OpenVPN Client: Autorun and autoconnect

At ProPrivacy we always recommend using the OpenVPN protocol, as it is by far the most secure tunneling method. While a number of providers create their own VPN software, these are usually based on the standard OpenVPN Client. Though we usually prefer open source software, we also like to see proprietary software with plenty of added features built in. In the latter case you have to trust that the provider has not put anything malicious into its software, but since you never know what happens server side, you'll need to trust your service provider anyway.

With OpenVPN there are plenty of possible configurations, which means that the .ovpn files can vary to some extent between providers. Compared to proprietary software, there are two big differences that are directly noticeable to the user. We provide solutions to both in this article, as well as to an issue that affects a smaller number of users:

  1. The OpenVPN client does not automatically launch when you start your computer / log in
  2. Some companies rely on the slightly weaker username and password authentication method (unlike secure companies such as VikingVPN and Buffered) and you're required to input this every time you connect or change server
  3. How to run OpenVPN without needing an administrator account/password (after the initial setup), so that if other people use the same computer they can use the VPN without being able to modify anything else [or if, like me, you use a standard account for your daily activities to increase security].

To resolve all of these issues, you will need to have Administrator privileges. We are using Windows 7 for our demonstrations, but the steps will be very similar for Windows Vista and 8.

How to Autorun OpenVPN

When most programmes launch at start up, this is usually done through the registry which can be changed using the regedit tool. However, we have found that using the Task Scheduler is not only more customisable, but also easier to work with. So with the preamble out of the way, let's start:

  1. Click the Windows button, type 'Task Scheduler' and start it. (Make sure you're doing this as an administrator)
  2. Click 'Create Task' in the right hand column
  3. In the General tab, do the following:
    1. Enter a suitable name and description
    2. Select the user you wish for it to work on
    3. Enable 'Run with highest privileges'
    4. Configure for your system.
  4. In the Triggers tab
    1. Click New to define when to launch OpenVPN
    2. The simplest method is to launch it when the selected user logs in
  5. In the Actions tab
    1. Click New
    2. Select Start a program as the action
    3. Browse for the OpenVPN GUI client and set it as the program
    4. If you want it to automatically connect to a server, enter --connect xxxxxxx.ovpn into Add arguments (where xxxxxxx is the name of the .ovpn file)
  6. In the Conditions tab you can set some extra settings. We always like to have the VPN running, so we have disabled all of them. The Network option is the one that could be very useful for some people
  7. In the Settings tab you can specify additional behaviors.
  8. In the History tab you can view any errors or problems (as long as you have History tracking enabled)
  9. Once you have done everything, click OK and your Task will be created
  10. To check that it is running you need to do the following.
    1. Make sure OpenVPN GUI is closed
    2. In Task Scheduler right click on the Task you just created and click Run
    3. OpenVPN should now launch and automatically connect if you have set it up.
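
The same task can be registered from an elevated PowerShell prompt, which makes the settings easy to review and repeat. This is an added example, not part of the original article; it needs Windows 8 or later (the ScheduledTasks module is not available on Windows 7), and the task name, account name and openvpn-gui.exe path are assumptions to adjust.

```powershell
# Added example: scripted equivalent of the Task Scheduler steps above.
# Requires an elevated prompt and Windows 8 or later (ScheduledTasks module).
$GuiExe      = 'C:\Program Files\OpenVPN\bin\openvpn-gui.exe'  # assumed default install path
$OvpnProfile = 'xxxxxxx.ovpn'                                   # name of your .ovpn file
$TaskUser    = 'PCNAME\alice'                                   # constructed account name
$TaskName    = 'OpenVPN AutoConnect'                            # hypothetical task name

if (-not (Test-Path -LiteralPath $GuiExe)) { throw "OpenVPN GUI not found at $GuiExe" }

# Actions tab: start the GUI and connect to the named profile (note the two hyphens).
$action = New-ScheduledTaskAction -Execute ('"{0}"' -f $GuiExe) `
                                  -Argument "--connect $OvpnProfile"

# Triggers tab: run when the selected user logs in.
$trigger = New-ScheduledTaskTrigger -AtLogOn -User $TaskUser

# General tab: run as that user, only while logged on, with highest privileges.
$principal = New-ScheduledTaskPrincipal -UserId $TaskUser `
                                        -LogonType Interactive -RunLevel Highest

# Conditions and Settings tabs: no power conditions and no run-time limit
# (by default Task Scheduler stops a task after 3 days).
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
                                         -DontStopIfGoingOnBatteries `
                                         -ExecutionTimeLimit ([TimeSpan]::Zero)

Register-ScheduledTask -TaskName $TaskName `
                       -Description 'Start OpenVPN GUI and connect at logon' `
                       -Action $action -Trigger $trigger `
                       -Principal $principal -Settings $settings

# Step 10: with OpenVPN GUI closed, run the task once by hand and inspect the result.
Start-ScheduledTask -TaskName $TaskName
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult
```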

Connect without requiring VPN login details

The default folder for .ovpn files is "C:\Program Files\OpenVPN\config". You will need to carry out step 1 for every OpenVPN file that you use. We do not recommend this method very much, as you will be storing your login name and password in a plain text file, but some people might find it useful. HMA does provide a log-in tool to help with this to some extent, but as mentioned it is a lot more secure if key authentication is used instead of user/pass.

  1. Open the .ovpn file using a text editor. In the line that says auth-user-pass, add password.txt to the end of it, so that it reads auth-user-pass password.txt.
  2. In the same folder, create a text file called password.txt. On the first line enter your username and on the second line your password.
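
Because the credentials sit in plain text, and files under Program Files are readable by every local user by default, it is worth checking who can read each credential file and tightening its permissions. The script below is an added example, not part of the original article; the account name is a constructed placeholder, and it assumes the credential file is named relative to the profile's folder, as in the steps above.

```powershell
# Added example. Run from an elevated PowerShell prompt.
$ConfigDir = 'C:\Program Files\OpenVPN\config'   # default folder named in the article
$VpnUser   = 'PCNAME\alice'                      # constructed name: the account that runs OpenVPN

# Find every profile whose auth-user-pass directive names a credential file.
$hits = Get-ChildItem -Path $ConfigDir -Filter *.ovpn -Recurse |
    Select-String -Pattern '^\s*auth-user-pass\s+(\S.*?)\s*$'

foreach ($hit in $hits) {
    $name = $hit.Matches[0].Groups[1].Value.Trim('"')

    # A bare file name is taken to live in the same folder as the profile.
    if ([IO.Path]::IsPathRooted($name)) {
        $file = $name
    } else {
        $file = Join-Path (Split-Path $hit.Path -Parent) $name
    }

    if (-not (Test-Path -LiteralPath $file)) {
        Write-Warning "$($hit.Path) references missing credential file $file"
        continue
    }

    # Report who can currently read the plain-text credentials.
    Write-Output "Credential file: $file (referenced by $($hit.Path))"
    (Get-Acl -Path $file).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize

    # Remove inherited entries (which include BUILTIN\Users) and allow only
    # SYSTEM and Administrators (full control) plus the VPN user (read).
    icacls $file /inheritance:r /grant:r '*S-1-5-18:F' '*S-1-5-32-544:F' "${VpnUser}:R"
}
```

If other accounts also use the VPN, grant each of them read access in the same way.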

Allow normal users to access OpenVPN

While there is a minimal security compromise with the method we will present, it does mean that normal users can use the VPN connection [thereby allowing a constant secure internet connection] without having to give them admin rights. The method relies on the fact that the OpenVPN client requires administrator rights to be able to change the network connection. Therefore, by giving administrator rights to the network connection, and nothing else, the need for this will be removed.

In order to do this follow these steps:

  1. Click the Windows button, type 'mmc' and start it. (Make sure you're doing this as an administrator)
  2. Go to File -> Add/Remove Plugins
    1. Under Snap-ins locate Local Users and Groups and add it
    2. Click OK
  3. Next you will give the network access
    1. In the left hand column expand Local Users and Groups
    2. Click Groups
    3. Right click Network Configuration Operators
  4. Click the Add button and add the users that you'd like to be able to run OpenVPN without requiring an administrator password

For more information about staying secure online, take a look at our best vpn software for windows guide.

Written by: Peter Selmeczy

Peter is a full-time tech enthusiast and gadget geek. When not working, you'll find him playing with Lego or tinkering away on an RPi.

11 Comments

Burt Bacharach
on December 4, 2017
Very good article, you guys are lifesavers! 1 tip: I needed to use '--connect' instead of '-connect' to get it working. (on Win10)
Douglas Crawford replied to Burt Bacharach
on December 4, 2017
Hi Burt, Thanks for the tip. I have corrected the article - it is, unfortunately, something our backend sometimes changes "helpfully" automatically.
John the humble IT Guy
on August 18, 2017
I agree with Peter, there is no personal information stored in a certificate. As long as the certificates are unique they can easily be revoked, making it much harder for someone to break into your VPN connection, as they need to be signed by the CA root. The certification process does ask for information, i.e. location, but this can be made up, as long as the cert and its digest are unique and certified. The only potential time your VPN is vulnerable is if a valid cert is stolen and the user has not reported it. The information stored within isn't a concern. There should not be any specific information directly relating to the customer other than potentially the name or account number, and the key contents, which can be revoked and recreated by the CA even with the same details. Usernames and passwords, well, if I could I'd get rid of them, I would. The users are the security risk; it doesn't matter how secure a password they pick, they will use a theme and keep rotating passwords, or store them somewhere. (The whole reason behind smart-card authenticated logins is to add some physical security via, you guessed it, a certificate.)
Costis
on November 30, 2016
Very nice article. Works perfectly. I saw there is the option to trigger the task when a specific network connection is established. Can the opposite also be done? E.g. I am at home and my notebook is directly connected to my home network. In this case OpenVPN doesn't need to establish a connection to it. So in this case a rule-out trigger would be needed, which would not let the task run when a connection to the home network is detected.
Ryan
on January 3, 2015
Peter, when you create a client cert and key there is information in that key that identifies the client. Take a look at this generic one I found on the net. http://pastebin.com/N7mXRKgG Now this one won't show you any sensitive data because this was distributed by a VPN that had no idea how PKI works. They gave this cert and key out to everyone. But it still serves as a good example of how certs and keys are structured. Look at the stuff below: when a service creates unique certificates for each user, they are going to use real user data in case they need to revoke those certificates in the future. Where is that data stored, you ask? In the certificate. Look into it. I know for a fact cryptostorm forums has pointed this out in the past but I am not sure of the link.
Peter Selmeczy replied to Ryan
on January 5, 2015
Hi Ryan, take a look at this one I got from an actual commercial VPN http://pastebin.com/e8gDRMeB as you can see there is no personally identifiable information in it. It's possible to put extra information into the OpenVPN file irrespective of the type of authentication they use, and yes, you're right that business VPNs do do this for easier management, but this isn't the case for public/commercial VPNs. Peter
DannyBoy replied to Peter Selmeczy
on January 8, 2015
Peter, I think you are misinformed. When a certificate is made some services may strip out the certificate info and just keep the signature, but that certificate info has still been created. I work at a service that uses unique client keys, unlike the one you posted. Our VPN service uses the certificate data to identify who the owner is when they authenticate. If we didn't, we would never know who to revoke when the user cancels. We went back and forth about this point in depth at the office and the truth is right now neither user/pass nor certificate/key are ideal for consumer based services. Anyone saying otherwise is flat out wrong. ...
Peter Selmeczy replied to DannyBoy
on January 8, 2015
Hi Danny, clearly you're very knowledgeable in the topic and made me realise a few things that I haven't been informed about or aware of before. Do you mind me using your email address to contact you so we can continue this in private? I've removed the mass of the information for safety purposes, but the reason that you can find 'bestvpn' in there is because it's our username for them. Peter
