Creating a customized OpenVPN installer

Note:  See "Creating a customized OpenVPN installer – Round 2" for another approach to a custom OpenVPN installer.

OpenVPN is an excellent product with seemingly infinite configuration options. After setting everything up to your tastes, though, you may find that your end users are a bit too "simple" to install OpenVPN and your custom config files successfully. I find that many users (well, where I work at least) are uncomfortable browsing to and placing files in C:\\Program Files\\OpenVPN. You can easily get around this by creating a self-extracting executable with a default output path of C:\\Program Files\\OpenVPN (use IZArc to make nice free SXEs). Although that gets the job done, the end user would still need to install OpenVPN, the run the SXE. Why not cut down the number of steps in half (or by one :p ), while at the same time adding your company’s touch to the OpenVPN installer?

Recent documentation on this is not very widespread, but luckily still of good use. The main source of documentation on this can be found here, and is supplied by the creator of OpenVPN GUI. The documentation can be followed, but unfortunately the packages provided are a bit outdated. To get up-to-date (and to become Vista-compatible), we first download a copy of the current release candidate (2.1 RC4 at the time of writing). I actually had to get the Windows installer since I didn’t want to bother compiling from source. Next, I downloaded the 2.1 beta 7 package from the OpenVPN GUI site. I installed the Windows installer by accepting all defaults, then extracted the install source (anywhere should work). Next, to get things up-to-date I replaced openvpn.exe and openvpn-gui.exe in the openvpn\\bin folder of the extracted archive with that from my Windows installation (C:\\Program Files\\OpenVPN\\bin).

To get our installer to work with Vista, we need to replace the blacklisted 0801 TAP driver with the newer 0901 TAP driver. This is not documented anywhere I could find, but doing this turned out to be easy and effective. Simply make replacements as we did above, but instead copy the contents of C:\\Program Files\\OpenVPN\\driver to the openvpn\\tap-win32\\i386 folder of the extracted archive. You can safely remove the older 0801 files. To make this work, we now have to edit the openvpn-gui.nsi script in the extracted archive. In any text editor (Notepad++ worked great for me and offered syntax highlighting), open up openvpn-gui.nsi, look for !define TAP "tap0801", and replace that with !define TAP "tap0901". Your archive is now Vista-compatible.

There are many other changes that can be made in the Nullsoft installer script such as including your company name, custom icons, and most importantly your OpenVPN client config. You can look through the script to understand how it works and modify it accordingly. To include your custom config/cert files, browse in your text editor to Section "OpenVPN GUI" SecGUI. You will see a comment indicating where your custom config files go. To include multiple files in the install, simply add more File entries, like so:


# Include your custom config file(s) here.
SetOutPath "$INSTDIR\\config"
File "${HOME}\\config\\client.ovpn"
File "${HOME}\\config\\ca.crt"
File "${HOME}\\config\\dh2048.pem"
File "${HOME}\\config\\client.crt"
File "${HOME}\\config\\client.key"

This will include client.ovpn, ca.crt, dh2048.pem, etc. to your custom installer, and will place them in the config folder upon installation.

To compile your masterpiece into an executable, you need to download and install The Nullsoft Scriptable Install System. Although a newer edition may work, I went with the original documentation’s recommendation and installed the older v2.05. You can get this here. Once installed, you can simply right-click on the openvpn-gui.nsi script you modified and click on "Compile NSIS Script". A log of the compilation will show and an opportunity to test the installer will show if everything went well. You will also have an installable .exe waiting for you in the current directory waiting to be distributed to your clients.

If you ran into errors, look through the logs to try to identify what’s going on. Otherwise, you can simply just make some changes to the archive I already hacked up:

If you’re just interested in creating a custom OpenVPN installer for Windows and don’t particularly care to dabble in Nullsoft install scripts or are just lazy, download the archive above and make whatever changes you may need. The hacks described above are implemented in this package.


In Vista, if you’re using routing (tun mode), the end user must run OpenVPN by running as an administrator. This is because the routing table must be modified to tell your computer how to get to your company network. Otherwise, the client may appear to be connected (he/she actually is), but attempts to access the company network will fail, as packets are instead trying to go through the default route (usually your ISP). Using tap mode eliminates this requirement as clients are given IPs in the company’s subnet range, therefore eliminating the need to do routing.

If using certificate authentication, then each of your users will need unique files in their config directory. I don’t know of a way to automate this, unless you generate the client certificates on the fly and have a program initiate a compile of openvpn-gui.nsi with the new certificates included. In my install of OpenVPN, users are authenticated via Active Directory, so we don’t have to distribute any user-specific files.  You may very well just have to use self-extracting archives or train your users how to work with zip files!

12 comments on “Creating a customized OpenVPN installer
  1. bofh says:

    damn efficient. thanks a lot, really useful.

  2. Sven Söhnel says:

    Thanks very much!

    Beginning with OpenVPN it’s a great Start here
    when roll out to clients.

    Greetings from Germany


  3. Thanks! Glad it helped! I’ll be updating this posting soon with a new method, so check back in a few days if you want to check it out.

  4. Pere says:

    Mmm, I am missing something.

    After correctly compiling the NSI file, I get my customized openvpn exe.

    After installing I get an error related to libeay32.dll, “The procedure entry point BIO_test_flags could not be located in libeay32.dll”. I assumed it to be because the dll in the 2.1 beta 7 package is not useful with the 2.1_rc19 that I am using.

    I substituted all files in bin folder from 2.1 beta 7 package with new version from 2.1_rc19 install (libeay32.dll, libssl32.dll …) but after recompiling, now it complains of missing libpkcs11-helper-1.dll …

    My question: For the rest of the people it did work just changing openvpn.exe and openvpn-gui.exe in the openvpn\\bin folder without any further change ?

    And Ameir, happy to hear your new method ! :)

    Thx anyway for the tips !


  5. Ameir Abdeldayem says:

    When trying to work with the newer versions, I ran into some problems myself. Also, I couldn’t get the 64-bit TAP driver included into my package.

    I just finished writing the article on the new method; check it out here:

  6. Rahul says:

    It works really well. But for the latest version it does not work well but for the earlier one it supports good. Nice blog…

  7. Sonia says:

    Good day!I have Windows 7 64-bit. OpenVPN 2.1.19 is work, but I use gateway rerodectiin, and it’s is not work.OpenVPN 2.0.9 is not install Drivet for Tap.When I use OpenVPN 2.0.9 in Windows7 32-bit, all work right.2.1.19 not work with Gateway rerodectiin.There can be somebody had such problem?May be problem with driver for Tap in Windows7 64-bit.Can be at somebody there is such driver?

  8. Ahsan says:

    I found out that if your are using 64bit os the routing talebs won’t work. So you need to do them manualy by route command in CMD. I try to search the reason why that command won’t work. Log says success for route command but if you look the routing talebs there is no routes. I hope this information helps some other user 🙂

  9. Ditka says:

    It does not worked for me, I’m able to intalsl it, but in device manager all tap adapters are marked as not working, in details I see this message.Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have intalsled a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)

  10. Sean says:

    Update to my last comment. The tabkasr icon does not actually get loaded. What I saw was a previous (failed) attempt to launch the OpenVPN GUI that I did not close. When running, this method does not have a tabkasr icon.=, only a cmd window. To exit openvpn when running in this fashion, press F4 in the cmd window.

  11. Wariner Anderson says:

    Hello there.
    Any updates on the current 2.3 version?
    And, is it possible to change the GUI or MI like some call it? Thanks in advance

  12. Hi, I haven’t done work on this in quite a while, and haven’t kept up with updates. Have you confirmed that the process breaks in OpenVPN 2.3? I’m not aware of alternative GUIs for Windows; I’ve since switched to Mac and have been using Tunnelblick when needed.

1 Pings/Trackbacks for "Creating a customized OpenVPN installer"
  1. In a previous article, I outlined the steps I took to “roll” my own customized OpenVPN installer, and it worked like a charm back then. OpenVPN has gone through several revisions since, and getting things running (especially on different a

Leave a Reply

Your email address will not be published. Required fields are marked *