OpenVPN Connect Profile Configuration

Example "OpenVPN Connect" Profile for TDA

Written by Fernando

Last published at: October 18th, 2024

When deploying OpenVPN Connect as a Software Package using our Management Console, add the configuration below so that OpenVPN Connect runs normally when AEP (v7.5) or Process Security (v8) is enabled.

Please note that the configuration below does not apply to version 7.4 or earlier.

The certificate thumbprint used in the rules below is the SHA-1 thumbprint of the OpenVPN Inc. code-signing certificate on the current OpenVPN Connect binaries. When OpenVPN Inc. renews that certificate, the thumbprint changes and the rules must be updated to match, or the signed binaries will no longer satisfy the identity conditions.

AEP Rules for v7.5

Under Application Execution Prevention > Add New Rule

Rule Name: OpenVPN

Rule Enabled: Checked

Action: Allow

Certificate Trusted Is: True

AND Certificate Issued To Is: OpenVPN Inc.

AND Certificate Thumbprint Is: 185AE9E969E8BDF18C346FE5077A173FA1AD7FD9


Under Process Execution Security > Create New Rule

Rule Name: OpenVPN

Rule Enabled: Checked

Action:

  • Duplicate Handle
  • Dual Persona Volume Read
  • Dual Persona Volume Write
  • Dual Persona Other Volume Write

Image Name Ends With: \agent_ovpnconnect.exe

OR Image Name Ends With: \ovpnconnector.exe


Under Service Execution Prevention > Add New Rule

Rule Name: OpenVPN

Rule Enabled: Checked

Action: Restart


Service Name Is: FA_Scheduler

OR Service Name Is: agent_ovpnconnect

OR Service Name Is: ovpnhelper_service

Rule Applies to: Startup SEP Checks

Click OK

Save Profile


Process Security for v8 OnPrem

Edit your desired TDA Profile

Go to Process Security > Right click on the blank space > Add

Rule Name: SET: OpenVPN Connect

Select New Process Set

Set Name: SET: OpenVPN Connect

Identity Rules > Right Click > Add New

Rule Name: IDENTITY: OpenVPN Connect

Certificate Trusted Is: True

AND Certificate Issued To Is: OpenVPN Inc.

AND Certificate Thumbprint Is: 185AE9E969E8BDF18C346FE5077A173FA1AD7FD9


Rule Name: IDENTITY: OpenVPN Connect: cmd

Is Parent Same Session Is: True

AND Certificate Trusted Is: True

AND File Description Is: Windows Command Processor


Parent Process Rule:

Certificate Trusted Is: True

AND Certificate Issued To Is: OpenVPN Inc.

AND Certificate Thumbprint Is: 185AE9E969E8BDF18C346FE5077A173FA1AD7FD9

Click on Update

Check that the option for SysTray injection is enabled.

On Volume Protection > Enable it

Right Click > Add Existing

  • Select SYSTEM VOL: Dual Persona - Read / Write
  • Click on Select

Click Update


Edit SYSTEM: Protected System Service Access

Under Rule Configuration, click on the cog

Right Click > Add New

Rule Name: APP IDENTITY: OpenVPN Connect Services

Is Session 0 Is: True

AND Certificate Trusted Is: True

AND Certificate Issued To Is: OpenVPN Inc.

AND Is Service Is: True

AND Service Name Is: agent_ovpnconnect

OR Service Name Is: ovpnhelper_service

Click OK

Click Update 


Under Service Protection

Set Session Start Group to Session Start Actions from the dropdown menu, then click on the cog

Right Click on the blank space and Add New

Rule Name: Restart OpenVPN Connect Service

Rule Enabled: Checked

Action: Restart

Service Name Is: agent_ovpnconnect

OR Service Name Is: ovpnhelper_service

Click OK

Click Update

Save Profile


Process Security for v8 Cloud

Login to your Device Portal

Navigate to Configuration > Security Profiles and open your desired Security Profile

Go to Process Security and expand

Go to Process Security Tab


Click on + Add Item

On the right-hand side, enter:

Name: SET: OpenVPN Connect

Enabled: Checked

Click on the “+” button


Click on Edit Rules:

Click on + Add Item

Enabled: Checked

Name: IDENTITY: OpenVPN Connect

Certificate Trusted Is: True

AND Certificate Issued To Is: OpenVPN Inc.

AND Certificate Thumbprint Is: 185AE9E969E8BDF18C346FE5077A173FA1AD7FD9

Click Apply


Click On + Add Item

Rule Name: IDENTITY: OpenVPN Connect: cmd

Is Parent Same Session Is: True

AND Certificate Trusted Is: True

AND File Description Is: Windows Command Processor


Parent Process Rule:

Certificate Trusted Is: True

AND Certificate Issued To Is: OpenVPN Inc.

AND Certificate Thumbprint Is: 185AE9E969E8BDF18C346FE5077A173FA1AD7FD9

Click Apply

Close popup window

Click Apply and Close the popup window

From the Process Sets dropdown menu, select Include and the newly created set

Enable: SysTray Injection

Click Apply

Go to the Volume Protection tab

Toggle to Enable

Check: SYSTEM VOL: DualPersona - Read / Write

Click Apply

Edit: SYSTEM: Protected System Service Access

Click on Edit Rules:

Click on + Add Item

Rule Name: APP IDENTITY: OpenVPN Connect Services

Is Session 0 Is: True

AND Certificate Trusted Is: True

AND Certificate Issued To Is: OpenVPN Inc.

AND Is Service Is: True

AND Service Name Is: agent_ovpnconnect

OR Service Name Is: ovpnhelper_service

Click Apply

Close the popup window

Click Apply

Go to Service Protection and expand it

Under Session Start Group, edit Session Start Actions


Click on Edit Rules:


Click on + Add Item

Rule Enabled: Checked

Rule Name: Restart OpenVPN Connect Service

Action: Restart

Service Name Is: agent_ovpnconnect

OR Service Name Is: ovpnhelper_service

Click Apply

Close popup window

Save the configuration from the top right corner.
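All three procedures above (AEP for v7.5, Process Security for v8 OnPrem and v8 Cloud) key on the same identifiers: the OpenVPN Inc. signing certificate and its thumbprint, the image names agent_ovpnconnect.exe and ovpnconnector.exe, and the services agent_ovpnconnect and ovpnhelper_service. The following PowerShell script is an added pre-flight check, not part of this article and not a tool from OpenVPN Inc. or from the Management Console; run it from an elevated PowerShell prompt on an endpoint with OpenVPN Connect installed, before deploying the profile and again after any OpenVPN Connect update. It assumes the default install directory under Program Files (adjust $InstallDir if the package is deployed elsewhere) and reports every binary whose Authenticode signature does not match the subject and thumbprint used in the rules, and every expected service that is missing or whose image is not in the page's image list.

```powershell
# Added example, not part of the original article, of OpenVPN Connect or of the
# Management Console: a pre-flight check that the installed OpenVPN Connect
# binaries and services match the identifiers the profile rules key on.
# Run from an elevated PowerShell prompt on a machine with OpenVPN Connect installed.

$ExpectedSubjectCN  = 'OpenVPN Inc.'
$ExpectedThumbprint = '185AE9E969E8BDF18C346FE5077A173FA1AD7FD9'
$ExpectedServices   = @('agent_ovpnconnect', 'ovpnhelper_service')
$ExpectedImages     = @('agent_ovpnconnect.exe', 'ovpnconnector.exe')

# Assumed install location (adjust if the package is deployed elsewhere).
$InstallDir = Join-Path $env:ProgramFiles 'OpenVPN Connect'

$failures = New-Object System.Collections.Generic.List[string]

if (-not (Test-Path -LiteralPath $InstallDir)) {
    throw "OpenVPN Connect install directory not found: $InstallDir"
}

# 1. Authenticode: each executable must carry a valid signature whose leaf
#    certificate has the expected subject CN and SHA-1 thumbprint. A different
#    thumbprint (for example after OpenVPN Inc. renews its code-signing
#    certificate) means the 'Certificate Thumbprint Is' condition stops matching
#    and the rules in the profile must be updated.
foreach ($exe in Get-ChildItem -LiteralPath $InstallDir -Filter *.exe -Recurse -File) {
    $sig = Get-AuthenticodeSignature -LiteralPath $exe.FullName
    if ($sig.Status -ne 'Valid') {
        $failures.Add("$($exe.Name): signature status is '$($sig.Status)' (rules require Certificate Trusted = True)")
        continue
    }
    $cert = $sig.SignerCertificate
    # SimpleName returns the subject CN, which is what 'Certificate Issued To Is' compares.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedSubjectCN) {
        $failures.Add("$($exe.Name): signed by '$cn', expected '$ExpectedSubjectCN'")
    }
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        $failures.Add("$($exe.Name): thumbprint $($cert.Thumbprint), expected $ExpectedThumbprint")
    }
}

# 2. Services: each service referenced by the Service Protection / Service
#    Execution Prevention rules must exist. The image each service runs is
#    reported so it can be compared with the 'Image Name Ends With' list.
foreach ($name in $ExpectedServices) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        $failures.Add("service '$name' is not installed")
        continue
    }
    # PathName may be quoted and carry arguments; keep only the executable path.
    $image = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $leaf  = Split-Path -Leaf $image
    Write-Host "service '$name' is $($svc.State), image: $image"
    if ($ExpectedImages -notcontains $leaf) {
        Write-Warning "service '$name' runs $leaf, which is not in the Image Name Ends With list on this page"
    }
}

# 3. Report. A non-zero exit code lets the check be used from a deployment script.
if ($failures.Count -eq 0) {
    Write-Host "OK: binaries under $InstallDir are signed by '$ExpectedSubjectCN' with thumbprint $ExpectedThumbprint, and the expected services are present."
    exit 0
}
$failures | ForEach-Object { Write-Warning $_ }
exit 1
```

If the script reports a thumbprint mismatch on every binary after an OpenVPN Connect update, the vendor has rotated its code-signing certificate: replace the thumbprint in each Certificate Thumbprint Is condition above with the value the script prints, rather than dropping the thumbprint condition, so the rule continues to match only OpenVPN Inc. code.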