Posted  by  admin

Openvpn Profile File Download

Your users can make an SSL VPN connection to the Firebox with an OpenVPN client. For example, users can install OpenVPN Connect for Android or iOS, which is available from, the Google Play app store, or the Apple app store.

To configure the OpenVPN app, users can download a Mobile VPN with SSL client profile from the Firebox. Users can then import the profile into the OpenVPN app.

How to find various configuration files. Share this answer. To set up OpenVPN manually, you will need certain configuration files, which you can find and download here. If you have any questions, feel free to contact our customer support team via chat or email. Below, under the OpenVPN Configuration section you can see the configuration file name (.ovpn) and two buttons: tap on Download configuration file button to download the configuration file onto your device, or send it to your e-mail address by tapping on Send to email. Download configuration files to set up OpenVPN manually on your preferred operating system. Download UDP Download TCP. If you wish to use a third-party OpenVPN client, rather than the VyprVPN app - you can download the OpenVPN files at the link below. Once downloaded, simply import the desired.ovpn file into the OpenVPN client software of your choice and connect. The download contains both 160-bit and 256-bit configurations.

In Fireware v12.3 or higher, Mobile VPN with SSL supports two-factor, challenge-response authentication for native OpenVPN clients.


Re: How to export client config file. With Access Server you just go to the web interface and log on as a user. Then you download server-locked, user-locked, or auto-login profile. Those are the 3 typos of files you can import into the OpenVPN client. But do note that the server-locked profile only works with OpenVPN Connect for.

Before you download the Mobile VPN with SSL client profile, make sure your Firebox configuration meets these requirements:

  • The Firebox must use Fireware v11.7.4 or higher.
  • The Firebox must be configured to route VPN traffic. Make sure that Routed VPN traffic is selected in the Mobile VPN with SSL configuration. For more information, see Manually Configure the Firebox for Mobile VPN with SSL.
  • The certificates for Mobile VPN with SSL must be created with Fireware v11.7.3 or higher. If you upgraded from an earlier version, your certificates might not be compatible with the OpenVPN client.

To generate new SSLVPN certificates, you must delete the SSLVPN certificates from the Firebox and reboot the Firebox. When the Firebox restarts, it creates new SSLVPN certificates.

To generate new SSLVPN certificates for a Firebox, from Firebox System Manager:

  1. Select View > Certificates.
    The Certificates dialog box appears.
  2. In the list of certificates, find and delete the three SSLVPN certificates. The three SSLVPN certificates have these common name (cn) attributes:
  • cn=Fireware SSLVPN Server
  • cn=Fireware SSLVPN Client
  • cn=Fireware SSLVPN (SN...) CA
  1. Reboot the Firebox to automatically generate new certificates.
    You must use Firebox System Manager (FSM) to delete certificates. You cannot delete the certificate from Fireware Web UI.

After the Firebox generates new SSLVPN certificates, existing WatchGuard Mobile VPN with SSL clients automatically download the new certificates the next time your users connect. The WatchGuard Mobile VPN with SSL client prompts the user to accept the new certificate if the user does not have the CA certificate for the Firebox.

To generate new SSLVPN certificates for Fireboxes that are FireCluster members, you must turn off the backup master and then reboot the master. The master creates the new certificates. After the master is back online, turn on the backup master. The backup master uses the new certificates that the master generated.

Download the Mobile VPN with SSL Client Profile

After you configure Mobile VPN with SSL on the Firebox, you users can download the client.ovpn file from the Firebox and send it to the device where the OpenVPN client is installed.

Because web browsers on some mobile devices do not support file downloads, this procedure describes how to download the file to another device and email it to the mobile device as a file attachment.

To download the .ovpn profile from the Firebox:

  1. Connect to the Firebox with a web browser over port 443, unless you configured a custom port number:

https://<IP address of a Firebox interface or host name>/sslvpn.html


https://<IP address of a Firebox interface or host name>:<custom port number>/sslvpn.html

  1. Type your user name and password to authenticate to the Firebox.
    The Mobile VPN with SSL download page appears.
  1. Click the Download button for the Mobile VPN with SSL client profile. The file you download is called client.ovpn.
  2. Save the file to a location on your computer.
  3. Send the file as an email file attachment to the mobile user.

