How is OpenVPN set up: check VPN encryption and diagnose issues

OpenVPN Connect is a free OpenVPN app
(Image credit: OpenVPN)

Most VPN apps make it easy to use the OpenVPN protocol. Choose it from a Protocols list on the Settings page and that's it, the app sets up OpenVPN automatically, every time you connect, and you don't have to care about any of the low-level technical details.

Except, well, sometimes you might care. Ever wondered if a VPN really is giving you the 256-bit encryption it's advertised, for instance? The app may not clearly tell you, but if you can figure out where to look, especially on desktops, there are other ways to find out.

Maybe you're looking for more details on the connection. What's the name or IP address of the server your app is trying to reach? If the app doesn't give you a choice of UDP or TCP connections, what's it using by default? Is the provider really using its own DNS server, or just redirecting you to a public service? It might take a few minutes of detective work with Task Manager and other tools, but there may be ways you can find out.

And if an OpenVPN connection fails, understanding why is often a real challenge as app error messages can be misleading. But peeking under the OpenVPN hood can often give you the answer, and in this article we'll explain exactly what you need to do.

NordVPN uses an OpenVPN file to make and manage OpenVPN connections

(Image credit: NordVPN)

How does OpenVPN connect?

When you hit your VPN's Connect button, it's easy to assume the app then creates, manages and eventually closes the OpenVPN connection for you. But the reality is a little different.

What actually happens is the VPN app looks at the location you've chosen, your app settings, and anything else which defines how the connection should work. Then it usually saves those settings to a file, and passes them to a command line app from the official OpenVPN project. It's this app that sets up the connection and handles all the tricky low-level stuff.

You might be able to find this OpenVPN file in your VPN app folders. It's often called openvpn.exe, and, for example, by default the ExpressVPN Windows app has a copy in its C:\Program Files (x86)\ExpressVPN\expressvpnd\windows folder. 

Some providers build a special version of the file or just rename it. NordVPN has 32 and 64-bit openvpn-nordvpn.exe files in its C:\Program Files\NordVPN\[version]\Resources\Binaries folders, for instance, and Turbo VPN includes vpncore.exe in its C:\Program Files (x86)\TurboVPN\Driver32 folder. If you're unsure, right-click the file, select Properties, Details, and you should see it's copyrighted 'OpenVPN Project' and originally called OpenVPN.exe.

Why does this matter? The VPN app passes the settings to OpenVPN using standard commands, and if you can find them, they'll give you every detail about the connection and how it's set up.

Entering a command at the Windows command line

(Image credit: Microsoft)

OpenVPN: under the hood

To find out more about OpenVPN connections on a PC, first make an OpenVPN connection to any location with your VPN app. Then launch Task Manager (press Ctrl+Left Shift+Esc), click the Details tab and look for your VPN's OpenVPN process. (Click More Details if Task Manager displays its Compact view.)

Now scan across the process's columns until you find its Command Line. If you don't see it, right-click a column header, choose Select Columns, and check the 'Command Line' box.

This is how our ExpressVPN app's command line pointed OpenVPN to its .ovpn setup file, with the settings we needed: 

"C:\Program Files (x86)\ExpressVPN\expressvpnd\windows\openvpn.exe" --config C:\ProgramData\ExpressVPN\v4\config\ovpn921089\config.ovpn

Here's how NordVPN told OpenVPN about its openvpn-config file:

"C:\Program Files\NordVPN\\Resources\Binaries\64bit\openvpn-nordvpn.exe" --config "C:\ProgramData\NordVPN\configs\openvpn-config" 

If you can't see the command line in Task Manager, click Search on the taskbar, type CMD, choose Windows Command Processor and select Run As Administrator. Then paste the command: wmic process where "name like '%openvpn.exe%'" get processid,commandline into the command line (replacing openvpn.exe with the name of your provider's OpenVPN app) and press Enter. 

If the command line includes a path to a settings file, as we've seen above with ExpressVPN and NordVPN, then you can open that in Notepad to see how your connection is set up. We'll look at that next.

