Install the OpenVPN service when you install the client;
Place your OpenVPN profiles (with the extension .ovpn, not .conf as is common on Linux) in the config subdirectory of the OpenVPN installation directory, probably C:Program FilesOpenVPNconfig.
Open the Services console (services.msc);
Find OpenVPNService, right click on it, Properties, and change startup type from “Manual” to “Automatic”.
Start the service, and OpenVPN will find and connect to the profiles in any .ovpn files. Keep in mind in most situations you need one TUN/TAP interface per connection file. In windows, I strongly advise to permanently associate an interface with their connection using the configuration files: dev-node TAP_Serv forces OpenVPN to bind the connection to the network interface named “Tap_Serv”.
You may want to investigate is there\’s a way to elaborate a whitelist to force the service to connect only to specific files, and not all. I\’ve had some issues in the past with people who needed to have a VPN server as a service plus several vpn client files in the same machine that only connect every now and then. In those situations, if I wanted OpenVPN GUI to show them a beautifull list of available connections, it meant that the service saw those files and was trying to connect to them automatically. In those cases, I decided not to use services at all:
If using a service is not an option, you can pass extra command line arguments to the OpenVPN GUI invocation to make it automatically connect on startup (as well as showing the tray icon as usual):
openvpn-gui.exe –connect myprofile.ovpn
To get that to run when you log in, place such a shortcut in the usual startup folder. (For all users, %ProgramData%MicrosoftWindowsStart MenuProgramsStartup; or for the current user only, %APPDATA%MicrosoftWindowsStart MenuProgramsStartup.)
I don’t know how to avoid the user to connect to the Internet before the VPN is set. The only way I can figure out if through Windows Firewall, and I\’m not an expert on that subject. If you want to avoid a poweruser to be able to get to the Internet you need a firewall in your gateway to avoid so, or strong group policies to avoid privilege scalation.
For a normal user, you can configure the Windows client machine without a default gateway. Set a persistent static route to the VPN server on Windows clients using the following command (-P makes it persistent):
route -P add mask metric if
Roues in Windows are stored under the following registry key:
At this point a disconnected client only has access to the VPN server. Then you can add the following lines in the VPN server configuration file to add routes on clients when they connect:
To configure the VPN server as the default gateway:
push “redirect-gateway def1 bypass-dhcp”
To add an specific route through the VPN Server:
push “route 192.168.1.0 255.255.255.0”
Sometimes route pushing doesnt work on Windows. When this happens to me, I completly uninstall OpenVPN and it\’s interfaces from Windows, restart system and install the latest version of the software. Then, before stablishing the first connection, I restart Windows. This has allways solved the issues, however, Windows 10 Anniversary update (1607) is buggy with OpenVPN. There\’s a link to a deeper discussion in OpenVPN forums:
Keep that in mind when you setup your Windows 10 OpenVPN clients.