Import the Client Profile

To import a client profile to an Android or iOS device:

  1. Install the OpenVPN Connect app.
  2. Open the email message that contains the .ovpn email attachment.
  3. Tap the attachment to open the file in the OpenVPN Connect app.
  4. Import the .ovpn file to the VPN client to create a new connection profile.
  5. In the profile, type the Username and Password you use to authenticate to the Firebox.
  6. To start the VPN tunnel, select or turn on the VPN profile in OpenVPN Connect.

For more information about the OpenVPN client, see the documentation provided by OpenVPN:

See Also

The easiest way to configure an OpenVPN client on most platforms is to use theOpenVPN Client Export Package on the pfSense® firewall.

Install the OpenVPN Client Export Utility package as follows:

  • Navigate to System > Packages

  • Locate the OpenVPN Client Export package in the list

  • Click Install next to that package listing to install

Once installed, it can be found at VPN > OpenVPN, on the Client Exporttab.

The options for the package include:

Remote Access Server

Pick the OpenVPN server instance for which a client willbe exported. If there is only one OpenVPN remote access server there willonly be one choice in the list. The list will be empty if there are no RemoteAccess mode OpenVPN servers.

Host Name Resolution

Controls how the “remote” entry the client is formatted.

Interface IP Address

When chosen, the interface IP address is useddirectly. This is typically the best choice for installations with astatic IP address on WAN.

Automagic Multi-WAN IPs

This option is useful when redirecting multipleports using port forwards for deployments that utilize multi-WAN ormultiple ports on the same WAN. It will seek out and make entries for allport forwards that target the server and use the destination IP addressused on the port forward in the client configuration.

Automagic Multi-WAN DDNS Hostnames

Similar to the previous option, but ituses the first Dynamic DNS entry it finds that matches the chosendestination.

Installation Hostname

Places the firewall’s hostname, defined underSystem > General Setup, into the client configuration. The hostnamemust exist in public DNS so it can be resolved by clients.

Dynamic DNS Hostname Entries

Each Dynamic DNS hostname configured on thefirewall is listed here. These are typically the best choice for running aserver on a single WAN with a dynamic IP address.


Presents a text box in which a hostname or IP address can be enteredfor the client to use.

Verify Server CN

Specifies how the client will verify the identity of theserver certificate. The CN of the server certificate is placed in the clientconfiguration, so that if another valid certificate pretends to be the serverwith a different CN, it will not match and the client will refuse toconnect.

Automatic - Use verify-x509-name where possible

This is the best forcurrent clients. Older methods have been deprecated since this method ismore accurate and flexible.

Use tls-remote

This can work on older clients (OpenVPN 2.2.x orearlier) but it will break newer clients as the option has beendeprecated.

Use tls-remote and quote the server CN

Works the same as tls-remote butadds quotes around the CN to help some clients cope with spaces in the CN.

Do not verify the server CN

Disables client verification of the servercertificate common name.

Use Random Local Port

For current clients, the default (checked) is best,otherwise two OpenVPN connections cannot be run simultaneously on the clientdevice. Some older clients do not support this, however.

Use Microsoft Certificate Storage

Under Certificate Export Options, forexported installer clients this will place the CA and user certificate inMicrosoft’s certificate storage rather than using the files directly.

Use a password to protect the pkcs12 file contents

When checked, enter aPassword and confirm it, then the certificates and keys supplied to theclient will be protected with a password. If the OpenVPN server is configuredfor user authentication this will cause users to see two different passwordprompts when loading the client: One to decrypt the keys and certificates,and another for the server’s user authentication upon connecting.

Use Proxy

If the client will be located behind a proxy, check Use proxy tocommunicate with the server and then supply a Proxy Type, IPAddress, Port, and Proxy Authentication with credentials if needed.


When checked, this option will bundle the Windows installerwith OpenVPNManager GUI in addition to the normal Windows client. Thisalternate GUI manages the OpenVPN service in such a way that it does notrequire administrator-level privileges once installed.

Additional configuration options

Any extra configuration options needed forthe client may be placed in this entry box. This is roughly equivalent to theAdvanced options box on the OpenVPN configuration screens, but from theperspective of the client.


There is no mechanism to save these settings, so they must be checkedand set each time the page is visited.

Client Install Packages List¶

Under Client Install Packages is a list of potential clients to export. Thecontents of the list depend on how the server is configured and which users andcertificates are present on the firewall.

Openvpn Profile File Download Pc

The following list describes how the server configuration style affects the listin the package:

Remote Access (SSL/TLS)

User certificates are listed which are made from thesame CA as the OpenVPN server

Remote Access (SSL/TLS + User Auth – Local Users)

User entries are listed forlocal users which also have an associated certificate made from the same CAas the OpenVPN server.

