HowTo use OpenVPN on Win32 to setup a simple VPN through firewall/NAT for gaming

[automatic translated italian version]

I had recently re-installed Windows as Falcon4AF is the only needed apps that do not have better equivalence on Linux, and the Wine emulation is not perfect with DX9. The reason to create a VPN on Win32 come from the need to permit to all gamers of our association PVI to connect in one network gaming with the F-16 combat flight simulator Lead-Pursuit Falcon4 Allied Force. Here in Italy many users had subscribed to a provider Fastweb that offer a bidirectional fiber optic LAN connection with a speed of 10 Mbps. The problem is that the connection is a LAN connection, so they give private IP address, and the NAT/Firewall shelf is at provider buildings. Users have no configuration access to Port Forwarding. Every Falcon4AF client (also if you do not host a game), operate as a server, listening on 2934 and 2935 UDP port to exchange packets with all the players.

Using a VPN, we create a geographical LAN, so:
1 - we can all use private address, and inside the VPN no port forwarding is required.
2 - in this manner two or more computers can share the same public IP address, like a dedicated Falcon server and a computer used for human flight in the same house.
3 - as a side effect the VPN encrypt all the traffic inside a pipe, and so no one can see, sniff  or log our traffic. So we can share files, using the simple and insecure Windows File Sharing protocols but protected in the VPN pipe. Win32 File Sharing normally is a LAN only protocols, isn't possible to use it on the internet. Used inside a VPN, it can be used as a geographical protocol. With this method we exchange Briefing, ACMI files, tools, joystick and Mumble/Teamspeak profiles, shot images, movies, gigabytes scenery, and so on ...

Falcon4AF is an old application that is written with a technology that run well on Windows only, and Win32 miss a secure VPN implementation. So we had to choose one available on the net.

We do not choosed Hamachi because it is not open source, so:
1 - When you connect your computer through Hamachi client, it connect to Hamachi server. All traffic pass through the Hamachi servers. We do not know what they do with our packets, they can sniff, copy, save, log, ... so a privacy threat is on. Surely they have back-door, because they keep the program closed source.
2 - The Hamachi servers are often very overloaded. You will experience lag, lot of latency, freeze and so on. The problem here is that thousands of clients from around the world connect to few Hamachi servers.
3 - We have at least ONE network connection that is an ADSL, so we can manage that NAT/PortForwarding configuration. We use the PC behind that connection to host the VPN, we all connect to that VPN server, and then anyone of us can host the Falcon4AF campaign/TE.

We choose OpenVPN because:
1 - it is opensource (so no back-door)
2 - is cross-platform (work on Linux too)
3 - is very well documented and supported.
4 - permit to choose where to put the server for the VPN.
We use a dedicated fixed IP VPN server with 4Mbps bidirectional bandwidth, that is always free for us and so very responsive, but is not required, sometimes someone with managed ADSL router host the VPN.
On the NAT/Firewall of the VPN server only, you need to forward the OpenVPN UDP port 1194 as standardized by  IETF RFC.

OpenVPN is very generic, work in different operative system, can emulate a L2 VPN or L3 VPN, point to point or multi-point, support routing and lot of advanced net options. The configuration can be a little difficult if you do not know much of IP protocols and Ethernet LAN. I read the HowTo on the Web site, tried the steps with two friends, and wrote this simple step by step guide for Falcon4AF on Win32 only. Now we use OpenVPN two days a week for our net flight. From the documentation does not seem OpenVPN have a limit on the number of clients that can connect all together. In the configuration file you can limit to 100 or what you want. We really tried in 15 player maximum from all around Italy.

OpenVPN program install (for Server and Clients, do only first time)

01 - Open your browser, type address:

02 - click on "Community Project" on top and then on "Download" on drop down menu. It point to:
03 - download the last stable realease, on Dec 2010 is the link: "openvpn-2.1.4-install.exe"
     It point to:
04 - Install OpenVPN. If you see the warning "this program is not Microsoft certified", continue.
     Remember open source applications cannot pay the certification process at Microsoft, because are free software.

