Create connection profiles and Connect Client installers

Introduction

Connection profiles (.ovpn text files) contain the directives, parameters, and certificates required to establish the server-client connection. This commonly includes addresses and ports to contact the server, information verifying the server identity, securing the TLS control channel, and other settings. An OpenVPN client will need such information to establish a connection to an OpenVPN server.

With our OpenVPN Access Server product we prefer to use connection profiles that bundle all necessary information into one file. This works well with almost all OpenVPN clients and in particular with our OpenVPN Connect client software. For some open-source-based OpenVPN clients it may be necessary to split out the certificates and keys from the connection profile, and we provide the necessary tools and information to do that.

For detailed information about the different types of connection profiles, refer to Understanding Connection Profiles for OpenVPN Access Server.

This document describes how to create connection profiles as well as OpenVPN Connect app installers for Windows and macOS that come bundled with a connection profile right out-of-the-box after installation. These tasks can be done using the command-line interface and the OpenVPN Access Server's web interfaces.

Connection Profile creation

You can create connection profiles and the separated certificate and configuration files using the command-line interface. They can be generated as single files that contain all necessary information or as a set of separate files that must be used together.

Create connection profiles using the command-line interface

Use the following commands to create connection profiles. All commands require root access and must run from the /usr/local/openvpn_as/scripts/ directory.

Save a server-locked profile to client.ovpn:

./sacli --prefer-tls-crypt-v2 GetGeneric >client.ovpn

Save a user-locked profile to client.ovpn:

./sacli --prefer-tls-crypt-v2 --user <USER_NAME> GetUserlogin >client.ovpn

Save an auto-login type profile to client.ovpn:

./sacli --prefer-tls-crypt-v2 --user <USER_NAME> GetAutologin >client.ovpn

Save a separate files version of a user-locked profile:

./sacli --prefer-tls-crypt-v2 -o ./ --user <USER_NAME> GetUserlogin5

Save separate files version of an auto-login profile:

./sacli --prefer-tls-crypt-v2 -o ./ --user <USER_NAME> GetAutologin5

Notes regarding the use of these commands:

  • Access Server 2.9 or newer supports TLS Crypt v2. If you use an older Access Server or do not wish to use TLS Crypt v2, please omit the --prefer-tls-crypt-v2 flag.
  • Autologin profiles require that the user has the autologin permission, whether granted directly or inherited. By default autologin permission is denied.
  • It is recommended to enclose usernames in double quotes ("), particularly when they contain spaces.
  • For GetUserLogin5 and GetAutologin5 the output directory can be specified with the -o parameter (./ is current directory).

More information on separate files

The commands GetGeneric, GetUserlogin, and GetAutologin, generate a single client.ovpn file that contains all necessary connection information, certificates, and keys. For certain applications it may be necessary to generate separate files. The GetUserlogin5 and GetAutlogin5 functions output a number of separate files. Depending on your TLS control channel configuration the last 2 files in the overview below may not be needed or even present.

  • client.ovpn - OpenVPN connection profile
  • ca.crt - Server CA certificate
  • client.crt - Client certificate
  • client.key - Client private key
  • ta.key - TLS control channel key (tls-auth or tls-crypt-v1)
  • tls_crypt_v2.key - TLS control channel key (tls-crypt-v2)

OpenVPN Connect Client installer creation

It is possible to create OpenVPN Connect v2 or v3 setup files for macOS and Windows from the command line of the Access Server that come preconfigured with a connection profile. You can deploy such an installer on a computer and after installation completes it will have the necessary connection profile already loaded. OpenVPN Access Server already creates such preconfigured installers of OpenVPN Connect for your users. These are available for users to download from the Client Web UI.

You can also create OpenVPN Connect v2 or v3 setup files for macOS and Windows from the command line of your Access Server. Access Server creates these preconfigured with connection profiles — server-locked, user-locked, or auto-login. If you don’t use the Client Web UI to allow users to download and install OpenVPN Connect on their own, you can create these setup files and distribute them to your users.

