OpenVPN 2.5 Windows MSI Parameters for Unattended Installations
Since the release of OpenVPN 2.5, the OpenVPN Project has moved its installer from an EXE (executable file) to the more modern MSI (Windows Installer package) method. MSI files have some clear advantages, so it is no surprise that they have gone this route.
Previously the OpenVPN EXE had well documented installation parameters for their Windows installer:
/S – silent installation
/D=path – specify a custom installation path
Note – the /D parameter has to appear last on the command line, and the path may not be enclosed in quotes. The installer simply takes the rest of the command line and uses it as the path (thus supporting spaces in the path).
To select individual OpenVPN components (1 = install, 0 = do not install; the values below indicate defaults):
/SELECT_SHORTCUTS=1 – create the start menu shortcuts
/SELECT_OPENVPN=1 – OpenVPN itself
/SELECT_SERVICE=1 – install the OpenVPN service
/SELECT_TAP=1 – install the TAP device driver
/SELECT_OPENVPNGUI=1 – install the default OpenVPN GUI
/SELECT_ASSOCIATIONS=1 – associate with .ovpn files
/SELECT_OPENSSL_UTILITIES=0 – install the utilities for generating public-private key pairs
/SELECT_EASYRSA=0 – install the RSA X509 certificate management scripts
/SELECT_PATH=1 – add openvpn.exe in PATH
/SELECT_OPENSSLDLLS=1 – dependencies – OpenSSL DLLs
/SELECT_LZODLLS=1 – dependencies – LZO compressor DLLs
/SELECT_PKCS11DLLS=1 – dependencies – PKCS#11 DLLs
These parameters are useful and necessary when performing an unattended or programmatic installation. Unfortunately, with the release of 2.5 and the move to an MSI installer, these parameters no longer work, and at the time of this writing the OpenVPN Project has not documented new parameters. Luckily for us, MSI files have some basic characteristics and behaviors.
You can run any MSI file with logging like this:
msiexec /i installer.msi /l*v log.txt
This brings up the installation GUI, where you can pick the customize option and choose the combination of features that you need. Once the installation completes, open the log file you specified and search for ADDLOCAL. In our case, where we want to install only the OpenVPN Service and the new Wintun drivers, we find this:
ADDLOCAL=OpenVPN.Service,OpenVPN,Drivers,Drivers.Wintun
We can now run the installer on subsequent Windows servers with the following command:
msiexec /i OpenVPN-2.5.0-I601-amd64.msi ADDLOCAL=OpenVPN.Service,OpenVPN,Drivers,Drivers.Wintun /passive
If we wanted to change the installation directory we could do so like this:
msiexec /i OpenVPN-2.5.0-I601-amd64.msi PRODUCTDIR="C:\Program Files\OpenVPN25\" ADDLOCAL=OpenVPN.Service,OpenVPN,Drivers,Drivers.Wintun /passive
If you are looking to install the GUI and the older Windows TAP adapter you would do so like this:
msiexec /i OpenVPN-2.5.0-I601-amd64.msi ADDLOCAL=OpenVPN.GUI,OpenVPN,OpenVPN.GUI.OnLogon,Drivers.TAPWindows6,Drivers /passive
So there you have it: an easy workaround to perform silent Windows installations. Hopefully this will save some time and effort for people looking to utilize the new OpenVPN 2.5 client in their DevOps environments.
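One way to script the log lookup described above, as an added PowerShell example rather than code from the original post or the OpenVPN Project: it pulls the ADDLOCAL value out of the verbose log, rejects anything that is not a plain feature identifier, and builds the msiexec arguments. The function names, the install log name and the sample log lines are assumptions made for the example.

```powershell
# Added example, not OpenVPN project code. The sample log lines are constructed.
function Get-MsiFeatureList {
    param([Parameter(Mandatory)][string[]]$LogLine)
    # Matches "ADDLOCAL=a,b" as well as "Property(S): ADDLOCAL = a,b".
    $found = $LogLine | Select-String -Pattern 'ADDLOCAL\s*=\s*([^\s"]+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
    if (-not $found) { throw 'No ADDLOCAL entry found in the log.' }
    $features = @($found)[-1] -split ','   # the last entry is the final selection
    # The log feeds a command line, so accept only plain feature identifiers.
    foreach ($f in $features) {
        if ($f -notmatch '^[A-Za-z0-9_.]+$') { throw "Unexpected feature name: $f" }
    }
    $features
}

function Get-MsiUnattendedArgs {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string[]]$Feature,
        [string]$InstallLog = 'openvpn-install.log'   # hypothetical log name
    )
    # Same shape as the commands above, plus a verbose log of every install.
    '/i', "`"$MsiPath`"", "ADDLOCAL=$($Feature -join ',')", '/passive', '/l*v', "`"$InstallLog`""
}

function Install-Msi {
    param([Parameter(Mandatory)][string[]]$MsiArgs)
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $MsiArgs -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required.
    if ($p.ExitCode -notin 0, 3010) { throw "msiexec exited with code $($p.ExitCode)" }
}

# Constructed stand-in for: Get-Content .\log.txt
$sampleLog = @(
    'Command Line: ADDLOCAL=OpenVPN.Service,OpenVPN,Drivers,Drivers.Wintun',
    'Property(S): ADDLOCAL = OpenVPN.Service,OpenVPN,Drivers,Drivers.Wintun'
)
$features = Get-MsiFeatureList -LogLine $sampleLog
$msiArgs  = Get-MsiUnattendedArgs -MsiPath 'OpenVPN-2.5.0-I601-amd64.msi' -Feature $features
"msiexec $($msiArgs -join ' ')"   # review the command, then: Install-Msi -MsiArgs $msiArgs
```

Keeping the per-install verbose log gives you a record of which features actually landed on each server, which is useful when a later audit asks why a driver or service is present.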