How-to: Configure OpenVPN Start Before Logon (SBL) / PLAP using OpenVPN GUI on Windows

Description

In certain environments, it is required to establish a VPN connection before a user logs in to Windows, for example to enable domain authentication against remote infrastructure.

By default, OpenVPN connections are only available after user logon.

To enable Start Before Logon (SBL) using the Pre-Logon Access Provider (PLAP) with OpenVPN GUI, follow these steps:


1. Install OpenVPN GUI

Install the OpenVPN GUI client on the Windows system.

2. Enable PLAP in OpenVPN GUI

  1. Open the system tray (taskbar hidden icons).
  2. Right-click on the OpenVPN GUI icon.
  3. Open Settings.
  4. Enable Pre-Logon Access Provider.
  5. Confirm with OK.

3. Download and Prepare the Connection Profile

  1. Download the .ovpn connection profile from the OpenVPN Access Server Client Web UI.
  2. Open the file in a text editor.
  3. Add the following lines:

     management 127.0.0.1 12345
     management-hold
     management-query-passwords

Optional parameters

  • For TOTP MFA:
     auth-retry interact
  • For SAML authentication:
     setenv IV_SSO webauth

  4. Save the file.

4. Deploy the Configuration

  1. Copy the modified .ovpn file to:
     C:\Program Files\OpenVPN\config-auto
  2. Open PowerShell with administrative privileges.
  3. Restart the OpenVPN service:
     Restart-Service OpenVPNService
  4. Reopen OpenVPN GUI.

The profile should now appear under Persistent Profiles.

If the profile does not appear, reboot the system.
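
A profile that is missing one of the directives from step 3 is a common reason for it not to be usable pre-logon. The following is an added example, not part of the original article or of OpenVPN's tooling: a PowerShell check that a profile carries the three management directives and that the management interface, which accepts control commands for the tunnel, stays bound to loopback. The function name Test-OvpnPlapProfile, the sample profile and the <profile> placeholder are assumptions made for illustration.

```powershell
# Added example, not OpenVPN's own tooling. Test-OvpnPlapProfile is a hypothetical helper.
function Test-OvpnPlapProfile {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    $findings = [System.Collections.Generic.List[string]]::new()
    # Keep directive lines only: drop blank lines and '#' or ';' comments.
    $directives = @($Lines | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -notmatch '^[#;]' })

    # Flag directives required by step 3.
    foreach ($flag in 'management-hold', 'management-query-passwords') {
        if (-not ($directives -match ('^{0}(\s|$)' -f $flag))) {
            $findings.Add("missing directive: $flag")
        }
    }

    # 'management <ip> <port>' must exist and should listen on loopback only.
    $mgmt = @($directives -match '^management\s')
    if ($mgmt.Count -eq 0) { $findings.Add('missing directive: management <ip> <port>') }
    foreach ($line in $mgmt) {
        $parts = $line -split '\s+'
        if ($parts.Count -lt 3) { $findings.Add("incomplete management line: $line"); continue }
        if ($parts[1] -notin '127.0.0.1', '::1', 'localhost') {
            $findings.Add("management listens on non-loopback address $($parts[1])")
        }
        if ($parts[2] -notmatch '^\d{1,5}$' -or [int]$parts[2] -lt 1 -or [int]$parts[2] -gt 65535) {
            $findings.Add("management port is not a valid TCP port: $($parts[2])")
        }
    }
    [pscustomobject]@{ Ok = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Constructed sample profile: management-hold was forgotten and the
# management interface is bound to all addresses instead of 127.0.0.1.
$sample = @'
client
remote vpn.example.com 1194
management 0.0.0.0 12345
management-query-passwords
'@ -split "`r?`n"

$result = Test-OvpnPlapProfile -Lines $sample
$result.Findings | ForEach-Object { Write-Warning $_ }

# Against a deployed profile (replace <profile> with the real file name):
# Test-OvpnPlapProfile -Lines (Get-Content 'C:\Program Files\OpenVPN\config-auto\<profile>.ovpn')
```

If several profiles are placed in config-auto, give each its own management port, since two OpenVPN processes cannot listen on the same one.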

5. Test Pre-Logon VPN

  1. Lock or reboot the Windows system.
  2. On the Windows login screen, a network/VPN icon will be visible.
  3. Click the icon.
  4. Select the VPN profile.
  5. Enter VPN credentials when prompted.
  6. The system connects to the VPN before Windows logon.

Result

After completing these steps, users can establish a VPN connection directly from the Windows logon screen, enabling authentication against remote services such as Active Directory.

Notes

  • The configuration relies on OpenVPN GUI with PLAP support.
  • The .ovpn file must be placed in the config-auto directory to be available pre-logon.
  • Service restart (or system reboot) is required to apply the configuration. (support.openvpn.com)