Connect Before You Sign In: Pre-Login Connect Arrives in OpenVPN Connect for Windows


A new feature that fixes the oldest headache in remote Windows domains — and opens a fresh, repeatable opportunity for the partners who serve them.

Every Windows admin who supports remote staff knows the chicken-and-egg problem. To sign in to a domain-joined laptop, Windows needs to reach a domain controller. But the VPN that reaches the domain controller usually doesn't connect until after the user has already signed in. So the user logs in against locally cached credentials, and a cascade of small failures follows: Group Policy doesn't refresh, logon scripts don't run, mapped drives go missing, and the brand-new hire whose laptop has never touched the network simply can't log in at all.

For years, solving this meant reaching for heavyweight enterprise tooling... until now.

OpenVPN Connect for Windows now includes Pre-Login Connect (PLC) — a feature that establishes the VPN tunnel right at the Windows sign-in screen, before a user signs in to the operating system. It does this using the Pre-Login Access Provider (PLAP) built natively into Windows 10 and Windows 11, so there's no third-party credential provider to license or maintain. The user sees a simple Network Sign-in icon in the corner of the lock screen, connects, and then signs in to Windows with full network access already in place.

It's available now in OpenVPN Connect 3.9 and later.

What Pre-Login Connect actually solves

When the tunnel is up before the user authenticates, the rest of the login behaves the way it's supposed to:

  • Domain credentials validate live against a domain controller, not against a stale local cache.
  • Group Policy applies and logon scripts run at sign-in, because the network resources they depend on are reachable.
  • Password changes work remotely. When a password is reset on the domain, the user signs in with the new one on the first try — no lockout, no "you'll have to come into the office" ticket.
  • New devices can complete their first remote login. A freshly imaged laptop with no cached credentials can reach the domain controller and log in from a home office.

These are exactly the use cases OpenVPN designed the feature around: environments that need Active Directory access before a user account can finish logging in, domain-joined clients that must validate credentials against a domain controller, and shops that run logon scripts requiring network access.

Why Pre-Login Connect matters for Windows-only SMBs

Small and mid-sized businesses running a Windows domain have always felt this pain the most. They have the same Active Directory dependencies as a large enterprise, but rarely the budget — or the staff — for enterprise NAC and ZTNA platforms built to paper over the pre-login gap. PLC closes that gap with tooling these shops can realistically adopt:

It's already in the app you're running. PLC ships inside OpenVPN Connect 3.9+. There's no separate product to procure and no per-seat credential-provider license. If your team is already standardizing on OpenVPN Connect, the capability is right there.

Setup is a handful of commands, not a project. An administrator installs the system service, points it at a folder of .ovpn system profiles, and starts the service. That's the core of it. Profiles meant for the sign-in screen are managed separately from the ones users import in the app, which keeps the two cleanly scoped.

End users barely notice it. There's nothing for them to install or configure. They click Network Sign-in, pick a profile, authenticate, and sign in to Windows. For a lean IT team, that means almost no training and far fewer "I can't log in from home" tickets.

Modern authentication isn't sacrificed for simplicity. PLC supports user-locked and server-locked profiles, auto-login profiles, MFA, and web-based and SAML sign-in. For SAML, a QR code appears at the lock screen — scan it with a phone to complete authentication. A ten-person shop can run the same MFA-backed login flow a much larger organization would.

One honest note worth setting expectations on: PLC is built to establish connectivity for sign-in, not to enforce a persistent, always-on tunnel. For shops that need always-on behavior, OpenVPN's service daemon mode is the right tool. Knowing which problem you're solving keeps the deployment clean.

Why Pre-Login Connect matters for OpenVPN resellers and partners

For partners who sell and support OpenVPN in Windows-centric accounts, PLC is more than a feature note — it's a conversation starter that maps directly to a pain every domain shop already feels.

It's a concrete differentiator in SMB deals. "Your remote users can log in to the domain, get their Group Policy and scripts, and survive a password reset — without an enterprise NAC stack" is a tangible promise. The before-and-after story practically tells itself in a discovery call.

It expands where OpenVPN fits. PLC pulls OpenVPN deployments squarely into domain-joined Windows environments — onboarding remote laptops, supporting hybrid workers, replacing brittle cached-credential workflows. That's a wider set of opportunities across self-hosted OpenVPN, Access Server, and CloudConnexa engagements.

It's low-friction to deliver and support. Because the heavy lifting is handled by native Windows PLAP and a small system service, the deployment is quick to stand up and predictable to troubleshoot — logs land in a configurable file and critical events surface in the Windows Event Viewer under the OVPNSystemService source. Less services overhead per engagement means healthier margins.

It creates recurring, managed-service value. Standing up PLC, curating the system-profile set, and managing it as the environment changes is a natural ongoing offering — not a one-and-done install. That's a repeatable motion partners can package.

How Pre-Login Connect works, at a glance

  1. An administrator installs the PLC system service from the OpenVPN Connect installation directory and points it at a directory of system .ovpn profiles.
  2. The service starts and runs at the system level.
  3. At the Windows sign-in screen, the user clicks Network Sign-in, selects a profile, and authenticates — with MFA or SAML if configured.
  4. With the tunnel established and the domain controller reachable, the user signs in to Windows normally. Policies apply, scripts run, drives map.

A few requirements to keep in mind: OpenVPN Connect 3.9 or higher, Windows 10 or 11, and administrator access to set it up. PLC isn't supported on ARM64 Windows devices, and profiles requiring ePKI authentication aren't supported.
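The requirements above, together with a permissions check on the system-profile folder, as an added PowerShell example (not OpenVPN's own tooling). The profile folder path and the "OpenVPN Connect" uninstall display name are assumptions; because the service reads that folder at the system level, the last check lists any account other than SYSTEM or Administrators that can write to it.

```powershell
# Added example: readiness audit for Pre-Login Connect (not OpenVPN tooling).
function Test-PlcReadiness {
    param(
        # Hypothetical path: the system-profile folder the service was pointed at.
        [string]$ProfileDir = 'C:\ProgramData\ExamplePLC\profiles'
    )
    $r = [ordered]@{}
    # Requirement: administrator access for setup.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $r.IsAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Requirement: Windows 10 or 11. Both report major version 10;
    # ProductType 1 is a workstation edition.
    $os = Get-CimInstance Win32_OperatingSystem
    $r.OsSupported = ([version]$os.Version).Major -eq 10 -and $os.ProductType -eq 1

    # Requirement: not ARM64. Win32_Processor.Architecture 12 means ARM64.
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $r.ArchSupported = $cpu.Architecture -ne 12

    # Requirement: OpenVPN Connect 3.9 or later.
    # Assumption: the uninstall entry's DisplayName starts with "OpenVPN Connect".
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $app = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'OpenVPN Connect*' } |
        Select-Object -First 1
    $ver = $app.DisplayVersion -as [version]
    $r.ConnectVersion   = $app.DisplayVersion
    $r.ConnectSupported = ($null -ne $ver) -and ($ver -ge [version]'3.9')

    # Hardening: only SYSTEM and BUILTIN\Administrators should be able to
    # change profiles that a system-level service will load.
    $trusted = 'S-1-5-18', 'S-1-5-32-544'
    $write = [Security.AccessControl.FileSystemRights](
        'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership')
    $r.UntrustedWriters = @()
    if (Test-Path $ProfileDir) {
        $sidType = [Security.Principal.SecurityIdentifier]
        $rules = (Get-Acl $ProfileDir).GetAccessRules($true, $true, $sidType)
        $r.UntrustedWriters = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]($_.FileSystemRights -band $write)) -ne 0 -and
            $_.IdentityReference.Value -notin $trusted
        } | ForEach-Object { $_.IdentityReference.Value })
    }
    [pscustomobject]$r
}
Test-PlcReadiness | Format-List
```

An empty UntrustedWriters list with every other field true means the machine meets the stated requirements and the profile folder is writable only by privileged accounts.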

Get started

The full setup steps, configuration options, and supported authentication methods are in the official documentation:

If you run a Windows domain and you've been living with cached-credential logins, password-reset lockouts, and laptops that can't onboard from home, Pre-Login Connect is the fix you've been improvising around. Update to OpenVPN Connect 3.9 or later and try it.

And if you're a partner: bring it to your next Windows-shop conversation. The problem is universal, the demo is short, and the value lands fast.
