Create connection profiles and Connect Client installers

Introduction

Connection profiles (.ovpn text files) contain the directives, parameters, and certificates required to establish the server-client connection. This commonly includes addresses and ports to contact the server, information verifying the server identity and securing the TLS control channel, and other settings.

For detailed information about the different types of connection profiles, refer to Understanding Connection Profiles for OpenVPN Access Server.

This document describes how to create profiles as well as OpenVPN Connect app installers using the command-line interface and the client web UI for OpenVPN Access Server.

Connection Profile creation

OpenVPN Access Server combines the certificates and instructions for the VPN client into the connection profile. For some situations, you may need separate certificate files and a separate config file to connect.

You can create connection profiles and the separated certificate and configuration files using the command-line interface.

Create connection profiles using the command-line interface

Use the following commands to create connection profiles. All commands require root access and must run from the /usr/local/openvpn_as/scripts/ directory.

Save a server-locked profile to client.ovpn:

./sacli GetGeneric >client.ovpn

Save a user-locked profile to client.ovpn:

./sacli --user <USER_NAME> AutoGenerateOnBehalfOf
./sacli --user <USER_NAME> GetUserlogin >client.ovpn

Save an auto-login type profile to client.ovpn:

./sacli --user <USER_NAME> AutoGenerateOnBehalfOf
./sacli --user <USER_NAME> GetAutologin >client.ovpn

Save a separate files version of a user-locked profile:

./sacli --user <USER_NAME> AutoGenerateOnBehalfOf
./sacli -o ./ --cn <USER_NAME> Get5

Save separate files version of an auto-login profile:

./sacli --user <USER_NAME> AutoGenerateOnBehalfOf
./sacli -o ./ --cn <USER_NAME>_AUTOLOGIN Get5

Using the Get5 function of sacli

The Get5 function used above outputs five separate files in most cases: CA, CERT, KEY, TA, and a config file. If you disable TLS authentication, it outputs only four. A few helpful notes for using it correctly:

  • <USER_NAME>_AUTOLOGIN specifies that you want an auto-login connection profile for that username. For example, “johan_AUTOLOGIN” gets separate files for the auto-login connection profile for the username johan. Note: We recommend using double quotes around user and group names (and other parameters), especially if they contain spaces.
  • The user must have the privilege to use an auto-login connection profile, whether granted directly to the user or inherited from the user’s group.
  • You need a folder to output the separate files. With the parameter -o ./, you indicate that the output directory is the directory you’re currently in. You can specify another directory, but it must already exist.
  • Refer to Extracting separate certificate files for a user for a more extensive guide.

Note: The Access Server default for groups and users is to deny the auto-login privilege.

OpenVPN Connect Client installer creation

OpenVPN Access Server creates installers for OpenVPN Connect, preconfigured with connection profiles. These are available for users to download from the client UI.

You can also create OpenVPN Connect v2 or v3 setup files for macOS and Windows from the command line of your Access Server. Access Server creates these preconfigured with connection profiles — server-locked, user-locked, or auto-login. If you don’t use the client UI to allow users to download and install OpenVPN Connect on their own, you can create these setup files and distribute them to your users.

Create Windows OpenVPN Connect v3 .msi setup file with server-locked profile:

./sacli --itype win_v3 -o ./ GetGenericInstaller

Create macOS OpenVPN Connect v3 .dmg setup file with server-locked profile:

./sacli --itype mac_v3 -o ./ GetGenericInstaller

Create Windows OpenVPN Connect v3 .msi setup file with user-locked profile:

./sacli -o ./ --user <USER_NAME> --itype win_v3 GetInstallerEx

Create macOS OpenVPN Connect v3 .dmg setup file with user-locked profile:

./sacli -o ./ --user <USER_NAME> --itype mac_v3 GetInstallerEx

Create Windows OpenVPN Connect v3 .msi setup file with auto-login profile:

./sacli -o ./ --user <USER_NAME> --itype win_v3 --autologin GetInstallerEx

Create macOS OpenVPN Connect v3 .dmg setup file with auto-login profile:

./sacli -o ./ --user <USER_NAME> --itype mac_v3 --autologin GetInstallerEx

The following values are valid for the --itype flag:

  • mac_v3 or dmg_v3 — generates an OpenVPN Connect v3 client .dmg setup file.
  • win_v3 or msi_v3 — generates an OpenVPN Connect v3 client .msi setup file.
  • mac or dmg — generates an OpenVPN Connect v2 client .dmg setup file.
  • win or msi — generates an OpenVPN Connect v2 client .msi setup file.

Note: The user must have the privilege to use an auto-login connection profile, whether granted directly to the user or inherited from the user’s group.

Both GetGenericInstaller and GetInstallerEx need an output folder for the generated files. With the parameter -o ./, you indicate that the output directory is the directory you’re currently in. You can specify another directory, but it must already exist.

Note: If users can’t access the client web services, they can’t use server-locked profiles, which require access to these services.
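The sacli commands from the profile-creation and installer-creation sections above, wrapped in a small POSIX shell script for scripting profile and installer generation across many users. This is an added example, not part of the Access Server documentation or of the sacli tool itself. It adds the checks a practitioner wants when automating this: the output directory must already exist (sacli -o does not create it), generated .ovpn files are written with mode 0600 because user-locked and auto-login profiles embed a private key and an auto-login profile connects without a password, and the Get5 output is counted to distinguish the five-file case from the four-file case with TLS authentication disabled. Assumptions: the SACLI variable (defaulting to ./sacli, so the script is run from /usr/local/openvpn_as/scripts/) is this script's own convention, the .ovpn output file names are this script's choice, and Get5 output files are counted rather than named because the page does not list their names.

```shell
#!/bin/sh
# Added example wrapping Access Server's sacli (not part of Access Server).
# SACLI overrides the sacli path, e.g. to point at a stub for a dry run.
run_sacli() {
    "${SACLI:-./sacli}" "$@"
}

# sacli -o does not create directories, so fail early with a clear message.
require_dir() {
    [ -d "$1" ] || { echo "output directory does not exist: $1" >&2; return 1; }
}

# make_profile TYPE USER OUTDIR
#   TYPE is server, user or autologin. Writes the profile to OUTDIR with
#   mode 0600 (umask is set before the redirect so the file is never
#   world-readable, even briefly) and prints its path.
make_profile() {
    type="$1"; user="$2"; outdir="$3"
    require_dir "$outdir" || return 1
    case "$type" in
        server)
            out="$outdir/server-locked.ovpn"
            (umask 077; run_sacli GetGeneric > "$out") || return 1 ;;
        user)
            out="$outdir/$user.ovpn"
            run_sacli --user "$user" AutoGenerateOnBehalfOf >/dev/null || return 1
            (umask 077; run_sacli --user "$user" GetUserlogin > "$out") || return 1 ;;
        autologin)
            out="$outdir/${user}_AUTOLOGIN.ovpn"
            run_sacli --user "$user" AutoGenerateOnBehalfOf >/dev/null || return 1
            (umask 077; run_sacli --user "$user" GetAutologin > "$out") || return 1 ;;
        *)
            echo "unknown profile type: $type (expected server|user|autologin)" >&2
            return 1 ;;
    esac
    chmod 600 "$out"
    echo "$out"
}

# make_separate_files USER OUTDIR [autologin]
#   Runs Get5 for USER (or USER_AUTOLOGIN) and checks how many files appeared:
#   five (CA, CERT, KEY, TA, config) normally, four when TLS authentication
#   is disabled on the server. umask 077 is inherited by sacli, so the files
#   it creates are private unless sacli sets permissions itself.
make_separate_files() {
    user="$1"; outdir="$2"; cn="$user"
    if [ "$3" = "autologin" ]; then cn="${user}_AUTOLOGIN"; fi
    require_dir "$outdir" || return 1
    before=$(ls -A "$outdir" | wc -l)
    run_sacli --user "$user" AutoGenerateOnBehalfOf >/dev/null || return 1
    (umask 077; run_sacli -o "$outdir" --cn "$cn" Get5) || return 1
    after=$(ls -A "$outdir" | wc -l)
    n=$((after - before))
    case "$n" in
        5) echo "Get5 wrote 5 files (CA, CERT, KEY, TA, config) for $cn" ;;
        4) echo "Get5 wrote 4 files for $cn: TLS authentication appears to be disabled" ;;
        *) echo "unexpected number of new files from Get5 for $cn: $n" >&2; return 1 ;;
    esac
}

# make_installer ITYPE USER OUTDIR [autologin]
#   ITYPE is one of the --itype values listed above. An empty USER produces a
#   server-locked installer (GetGenericInstaller); otherwise GetInstallerEx is
#   used, with --autologin when the fourth argument is "autologin".
make_installer() {
    itype="$1"; user="$2"; outdir="$3"; mode="$4"
    case "$itype" in
        mac_v3|dmg_v3|win_v3|msi_v3|mac|dmg|win|msi) ;;
        *) echo "unknown itype: $itype" >&2; return 1 ;;
    esac
    require_dir "$outdir" || return 1
    if [ -z "$user" ]; then
        run_sacli --itype "$itype" -o "$outdir" GetGenericInstaller
    elif [ "$mode" = "autologin" ]; then
        run_sacli -o "$outdir" --user "$user" --itype "$itype" --autologin GetInstallerEx
    else
        run_sacli -o "$outdir" --user "$user" --itype "$itype" GetInstallerEx
    fi
}

# Usage (run as root from /usr/local/openvpn_as/scripts/, output dir must exist):
#   make_profile user johan /root/profiles
#   make_separate_files johan /root/profiles autologin
#   make_installer win_v3 johan /root/installers
```

Because every function fails on a missing output directory or an unknown type instead of letting sacli report a less specific error, the script is safe to drive from a loop over a user list; the 0600 mode on the .ovpn files matters most for auto-login profiles, which carry enough material to connect without a password and should be treated like credentials in transit to the user.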

Manage the Client Web UI with the Admin Web UI

OpenVPN Access Server hosts web services to provide you with graphical interfaces for management as well as end user needs: the Admin Web UI and the client web UI. Refer to the user manual for more information about the Admin Web UI. The client web UI provides your users an easy place to sign in through a web browser and download OpenVPN Connect and connection profiles.

You can configure which options your users see when they sign in to the client web UI:

  1. Sign in to the Admin Web UI.
  2. Click Configuration > CWS Settings.
  3. Under Customize Client Web Server UI, select which options display for your users: desktop clients, mobile clients, and connection profiles.

Download OpenVPN Connect and Connection Profiles from the Client Web UI

You can download connection profiles and OpenVPN Connect apps from the client web UI of your Access Server.

Download OpenVPN Connect installer apps

Your users can sign in to the client web UI for your Access Server to download pre-configured OpenVPN Connect apps. They include the connection profile for the user to connect to the server when they install and launch the app.

  1. Sign in to the client web UI (the IP address or hostname for your server) with valid user credentials.
  2. Choose the OpenVPN Connect installer from the available OS installations on the download page.
  3. Install the software, open it, and connect with valid user credentials.

Download Connection Profiles from Client Web UI

Your users can sign in to the client web UI for your Access Server to download connection profiles. They can use these profiles to connect with other VPN clients or with an already installed OpenVPN Connect app:

  1. Sign in to the client web UI (the IP address or hostname for your server) with valid user credentials.
  2. Connection profile downloads display under Available Connection Profiles.

To allow server-locked profiles:

  1. Sign in to the Admin Web UI.
  2. Click Configuration > CWS Settings.
  3. Click Show for server-locked profile.
  4. Click Save Settings and Update Running Server.

To allow auto login for a user:

  1. Sign in to the Admin Web UI.
  2. Click User Management > User Permissions.
  3. Check Allow Auto-login for the user you want to grant permission to auto login.
  4. Click Save Settings and Update Running Server.

To allow auto login for a group:

  1. Sign in to the Admin Web UI.
  2. Click User Management > Group Permissions.
  3. Check Allow Auto-login for the group you want to grant permission to auto login.
  4. Click Save Settings and Update Running Server.

Revoke a user's certificate / connection profile

Refer to Revoking or deleting a user certificate or profile for instructions.

We recommend revoking a user’s certificate if the security of a client device or connection profile is compromised. The user must obtain a new connection profile from Access Server to successfully make a new connection.