This guide is to assist you in making your VPN experience on Windows as seamless as possible. This guide can be used with both a public VPN service that you subscribe to and also a private VPN server you host yourself. This guide focuses only on the OpenVPN client side on your Windows computers and is written to be as easy to understand with the least amount of effort required to accomplish each of the following five goals:
- Automatic login to your VPN service without needing to manually enter the username/password each time you connect
- Shows you how to easily set which domains or IP Addresses should bypass your VPN when it's connected
- Enabling DNS leak protection which keeps your IP Address from leaking through DNS requests made by your computer
- Automatic start of your OpenVPN client and connecting to your VPN service when your computer starts
- Disabling OpenVPN launch windows and other GUI annoyances when it establishes new connections
You will need a Windows computer which is running either Windows Vista, 7, 8, 8.1, 10, 2008 R2 or 2012 R2. This guide does not support Windows XP and in-fact the DNS Leak Protection in this guide does not function on Windows XP.
You will also need the official OpenVPN client and GUI which you can download together in one installer from their official website: https://openvpn.net/index.php/open-source/downloads.html
After you've installed OpenVPN it is essentially ready to be used. You would at this point go to your VPN providers website and download their OpenVPN configuration files. These files use the .ovpn extension and you will be told to place them in the OpenVPN configuration folder found here:
C:\Program Files\OpenVPN\config
You should have one .ovpn file for each server or location (if they use central gateways into their regional server network). You will need to modify each of these files or only the ones you wish to make connections to. I recommend modifying all of them so that you won't accidentally use one that isn't configured by this guide and to give you greater choice with which servers you can use later on.
Once you've placed all the files in the folder we can begin modifying them for the five steps of the guide. You'll want to use Notepad to open these files however any other basic text editor will do.
Open one of the .ovpn files and find the line that says "auth-user-pass" and change that to "auth-user-pass auth.txt" like in the screenshot below. Do this for each and every .ovpn file present in the config folder.
This will make OpenVPN look for a username and password stored in a file called auth.txt which we will create in the same config folder as the .ovpn files.
This is what that file should look like, you can see I've populated it with a username called pippin and the password underneath.
And that is all that is required to automatically connect to your VPN's. But keep the config folder open as you'll need it for the next two sections of the guide.
Many torrent sites do not allow public VPN services to be used for browsing their websites. This means you will need to disconnect your VPN to access some websites and you may forget to disconnect from your VPN which could lead to staff penalties. So this part of the guide shows you how to make a custom config file which will detect services by their domain names and bypass your VPN tunnel using your normal internet access instead. This is also useful for sites that now block VPN use such as Netflix and Hulu.
We'll start by adding a reference to our custom config file at the very bottom of each .ovpn file you've obtained from your VPN provider like in the screenshot below:
Once you've created this reference OpenVPN will load the custom_configs.txt file each time it connects to any of your VPN providers servers. This allows us to quickly add new websites to be bypassed without needing to modify all the separate server .ovpn files in the future.
Now you'll want to create the custom_configs.txt file itself and populate it with the websites you want to bypass your VPN connection like in the screenshot below.
In the above screenshot I have provided exceptions for BTN, WCD and PTPC. You can add as many exceptions as you want, one per line. The only part you need to alter is the domain name, the 255.255.255.255 and net_gateway parts remain the same for all entries. If you're curious the net_gateway part tells OpenVPN to route connections to the specified domain name through your main network gateway instead of through your VPN connection.
You can if you prefer provide your routers IP Address but net_gateway is universal and will work even if you're on a public WiFi network without you needing to re-specify any network addresses. Below is a written example you can copy and paste for BTN.
route broadcasthe.net 255.255.255.255 net_gateway
I also strongly recommend adding an extra entry to the file for whatsmyip.org so that we can test the VPN bypass is functional. Here is an example of that entry:
route whatsmyip.org 255.255.255.255 net_gateway
After adding all the sites you wish to bypass your VPN you may save this file. If you were already connected to your VPN before making this change you will need to reconnect. To test that it's working please visit http://whatsmyip.org you should see your non-VPN address displayed back to you. Then check http://ipinfo.io and you should see your VPN address displayed as you did not make an exception for this website.
