User Management: User Profiles

About the page

User Management: User Profiles provides you with general information for managing your VPN client user profiles. This section of the Admin Web UI applies to version 2.9 and higher.

User Profiles page:

User Profiles page in Admin Web UI for OpenVPN Access Server

User Profile

A user or connection profile is a collection of configuration instructions and certificates that are necessary to establish a VPN connection to your Access Server. Each of your users can have none, one, or many profiles. For instance, your admin user may not have a profile if it is only used to manage the OpenVPN Access Server through the Admin Web UI. Other users may have more than one profile: downloaded through the Client UI, downloaded with an OpenVPN Connect app, or downloaded manually from the Access Server web interface.

For each profile, this information displays:

  • SN#: Serial Number, automatically assigned.
  • Autologin: Whether the profile is autologin (managed in user settings).
  • tls-crypt-v2: Whether or not the profile uses an additional layer of per-client static encryption on the TLS control channel—a new feature as of AS 2.9.
  • Created: The date the profile was created.
  • Expires: The expiration date of the profile.
  • Signing CA: The certificate authority associated with your Access Server that signed this profile’s certificate.
  • Comment: An optional comment that you can enter when creating a new profile. Access Server may populate this field with informational text.
  • Last Used: The date the profile was last used to connect.
  • Delete: To delete a profile, check this box and then click Delete. The VPN client using the deleted profile must obtain a new profile in order to connect.
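
The following is an added example, not part of Access Server or its documentation: a Python sketch that reviews a profile inventory built from the columns listed above and flags profiles worth a second look. The CSV layout, column names, date format, and thresholds are assumptions; the sample rows are constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory; the CSV layout is an assumption, transcribed
# by hand from the columns shown on the User Profiles page.
SAMPLE = """user,sn,autologin,tls_crypt_v2,created,expires,last_used
alice,3,no,yes,2023-01-10,2033-01-08,2024-05-30
alice,7,yes,yes,2023-06-01,2033-05-29,
bob,4,no,no,2022-02-01,2024-06-15,2024-06-01
carol,9,yes,no,2021-03-01,2024-01-01,2023-02-11
"""

def parse_date(text):
    """Return a date, or None for an empty cell (e.g. profile never used)."""
    return date.fromisoformat(text.strip()) if text.strip() else None

def audit_profiles(csv_text, today, stale_days=90, expiry_warn_days=30):
    """Return {(user, sn): [findings]} for profiles that deserve review."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = []
        expires = parse_date(row["expires"])
        last_used = parse_date(row["last_used"])
        # Autologin profiles connect without prompting for credentials,
        # so each one should map to a known, controlled device.
        if row["autologin"].strip().lower() == "yes":
            findings.append("autologin")
        if row["tls_crypt_v2"].strip().lower() != "yes":
            findings.append("no tls-crypt-v2")
        if expires is not None:
            if expires < today:
                findings.append("expired")
            elif expires - today <= timedelta(days=expiry_warn_days):
                findings.append("expires soon")
        if last_used is None:
            findings.append("never used")
        elif today - last_used > timedelta(days=stale_days):
            findings.append("stale")
        if findings:
            report[(row["user"], int(row["sn"]))] = findings
    return report

if __name__ == "__main__":
    for key, findings in audit_profiles(SAMPLE, date(2024, 6, 10)).items():
        print(key, ", ".join(findings))
```

Profiles flagged as stale, never used, or expired are candidates for the Delete action described above.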

New Profile


To create a new profile, access the Admin Web UI and click on New Profile for the selected user. Choose whether it’s a user-locked or autologin profile, add an optional comment, select or deselect tls-crypt v2, then click Create Profile. This creates a new profile for the user with the current CA for your Access Server.

Server-locked and compatibility profile

A server-locked profile is a pseudo-profile that instructs the OpenVPN Connect program to authenticate and retrieve VPN connection profiles through the Access Server web interface API. When a user logs in, their profile is retrieved by their client, and after the user disconnects the client forgets the profile. This allows for a single universal profile to be distributed to your users, which allows any valid user on the Access Server to authenticate and establish a VPN connection.

OpenVPN Connect v3.2 and older versions do not send their intention (either to connect or to import a profile) to the Access Server, so with a server-locked profile, Access Server would otherwise generate a new profile for every connection. To solve this problem, Access Server recognizes these clients and creates a single compatibility profile per user when needed. This compatibility profile is served to Connect clients v3.2 and older. On more modern clients, each device gets its own unique profile.

Access Server 2.9.0 uses a newer server-locked profile type that works differently than the older version. It can be used on community OpenVPN clients as well as OpenVPN Connect and doesn't require web service interaction.

Summary

User Management: User Profiles allows you to view all profiles for your users, create and download new ones, or delete existing profiles. In older versions of Access Server, the profile management was more basic because each user account only had one profile, and you only had the option to revoke that specific profile certificate for that specific user.