06 - (optional) If you want the Italian GUI, point at address:
07 - (optional) click on menù: "Download, Stable" on the left, that point to:

08 - (optional) click on: "Localized Versions" section,
     choose your language GUI application.
     I chose:   Italian   openvpn-gui-1.0.3-it.exe

     that point to:
09 - (optional) Copy "openvpn-gui-1.0.3-it.exe" files in the "\Program Files\OpenVPN\bin" folder.
10 - (optional) Create a link to the executable "openvpn-gui-1.0.3-it.exe" and put it on the desktop.

Do not forgot to disable your Firewall on the newly created network card "TAP-Win32 Adapter V9":
Start menù, Settings, Control Panel, Firewall, Advanced tab, in the list box select the newly created virtual interface card, remove the V selection, press OK.
This is only used inside the public key authenticated VPN, so do not need other method of protection.

How to for OpenVPN on the server

Original source for general documentation:

A - Server configuration, to do only once

11 - create a directory: \Program Files\OpenVPN\easy-rsa\keys
12 - open a CMD prompt and go the directory: \Program Files\OpenVPN\easy-rsa\
13 - run: init-config
14 - edit the file vars.bat and set these variables (set your data):
       set KEY_COUNTRY=IT
       set KEY_PROVINCE=RM
       set KEY_CITY=Roma
       set KEY_ORG=PVI
15 - run: vars.bat
16 - run: clean-all
17 - run: build-ca
     answer to all questions with default (simply press return), but:
     Common Name (eg, your name or your server's hostname) []:
     type "PVI-CA" (without quotation)
18 - run: build-key-server server
     answer to all questions with default (simply press return), but:
     Common Name (eg, your name or your server's hostname) []:
     type "PVIserver" (without quotation)
     At the last two questions (sign and commit) answer with "y".

B - Create the client certificates, to do only once

19 - check in the directory \Program Files\OpenVPN\easy-rsa\keys should be the files:
       01.pem (encrypt types and server configuration)
       ca.crt (Certification Authority CA certificate)
              ca.key (Certification Authority CA secret key)
              index.txt (text file with a single line, the server only)
       serial    (with only 01)
20 - run: \Program Files\OpenVPN\easy-rsa\vars.bat
21 - run: build-key XXclient   (for XX count in hexadecimal with two digit, starting from 02)
22 - answer to all questions with default (simply press return), but:

     Common Name (eg, your name or your server's hostname) []:
     type "XXclient" (without quotation)
     At the last two questions (sign and commit) answer with "y".
23 - repeat step 21-22 for every client you need, incrementing XX.
     Remember that in hexadecimal after 09 there is 0A. So the sequence is:
24 - run: build-dh (it take several seconds to create: dh1024.pem)

C - Create configuration files, to do only once

25 - go to directory \Program Files\OpenVPN\sample-config
26 - copy "server.ovpn" and "client.ovpn" to:
       \Program Files\OpenVPN\easy-rsa\keys
     back to directory
\Program Files\OpenVPN\easy-rsa\keys
26 - edit server.ovpn file and change these lines:
     + uncomment:
         ";local a.b.c.d"
       line removing the ";"
     + change: "a.b.c.d" with the private local IP address of the server.
       To see it open a CMD prompt and type "ipconfig"
       Example: "local"
       If your server use pubblic IP without NAT, use this directly here.
     + uncomment: ";dev tap" and comment: "dev tun"
     + uncomment: ";client-to-client"
27 - rename "client.ovpn" file to "02client.ovpn" and change:
     + uncomment: ";dev tap" and comment: "dev tun"

     + change line: "remote my-server-1 1194"
       with real public IP address of the OpenVPN server.
       Example: "remote 1194"
     + change line: "cert client.crt"
       to: "cert 02client.crt"
     + change line: "key client.key"
       to: "key 02client.key"
28 - copy file "02client.ovpn" to "XXclient.ovpn" and change:
     + change line: "cert 02client.crt"
       to: "cert XXclient.crt"
     + change line: "key 02client.key"
       to: "key XXclient.key"
29 - repeat step 28 for each client you need.

