The documentation for OpenVPN is pretty good, but I found a detail that may cause some confusion in a Windows environment, so I thought I’d address it here:
What do you do if you need to run OpenVPN but still want the Windows Firewall to work on your Windows server?
The background for this issue is how Windows decides what profile to use for a specific network: It reads the gateway address. The TAP interface for OpenVPN doesn’t automatically receive a gateway, so the network profile for it will be “Unknown network”, and so it won’t allow the necessary traffic for the OpenVPN connection to be properly established.
So what do you do?
First, open up a port in your firewall to allow for the initial handshake to be made between the client and the server. By default, this is UDP port 1194. Then we need to take a step back. We don’t want to open an uncontrolled pipe from the VPN client to the server, which is exactly what happens if you turn off the firewall for the VPN TAP device.
Instead, we’ll do two things:
1) Give the OpenVPN TAP device a gateway. In the server configuration for OpenVPN, you assign a subnet to be used by OpenVPN. The server will be [subnet].1. The gateway will be [subnet].2.
2) Some people claim that the above doesn’t always work unless you set the status of the TAP device to “always connected”, so let’s do that.
The result?
You now have control over data in the VPN tunnel too, using Windows firewall, meaning that you can stop unwanted traffic within the tunnel easily.