Sometimes the app passes all your setup details entirely on the command line, without using any file. That's still enough to get some very useful information.

Still can't find your provider's OpenVPN app, or see the command line details? Some VPN apps pass the information to OpenVPN in a way users can't see. Pity, but not the end of the story, and we'll give you another option to try later.

OpenVPN connections are configured with many different settings

(Image credit: OpenVPN)

Useful OpenVPN settings

We're assuming you've found your OpenVPN settings, either in a file or on a command line. They're designed for developers, so don't be surprised if you've no idea what most of them mean. But don't be put off, either. Keep scanning down the list - some of them are genuinely useful.

If you're wondering what encryption your connection is using, for instance, whether you're getting the advertised AES-256, look for a 'cipher' command. Our ExpressVPN file included the line 'cipher AES-256-CBC', for instance, giving us AES-256 encryption using Content Block Chaining- exactly what we'd expect.

Maybe you're curious about the IP or host name of the VPN server, and your app doesn't tell you? Find the 'remote' command. Our ExpressVPN file contained the line 'remote 4283', giving us the IP address of the VPN server and the connection port. 

Some apps specify how the VPN connects at the end of the remote command, by adding 'udp' or 'tcp.'

Is the app using some third-party DNS server without telling you? No problems with ExpressVPN, it only ever uses its own DNS. Check your settings for a command such as 'dhcp-option DNS', though, and run a search for the IP address to see which service the app is trying to use. (This could be its own DNS, but if it really is, that's Cloudflare.)

If you're really interested and want to try to decipher everything, the official OpenVPN manual has more, though beware, you'll need plenty of time and knowledge to figure it all out.

The IPVanish app includes a diagnostics panel with the OpenVPN logs

(Image credit: IPVanish)

OpenVPN logs

Understanding how your OpenVPN connection is set up can be interesting, but the real value comes in any OpenVPN logs. Can't log in, for instance? VPN apps might just give you a general 'connection error' message as they don't know any more (they're leaving OpenVpn.exe to establish the connection), but the OpenVPN logs are often more helpful.

Sometimes the logs are available from the VPN app. IPVanish's Windows offering has a Diagnostics tab, for example, which lists recent OpenVPN commands and any responses. We tried connecting with an old account, and the log displayed:

15:03:00 [Fatal] (VpnSDK::Private::OpenVPN) >PASSWORD:Verification Failed: 'Auth'... Authentication failure....
15:03:00 [Error] (VpnSDK) VPN server rejected credentials.

If app just told you 'can't connect', you might waste an age trying other locations, different connection servers, closing other apps or tweaking firewall settings. But look at the logs and they're clearly warning of an account or login issue.

Even if you can't solve a problem yourself from the log details, you might spot something that will help your VPN's support. Tell the support agent 'I can't connect' and he'll probably direct you to a website FAQ with 10 or 15 generic ideas to try. Tell them 'I can't connect with OpenVPN, and I noticed the log says error xxx', and chances are you'll get the real answer right away.

Computer code

(Image credit: Shutterstock)

Going further

If your VPN logs aren't accessible from the app, they're probably saved on your hard drive somewhere. 

Check the app's program folders, \Program Data\[VPN Name], \Users\[UserName]\AppData\[VPNName] for files with a .log extension, or any file updated since you last connected.

NordVPN's logs are stored in files with an NWL extension in the C:\ProgramData\NordVPN\logs folder, for instance. Explorer normally hides this, but if you can't see the folder, press Win+R, paste C:\ProgramData\NordVPN\logs into the box, and press Enter to view it.

These logs usually contain all the commands used to create a connection, with responses from the server, and error messages or other details about whatever happened in the session.

If you couldn't find your OpenVPN settings file earlier, the same commands should be included in the log. Our NordVPN log included lines such as 'Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key', for instance, using the cipher command we saw earlier to set up our encryption type.

Browse the log, anyway, see what you can find. Even experts won't understand most of it, but if only a few details make sense, you could find some really useful and interesting information.

Read more on VPN:

Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.