Understanding Connection Profiles for Access Server | OpenVPN

We recommend user-locked profiles for most use cases, especially mobile and desktop devices one user exclusively uses.

These connection profiles contain a unique client private key and unique client certificate, with all the necessary certificates, keys, and instructions for the VPN connection. The authentication process requires the private key, client certificate, and the correct user credentials to establish a VPN tunnel successfully. You can enable multi-factor authentication (MFA) as well. This connection profile type is locked to the specific user account. If you use credentials for another account with this type of profile, you won’t pass the authentication phase.

We recommend auto-login profiles when you don’t manually enter user credentials, such as headless servers or unattended systems.

These connection profiles contain a unique client private key and certificate and all the necessary certificates, keys, and instructions to successfully establish the VPN tunnel. The authentication process requires the private key and client certificate—no additional credentials are needed. However, if you enable MFA, it may be required.

We recommend server-locked profiles for shared devices such as computers in a university or library. In these cases, you establish an OpenVPN connection with your credentials and don’t wish to import a connection profile specific to your user account.

Server-locked profiles have different compatibility with OpenVPN Connect, depending on which version of Access Server generates them.

In Access Server 2.8 and older, each user had just two possible pairs of private keys and client certificates: one pair for a user-locked connection profile and another pair for an optional auto-login connection profile. The server-locked profile was a type of pseudo-profile that would work only in OpenVPN Connect and used the Access Server’s web API to temporarily obtain and use a particular user’s user-locked connection profile and establish the VPN tunnel.

In Access Server 2.9 and newer, users can have multiple connection profiles, each with a unique private key and client certificate pair. The server-locked profile has been updated to work directly with any OpenVPN client and doesn’t require the Access Server API and OpenVPN Connect specifically to work.

OpenVPN Connect 3.3 and newer sends a device ID to Access Server. The device ID that OpenVPN Connect sends is the same for every VPN session it starts. If you’re using a server-locked profile generated by Access Server 2.8 and older, we use the device ID to ensure the same connection profile is used for this device on every connection. This avoids the problem of generating excessive connection profiles on the server and allows each unique device to have its own key and certificate pair.

We use the compat connection profile if you’re using a server-locked profile generated by Access Server 2.8 and older on OpenVPN Connect 3.2 and older, where no device ID is provided. This ensures the same behavior as before, using only one pair of private keys and client certificates for this type of connection. This avoids the problem of generating excessive amounts of connection profiles on the server.

Whenever a connection profile is needed, Access Server generates an entirely new profile with the current settings. When upgrading an older version of Access Server to version 2.9 and newer, older server-locked connection profiles remain in the database until a new profile is needed. An example of needing a new profile would be when you change the TLS control channel security setting or the TLS minimum version setting — the next time you download a connection profile, it’s updated with the new settings. All connection profiles contain unique certificates generated by the command line interface or the Admin Web UI.

When the old server-locked connection profiles are used, the compat and device ID certificates are used. The new server-locked connection profile type doesn’t use client certificates.