Due to Windows built in behaviour of using multiple DNS servers simultaneously you will need to block all DNS queries which don't go through OpenVPN. Thankfully as of OpenVPN 2.3.9 there is a new feature called block-outside-dns which will automatically block all DNS queries which aren't made through OpenVPN when a VPN connection is active. That means you don't need to change anything when connecting or disconnecting to/from a VPN server, it will automatically block and unblock your non-VPN DNS calls automatically.
To use this feature you will need to open the custom_configs.txt you created above in Step 2 and add block-outside-dns to the file like in the screenshot below.
Save this file and now when you connect to your VPN server you'll be protected against DNS leaks. If you were already connected to your VPN before making this change you will need to reconnect.
To test it's working you can use https://dnsleaktest.com/ and https://ipleak.net/ I recommend you try them both before you make a determination on whether your DNS queries are leaking your non-VPN IP Address or not.
Since it will be very annoying to keep needing to manually connect to your chosen VPN each time you start your computer we're going to create a scheduled task in Windows which will launch OpenVPN and tell it to connect to your chosen VPN server on system startup.
To do this you'll need to create a new task in the Task Scheduler. You can find this application already present on your Windows computer by typing Task Scheduler into the start search bar.
Once the program is open you'll want to click on "Create Basic Task" in the far right pane of the program and then follow the screenshots below for each step.
In the screenshot below the arguments for the OpenVPN client have been cut off by the box. You'll want to write the following in that box: --connect Australian-VPN.ovpn and of course you will want to change the .ovpn file name to the server you want to connect to automatically when your computer starts.
Please note if your .ovpn file has a space in its file name for example "Australian VPN.ovpn" this will not work and you will need to replace the space with a dash not only in the argument box but in the actual filename of the .ovpn file inside your OpenVPN's config folder.
Once you've saved these options you should verify that the task is setup correctly. It needs to run with highest privlidges to stop UAC prompts and it should be set not to stop after any amount of time. To do this click on Task Scheduler Library in the far left pane then select the task you created from the list. Now click on Properties in the far right pane.
Inside you should match the General tab to the first screenshot below and the trigger options from the Triggers tab to the second screenshot below.
Now when your computer starts OpenVPN will launch and connect to the VPN server you have specified. It will also login automatically using the username and password you setup previously in Step 1, use your custom domain bypasses from Step 2 and enable DNS leak protection from Step 3.
If you've used OpenVPN previously you may have seen that it brings up balloon messages when it connects to a VPN server and it also brings up a connecting status window. If you find one or both of these annoying you can turn them off using the windows registry. If you like having these then you can disregard this step.
To disable either of these UI settings the first thing to do is access the OpenVPN registry settings, to do that open regedit.exe which you can launch through the windows start search system by typing in regedit. Once it's open expand HKEY_LOCAL_MACHINE and then expand SOFTWARE and finally OpenVPN-GUI you will find lots of options in this menu. Below is a screenshot of the menu so you know you're at the right place.
Once there you can double click to modify show_balloon to 0 as shown in the above screenshot in blue to stop balloon popups. And you can disable the connecting status window by double clicking on silent_connection and changing its setting to 1 as also shown in the above screenshot in green. Again both of these options are optional and you can choose to enable or disable them.
If you only want to hide these when your computer first boots up but still have them show when you manually connect to a VPN server you can leave these options as they were originally and instead add --silent_connect 1 and --show_balloon 0 to your earlier Task Scheduler launch arguments. If you've already made the task you can modify it in the Task Scheduler interface under "Task Scheduler Library" which you can select from the far left pane, you'll find the arguments under the Actions tab.
And that's it, you're now using OpenVPN with Windows with the least amount of maintenance required. You don't need to enter any login information, you don't need to start the program or connect to your favourite VPN server and you can use it all the time even while surfing sites that don't allow you to use public VPN services. If you have any questions feel free to reply in this topic.
If you use a Macintosh or Linux system some of this guide is still applicable to you, the website bypassing feature I described in Step 2 functions perfectly with the OpenVPN client for Linux and Tunnelblick for Mac OS X. But I still urge you to fully test it's working using the methods described above before using your VPN to access sites that do not allow public VPN use. The DNS leak protection setting is only applicable to Windows, you don't need this on Linux or OS X.