User Management: User Profiles

About the Page

The User Management: User Profiles page is where you manage your VPN client user profiles. This section of the Admin Web UI applies to version 2.9 and higher.

User Profile

A user profile or connection profile is a collection of configuration instructions and certificates that are necessary to establish a VPN connection to your Access Server. Each of your users can have none, one, or many profiles. For instance, your admin user may not have a profile if it only manages Access Server through the Admin Web UI. Other users may have more than one profile: downloaded through the Client UI, downloaded with an OpenVPN Connect app, or downloaded manually from the Access Server web interface.

For each profile, this information displays:

  SN#: Serial Number, automatically assigned.
  Autologin: Whether the profile is autologin (managed in user settings).
  tls-crypt-v2: Whether or not the profile uses an additional layer of per-client static encryption on the TLS control channel—a new feature as of AS 2.9.
  Created: The date of profile creation.
  Expires: The expiration date of the profile.
  Signing CA: The certificate authority associated with your Access Server that signed this profile’s certificate.
  Comment: An optional comment that you can enter when creating a new profile. Access Server may populate this with informational text.
  Last Used: The date the profile last connected.
  Delete: To delete a profile, check this box and then click Delete. The VPN client using this profile will then need to obtain a new profile in order to connect again.

New Token URL

You can create a Token URL for your users, which is an authentication token valid for a specific amount of time. With this URL, you automatically trigger OpenVPN Connect, the VPN client, to create a profile.

  1. Click New Token URL for the user.
  2. Select User-Locked or Autologin and the length of time, in hours, the token is valid.
  3. Click Create Token Download URL.
  4. Copy the automatically generated URL and provide it to your user.

New Profile

You can manually create and download new user profiles from the User Profiles page:

  1. Click New Profile for the user.
  2. Choose whether it’s a user-locked or autologin profile, add an optional comment, select or deselect tls-crypt v2, then click Create Profile.

This creates a new profile for the user with the current CA for your Access Server and downloads the ovpn file.
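
Before handing a downloaded ovpn file to a user, you can check that it matches the options chosen above. The following is an added example, not code from Access Server: the function name is hypothetical, the sample profiles are constructed, and it assumes that a profile without the auth-user-pass directive connects on its certificate alone (autologin).

```python
import re

# An inline block in an .ovpn file: <tag> on its own line ... </tag>.
INLINE_BLOCK = re.compile(r"^<([a-z0-9-]+)>[ \t]*$(.*?)^</\1>[ \t]*$", re.M | re.S)

def inspect_profile(text):
    """Summarise the security-relevant properties of an .ovpn profile."""
    blocks = {m.group(1) for m in INLINE_BLOCK.finditer(text)}
    directives = set()
    # Drop inline blocks, then take the first word of each remaining line.
    for line in INLINE_BLOCK.sub("", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            directives.add(line.split()[0])
    # Strongest control-channel wrapping present in the file.
    control = next((t for t in ("tls-crypt-v2", "tls-crypt", "tls-auth")
                    if t in blocks), "none")
    return {
        "control_channel": control,
        # Assumption: a profile without auth-user-pass connects on its
        # certificate alone, i.e. behaves as autologin.
        "prompts_for_credentials": "auth-user-pass" in directives,
        "embeds_private_key": "key" in blocks,
    }

def _block(tag):  # constructed placeholder, no real key material
    return f"<{tag}>\n(placeholder)\n</{tag}>\n"

# Constructed samples, not real Access Server output.
SAMPLE_USER_LOCKED = ("client\nremote vpn.example.com 1194 udp\nauth-user-pass\n"
                      + "".join(_block(t) for t in ("ca", "cert", "key", "tls-crypt-v2")))
SAMPLE_AUTOLOGIN = ("client\nremote vpn.example.com 1194 udp\nkey-direction 1\n"
                    + "".join(_block(t) for t in ("ca", "cert", "key", "tls-auth")))

if __name__ == "__main__":
    for name, text in (("user-locked", SAMPLE_USER_LOCKED),
                       ("autologin", SAMPLE_AUTOLOGIN)):
        print(name, inspect_profile(text))
```

A file that reports an embedded private key and no credential prompt is usable by anyone who holds it, so store and transfer it like a password.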

Server-locked and compatibility profile

A server-locked profile is a pseudo-profile instructing OpenVPN Connect to authenticate and retrieve VPN connection profiles through the Access Server web interface API. When a user logs in, the client retrieves their profile; after the user disconnects, the client forgets the profile. This allows you to distribute a single universal profile to your users, which allows any valid user on the Access Server to authenticate and establish a VPN connection.

OpenVPN Connect v3.2 and older versions don’t send their intention (either connecting or importing a profile) to the Access Server and would generate a new profile for each connection with the server-locked profile. To solve this problem, Access Server recognizes these clients and creates a single compatibility profile per user when needed. This compatibility profile is served to Connect clients v3.2 and older. On more modern clients, each device gets a unique profile.

Note: Access Server 2.9 and newer uses a newer server-locked profile type that works quite differently than the older version. It can be used on community OpenVPN clients (not only OpenVPN Connect) and doesn’t require web service interaction.

Summary

User Management: User Profiles allows you to view all profiles for your users, create and download new ones, or delete existing profiles. In older versions of Access Server, the profile management was more basic because each user account only had one profile, and you only had the option to revoke that specific profile certificate for that specific user.