Skip to main content

CloudConnexa MCP Server Guide

Abstract

Provides instructions to use the MCP server with AI clients.

Introduction

The MCP Server for CloudConnexa is a bridge between CloudConnexa (a cloud-delivered networking and security platform) and the Model Context Protocol (MCP) ecosystem. Here’s what that means and how it works:

What the CloudConnexa MCP Server Is

  • MCP Server Role: In the MCP architecture, a “server” is a provider of capabilities (data, tools, or environment context). The CloudConnexa MCP Server exposes CloudConnexa functionality in a standardized MCP-compatible way.

  • CloudConnexa Integration: It connects directly with the CloudConnexa environment (where you manage virtual networks, access policies, users, and devices). It acts as a gateway, translating CloudConnexa APIs and resources into a form that any MCP client can understand.

Using it with MCP Clients

Here’s how this plays out with real tools:

  • 5ire, Claude Desktop, Cursor, VS Code with Cline (all MCP clients): 

    • These clients can discover the CloudConnexa MCP Server automatically.

    • They can query or invoke CloudConnexa resources through standardized MCP APIs.

    • Example: You could open VS Code with Cline, type a natural-language command like “Show me all devices connected to CloudConnexa”, and Cline (via MCP) would call the CloudConnexa MCP Server to fetch that info.

  • Consistency Across Tools: Whether you’re in a coding IDE (Cursor, VS Code with Cline) or an AI assistant app (Claude Desktop, 5ire), the interaction model is the same — you don’t have to learn separate APIs or write glue code.

Why This Matters

  • Unified Access: You can manage and interact with CloudConnexa securely from any MCP-aware environment.

  • Developer Productivity: Devs no longer need to switch to CloudConnexa’s admin portal or juggle REST APIs — everything is available inside their preferred MCP client.

  • Extensibility: Other tools in your workflow can combine CloudConnexa data with different MCP servers (e.g., Jira, GitHub, databases) for cross-context automation.

Prerequisites

  • Required: 

    • CloudConnexa account and API keys

    • Docker

      • Visit: Docker

      • Install Docker Desktop for your OS.

      • Open Docker and ensure it is running.

    • A supported MCP client

      • 5ire

      • Claude Desktop (v1.9+)

      • Claude Code

      • Cursor

      • VS Code with Cline plugin

  • Optional but recommended: 

    • Github or GitHub CLI (gh) — a convenient alternative for cloning the repository

  • Confirmation steps: 

    • Verify Docker is running.

    • Verify Git or GitHub CLI is installed (if using).

Download the repository

  • From GitHub 

  • Using Git: 

    git clone https://github.com/OpenVPN/cloudconnexa-mcp-server.git
cd cloudconnexa-mcp-server

  • Using Github CLI (alternative): 

    gh repo clone OpenVPN/cloudconnexa-mcp-server
cd cloudconnexa-mcp-server

  • Alternative: Download the ZIP archive from GitHub, extract it, and then open the extracted folder in your terminal.

Set up the MCP Server

  1. Generate your API Token. Refer to Creating API credentials.

  2. Build the Docker container (from repo root):

    docker build -t mcp-server-public . 

  3. Start the MCP server:

    bash start.sh 

Integrate with 5ire App

Add GPT-5 model to 5ire App

GPT-5 performed best during tests; it’s not available by default in 5ire. Add it manually:

  1. Go to Workspace → Providers → OpenAI, click + Model.

  2. Set Name and Display Name to gpt-5.

  3. Set Context Window to 400000 and Max Tokens to 16384.

  4. Set Input Price to $1.25 and Output Price to $0 (example values).

    Note

    These values are examples; advise users to adjust based on their enterprise cost and usage policies.

  5. Toggle Tools to ON.

  6. Click Save.

  7. In New Chat, set temperature to 1.0 (note: GPT-5 requires >1) and adjust Max Tokens as needed.

Add the MCP Server to 5ire App

  1. Open 5ire App and go to Tools.

  2. Click +Local to open the Add New Tool modal and fill the following:

    1. Tool Key: openvpnmcp

    2. Name: OpenVPN MCP

    3. URL: http://0.0.0.0:9999/sse

  3. Click Save.

  4. Switch the toggle to ON to enable the MCP server.

  5. Go to Workspace → Providers and add your LLM Provider API key.

  6. Click New Chat.

  7. Select your desired LLM model and run the prompt:

    Discover graphql_schema and tell me what tools are available? 

    Note

    This initial discovery prompt is required once, so the MCP client can discover the available tools.

Example Prompts

Once all the available tools are discovered (refer to Step 7), CloudConnexa prompts can be used. For example:

Note

Only read-only tools are available at this time.

  • Which users are online right now?

  • What is my device posture policy?

