Use OpenVPN Connect v3 on Windows in Service Daemon Mode
Set up an OpenVPN connection as a system service on Windows with service daemon mode for OpenVPN Connect.
On Windows, OpenVPN Connect 3.2 and newer includes a method to set up an OpenVPN connection as a system service. You can configure the connection to run right after system boot, even when nobody is logged on. A few example use cases:
A Windows Server with Remote Desktop Services where users need VPN access, but you can't have each user establish their own connections.
A Windows client joined to a domain that requires VPN access for logon.
An unattended Windows host providing services or resources to your OpenVPN server or CloudConnexa.
We designed this system service mode for system administrators. Once the connection is running, both admin and unprivileged users on the system can reach VPN resources.
Before you begin
Ensure you have the following set up:
OpenVPN Connect v3.2 or higher installed.
Administrator shell (PowerShell or cmd).
An autologin-type connection profile (the service daemon has no interactive capabilities).
Closed the OpenVPN Connect app before setting up the service.
Run all commands from the program location (as specified below).
x64: %ProgramFiles%\OpenVPN Connect\ovpnconnector.exe
x86: %ProgramFiles(x86)%>\OpenVPN Connect\ovpnconnector.exe
Following these steps to set up OpenVPN Connect to run in service daemon mode:
Go to the correct location for your system (for our example, we use an x64 system):
cd "%ProgramFiles%\OpenVPN Connect\"
Tip
Ensure you use the correct location for your system.
Install the system service:
ovpnconnector.exe install
Specify the connection profile to use (optional):
ovpnconnector.exe set-config profile <FULL_PATH_AND_FILENAME_TO_PROFILE.OVPN>
Note
If you downloaded your OpenVPN Connect installation file from Access Server or CloudConnexa and it came with a bundled autologin connection profile, you can skip step three. It will then simply default to the bundled connection profile. You can find it in the program location with the name "ovpnconnector.ovpn" — that's the bundled connection profile.
Specify the path to a log file (optional):
ovpnconnector.exe set-config log <FULL_PATH_AND_FILENAME_TO_LOGFILE.LOG>
Note
If you skip step four, the service writes to the default log file in the program location with the name, "ovpnconnector.log".
Start the service:
ovpnconnector.exe start
The service starts the VPN connection and logs output to the log file.
Tip
You don't receive any feedback about whether the connection succeeds or not after you start the service. You can check the log file or use the ping command to verify that the connection is up and running.
Important
OpenVPN Connect should not be running; otherwise, service startup aborts.
If you've installed and configured the service correctly, it automatically establishes a VPN connection on system startup. In other words, the system service starts at every boot.
Apart from writing regular OpenVPN logs to the configured log file, the service also reports any critical errors to the system: Event Viewer → Windows Logs → Applications. (Event source: OVPNConnectorService).
You can check the service status in the Windows Services (services.msc) utility. You can stop, start, and restart the service there.
On the command line, this is also possible with ovpnconnector.exe:
ovpnconnector.exe start ovpnconnector.exe stop ovpnconnector.exe restart
Or using the Windows 'net' command-line tool:
net stop ovpnconnector net start ovpnconnector
Important
You can't use the OpenVPN Connect v3 graphical interface while the service is running.
An administrator must manage the service using the tools mentioned above. The service blocks the graphical interface from running to prevent users from interfering with the VPN connection.
When an admin stops the service, the OpenVPN Connect v3 graphical interface will become available again.
By default, the service runs with:
Connection Timeout: "Continuously retry" (try to connect indefinitely).
Seamless Tunnel: Enabled (block VPN while VPN is paused or reconnecting).
You can configure other possible settings in the connection profile with standard OpenVPN directives.
Starting with OpenVPN Connect 3.7.1, the connector service supports additional configurable settings via set-config and unset-config commands:
Option | Values | Description | Default |
|---|---|---|---|
profile |
| Set custom connection profile path. | ovpnconnector.ovpn |
log |
| Set custom log file path. | ovpnconnector.log |
vpn-protocol | adaptive, tcp, udp | Set the VPN protocol. | adaptive |
dco | true, false | Enable data channel offload (DCO) for performance. | false |
security-level | preferred, legacy, insecure | Set connection security level. | legacy |
seamless-tunnel | true, false | Enable seamless tunnel behavior. | true |
enforce-tls-1-3 | true, false | Enforce TLS 1.3 usage. | false |
allow-local-dns | true, false | Allow local DNS resolvers. | false |
google-dns-fallback | true, false | Enable Google DNS fallback if primary fails. | false |
Example: To turn on DCO for faster data handling:
ovpnconnector.exe set-config dco true
To revert any option to its default, use:
ovpnconnector.exe unset-config <option>
If you need to undo a configuration setting for the OpenVPN connection profile path or the log file path to revert them to defaults, you can use these commands:
ovpnconnector.exe unset-config profile ovpnconnector.exe unset-config log
Use the following commands to stop or remove the service.
Stop the service
ovpnconnector.exe stop
The service stops, and the active OpenVPN connection terminates. On the next reboot, the service starts and reconnects.
Remove the service
ovpnconnector.exe remove
The system stops and the active OpenVPN connection terminates. You've removed the service from the system.