Remote Access (SSL/TLS + User Auth – Remote Authentication)

Because the usersare remote, user certificates are listed which are made from the same CA asthe OpenVPN server. It is assumed that the username is the same as the commonname of the certificate.

Remote Access (User Auth – Local Users or Remote Authentication)

A singleconfiguration entry is shown for all users since there are no per-usercertificates.

The example setup from the wizard made previously in this chapter was forSSL/TLS + User Auth with Local Users, so one entry is shown per user on thesystem which has a certificate created from the same CA as the OpenVPN server.


If no users are shown, or if a specific user is missing from the list,the user does not exist or the user does not have an appropriate certificate.See Local Users for the correct procedure to create auser and certificate.

Client Install Package Types¶

Numerous options are listed for each client that export the configuration andassociated files in different ways. Each one accommodates a different potentialclient type.

Standard Configurations¶


Downloads a ZIP archive containing the configuration file, theserver’s TLS key if defined, and a PKCS#12 file which contains the CAcertificate, client key, and client certificate. This option is usablewith Linux clients or Tunnelblick, among others.

File Only

Downloads only the basic configuration file, no certificates orkeys. This would mainly be used to see the configuration file itself withoutdownloading the other information.

Inline Configurations¶

This choice downloads a single configuration file with the certificates and keysinline. This format is ideal for use on all platforms, especially Android andiOS clients or for manually copying a configuration to a system that already hasa client installed. This option will work for any client type based on OpenVPNversion 2.1 or newer.


Used with the Android OpenVPN client mentioned inInstalling the OpenVPN Client on Android.

OpenVPN Connect (iOS/Android)

Used with the OpenVPN Connect client on iOS orAndroid described in Installing the OpenVPN Client on iOS.


Usable by any standard OpenVPN client on platforms such as Windows, OSX, or BSD/Linux. It also works well with Tunnelblick on OS X, simply downloadthe inline config and drag it into the configurations folder forTunnelblick.

SIP Phone archives¶

If the OpenVPN server is configured as SSL/TLS only without authentication thenoptions will appear to export client configurations for several models of SIPhandsets that support OpenVPN. Notable examples are the Yealink T28 and T38G,and SNOM phones. Installing the client to the phone varies by model, check themanufacturer’s documentation for more information.


Ensure the phone has a proper clock setup and/or NTP server, otherwisethe certificates will fail to validate and the VPN will not connect.


Typically these handsets only support the use of SHA1 as acertificate hash. Ensure the CA, server certificate, and client certificatesare all generated using SHA1 or they may fail. They may also only support alimited set of encryption algorithms such as AES-128-CBC. Consult the phonedocumentation for details.

Windows Installers¶

The Windows Installer options create a simple-to-use executable installer filewhich contains the OpenVPN client with the configuration data embedded. Theinstaller runs like the normal Windows OpenVPN client installer, but it alsocopies all of the settings and certificates needed. SeeInstalling the OpenVPN Client on Windows below for some notes on how to install andrun the Windows client.

File Download Movie

Currently, there are four options available:


32-bit installer usable on Windows XP and later


64-bit installer usable on Windows XP and later


32-bit installer usable on Windows Vista and later and includes anewer tap driver


64-bit installer usable on Windows Vista and later and includes anewer tap driver


Be sure to click next/finish all the way through the installationprocess. Do not click cancel or X out the install at any step, or the clientsystem may be left with the client installed but no imported configuration.

Openvpn File Download


On Windows Vista, 7, 8, 10 and later with UAC (User AccountControl) enabled, the client must be run as Administrator. Right clickthe OpenVPN GUI icon and click Run as Administrator for it to work. Itcan connect without administrative rights, but it cannot add the route neededto direct traffic over the OpenVPN connection, leaving it unusable. Theproperties of the shortcut may be set to always launch the program asAdministrator. This option is found on the Compatibility tab of theshortcut properties. One way around that requirement is to checkOpenVPNManager before exporting to use an alternate OpenVPN managementGUI on Windows.

The Viscosity client is also available for Windows and it does not requireadministrative privileges to run properly.

Viscosity Bundle¶

This works like the configuration archive above, but is for the ViscosityOpenVPN client used in OS X and Windows. If the Viscosity client is alreadyinstalled, download this bundle and click it to import it into the client.