  • Show DNS logs for yesterday.

  • Show me a summary of my configuration.

Available tools

Note

Only read-only tools are available at this time.

Hosts and related: 

  • hosts: List all hosts.

  • hostById(id): Get a host by ID.

  • hostApplications(hostId): List applications attached to a host.

  • hostApplicationById(id): Get a specific host application.

  • hostServices(hostId): List IP-based services on a host.

  • hostServiceById(id): Get a host IP service by ID.

  • hostConnectors(hostId): List connectors associated with a host.

  • hostConnectorsById(id): Get a specific host connector.

Networks and related 

  • networks: List all networks.

  • networkById(id): Get a network by ID.

  • networkApplications(networkId): List applications associated with a network.

  • networkApplicationById(id): Get a specific network application.

  • networkServices(networkId): List IP-based services on a network.

  • networkServiceById(id): Get a network IP service by ID.

  • networkRoutes(networkId): List network routes (IPv4/IPv6).

  • networkRouteById(id): Get a network route by ID.

  • networkConnectors(networkId): List connectors for a network.

  • networkConnectorsById(id): Get a specific network connector.

Traffic & sessions 

  • visitedDomains(startHour, hoursBack=1): Domain resolution stats for a time window.

  • sessions(startDate, endDate, ...): Retrieve session records (active/historical).

Users, groups, devices 

  • users: List users.

  • userById(id): Get a user by ID.

  • userGroups: List user groups.

  • userGroupById(id): Get a user group by ID.

  • devices(userId): List devices, optionally filtered by user.

  • deviceById(id, userId): Get a device by ID for a user.

  • vpnRegions: List available VPN regions.

Access control 

  • accessGroups: List access groups/policies.

  • accessGroupById(id): Get an access group by ID.

  • accessVisibilityEnabled: Whether access visibility is enabled.

Device posture 

  • devicePostures: List device posture policies.

  • devicePostureById(id): Get a device posture policy by ID.

DNS and logging 

  • dnsLogUserResolutionsEnabled: Whether per-user DNS resolution logging is enabled.

  • dnsRecords: List custom DNS records.

  • dnsRecordById(id): Get a DNS record by ID.

  • dnsServerAddresses: Get DNS server addresses configured.

  • dnsProxyEnabled: Whether DNS proxying is enabled.

  • defaultDnsSuffix: Default DNS suffix.

  • dnsZones: List DNS zones.

Location contexts 

  • locationContexts: List location context policies.

  • locationContextById(id): Get a location context by ID.

SCIM 

  • scimCurrentUser: Get SCIM token/config info for the current user.

  • scimUsers(startIndex, count, filter): SCIM-compliant user listing.

  • scimUserById(id): Get a SCIM user by ID.

Organization settings 

  • topology: Current topology setting.

  • defaultRegion: Default VPN region.

  • snat: Whether SNAT is enabled.

  • subnet: Organization subnets (IPv4/IPv6).

  • domainRoutingSubnet: Subnet used for domain routing.

  • clientOptions: Client option flags.

  • connectionTimeout: Connection timeout (seconds).

  • defaultConnectAuth: Default connect authentication policy.

  • deviceAllowancePerUser: Max devices per user.

  • forceUpdateDeviceAllowance: Force device allowance update flag.

  • deviceEnforcementLevel: Device compliance enforcement level.

  • profileDistribution: Client/profile distribution method.

  • twoFactorAuthEnabled: Whether 2FA is enabled.

  • trustedDevicesAllowed: Whether trusted devices are allowed.

  • ldapGroupMappings: LDAP group-to-app mappings.

  • samlGroupMappings: SAML group-to-app mappings.

Troubleshooting

Note

GPT-4 and o4-mini models struggle to build correct MCP tool requests in some instances. In comparison, GPT-5 shows significantly more accurate performance.

GPT-5 model is not available
The LLM model does not support this temperature

  • GPT-5 model supports only temperature values of 1.0 or higher

Context window size reached

  • Just above the prompt in 5ire App you can change how many tokens should the context length be. If you often run into this error you can adjust this setting.

LLM replies that it can not reach MCP tools

  • Ensure that under Tools, the MCP server shows a green "Online" status, if not then turn the toggle ON. If it's still not working check in the terminal that the server is running.

LLM replies that it can not find any MCP tools

  • Try running this prompt: "Discover graphql_schema" then try again.

API credentials not working?

  • Try generating a new pair of credentials from CloudConnexa -> API & Logs -> API

Contributing

We welcome your contributions. Enhancements, bug reports, and documentation improvements are valued.

  1. Fork the repository

  2. Create a feature branch (e.g., git checkout -b feature/new-tool)

  3. Submit a pull request for review

License

This project is licensed under the Apache 2.0 license.

In this section: