Skip to main content

Tutorial: Create Connection Profiles

Abstract

How to create connection profiles, .ovpn files, for a VPN client to connect with Access Server.

Overview

Connection profiles (.ovpn text files) contain the directives, parameters, and certificates required to establish the client-server VPN connection. These commonly include addresses and ports to contact the server, information for verifying peer identity, securing the TLS control channel, and other settings.

With our Access Server product, we prefer to use connection profiles that bundle all necessary information into one file. This works well with almost all OpenVPN clients, particularly our client software, OpenVPN Connect. For some open-source-based OpenVPN clients, splitting out the certificates and keys from the connection profile may be necessary, and we provide the necessary tools and information to do that.

Refer to our Connection Profiles topic for detailed information about connection profile types.

This tutorial describes creating connection profiles using the command-line interface (CLI) or from the Admin Web UI.

Refer to Tutorial: Create OpenVPN Connect Bundled Installers to create OpenVPN Connect installers for Windows and macOS that come bundled with a connection profile right out of the box after installation.

Users can download connection profiles, and OpenVPN Connect bundled installers themselves. Refer to Tutorial: Download OpenVPN Connect and Connection Profiles from the Client Web UI.

  • An installed Access Server.

  • Admin Web UI access or console access with root privileges.

  • Configured users.

You can create connection profiles and the separated certificate and configuration files via the CLI. These files can be generated as single files containing all necessary information or as a set of separate files that must be used together.

  1. Connect to the console and get root privileges.

  2. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/
  3. Use these commands to create connection profiles:

    • Save a server-locked profile to client.ovpn:

      ./sacli --prefer-tls-crypt-v2 GetGeneric >client.ovpn
    • Save a user-locked profile to client.ovpn:

      ./sacli --prefer-tls-crypt-v2 --user <USER_NAME> GetUserlogin >client.ovpn
    • Save an auto-login type profile to client.ovpn:

      ./sacli --prefer-tls-crypt-v2 --user <USER_NAME> GetAutologin >client.ovpn
    • Save a separate file versions of a user-locked profile:

      ./sacli --prefer-tls-crypt-v2 -o ./ --user <USER_NAME> GetUserlogin5
    • Save separate file versions of an auto-login profile:

      ./sacli --prefer-tls-crypt-v2 -o ./ --user <USER_NAME> GetAutologin5

    Note

    • Access Server 2.9 or newer supports TLS Crypt v2. If you use an older Access Server or do not wish to use TLS Crypt v2, please omit the --prefer-tls-crypt-v2 flag.

    • Autologin profiles require that the user has autologin permission, whether granted directly or inherited. By default, autologin permission is denied.

    • Enclosing usernames in double quotes (") is recommended, particularly when they contain spaces.

    • For GetUserLogin5 and GetAutologin5 the output directory can be specified with the -o parameter (./ is current directory).

More information on separate files

The commands GetGenericGetUserlogin, and GetAutologingenerate a single client.ovpn file that contains all necessary connection information, certificates, and keys. For certain applications, separate files may be necessary. The GetUserlogin5 and GetAutlogin5 functions output several separate files. Depending on your TLS control channel configuration, the last two files in the overview below may not be needed or even present.

  • client.ovpn — OpenVPN connection profile

  • ca.crt — server CA certificate

  • client .crt — client certificate

  • client.key — client private key

  • ta.key — TLS control channel key (tls-auth or tls-crypt-v1)

  • tls_crypt_v2.key — TLS control channel key (tls-crypt-v2)

  1. Sign in to the Admin Web UI.

  2. Click User Management > User Profiles.

  3. Click New Profile for the specific user.

  4. Select User-Locked or Autologin (if available).

    Tip

    To create an auto-login connection profile, you must enable Allow Auto-login for the user in User Permissions.

  5. Add an optional comment and click Create Profile.

    • The file downloads to your machine.