Skip to main content

Tutorial: Create OpenVPN Connect Bundled Client Installers Using the Web API

Abstract

Create OpenVPN Connect bundled installers using the Access Server Web API. Generate Windows and macOS installers with embedded user, auto-login, server-locked, or ePKI connection profiles.

Overview

This tutorial shows how to create OpenVPN Connect bundled installers using the Access Server Web API.

A bundled installer combines the OpenVPN Connect application with a preconfigured connection profile, allowing users to install the client and import the profile in a single step.

You can generate bundled installers for:

  • Windows (.msi)

  • macOS (.dmg)

Tip

This tutorial uses the sacli apicall command, but you can also use cURL or the Swagger UI. Refer to Tutorial: Test the New Web API (OpenAPI) in Access Server 3.0.

Note

In our documentation, we use example IPv4 addresses and subnets reserved for documentation, such as 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24.

Ensure you replace them with valid IPv4 addresses and subnets for your network(s).

Prerequisites

  • Access Server 3.1.0 or newer.

  • Root privileges on your Access Server's console.

  • (Optional) A remote machine for running API calls.

Important

The API specification can change between Access Server versions. Verify the API specification for your version before using these commands.

Refer to: View the API specification.

Step 1: Generate a bundled installer

  1. Connect to the console and get root privileges.

  2. Run one of the following commands, depending on the installer and profile types you want to generate.

User-locked profile

  • Windows installer (.msi)

    sacli --method POST --auth_token_user="<USER_NAME>" --url 'api/installer-url' --value '{"installer_type": "win_v3", "profile_type": "userlogin", "tls_crypt_v2": true}' apicall

  • macOS installer (.dmg)

    sacli --method POST --auth_token_user="<USER_NAME>" --url 'api/installer-url' --value '{"installer_type": "mac_v3", "profile_type": "userlogin", "tls_crypt_v2": true}' apicall

Auto-login profile

Important

Auto-login profiles require the user to have auto-login permission, either assigned directly or inherited through a group. By default, auto-login permission is disabled.

  • Windows installer (.msi)

    sacli --method POST --auth_token_user="<USER_NAME>" --url 'api/installer-url' --value '{"installer_type": "win_v3", "profile_type": "autologin", "tls_crypt_v2": true}' apicall

  • macOS installer (.dmg)

    sacli --method POST --auth_token_user="<USER_NAME>" --url 'api/installer-url' --value '{"installer_type": "mac_v3", "profile_type": "autologin", "tls_crypt_v2": true}' apicall

Server-locked profile

  • Windows installer (.msi)

    sacli --method POST --auth_token_user="<USER_NAME>" --url 'api/installer-url' --value '{"installer_type": "win_v3", "profile_type": "generic", "tls_crypt_v2": true}' apicall

  • macOS installer (.dmg)

    sacli --method POST --auth_token_user="<USER_NAME>" --url 'api/installer-url' --value '{"installer_type": "mac_v3", "profile_type": "generic", "tls_crypt_v2": true}' apicall

Generic ePKI profile

Note

ePKI profile types can only be used when Access Server is configured for ePKI mode.

  • Windows installer (.msi)

    sacli --method POST --auth_token_user="<USER_NAME>" --url 'api/installer-url' --value '{"installer_type": "win_v3", "profile_type": "epki-generic", "tls_crypt_v2": true}' apicall

  • macOS installer (.dmg)

    sacli --method POST --auth_token_user="<USER_NAME>" --url 'api/installer-url' --value '{"installer_type": "mac_v3", "profile_type": "epki-generic", "tls_crypt_v2": true}' apicall

Auto-login ePKI profile

Note

ePKI profile types can only be used when Access Server is configured for ePKI mode.

  • Windows installer (.msi)

    sacli --method POST --auth_token_user="<USER_NAME>" --url 'api/installer-url' --value '{"installer_type": "win_v3", "profile_type": "epki-autologin", "tls_crypt_v2": true}' apicall

  • macOS installer (.dmg)

    sacli --method POST --auth_token_user="<USER_NAME>" --url 'api/installer-url' --value '{"installer_type": "mac_v3", "profile_type": "epki-autologin", "tls_crypt_v2": true}' apicall

Result

The API returns a temporary download URL for the bundled installer.

Example output:

"https://192.0.2.2/rest/GetInstallerViaToken?installer_type=win_v3&token=kF2FULkaNrMCJxQRdbzLGOjemMQZhSRq&tls-cryptv2=True"

Open the generated URL in a web browser, or use a download tool such as curl or wget to retrieve the installer.

In this section:
See also:

The VPN client app to connect to Access Server.

A file with the information for a VPN client to securely connect to Access Server.

A device running OpenVPN client software used to connect to Access Server.