Create connection profiles and Connect Client installers

Connection Profile creation

We call the .ovpn file that contains the required configuration settings and certificates a connection profile, or sometimes simply a configuration file. It is a text file that contains all the directives and parameters, as well as the certificates, that a compatible OpenVPN client needs to establish a connection to the Access Server. Put simply, you can install any compatible OpenVPN client program and provide it with a connection profile, and the program should then be able to make a connection, assuming everything else is set up correctly. This differs from the older type of configuration originally used in the open source OpenVPN program, which consists of a separate client.conf file and a set of separate certificate files that are referenced from the client.conf. Access Server supports creating both types.

Via the CWS (Client Web Service) 'LOGIN' function it is possible to obtain a copy of a Connect Client as well as other files such as a connection profile. From the CLI it is also possible to create a connection profile for any valid user on the Access Server, even without knowing their password. You have to decide which type you want to generate. There are different types of connection profiles:

  1. Server-locked connection profile
  2. User-locked connection profile
  3. Auto-login connection profile
  4. Separate files version of user-locked profile
  5. Separate files version of auto-login profile

You'll note that there is no separate-files option for the server-locked profile. That is because the server-locked profile only works with the OpenVPN Connect Client for Windows and Macintosh, and not with open source based OpenVPN clients. For those client programs you will need one of the other four options. A server-locked profile is designed to work with Connect Client only and contains nothing more than the information needed to contact the web services of the Access Server. When a user starts a connection with a server-locked profile, the client talks to the XML-RPC web interface of the Access Server over a secure channel (SSL/TLS) to negotiate a user-locked profile with which it starts the OpenVPN connection, and deletes this user-locked profile from the client computer after disconnecting. A user-locked profile contains the settings and certificates required to make a connection to the Access Server's OpenVPN daemon, and requires that the user supplies credentials. An auto-login profile contains the same as a user-locked profile, except that it does not require the user to enter any credentials: the certificates embedded in the connection profile are sufficient proof of identity for the server to allow the connection to be established. The auto-login type connection profile is therefore best suited for unattended VPN connections, such as those from routers and servers.

Save a server-locked profile to client.ovpn:

./sacli GetGeneric >client.ovpn

Save a user-locked profile to client.ovpn:

./sacli --user <USER_NAME> GetUserlogin >client.ovpn

Save an auto-login type profile to client.ovpn:

./sacli --user <USER_NAME> GetAutologin >client.ovpn

Save a separate files version of a user-locked profile:

./sacli -o ./ --cn <USER_NAME> Get5

Save separate files version of an auto-login profile:

./sacli -o ./ --cn <USER_NAME>_AUTOLOGIN Get5

As you may notice, the Get5 function of sacli uses _AUTOLOGIN after the user name to specify that we want an auto-login type profile. This is a pseudo name indicating that for the specific user we want their auto-login connection profile. To clarify its use: if your user name is for example "johan" and you want the auto-login connection profile for this user as separate files, then as user name simply enter "johan_AUTOLOGIN" in the above command. Note that double quotes around user and group names and other parameters are generally recommended, especially if the given parameters contain spaces.

Using a sacli function that generates auto-login type connection profiles requires that the user does actually have the privilege to use an auto-login connection profile. This privilege must either be granted to the user directly, or inherited from the group this user belongs to (if any), or it has to be inherited from the __DEFAULT__ special keyword user account. The default for a standard Access Server is that this privilege is denied.

The Get5 function needs a folder to write the separate files to. With the parameter -o ./ we indicate that the output directory is the directory we're in now. You can also specify another directory, but it must be an existing directory. The function is called Get5 because it generates 5 separate files; if you disable TLS authentication, you will get only 4 files.

There is a more extensive guide available that explains how to get separate certificate files using the Get5 function from the Access Server and onto your computer.
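Before distributing a profile generated with the commands above, it is worth confirming which of the three types you actually produced, since an auto-login profile authenticates with its embedded certificate alone and must be handled as a secret. The following script is an added example and is not part of the Access Server documentation or tooling; it classifies a profile by its standard inline OpenVPN directives and assumes that a file with no embedded <key> block is server-locked (that type carries no client identity, only web service contact information). The sample profiles it writes are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the Access Server documentation: classify a generated
# .ovpn connection profile before distributing it, so that an auto-login profile
# (which authenticates with its embedded certificate alone) is not handed out
# where a user-locked profile was intended.
# Assumptions: profiles use standard inline OpenVPN directives; a file without
# an embedded <key> block is treated as server-locked, since that type carries
# no client identity and only tells Connect Client how to reach the web services.
set -eu

# Print the profile type: server-locked, user-locked or auto-login.
profile_type() {
    if ! grep -q '^<key>' "$1"; then
        echo server-locked
    elif grep -q '^auth-user-pass' "$1"; then
        echo user-locked          # credentials are prompted for on connect
    else
        echo auto-login           # certificate alone authenticates: treat as a secret
    fi
}

# Print 1 if the profile embeds a tls-auth or tls-crypt key (the fifth Get5 file), else 0.
profile_has_tls_key() {
    if grep -Eq '^<(tls-auth|tls-crypt)>' "$1"; then echo 1; else echo 0; fi
}

# One-line report per profile, e.g. "johan.ovpn: user-locked, tls-key=1".
profile_report() {
    printf '%s: %s, tls-key=%s\n' "$1" "$(profile_type "$1")" "$(profile_has_tls_key "$1")"
}

# Constructed sample profiles with placeholder key material (real files contain PEM blocks).
SAMPLES=$(mktemp -d)
printf 'client\nremote vpn.example.com 1194 udp\nauth-user-pass\n<key>\n(constructed)\n</key>\n<tls-auth>\n(constructed)\n</tls-auth>\n' >"$SAMPLES/johan.ovpn"
printf 'client\nremote vpn.example.com 1194 udp\n<key>\n(constructed)\n</key>\n' >"$SAMPLES/johan_AUTOLOGIN.ovpn"
printf 'client\n# server-locked: web service contact information only, no client key\n' >"$SAMPLES/generic.ovpn"

for f in "$SAMPLES"/*.ovpn; do profile_report "$f"; done
```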

OpenVPN Connect Client installer creation

It is possible to create OpenVPN Connect Client setup files for Macintosh and Windows from the command line of the Access Server that come preconfigured with one of the three types of connection profiles (server-locked, user-locked, or auto-login). These installers can then be distributed to the users directly, and the users then only need to install them. This is a suitable alternative if, for example, you decide not to use the CWS (Client Web Service) to let users download these files themselves. A downside is that you as administrator have to generate and distribute the files. Also, if the CWS is not reachable from a VPN client computer, server-locked profiles will not function, as they depend on the web services being reachable. Only user-locked profiles and auto-login profiles will work in that case.

Create a Windows MSI-based client setup file with server-locked profile:

./sacli --itype msi -o ./ GetGenericInstaller

Create a Macintosh DMG-based client setup file with server-locked profile:

./sacli --itype dmg -o ./ GetGenericInstaller

Create a Windows MSI-based client setup file with user-locked profile:

./sacli -o ./ --user <USER_NAME> --itype msi GetInstallerEx

Create a Macintosh DMG-based client setup file with user-locked profile:

./sacli -o ./ --user <USER_NAME> --itype dmg GetInstallerEx

Create a Windows MSI-based client setup file with auto-login profile:

./sacli -o ./ --user <USER_NAME> --itype msi --autologin GetInstallerEx

Create a Macintosh DMG-based client setup file with auto-login profile:

./sacli -o ./ --user <USER_NAME> --itype dmg --autologin GetInstallerEx

Using a sacli function that generates auto-login type connection profiles requires that the user does actually have the privilege to use an auto-login connection profile. This privilege must either be granted to the user directly, or inherited from the group this user belongs to (if any), or it has to be inherited from the __DEFAULT__ special keyword user account. The default for a standard Access Server is that this privilege is denied.

The GetGenericInstaller and GetInstallerEx functions need a folder to write the generated setup file to. With the parameter -o ./ we indicate that the output directory is the directory we're in now. You can also specify another directory, but it must be an existing directory.

Revoke a user's certificate / connection profile

When the security of a client device or connection profile is compromised, for example if a computer is stolen or the connection profile is accidentally lost or otherwise no longer secure, you can revoke this user's certificate on the Access Server. This makes the existing connection profile completely unusable. At that point the user must obtain a fresh copy of the connection profile from the Access Server. The Access Server will automatically generate a completely new and unique connection profile once this user logs in after you've revoked the user's certificate. In the Admin UI, revoking a user certificate can be done via "Revoke Certificates".

Revoke all of a user's certificates:

./sacli --user <USER_NAME> RevokeUser

Revoke only the user-locked certificate for a user:

./sacli --cn <USER_NAME> RevokeCert

Revoke only the auto-login certificate for a user:

./sacli --cn <USER_NAME>_AUTOLOGIN RevokeCert

The RevokeCert function of sacli uses _AUTOLOGIN after the user name to specify that we mean the auto-login type profile. This is a pseudo name indicating that for the specific user we want to revoke the auto-login certificate. To clarify its use: if your user name is for example "johan" and you want to revoke the auto-login certificate for this user, then as user name simply enter "johan_AUTOLOGIN" in the above command. Note that double quotes around user and group names and other parameters are generally recommended, especially if the given parameters contain spaces.

It is important to note here that revoking a certificate alone does not disconnect any currently active OpenVPN tunnels for that user. So if a user is connected to the OpenVPN Access Server with an active VPN tunnel and you revoke that user's certificates, the connection will remain up and functional. This is because the processes in memory are already handling the encryption/decryption of that session. There is a separate command to kick a user off the VPN server, with or without a message, and with or without an invitation to reconnect automatically. The function DisconnectUser can be used for that.

When the user next logs on to the web interface to obtain a new copy of the connection profile or an OpenVPN Connect Client installer, or when you use the CLI to do the same, the Access Server will automatically generate new and unique certificates for this user. If you don't want automatic (re)generation of certificates, you can disable the prop_autogenerate property.
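The three steps above (revoke, disconnect the still-active tunnel, then fetch the regenerated profile) are easy to get wrong in the heat of an incident, so here they are combined into one script. This is an added example and not part of the Access Server documentation or tooling; the SACLI variable is an assumption introduced here so the script can be pointed at another sacli path, and it defaults to ./sacli as in the commands on this page.

```sh
#!/bin/sh
# Added example, not from the Access Server documentation: rotate a user's
# connection profile after a compromise. Revocation alone leaves an active
# tunnel up, so the user is disconnected as well, and a fresh user-locked
# profile is then fetched (the server issues new certificates on that request).
# Assumption: SACLI is an override introduced here so the script can point at
# a different sacli path; it defaults to ./sacli as in the commands above.
set -eu
SACLI="${SACLI:-./sacli}"

# Revoke all of the user's certificates, then drop any live session.
# Each step is checked explicitly: set -e does not apply inside a function
# that is called as part of an && list.
revoke_and_disconnect() {
    "$SACLI" --user "$1" RevokeUser || return 1
    "$SACLI" --user "$1" DisconnectUser || return 1
}

# Request a regenerated user-locked profile into $2; fail if nothing came back.
reissue_profile() {
    "$SACLI" --user "$1" GetUserlogin >"$2" || return 1
    [ -s "$2" ]
}

# Full rotation: returns non-zero if any step failed, so the caller knows
# whether the old profile is now unusable and a new one is ready to hand out.
rotate_user_profile() {
    revoke_and_disconnect "$1" && reissue_profile "$1" "$2"
}

# Usage when run directly: ./rotate.sh johan ./johan.ovpn
if [ -n "${1:-}" ]; then
    rotate_user_profile "$1" "${2:-./$1.ovpn}" && echo "rotated profile for $1: ${2:-./$1.ovpn}"
fi
```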