@bitroniq
Last active January 25, 2022 09:10
OpenVPN connect on boot aka SBL start-before-logon

Official solutions from OpenVPN

  1. https://openvpn.net/community-resources/configuring-openvpn-to-run-automatically-on-system-startup/
  2. https://openvpn.net/community-resources/running-openvpn-as-a-windows-service/

Using nssm.exe

OpenVPN/openvpn-gui#77 (comment)

  1. Make sure you can connect using an elevated command line:

    cd "C:\Program Files\OpenVPN\config"
    "C:\Program Files\OpenVPN\bin\openvpn.exe" --config Contoso.ovpn

    Then disconnect.

  2. If you are using --cryptoapicert, install the client certificate to the Local Computer's "Personal" store.

    • Optional: I am using --client-cert-not-required and username/passwords instead of client certificates, because PKI is a royal pain-in-the-... = you will notice your client certificate expired when you're out on the road.

  3. Download and save the nssm.exe utility. No setup required. For this walkthrough, I will assume you copied it to C:\Program Files\OpenVPN\bin.

  4. Execute using an elevated command line:

    "C:\Program Files\OpenVPN\bin\nssm.exe" install OpenVPN-Contoso "C:\Program Files\OpenVPN\bin\openvpn.exe"
    "C:\Program Files\OpenVPN\bin\nssm.exe" set OpenVPN-Contoso AppDirectory "C:\Program Files\OpenVPN\config"
    "C:\Program Files\OpenVPN\bin\nssm.exe" set OpenVPN-Contoso AppParameters "--config Contoso.ovpn"
    "C:\Program Files\OpenVPN\bin\nssm.exe" set OpenVPN-Contoso AppStdout "C:\Program Files\OpenVPN\log\Contoso.log"
    "C:\Program Files\OpenVPN\bin\nssm.exe" set OpenVPN-Contoso AppStderr "C:\Program Files\OpenVPN\log\Contoso.log"
    "C:\Program Files\OpenVPN\bin\nssm.exe" set OpenVPN-Contoso AppStdoutCreationDisposition 2
    "C:\Program Files\OpenVPN\bin\nssm.exe" set OpenVPN-Contoso AppStderrCreationDisposition 2
    "C:\Program Files\OpenVPN\bin\nssm.exe" set OpenVPN-Contoso DependOnService Dhcp tap0901
    "C:\Program Files\OpenVPN\bin\nssm.exe" start OpenVPN-Contoso

Using .ps1 and nssm.exe

https://gist.github.com/NBprojekt/8609ed86c0f55c3269a044b8b422fc68

  • create-sbl-service.ps1:
    #Requires -RunAsAdministrator

    # nssm.exe is expected in the current directory; stop if it is missing.
    $nssmPath = ".\nssm.exe"
    $nssmExists = Test-Path $nssmPath
    if (-Not $nssmExists) {
      echo "Make sure nssm.exe is in $nssmPath"
      exit 1
    }

    # -Wait makes each nssm call finish before the next one starts.
    # Register the service and have it start automatically at boot.
    Start-Process -NoNewWindow -Wait -FilePath $nssmPath -ArgumentList "install OpenVPN-SBL `"C:\Program Files\OpenVPN\bin\openvpn.exe`""
    Start-Process -NoNewWindow -Wait -FilePath $nssmPath -ArgumentList "set OpenVPN-SBL Start SERVICE_AUTO_START"

    # Name and description shown in the Services console.
    Start-Process -NoNewWindow -Wait -FilePath $nssmPath -ArgumentList "set OpenVPN-SBL DisplayName VPN SBL"
    Start-Process -NoNewWindow -Wait -FilePath $nssmPath -ArgumentList "set OpenVPN-SBL Description Creates VPN Connection before logon"

    # Run as LocalSystem in its own process.
    Start-Process -NoNewWindow -Wait -FilePath $nssmPath -ArgumentList "set OpenVPN-SBL ObjectName LocalSystem"
    Start-Process -NoNewWindow -Wait -FilePath $nssmPath -ArgumentList "set OpenVPN-SBL Type SERVICE_WIN32_OWN_PROCESS"

    # Start only after DHCP and the TAP adapter driver are available.
    Start-Process -NoNewWindow -Wait -FilePath $nssmPath -ArgumentList "set OpenVPN-SBL DependOnService Dhcp tap0901"

    # Working directory and the config file passed to openvpn.exe.
    Start-Process -NoNewWindow -Wait -FilePath $nssmPath -ArgumentList "set OpenVPN-SBL AppDirectory `"C:\Program Files\OpenVPN\config`""
    Start-Process -NoNewWindow -Wait -FilePath $nssmPath -ArgumentList "set OpenVPN-SBL AppParameters --config SBL.ovpn"

    # Send stdout and stderr to the same log file.
    Start-Process -NoNewWindow -Wait -FilePath $nssmPath -ArgumentList "set OpenVPN-SBL AppStdout `"C:\Program Files\OpenVPN\log\SBL.log`""
    Start-Process -NoNewWindow -Wait -FilePath $nssmPath -ArgumentList "set OpenVPN-SBL AppStderr `"C:\Program Files\OpenVPN\log\SBL.log`""

    Start-Process -NoNewWindow -Wait -FilePath $nssmPath -ArgumentList "set OpenVPN-SBL AppStdoutCreationDisposition 2"
    Start-Process -NoNewWindow -Wait -FilePath $nssmPath -ArgumentList "set OpenVPN-SBL AppStderrCreationDisposition 2"
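
An added check, not part of the gist or of the nssm or OpenVPN projects: the script above registers the service as LocalSystem, so the executables, config and log locations it uses should be writable only by administrators. The service name and paths are the ones used above; the trusted-SID list is an assumption to adapt to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: list ACEs that let non-admin principals modify files used by the
# OpenVPN-SBL service. Service name and paths come from the walkthrough above.
$serviceName = 'OpenVPN-SBL'
$paths = @(
  'C:\Program Files\OpenVPN\bin\openvpn.exe',
  'C:\Program Files\OpenVPN\config',
  'C:\Program Files\OpenVPN\config\SBL.ovpn',
  'C:\Program Files\OpenVPN\log'
)

# Assumption: only these well-known SIDs may hold write access.
$trustedSids = @(
  'S-1-5-18',       # LocalSystem
  'S-1-5-32-544',   # BUILTIN\Administrators
  'S-1-3-0',        # CREATOR OWNER (inheritance placeholder)
  'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow changing or replacing content, plus GENERIC_ALL / GENERIC_WRITE bits.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x10000000 -bor 0x40000000

# Add the executable the service control manager actually launches (nssm.exe here).
$svc = Get-CimInstance Win32_Service -Filter "Name='$serviceName'"
if ($svc) {
  Write-Output "Service account: $($svc.StartName)"
  Write-Output "Image path:      $($svc.PathName)"
  if ($svc.PathName -match '^"([^"]+)"' -or $svc.PathName -match '^(.+?\.exe)') {
    $paths += $Matches[1]
  }
} else {
  Write-Warning "Service $serviceName is not installed"
}

$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($p in $paths) {
  if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Missing: $p"; continue }
  foreach ($ace in (Get-Acl -LiteralPath $p).GetAccessRules($true, $true, $sidType)) {
    $sid = $ace.IdentityReference.Value
    if ($ace.AccessControlType -ne 'Allow' -or $trustedSids -contains $sid) { continue }
    if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
      [pscustomobject]@{ Path = $p; Sid = $sid; Rights = $ace.FileSystemRights }
    }
  }
}

if ($findings) { $findings | Format-Table -AutoSize; exit 1 }
Write-Output 'No write access for untrusted principals found.'
```

A finding on the config directory or SBL.ovpn matters as much as one on the binaries, because OpenVPN config directives such as `up` can run scripts with the service's privileges.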