D - Packaging, to do only once

30 - copy the following files (are in \Program Files\OpenVPN\easy-rsa\keys):
       01.pem (optional)
       ca.key (keep secret on server only)
       server.key (keep secret on server only)
     in the directory \Program Files\OpenVPN\config
     on the server.
     Make a "server.7zip" archive with all this necessary configuration files.
     Keep it saved if you need to reinstall the system or for restore.
31 - copy the following files:

     in the directory \Program Files\OpenVPN\config
     of all clients computers.
     Make a "common.7zip" archive with this two files.
32 - copy the following files:

       XXclient.key (do not exchange with other clients)
     in directory \Program Files\OpenVPN\config of each client.
     Make a "XXclient.7zip" archive, one for each client.

E - Activate OpenVPN server, to do every time

33 - run GUI application "openvpn-gui-1.0.3-it.exe".
     A new icon near clock appear, with two red monitor
34 - right click on the icon
35 - select "server" > connect
     The two monitor become yellow during negotiation, and green when established the VPN.
36 -
run Falcon4AF, choose Multiplayer, and create a server.

How to for OpenVPN on the clients

A - Program Install, to do only once

01-10 Follow install instructions above

B - Program configuration, to do only once

11 - copy the "" file in directory \Program Files\OpenVPN\config
12 - unzip there \Program Files\OpenVPN\config
13 - copy "" file in directory \Program Files\OpenVPN\config
14 - unzip there \Program Files\OpenVPN\config

C - Connection, to do every time

15 - run GUI application "openvpn-gui-1.0.3-it.exe".
     A new icon near clock appear, with two red monitor
16 - right click on the icon
17 - select "XXclient" > connect
     The two monitor become yellow during negotiation, and green when established the VPN.
18 - run Falcon4AF, choose Multiplayer, and type as the server to connect to.
     Forgot public IP addresses, inside the VPN use always private addresses.


To disable the cifrature and keep the public key authentication only

Use "cipher none".
This should be done both on server and clients.
It disables the encryption and leaves you with a plain, unencrypted ip tunnel, but keep active public key authentication on connect. This can speed up and unload some old fashioned PC, at the price that all traffic isn't encrypted, so a man in the middle theoretically can intercept the traffic. Take note that he must be a provider or carrier router administrator, or the police. With Pentium4 class computer you do not feel difference with encryption on or off, so keep on if possible.

To share files

On the server create a new user with username: "user" and password: "pass" (choose what you want).
Create two new folders under the C:\ unit named "FalconUpload" and "FalconDownload".
To the "FalconUpload" directory give write permission to all.

On the client side:
- connect to a OpenVPN server (necessary also for provider different from Fastweb)

- open Windows Explorer: Menu Start, Program, Accessories, Windows Explorer
- Menu Tools, Connect network unit...
- in the dialog box, near "Folder:" type:
- click on "different user name"
- near "User Name:" type: "\user"
- near "Password:" type: "pass"
- OK, End.
In your explorer a new unit letter appear. You can copy there all files to share with the others.
Keep in mind: in that folder everyone can write files, add files, and also delete files.
Is in force of the administrator to copy important files from "FalconUpload" to "FalconDownload" that is read only to the others.

From there all can download using:
as folder name. This is the permanent archive of useful and big files of the squadron.
I suggest to create different sub folder of \FalconDownload:
missions, scenery, acmi, shot, ... and so on.


OpenVPN homepage:

OpenVPN Documentation HowTo:

OpenVPN download page:

OpenVPN download file:

OpenVPN Win32 GUI homepage:

OpenVPN Win32 GUI download page:

OpenVPN Italian Win32 GUI download file:

Go to EFA programming page
Back to main page:  EFA home page

Web site showed  times since 01/04/2000. 
From 20/10/1999 - 31/03/2000 the counter showed 770 visits, but it was reset from the provider (so add 770 ...)

Copyright (C) 2006,2007,2008,2009,2010,2011  Valerio Messina
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License,
Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts
and no Back-Cover Texts.  A copy of the license is included in the section entitled "GNU Free Documentation License" or
can be downloaded at: