file containing all of the above.

These files should be in the "root" of the zip file - meaning: Do not use subdirectories in the ZIP file. This file will be extracted in the OpenVPN/config directory which OpenVPN-GUI reads.


Send the prepared ZIP file together with either the OpenVPN-InstCfgWiz.exe file or a download URL to this file. Ask the user to run this installer and follow the instructions given on the way.

That's all folks!


I (David Sommerseth) am by no means familiar neither with Windows nor the NSIS installer. The NSIS script is hacked together in a style that it should work. But I do not guarantee it is free of bugs or is written in the most efficient way. For compiling the installer, I have used Fedora 11 and Fedora 12 with the ming32-nsis package. The installation is tested during the development by using wine. Feel free to send your updates to, and I will incorporate your changes.