Understanding Connection Profiles on OpenVPN Access Server
Connection profiles (.ovpn text files) contain the directives, parameters, and certificates required to establish the client-server VPN connection. These commonly include addresses and ports to contact the server, information for verifying peer identity, securing the TLS control channel, and other settings.
There are different types of connection profiles for different use-cases. Understanding your choices in connection profiles should help you select the best connection profile for your clients and users.
Connection profile types
OpenVPN Access Server uses the following connection types:
- User-locked: can only be used with credentials for that specific user.
- Auto-login: does not require credentials to establish the VPN tunnel.
- Server-locked: requires credentials for any valid user on the server.
We recommend user-locked profiles for most use-cases, especially mobile and desktop devices that one particular user exclusively uses.
These connection profiles contain a unique client private key and unique client certificate, with all the necessary certificates, keys, and instructions for the VPN connection. The authentication process requires the private key, client certificate, and the correct user credentials to successfully establish a VPN tunnel. You can enable multi-factor authentication (MFA) as well. This connection profile type is locked to the specific user account. If you use credentials for another account with this type of profile, you won’t pass the authentication phase.
We recommend auto-login profiles in situations where you don’t enter user credentials manually, such as headless servers or unattended systems.
These connection profiles contain a unique client private key, unique client certificate, and all the necessary certificates, keys, and instructions to successfully establish the VPN tunnel. The authentication process requires the private key and client certificate—no additional credentials are needed. If you enable MFA, it may be required.
We recommend server-locked profiles for shared devices such as computers in a university or library, where you establish an OpenVPN connection with your credentials, and you don’t wish to import a connection profile specific for your user account.
Server-locked profiles have different compatibility with OpenVPN Connect, depending on which version of OpenVPN Access Server generates them.
Server-locked profiles 2.9 (and newer)
- Profiles can be used with any VPN client that supports the OpenVPN protocol.
- Not locked to a specific user - no specific client certificate is included.
- Authentication is with username and password, and MFA if configured.
- This behavior is compatible with almost all OpenVPN clients.
Server-locked profiles 2.8 (and older)
- Profiles can only be used with OpenVPN Connect.
- Require access to Access Server web interface API for authentication.
- When you start a VPN connection with the profile, you must enter credentials in OpenVPN Connect. OpenVPN Connect then sends these credentials to the API for validation; if successful, the app obtains a user-locked profile and a VPN session token for the session and establishes the VPN connection.
- After disconnecting, the user-locked profile is removed from OpenVPN Connect, and the server-locked connection profile is ready for the next session.
Multiple connection profiles per user
Connection profiles contain unique private keys and client certificates. OpenVPN Access Server 2.9 and newer supports multiple connection profiles for your users, managed from the User Profiles page in the Admin Web UI.
On OpenVPN Access Server, your users can obtain three different types of connection profiles: server-locked, user-locked, or auto-login. They may or may not see these options depending on how you configure OpenVPN Access Server.
A standard user can get a server-locked connection profile, which is the same for all users on the server. A user may also get a user-locked connection profile, which contains certificates valid for that particular user. Or, a user may obtain an auto-login connection profile that contains separate certificates for that specific user.
Users can have multiple connection profiles. For example, a user can have three different user-locked profiles downloaded to three different devices. Each of these profiles contains unique certificates. That means that each device has its own set of certificates instead of sharing one set of certificates for that user across all devices. This provides you with more fine-grained control over revoking certificates if a particular device is lost or compromised.
The behavior change of certificates based on the OpenVPN Access Server version
In Access Server 2.8 and older, each user had just two possible pairs of private keys and client certificates: one pair for a user-locked connection profile and another pair for an optional auto-login connection profile. The server-locked profile was a type of pseudo-profile that would work only in OpenVPN Connect and used the Access Server’s web API to temporarily obtain and use a particular user’s user-locked connection profile and establish the VPN tunnel.
In Access Server 2.9 and newer each user can have multiple connection profiles, and each of those will have a unique private key and client certificate pair. The server-locked profile has been updated to work directly with any OpenVPN client and doesn’t require the Access Server API and OpenVPN Connect client specifically to work.
New functionality for OpenVPN connection profiles: device ID and compat certificates
OpenVPN Connect 3.3 and newer sends a device ID to Access Server. This allows Access Server to identify this device uniquely in the overview of connection profiles, if the client app provided the device ID during the import process.
Device ID for latest OpenVPN Connect and older server-locked profiles
OpenVPN Connect 3.3 and newer sends a device ID to Access Server. The device ID that OpenVPN Connect sends is the same for every VPN session it starts. If you’re using a server-locked profile generated by Access Server 2.8 and older, we use the device ID to ensure the same connection profile is used for this device on every connection. This avoids the problem of generating excessive amounts of connection profiles on the server and allows each unique device to have its own key and certificate pair.
Compat as device ID for older OpenVPN Connect and older server-locked profiles
We use the compat connection profile if you’re using a server-locked profile generated by Access Server 2.8 and older on OpenVPN Connect 3.2 and older, where no device ID is provided. This ensures the same behavior as before, using only one pair of private key and client certificate for this type of connection. This avoids the problem of generating excessive amounts of connection profiles on the server.
Upgrading Access Server and its impact on server-locked profiles
Whenever a connection profile is needed, Access Server generates an entirely new profile with the current settings. When you upgrade an older version of Access Server to version 2.9 and newer, older server-locked connection profiles remain in the database temporarily until a new profile is needed. An example of needing a new profile would be when you change the TLS control channel security setting or the TLS minimum version setting—the next time you download a connection profile, it’s updated with the new settings. All connection profiles contain unique certificates, whether generated by the command line interface or the Admin Web UI.
No compat or device ID necessary for new server-locked profiles
The compat and device ID certificates are used when the old server-locked connection profiles are in use. The new server-locked connection profile type doesn’t use client certificates.