Skip to main content

Tutorial: Create Connection Profiles Using the Web API (OpenAPI)

Abstract

Create connection profiles in OpenVPN Access Server using the Web API. Learn how to generate user-locked, autologin, and server-locked profiles with CLI or API calls.

Overview

This tutorial shows how to create connection profiles in Access Server using the Web API.

You can use the API to generate different types of connection profiles for users, including user-locked, autologin, and server-locked profiles.

Tip

This tutorial uses the sacli apicall command, but you can also use cURL or the Swagger UI. Refer to Tutorial: Test the New Web API (OpenAPI) in Access Server 3.0.

Prerequisites

  • Access Server 3.1.0 or newer.

  • Root privileges on your Access Server's console.

  • (Optional) A remote machine for running API calls.

Important

The API specification can change between Access Server versions. Verify the API specification for your version before using these commands.

Refer to: View the API specification.

Step 1: Create connection profiles

Important

Autologin profiles require that the user has autologin permission, whether granted directly or inherited. By default, this permission is disabled.

  1. Connect to the server and get root privileges.

  2. Run one of the following commands, based on the profile type you need:

    • User-locked profile (requires user credentials)

      sacli --method POST --url 'api/profiles/create' --value '{"profile_type":"userlogin", "username": "<USER_NAME>"}' apicall

    • Auto-login profile (no credentials required)

      sacli --method POST --url 'api/profiles/create' --value '{"profile_type":"autologin", "username": "<USER_NAME>"}' apicall

    • Server-locked profile (generic profile)

      sacli --method POST --url 'api/profiles/create' --value '{"profile_type":"generic", "username": "<USER_NAME>"}' apicall

    • Generic ePKI profile (ePKI mode only)

      sacli --method POST --url 'api/profiles/create' --value '{"profile_type":"epki-generic", "username": "<USER_NAME>"}' apicall

    • Auto-login ePKI profile (ePKI mode only)

      sacli --method POST --url 'api/profiles/create' --value '{"profile_type":"epki-autologin", "username": "<USER_NAME>"}' apicall

Step 2: (Optional) Save the profile to a file

  1. You can save the connection profile's output to a file. Run a command like this:

    sacli --method POST --url 'api/profiles/create' --value '{"profile_type":"userlogin", "username": "<USER_NAME>"}' apicall > client.ovpn

  2. Use the generated .ovpn file to connect with OpenVPN Connect or another client.

Additional notes

  • Replace <USER_NAME> with the actual username.

  • Ensure the user exists before creating a profile.

  • Use the correct profile type for your use case:

    • userlogin → requires credentials

    • autologin → no credentials required

    • generic → reusable profile

  • ePKI profiles require ePKI mode to be enabled.

In this section: