Skip to main content

Windows Pre-Login Connect (PLC)

Abstract

Pre-Login Connect (PLC) allows OpenVPN Connect to establish a VPN connection before a user signs in to Windows, using the Windows Pre-Login Access Provider (PLAP).

Pre-Login Connect (PLC) is a feature in OpenVPN Connect for Windows that establishes a VPN connection at the Windows sign-in screen, before a user signs in to the operating system. It uses the Windows Pre-Login Access Provider (PLAP), which is built into Windows 10 and Windows 11.

This feature is intended for system administrators managing business VPN environments. Common use cases include:

  • Environments that require access to Active Directory or network resources before a user account can complete login.

  • Windows clients joined to a domain that need to have VPN connectivity established before credentials are validated against a domain controller.

  • Environments that run logon scripts requiring network access.

We also have a tutorial you can follow for setting up Pre-Login Connect:

Important

PLC isn't an always-on VPN solution and isn't designed to enforce persistent VPN connectivity. If you need always-on VPN behavior, use service daemon mode instead.

Tip

If you're an end user and your organization has set up Pre-Login Connect, you don't need to install or configure anything. You'll see a Network Sign-in icon on the Windows sign-in screen. Contact your IT administrator if you have questions about your VPN access.

Before you begin

Ensure the following requirements are met before proceeding:

  • OpenVPN Connect version 3.9 or higher is installed.

  • Windows 10 or 11.

  • An administrator shell (Command Prompt or PowerShell, run as administrator).

  • System profiles prepared as .ovpn files and stored in an accessible directory.

Note

PLC isn't supported on Windows devices with ARM64 architecture. Profiles that require ePKI authentication are also not supported.

Install and configure Pre-Login Connect

Location

Run all commands from the OpenVPN Connect installation directory:

C:\Program Files\OpenVPN Connect

Steps

  1. Open the Command Prompt as an administrator.

  2. Navigate to the OpenVPN Connect installation directory:

    cd "%ProgramFiles%\OpenVPN Connect"

  3. Install the PLC system service:

    ovpn_system_service.exe install

  4. Configure the directory containing system profiles:

    ovpn_system_service.exe set-config system-profiles <path-to-profiles>

  5. (Optional) Configure a custom log file location:

    ovpn_system_service.exe set-config log <path-to-log>

  6. Start the PLC service:

    ovpn_system_service.exe start

Important notes

  • OpenVPN Connect can't have an active VPN session in a signed-in Windows account when using PLC.

  • Settings configured in the OpenVPN Connect UI apply only to user profiles, not system profiles.

Connect before Windows sign-in

After the service is installed and running:

  1. Sign out of Windows or restart your device.

  2. On the Windows sign-in screen, click the Network Sign-in icon in the bottom-left corner.

  3. Select a VPN profile from the list.

  4. Authenticate as required.

    • Once connected, proceed with Windows sign-in.

Authentication methods

PLC supports the following authentication types:

  • User-locked and server-locked profiles

  • Auto-login profiles

  • Multi-factor authentication (MFA)

  • Web-based authentication and SAML

For web-based authentication and SAML, a QR code is displayed. Scan the code with a mobile device to open the sign-in page and complete authentication.

Usage details

Profiles configured via ovpn_system_service.exe are treated as system profiles and are available at the Windows sign-in screen. Profiles imported through the OpenVPN Connect UI are user profiles and aren't available at the sign-on screen.

When you start a VPN connection using a system profile:

  • The connection can persist after signing out of Windows.

  • The connection may remain active even when the OpenVPN Connect app isn't running.

To disconnect:

  • Use the Disconnect button on the Windows sign-in screen, or

  • Disconnect from within the OpenVPN Connect app after signing in to Windows.

Configuration options

Use the following command to configure additional settings:

ovpn_system_service.exe set-config <option> <value>

To reset an option to its default:

ovpn_system_service.exe unset-config <option>

Option

Values

Description

Default

system-profiles

<path-to-profiles>

Directory containing system profiles.

system_profiles

log

<path-to-log>

Log file location.

ovpnsystemservice.log

vpn-protocol

adaptive, tcp, udp

VPN protocol section.

adaptive

dco

true, false

Enable data channel offload

false

security-level

preferred, legacy, insecure

Set security level.

legacy

seamless-tunnel

true, false

Enable seamless tunnel

false

enforece-tls-1-3

true, false

Enforce TLS 1.3.

false

allow-local-dns

true, false

Allow local DNS resolvers.

false

google-dns-fallback

true, false

Enable Google DNS fallback

false

Example: Enable DCO

ovpn_system_service.exe set-config dco true

Logs and service management

Logs

  • Standard logs are written to the configured log file.

  • Critical logs are written to:

    Event Viewer → Windows Logs → Application

    Event source: OVPNSystemService

Service management

You can manage the PLC service using Windows services (services.msc) or the command line:

ovpn_system_service.exe start
ovpn_system_service.exe stop

Stop or remove the PLC service

Stop the service

ovpn_system_service.exe stop

  • Stops the service.

  • Terminates the active VPN connection.

  • The service will start again after a reboot.

Remove the service

ovpn_system_service.exe remove

  • Stops the service.

  • Terminates the active VPN connection.

  • Removes the service from the system.

In this section: