23.07.2025
I managed to do this one time on my job. That time I catched the moment and documented everything I did to achieve the final result. Now I want to archive it here and maybe share it with those in need.
I don't know why you might need this information and I don't want to know. Maybe you have an enterprise server and one of the users still uses Windows XP in 2025 (dangerously based), or maybe you're just testing some stuff.
Source articles that helped me:
This article will be in the style of "1, 2, 3", because at the moment, I don't feel like thoroughly organizing it.
1. First things first, we need to get an actual OpenVPN client installer.
Last time I used the following link:
https://build.openvpn.net/downloads/releases/latest.bak/
and with the filename it looked like this:
https://build.openvpn.net/downloads/releases/latest.bak/openvpn-install-latest-winxp-i686.exe
but it seems they both don't work anymore.
Luckily, I also saved the original download file while it was still accessible, and you can download it directly from my website by clicking here.
2. Now, let's take a look inside your Windows OpenVPN configuration file. Your .conf file may use the parameter
cryptoapicert "certname" - if so, you'll probably need to comment it - you will probably just not be able to import the certificate into the system.
Instead, you can use the pkcs12 "C:\\Program Files\\OpenVPN\\config\\cert.p12" parameter to specify your certificate's (such as .p12) direct location.
3. Let's move on to the Linux OpenVPN server side. In your OpenVPN server configuration file
(it is probably located somewhere at /etc/openvpn/servername.conf), you may want to add the
data-ciphers aes-256-cbc parameter to enable aes-256-cbc encryption, which in my case was still supported
(honestly idk if natively by Windows XP or by the OpenVPN client itself).
It is still a pretty secure algorithm though, but c'mon, we are not talking about security while rocking Windows XP.
4. Enabling NLA (Network Level Authentication) on Windows XP.
When connecting to the server with mstsc, you'll probably encounter the following error:
It happens because Windows XP technically supports NLA, but works kinda strange in practice.
Of course, you can just disable NLA on your server and call it a day, but we'll aim for "maximum security" in this article.
We'll need to tweak the Registry a little bit for it to work.
4.1. Open regedit. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry branch.
4.2. Edit the "Security Packages" key: append tspkg to the end.
4.3 Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders registry branch.
4.4. Edit the "SecurityProviders" key: append credssp.dll to the end.
4.5. Close regedit. Reboot your machine.
That is all. I hope this helps you in your endeavors.