Create Windows OpenVPN Connect v3 .msi setup file with server-locked profile:

./sacli --itype win_v3 -o ./ GetGenericInstaller

Create macOS OpenVPN Connect v3 .dmg setup file with server-locked profile:

./sacli --itype mac_v3 -o ./ GetGenericInstaller

Create Windows OpenVPN Connect v3 .msi setup file with user-locked profile:

./sacli -o ./ --user <USER_NAME> --itype win_v3 GetInstallerEx

Create macOS OpenVPN Connect v3 .dmg setup file with user-locked profile:

./sacli -o ./ --user <USER_NAME> --itype mac_v3 GetInstallerEx

Create Windows OpenVPN Connect v3 .msi setup file with auto-login profile:

./sacli -o ./ --user <USER_NAME> --itype win_v3 --autologin GetInstallerEx

Create macOS OpenVPN Connect v3 .dmg setup file with auto-login profile:

./sacli -o ./ --user <USER_NAME> --itype mac_v3 --autologin GetInstallerEx

Notes regarding the use of these commands:

  • mac_v3 or dmg_v3 — generates an OpenVPN Connect v3 client .dmg setup file.
  • win_v3 or msi_v3 — generates an OpenVPN Connect v3 client .msi setup file.
  • mac or dmg — generates an OpenVPN Connect v2 client .dmg setup file.
  • win or msi — generates an OpenVPN Connect v2 client .msi setup file.
  • Autologin profiles require that the user has the autologin permission, whether granted directly or inherited. By default autologin permission is denied.
  • It is recommended to enclose usernames in double quotes ("), particularly when they contain spaces.
  • For GetGenericInstaller and GetInstallerEx the output directory can be specified with the -o parameter (./ is current directory).

Manage the Client Web UI with the Admin Web UI

OpenVPN Access Server hosts web services to provide you with graphical interfaces for management as well as end user needs: the Admin Web UI and the client web UI. Refer to the user manual for more information about the Admin Web UI. The client web UI provides your users an easy place to sign in through a web browser and download OpenVPN Connect and connection profiles.

You can configure which options your users see when they sign in to the client web UI:

  1. Sign in to the Admin Web UI.
  2. Click Configuration > CWS Settings.
  3. Under Customize Client Web Server UI, select which options display for your users: desktop clients, mobile clients, and connection profiles.

Download OpenVPN Connect and Connection Profiles from the Client Web UI

You can download connection profiles and OpenVPN Connect apps from the client web UI of your Access Server.

Download OpenVPN Connect installer apps

Your users can sign in to the client web UI for your Access Server to download pre-configured OpenVPN Connect apps. They include the connection profile for the user to connect to the server when they install and launch the app.

  1. Sign in to the client web UI (the IP address or hostname for your server) with valid user credentials.
  2. Choose the OpenVPN Connect installer from the available OS installations on the download page.
  3. Install the software, open it, and connect with valid user credentials.

Download Connection Profiles from Client Web UI

Your users can sign in to the client web UI for your Access Server to download connection profiles. You can use these profiles to connect with other VPN clients or an already installed OpenVPN Connect app:

  1. Sign in to the client web UI (the IP address or hostname for your server) with valid user credentials.
  2. Connection profile downloads display under Available Connection Profiles.

To allow server-locked profiles:

  1. Sign in to the Admin Web UI.
  2. Click Configuration > CWS Settings.
  3. Click Show for server-locked profile.
  4. Click Save Settings and Update Running Server.

To allow auto login for a user:

  1. Sign in to the Admin Web UI.
  2. Click User Management > User Permissions.
  3. Check Allow Auto-login for the user you want to grant permission to auto login.
  4. Click Save Settings and Update Running Server.

To allow auto login for a group:

  1. Sign in to the Admin Web UI.
  2. Click User Management > Group Permissions.
  3. Check Allow Auto-login for the group you want to grant permission to auto login.
  4. Click Save Settings and Update Running Server.

Revoke a user's certificate / connection profile

Refer to Revoking or deleting a user certificate or profile for instructions.

We recommend revoking a user’s certificate if the security of a client device or connection profile is compromised. The user must obtain a new connection profile from Access Server to successfully make a new connection.