
Understanding Connection Profiles for Access Server | OpenVPN

Abstract

Learn about Access Server's connection profiles, the .ovpn text files necessary for a VPN client to connect with the server.

Understanding Connection Profiles

Connection profiles (.ovpn text files) contain the directives, parameters, and certificates required to establish the client-server VPN connection. These commonly include the addresses and ports used to contact the server, the certificates and keys used to verify peer identity and to secure the TLS control channel, and other client settings.

Different types of connection profiles are available for different use cases. Understanding your choices in connection profiles should help you select the best profile for your clients and users.

Connection profile types

Access Server issues the following connection profile types:

  1. User-locked: can only be used with credentials for that specific user.

  2. Auto-login: does not require credentials to establish the VPN tunnel.

  3. Server-locked: requires credentials for any valid user on the server.

User-locked profiles

We recommend user-locked profiles for most use cases, especially mobile and desktop devices used exclusively by one user.

These connection profiles contain a unique client private key and client certificate, together with all the other certificates, keys, and directives needed for the VPN connection. Authentication requires the private key, the client certificate, and the correct credentials for that user; you can also enable multi-factor authentication (MFA). Because the profile is locked to one user account, credentials for any other account fail the authentication phase even though the certificate is valid. The private key is embedded in the file, so protect the file accordingly.

Auto-login profiles

We recommend auto-login profiles for systems where nobody is present to enter credentials, such as headless servers or unattended systems.

These connection profiles contain a unique client private key and client certificate, together with all the other certificates, keys, and directives needed to establish the VPN tunnel. Authentication requires only the private key and client certificate; no username or password is needed. If MFA is enabled for the account, it may still be required. Because the file alone is sufficient to open the tunnel, treat it like a private key: restrict access to it and revoke its certificate if the device is lost or compromised.

Server-locked profiles

We recommend server-locked profiles for shared devices such as computers in a university or library. In these cases, you establish an OpenVPN connection with your credentials and don’t wish to import a connection profile specific to your user account.

Server-locked profiles have different compatibility with OpenVPN Connect, depending on which version of Access Server generates them.

Server-locked profiles v2 (2.9 and newer)

  • Can be used with any VPN client that supports the OpenVPN protocol, not only OpenVPN Connect.

  • Not locked to a specific user: no client certificate or private key is included.

  • Authentication is with username and password, plus MFA if configured.

Server-locked profiles v1 (2.8 and older)

  • Profiles can only be used with OpenVPN Connect.

  • Require access to the Access Server web interface API for authentication, so the client must be able to reach the web service as well as the VPN port.

  • When you start a VPN connection with the profile, you must enter credentials in OpenVPN Connect. OpenVPN Connect then sends these credentials to the API for validation; if successful, the app obtains a user-locked profile and a VPN session token for the session and establishes the VPN connection.

  • After disconnecting, the user-locked profile is removed from OpenVPN Connect, and the server-locked connection profile is ready for the next session.

Working with connection profiles

Refer to the following tutorials for ways to manage and use connection profiles:

Multiple connection profiles per user

User-locked and auto-login connection profiles each contain a unique private key and client certificate. Access Server 2.9 and newer supports multiple connection profiles per user, managed from the User Profiles page in the Admin Web UI.

On Access Server, your users can obtain three different types of connection profiles: server-locked, user-locked, or auto-login. Depending on how you configure Access Server, they may or may not see these options.

A standard user can get a server-locked connection profile, the same for all users on the server. A user may also get a user-locked connection profile containing certificates valid for that particular user. Or, a user may obtain an auto-login connection profile that contains separate certificates for that specific user.

Users can have multiple connection profiles. For example, a user can have three different user-locked profiles downloaded to three different devices. Each of these profiles contains unique certificates. That means each device has its own set of certificates instead of sharing one set of certificates for that user across all devices. This gives you more fine-grained control over revoking certificates if a particular device is lost or compromised.
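The profile types described above, and the per-device certificates this section describes, can be told apart by inspecting the .ovpn text itself. The following is an added example, not code from OpenVPN or Access Server. It assumes the layout the page describes: user-locked and auto-login profiles embed a client <cert>/<key> pair, user-locked and server-locked profiles carry an auth-user-pass directive, and a server-locked v2 profile embeds no client certificate at all. The sample profiles, the hostname vpn.example.com, and the PEM bodies are constructed placeholders (valid base64, not real keys or certificates); the SHA-256 of the embedded certificate is used as a stable identifier for each device's profile.

```python
"""Inspect OpenVPN .ovpn connection profiles and classify them by Access Server type.

Added example for this page, not code from OpenVPN or Access Server. Assumes the
profile layout the page describes (see lead-in). PEM bodies in the samples are
constructed placeholders: valid base64, but not real keys or certificates.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Matches inline blocks such as <cert>...</cert>; the backreference makes sure
# the closing tag is the same as the opening one.
INLINE_RE = re.compile(r"<(?P<tag>[a-z-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.DOTALL)


def parse_profile(text: str) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Split a profile into plain directives and inline <tag> blocks.

    Returns (directives, inline): directives maps a directive name to every
    argument string seen for it; inline maps a tag name to its PEM body.
    """
    inline = {m.group("tag"): m.group("body").strip() for m in INLINE_RE.finditer(text)}
    directives: Dict[str, List[str]] = {}
    for raw in INLINE_RE.sub("", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives, inline


def classify_profile(text: str) -> str:
    """Return 'user-locked', 'auto-login', 'server-locked' or 'unknown'."""
    directives, inline = parse_profile(text)
    has_client_identity = "cert" in inline and "key" in inline
    asks_credentials = "auth-user-pass" in directives
    if has_client_identity and asks_credentials:
        return "user-locked"
    if has_client_identity:
        return "auto-login"      # the file alone opens the tunnel: guard it like a key
    if asks_credentials:
        return "server-locked"   # any valid account on this server can use it
    return "unknown"


def cert_fingerprint(text: str) -> str:
    """SHA-256 hex digest of the DER bytes inside <cert>, or '' when absent.

    Each user-locked or auto-login profile carries its own certificate, so the
    fingerprint identifies which device's profile you are looking at when
    deciding what to revoke.
    """
    _, inline = parse_profile(text)
    pem = inline.get("cert")
    if pem is None:
        return ""
    der_b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(der_b64)).hexdigest()


def make_profile(client_cert_b64: Optional[str], ask_credentials: bool) -> str:
    """Build a constructed sample profile containing only the markers that matter here."""
    lines = ["client", "dev tun", "proto udp", "remote vpn.example.com 1194", "verb 3"]
    if ask_credentials:
        lines.append("auth-user-pass")
    lines += ["<ca>", "-----BEGIN CERTIFICATE-----", "Y2EgcGxhY2Vob2xkZXI=",
              "-----END CERTIFICATE-----", "</ca>"]
    if client_cert_b64 is not None:
        lines += ["<cert>", "-----BEGIN CERTIFICATE-----", client_cert_b64,
                  "-----END CERTIFICATE-----", "</cert>",
                  "<key>", "-----BEGIN PRIVATE KEY-----", "a2V5IHBsYWNlaG9sZGVy",
                  "-----END PRIVATE KEY-----", "</key>"]
    return "\n".join(lines) + "\n"


# Constructed samples: one profile per type, two different "device" certificates.
USER_LOCKED_PROFILE = make_profile("ZGV2aWNlLTEgcGxhY2Vob2xkZXI=", ask_credentials=True)
AUTO_LOGIN_PROFILE = make_profile("ZGV2aWNlLTIgcGxhY2Vob2xkZXI=", ask_credentials=False)
SERVER_LOCKED_PROFILE = make_profile(None, ask_credentials=True)

if __name__ == "__main__":
    for label, profile in [("user-locked", USER_LOCKED_PROFILE),
                           ("auto-login", AUTO_LOGIN_PROFILE),
                           ("server-locked", SERVER_LOCKED_PROFILE)]:
        print(f"{label:14s} -> {classify_profile(profile):14s} "
              f"cert sha256={cert_fingerprint(profile)[:16] or '(none)'}")
```

Run against the profiles actually downloaded to each device, the fingerprint column tells you which certificate belongs to which device, which is the piece of information you need when revoking the profile of a single lost or compromised device rather than every profile the user owns. The classifier only looks at the two markers the page describes, so a hand-edited profile can defeat it; it is an inventory aid, not an access-control check.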

How certificate handling changed between Access Server versions

In Access Server 2.8 and older, each user had just two possible pairs of private keys and client certificates: one pair for a user-locked connection profile and another pair for an optional auto-login connection profile. The server-locked profile was a type of pseudo-profile that would work only in OpenVPN Connect and used the Access Server’s web API to temporarily obtain and use a particular user’s user-locked connection profile and establish the VPN tunnel.

In Access Server 2.9 and newer, users can have multiple connection profiles, each with a unique private key and client certificate pair. The server-locked profile has been updated to work directly with any OpenVPN client and doesn’t require the Access Server API and OpenVPN Connect specifically to work.

New functionality for OpenVPN connection profiles: device ID and compat certificates

OpenVPN Connect 3.3 and newer sends a device ID to Access Server. If the client app provides the device ID during the import process, this allows Access Server to identify this device uniquely in the overview of connection profiles.

Device ID for latest OpenVPN Connect and older server-locked profiles

OpenVPN Connect 3.3 and newer sends a device ID to Access Server. The device ID that OpenVPN Connect sends is the same for every VPN session it starts. If you’re using a server-locked profile generated by Access Server 2.8 and older, we use the device ID to ensure the same connection profile is used for this device on every connection. This avoids the problem of generating excessive connection profiles on the server and allows each unique device to have its own key and certificate pair.

Compat as device ID for older OpenVPN Connect and older server-locked profiles

We use the compat connection profile if you’re using a server-locked profile generated by Access Server 2.8 and older on OpenVPN Connect 3.2 and older, where no device ID is provided. This ensures the same behavior as before, using only one pair of private keys and client certificates for this type of connection. This avoids the problem of generating excessive amounts of connection profiles on the server.

Upgrading Access Server and its impact on server-locked profiles

Whenever a connection profile is needed, Access Server generates an entirely new profile with the current settings. When you upgrade an older version of Access Server to 2.9 or newer, the older server-locked connection profiles remain in the database until a new profile is needed. Changing the TLS control channel security setting or the TLS minimum version setting is one example: the next time you download a connection profile, it is generated with the new settings. Whether generated from the command line interface or the Admin Web UI, user-locked and auto-login profiles always contain unique certificates.

No compat or device ID necessary for new server-locked profiles

When the old server-locked connection profiles (Access Server 2.8 and older) are used, the compat or device ID certificates described above are used. The new server-locked connection profile type doesn't use client certificates at all; the user is identified by username and password, plus MFA if configured.