Use OpenVPN Connect v3 on Windows in service daemon mode

Starting from OpenVPN Connect v3.2 the application includes a method to set up an OpenVPN connection as a system service. This allows to have the connection up and running right after system boot even when nobody is logged on. A few possible use cases:

  • A Windows Server with Remote Desktop Services, where the users need access to some VPN resources, and it is not practical or possible to have them each individually establish their own connections because of technical and organisational reasons.
  • A Windows client system that is joined to a domain that needs access to a VPN network domain that is required for logon purposes, so the connection needs to be up and running before the user logs in.
  • Connecting your Windows system as an unattended host system offering certain services and resources to your OpenVPN server or to the OpenVPN Cloud.

This system service mode is designed to be managed only by system administrators. Once the connection is up, resources available through this VPN connection can be reached by administrators and unprivileged users on the system.

Prerequisites

  • OpenVPN Connect v3 of version v3.2 or higher.
  • Administrator shell (PowerShell or cmd).
  • An autologin type connection profile (the service daemon has no interactive capabilities).
  • Close OpenVPN Connect v3 window before setting up the system service.
  • Run all commands from the program location (as specified below).

Location

  • x64: %ProgramFiles%\OpenVPN Connect\ovpnconnector.exe
  • x86: %ProgramFiles(x86)%>\OpenVPN Connect\ovpnconnector.exe

Instructions

Step 1. Go to the correct location for x64 systems:

cd "%ProgramFiles%\OpenVPN Connect\"

Note: if you have the 32 bits program installed on a 64 bits OS, replace %ProgramFiles% with %ProgramFiles(x86)%.

Step 2. Install the system service:

ovpnconnector.exe install

Step 3. Specify connection profile to use (optional):

ovpnconnector.exe set-config profile <FULL_PATH_AND_FILENAME_TO_PROFILE.OVPN>

Note: if your OpenVPN Connect installation file was downloaded from Access Server or OpenVPN Cloud and came with a bundled autologin connection profile, then you can skip step 3. It will then simply default to the bundled connection profile. It can be found in the program location with the name "ovpnconnector.ovpn" - that is the bundled connection profile.

Step 4. Specify the path to a log file (optional):

ovpnconnector.exe set-config log <FULL_PATH_AND_FILENAME_TO_LOGFILE.LOG>

Note: if you skip step 4, the service will write to the default log file in the program location with the name “ovpnconnector.log”.

Step 5. Start the service:

ovpnconnector.exe start

The service will now start the VPN connection and log output to the log file.

Note: you will not receive feedback after starting the service if the connection succeeded or not. You can check the log file or use the ping command to verify that the connection is now up and running.

Important: OpenVPN Connect client should not be running, otherwise service startup will abort.

Usage details

If the service was properly installed and configured it will establish a VPN connection automatically on system startup, regardless of whether it was explicitly started or not. In other words, the system service is configured to start up automatically at every next boot.

Apart from writing regular OpenVPN logs to the configured log file service will also report any critical errors to the system Event Viewer → Windows Logs → Applications. (Event source: OVPNConnectorService).

You can check service status in Windows Services (services.msc) utility. You can stop, start, and restart the service there.

On the command line this is also possible with ovpnconnector.exe:

ovpnconnector.exe stop/start/restart

Or using the 'net' command line tool in Windows:

net stop/start/restart ovpnconnector

You can’t use the OpenVPN Connect v3 graphical interface while the service is running. The service must be managed by an administrator using the tools provided above, and the graphical interface will be blocked from use to prevent users from interfering with the VPN connection. When the service is stopped, the OpenVPN Connect v3 graphical interface will become available for use again.

Default OpenVPN settings for connection

Connection Timeout: “Continuously retry” (try to connect indefinitely)

Seamless Tunnel: Enabled (Block VPN while VPN is paused or reconnecting)

Other possible settings can be configured in the connection profile itself with standard OpenVPN directives.

Unset configuration

If for some reason you need to undo a configuration setting for the OpenVPN connection profile path or the log file path, to revert them back to defaults, you can use these commands:

ovpnconnector.exe unset-config profile
ovpnconnector.exe unset-config log

Stop

Stop the service:

ovpnconnector.exe stop

The service will stop and the active OpenVPN connection will be terminated. However this does not uninstall the service. So if you do this, and reboot your system while the service is still installed, then the connection will start up again.

Removal

If you want to remove the system service then run this command:

ovpnconnector.exe remove

The service will stop and the active OpenVPN connection will be terminated. The service will then be removed.