Overview
A connection profile (.ovpn file) can be downloaded using any of the following methods:
- From the Admin Web UI (administrators only).
- From the Client Web UI.
- By using the Import URL feature in OpenVPN Connect.
In enterprise environments, this process can be time-consuming when provisioning many users. This script automates downloading and importing connection profiles, making it suitable for MDM deployments.
Prerequisites
- An Access Server installation.
- A Windows machine with PowerShell.
- OpenVPN Connect installed.
- MDM solution (optional).
Step 1: Save and personalize the script
- Copy the script below.
- Save it as install_vpn_windows_v1.ps1.
- Update the $Server variable in the script with your Access Server IP.
Script
# Usage: .\install_vpn_windows_v1.ps1 -Username user -Password password [-SkipSSLVerification] [-Autologin]
param([string]$Username="",[string]$Password="",[switch]$SkipSSLVerification,[switch]$Autologin)
if (-not $Username -or -not $Password) { Write-Error "Usage: .\install_vpn_windows_v1.ps1 -Username <user> -Password <password> [-SkipSSLVerification] [-Autologin]"; exit 1 }
$Server = "203.0.113.26:943"
$ConnectExe = @("$env:ProgramFiles\OpenVPN Connect\OpenVPNConnect.exe","${env:ProgramFiles(x86)}\OpenVPN Connect\OpenVPNConnect.exe") | ?{Test-Path $_} | Select -First 1
if (-not $ConnectExe) { Write-Error "OpenVPN Connect is not installed. Download it from https://openvpn.net/client/"; exit 1 }
$TempFile = "$env:TEMP\$Username.ovpn"
$Base64 = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${Username}:${Password}"))
$Endpoint = if ($Autologin) { "GetAutologin" } else { "GetUserlogin" }
$WRArgs = @{ Uri="https://$Server/rest/$Endpoint"; Headers=@{Authorization="Basic $Base64"}; OutFile=$TempFile; ErrorAction='Stop' }
if ($SkipSSLVerification) {
    Write-Host "SSL verification disabled." -ForegroundColor Yellow
    if ($PSVersionTable.PSVersion.Major -ge 6) { $WRArgs.SkipCertificateCheck = $true }
    else {
        Add-Type @"
using System.Net; using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy { public bool CheckValidationResult(ServicePoint s, X509Certificate c, WebRequest r, int e) { return true; } }
"@
        [Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
    }
} else { [Net.ServicePointManager]::CertificatePolicy = $null }
Write-Host "Downloading VPN profile for '$Username'..."
try { Invoke-WebRequest @WRArgs } catch {
    Write-Error "Failed to download profile: $_"
    if (-not $SkipSSLVerification) { Write-Host "If your server uses a self-signed certificate, try -SkipSSLVerification." -ForegroundColor Yellow }
    Remove-Item $TempFile -ErrorAction SilentlyContinue
    exit 1
}
Write-Host "Importing profile into OpenVPN Connect..."
if (-not (Get-Process -Name "OpenVPNConnect" -ErrorAction SilentlyContinue)) {
    Start-Process -FilePath $ConnectExe -ArgumentList @("--minimize","--accept-gdpr","--skip-startup-dialogs") | Out-Null
    Start-Sleep -Seconds 3
}
$Process = Start-Process -FilePath $ConnectExe -ArgumentList @("--import-profile=`"$TempFile`"","--username=`"$Username`"") -PassThru
$Process.WaitForExit(5000) | Out-Null
Remove-Item $TempFile -ErrorAction SilentlyContinue
if ($Process.HasExited -and $Process.ExitCode -ne 0) { Write-Error "OpenVPN Connect returned an error (code $($Process.ExitCode))."; exit 1 }
Write-Host "Done. The VPN profile for '$Username' was successfully installed in OpenVPN Connect."
Step 2: Run the script to download and import a connection profile
- Open PowerShell.
- Navigate to the directory where the script is saved.
- Run one of the following commands to download a profile:
User-locked profile:
.\install_vpn_windows_v1.ps1 -Username <username> -Password <password>
Auto-login profile (optional):
.\install_vpn_windows_v1.ps1 -Username <username> -Password <password> -Autologin
Skip SSL verification (optional):
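.\install_vpn_windows_v1.ps1 -Username user -Password password -SkipSSLVerification
Tip: Use this option when you don't have a valid web SSL certificate for your Access Server. It turns off certificate validation for the download, so the script does not verify the server's identity before it sends the username and password.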
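The script imports whatever the download wrote to the temporary file, and with -SkipSSLVerification that response comes from a server whose identity was not checked. The following added example (not part of the original script) checks the downloaded text before import; Test-OvpnProfile, its parameters, the sample profile and the address 198.51.100.7 are constructed for illustration, and it assumes the profile's remote entry is the same address as $Server.

```powershell
# Added example, not part of the original script. Test-OvpnProfile and its
# parameters are hypothetical names; all profile text below is constructed.
function Test-OvpnProfile {
    param(
        [string]$Text,                                   # contents of the downloaded file
        [Parameter(Mandatory)][string[]]$AllowedRemotes, # hosts the profile may point at
        [string]$ExpectedCaSha256                        # optional hex pin, first <ca> certificate
    )
    $problems = New-Object System.Collections.Generic.List[string]
    # Every "remote <host> ..." line must name a server you expect.
    $remotes = @([regex]::Matches($Text, '(?m)^[ \t]*remote[ \t]+(\S+)') |
                 ForEach-Object { $_.Groups[1].Value })
    if ($remotes.Count -eq 0) { $problems.Add('no remote directive: not a connection profile') }
    foreach ($r in $remotes) {
        if ($AllowedRemotes -notcontains $r) { $problems.Add("unexpected remote '$r'") }
    }
    # The embedded CA decides which VPN server certificate the client accepts.
    $ca = [regex]::Match($Text, '(?s)<ca>.*?-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----')
    if (-not $ca.Success) {
        $problems.Add('no <ca> certificate block')
    } elseif ($ExpectedCaSha256) {
        try {
            $der  = [Convert]::FromBase64String(($ca.Groups[1].Value -replace '\s', ''))
            $hash = [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($der)) -replace '-', ''
        } catch { $hash = '' }
        if ($hash -ne $ExpectedCaSha256) { $problems.Add('CA fingerprint does not match the pin') }
    }
    return $problems.ToArray()
}

$good = @'
client
remote 203.0.113.26 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
</ca>
'@
$cases = [ordered]@{
    good       = $good
    redirected = $good -replace '203\.0\.113\.26', '198.51.100.7'
    errorPage  = '<html><body>401 Unauthorized</body></html>'
}
foreach ($c in $cases.GetEnumerator()) {
    $found = @(Test-OvpnProfile -Text $c.Value -AllowedRemotes '203.0.113.26')
    '{0}: {1}' -f $c.Key, $(if ($found.Count) { $found -join '; ' } else { 'ok' })
}
@(Test-OvpnProfile -Text $good -AllowedRemotes '203.0.113.26' -ExpectedCaSha256 ('0' * 64))  # deliberately wrong pin
```

In the script, the check would run on `Get-Content -LiteralPath $TempFile -Raw` after the download and before the import, deleting the file and exiting if anything is returned. It validates only the file; it does not protect the credentials already sent in the request.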
Step 3: (Optional) Use with MDM
When used with an MDM solution (such as Microsoft Intune), the script supports silent execution when -Username and -Password parameters are provided.
- Administrators supply credentials through the MDM platform.
- The script executes on the device without user interaction.
Note: This script isn't compatible with SAML authentication.
Troubleshooting
PowerShell execution policy error
If you see this error:
install_vpn_windows_v1.ps1 cannot be loaded because running scripts is disabled on this system
This means that running scripts via PowerShell is disabled by default. To allow scripts for the current PowerShell session only, so you can test or run the script, run this command:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Then run the script again.