Understanding Connection Profiles for Access Server | OpenVPN
Learn about Access Server's connection profiles, the .ovpn text files necessary for a VPN client to connect with the server.
Understanding Connection Profiles
Connection profiles (.ovpn text files) contain the directives, parameters, and certificates required to establish the client-server VPN connection. These commonly include addresses and ports to contact the server, information for verifying peer identity, securing the TLS control channel, and other settings.
Different types of connection profiles are available for different use cases. Understanding your choices in connection profiles should help you select the best profile for your clients and users.
Connection profile types
Access Server uses the following connection types, each designed to meet specific security and operational needs:
User-locked: can only be used with credentials for that specific user.
Auto-login: doesn't require credentials to establish the VPN tunnel.
Server-locked: requires credentials for any valid user on the server.
Generic ePKI: can only be used with ePKI mode and requires credentials.
Auto-login ePKI: can only be used with ePKI mode and doesn't require credentials.
User-locked profiles
We recommend user-locked profiles for most use cases, especially for mobile and desktop devices used exclusively by one user.
These connection profiles contain a unique client private key and a unique client certificate, together with all the other certificates, keys, and directives needed for the VPN connection. Establishing a tunnel requires the private key, the client certificate, and the correct credentials for the user the profile was issued to. You can enable multi-factor authentication (MFA) as well. This profile type is locked to that specific user account: the server checks the username supplied during authentication against the user the client certificate was issued to, so credentials for any other account fail the authentication phase even though the certificate itself is valid.
Auto-login profiles
We recommend auto-login profiles where nobody is present to enter user credentials, such as on headless servers or unattended systems.
These connection profiles contain a unique client private key and certificate and all the other certificates, keys, and directives needed to establish the VPN tunnel. Authentication requires only the private key and client certificate; no username or password is entered. If you enable MFA, however, it may still be required. Because possession of the file alone is enough to connect, treat an auto-login profile as a secret: restrict file permissions on the device and revoke its certificate promptly if the device is lost or compromised.
Server-locked profiles
We recommend server-locked profiles for shared devices such as computers in a university or library. In these cases, you establish the OpenVPN connection with your own credentials and don't want a connection profile tied to your user account stored on the shared device.
Server-locked profiles have the following properties:
They can be used with any VPN client that supports the OpenVPN protocol.
They are not locked to a specific user; no user-specific client certificate is included.
Authentication uses a username and password, plus MFA if configured.
This behavior is compatible with almost all OpenVPN clients.
Generic ePKI profile
In external public key infrastructure (ePKI) mode, Generic ePKI profiles combine certificate-based authentication with password-based security: the user must present both a valid client certificate issued by the external PKI and their password.
Ideal use case: When a password layer is needed in addition to certificate-based security. Common in environments that require multi-layer security for sensitive information.
To generate the generic ePKI profile, refer to our tutorials:
Auto-login ePKI profile
The auto-login ePKI profile is designed for environments where devices or systems must authenticate automatically without a password. This profile relies solely on the client certificate issued by the external PKI for authentication.
Ideal use case: Unattended devices or systems that require automatic, certificate-based login without user interaction.
To generate the auto-login ePKI profile, refer to our tutorials:
Working with connection profiles
Refer to the following tutorials for ways to manage and use connection profiles:
Multiple connection profiles per user
User-locked and auto-login connection profiles contain unique private keys and client certificates. Access Server supports multiple connection profiles per user, managed from the user's Single User page in the Admin Web UI.
On Access Server, users can obtain three types of connection profiles: server-locked, user-locked, or auto-login. Depending on how you configure Access Server, they may or may not see all of these options.
A standard user can get a server-locked connection profile, which is the same for all users on the server. A user may also get a user-locked connection profile containing certificates valid only for that particular user. Or a user may obtain an auto-login connection profile, which contains a separate set of certificates for that specific user.
Users can have multiple connection profiles. For example, a user can have three different user-locked profiles downloaded to three different devices. Each of these profiles contains unique certificates. That means each device has its own set of certificates instead of sharing one set of certificates for that user across all devices. This gives you more fine-grained control over revoking certificates if a particular device is lost or compromised.
Device ID and compat certificates 3.0
OpenVPN Connect 3.3 and newer sends a device ID to Access Server. If the client app provides the device ID when it imports the profile, Access Server can identify that device uniquely in the overview of connection profiles.
Whenever a connection profile is needed, Access Server generates an entirely new profile with the current settings. When you upgrade an older version of Access Server, older server-locked connection profiles remain in the database until a new profile is needed, for example after you change the TLS control channel security setting (such as switching between tls-auth and tls-crypt) or the TLS minimum version setting. The next time you download a connection profile, it reflects the new settings. Every user-locked and auto-login connection profile contains unique certificates, whether it is generated from the command-line interface or from the Admin Web UI.
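As an added example (this is not OpenVPN's or Access Server's own code), the script below reads an .ovpn profile and reports the things discussed on this page: which profile type it appears to be, whether it embeds a private key, how the TLS control channel is protected (tls-auth, tls-crypt, or tls-crypt-v2) and what tls-version-min it carries. The type classification is a heuristic derived from the descriptions above (unique cert and key plus auth-user-pass = user-locked; cert and key without auth-user-pass = auto-login; auth-user-pass without a client cert = server-locked); it cannot tell an ePKI profile from an internal-PKI one, since that depends on which CA issued the certificate. The sample profiles and their PEM bodies are constructed placeholders, not real key material.

```python
"""Inspect an OpenVPN .ovpn connection profile: type, control-channel
protection, TLS minimum version and security warnings.  Added example;
the type rules are a heuristic built from the profile descriptions above."""
import re

# <tag> ... </tag> inline file blocks (ca, cert, key, tls-crypt, tls-auth, ...)
INLINE_BLOCK = re.compile(r"<(?P<tag>[a-z0-9-]+)>\s*(?P<body>.*?)\s*</(?P=tag)>", re.S)


def parse_profile(text):
    """Return (blocks, directives): blocks maps tag -> body, directives maps
    name -> list of argument lists (a directive such as 'remote' may repeat)."""
    blocks = {m.group("tag"): m.group("body") for m in INLINE_BLOCK.finditer(text)}
    directives = {}
    for line in INLINE_BLOCK.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return blocks, directives


def present(name, blocks, directives):
    """True if 'name' appears inline (<name>) or as a file reference ('name path')."""
    return name in blocks or name in directives


def inspect_profile(text):
    blocks, directives = parse_profile(text)
    has_cert = present("cert", blocks, directives)
    has_key = present("key", blocks, directives)
    needs_creds = "auth-user-pass" in directives

    if has_cert and has_key and needs_creds:
        kind = "user-locked"
    elif has_cert and has_key:
        kind = "auto-login"
    elif needs_creds:
        kind = "server-locked"
    else:
        kind = "unknown"

    # Control-channel protection, strongest option first.
    control = "none"
    for option in ("tls-crypt-v2", "tls-crypt", "tls-auth"):
        if present(option, blocks, directives):
            control = option
            break

    tls_args = directives.get("tls-version-min")
    tls_min = tls_args[0][0] if tls_args and tls_args[0] else None
    remotes = [" ".join(a) for a in directives.get("remote", [])]

    warnings = []
    if "key" in blocks and "PRIVATE KEY" in blocks["key"]:
        warnings.append("embeds a private key: treat the file as a secret")
    if kind == "auto-login":
        warnings.append("auto-login: possession of the file alone grants access")
    if control == "none":
        warnings.append("control channel has no tls-auth/tls-crypt protection")
    if tls_min is None or float(tls_min) < 1.2:
        warnings.append("no tls-version-min of 1.2 or higher")
    if not present("ca", blocks, directives):
        warnings.append("no CA: the server's identity cannot be verified")

    return {"type": kind, "control_channel": control, "tls_version_min": tls_min,
            "remotes": remotes, "warnings": warnings}


# Constructed samples: placeholder PEM bodies, not real certificates or keys.
PEM_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----"
PEM_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----"
PEM_TLSCRYPT = "-----BEGIN OpenVPN Static key V1-----\n00placeholder\n-----END OpenVPN Static key V1-----"
COMMON = f"""client
dev tun
proto udp
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp
remote-cert-tls server
tls-version-min 1.2
<ca>
{PEM_CERT}
</ca>
<tls-crypt>
{PEM_TLSCRYPT}
</tls-crypt>
"""
IDENTITY = f"<cert>\n{PEM_CERT}\n</cert>\n<key>\n{PEM_KEY}\n</key>\n"
USER_LOCKED = COMMON + "auth-user-pass\n" + IDENTITY
AUTO_LOGIN = COMMON + IDENTITY
SERVER_LOCKED = COMMON + "auth-user-pass\n"
# Weak profile: credentials only, no control-channel key, no TLS floor.
WEAK = f"client\nremote vpn.example.com 1194 udp\nauth-user-pass\n<ca>\n{PEM_CERT}\n</ca>\n"

if __name__ == "__main__":
    for name, prof in (("user-locked", USER_LOCKED), ("auto-login", AUTO_LOGIN),
                       ("server-locked", SERVER_LOCKED), ("weak", WEAK)):
        print(name, inspect_profile(prof))
```

Run it against a real downloaded profile with `inspect_profile(open("client.ovpn").read())`. A profile re-downloaded after changing the control channel or TLS minimum version settings should show the new values here; an older cached profile will not, which is a quick way to confirm that a device is actually using the updated settings.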