Headwind MDM has an OpenVPN plugin that is remotely managed and can be set up as always-on.
Headwind's OpenVPN mobile agent is a fork of the open source OpenVPN application https://github.com/schwabe/ics-openvpn. We integrated this app with the Headwind MDM mobile API so that Headwind MDM can change the app settings.
To download the OpenVPN mobile agent, use this link: https://h-mdm.com/files/openvpn-hmdm-1.7.50.apk
The source code is available here: https://github.com/h-mdm/hmdm-openvpn (note: you need to sign the OpenVPN agent with the same key as the Headwind MDM launcher so that it gets access to the Android VPN settings).
To start using the OpenVPN plugin, add the OpenVPN mobile agent to your configuration. After that, specify the application settings.
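One way to check the signing requirement above before deploying a self-built agent (an added example, not part of the Headwind MDM project): the script compares the SHA-256 certificate digests that the Android SDK tool `apksigner verify --print-certs` prints for the launcher and the agent. The APK file names and the sample digests are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Headwind MDM code): check that two APKs share a signer.
# Input is the text printed by `apksigner verify --print-certs <apk>`.

# Print the sorted, unique SHA-256 certificate digests found on stdin.
cert_digests() {
    sed -n 's/^.*certificate SHA-256 digest: *\([0-9A-Fa-f]\{64\}\).*$/\1/p' |
        tr 'A-F' 'a-f' | sort -u
}

# same_signer OUT_A OUT_B: succeed only if both outputs contain at least
# one certificate digest and the two digest sets are identical.
same_signer() {
    a=$(printf '%s\n' "$1" | cert_digests)
    b=$(printf '%s\n' "$2" | cert_digests)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample outputs; the digests are made up for illustration.
SAMPLE_LAUNCHER='Signer #1 certificate DN: CN=Example MDM Key
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
SAMPLE_AGENT_OK='Signer #1 certificate DN: CN=Example MDM Key
Signer #1 certificate SHA-256 digest: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'
SAMPLE_AGENT_BAD='Signer #1 certificate DN: CN=Android Debug
Signer #1 certificate SHA-256 digest: fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210'
SAMPLE_UNSIGNED='DOES NOT VERIFY'

# Real use: sh check_signer.sh launcher.apk openvpn-agent.apk
# (both file names are placeholders for your own builds).
if [ "$#" -eq 2 ]; then
    out_a=$(apksigner verify --print-certs "$1") || exit 2
    out_b=$(apksigner verify --print-certs "$2") || exit 2
    if same_signer "$out_a" "$out_b"; then
        echo "OK: both APKs are signed with the same certificate"
    else
        echo "MISMATCH: signing certificates differ" >&2
        exit 1
    fi
fi
```

An output with no certificate digest (for example an unsigned or unverifiable APK) is treated as a mismatch rather than as a match of two empty sets.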
Settings can be specified in the "Application settings" tab of the configuration details (package ID is de.blinkt.openvpn). The following settings are available:
vpn_name - VPN connection name
vpn_config - path to the OpenVPN (.ovpn) configuration file relative to the SD card path, for example, /config.ovpn
remove - VPN connections which should be removed from the device (comma-separated)
remove_all - set to 1 to remove all other VPN connections from the device
connect - set to 1 to connect VPN automatically after creation
always_on - set to 1 to mark VPN as always-on
To apply settings, the application must be restarted (or the device rebooted).
OpenVPN plugin Web UI
In Headwind MDM Enterprise, there's a web UI for this plugin. It is disabled by default and needs to be enabled in Settings - Plugins.
To open the web UI, use Settings - OpenVPN.
The plugin sets up VPN settings for specific configuration(s). To assign the same VPN settings to multiple configurations, save the settings as default.
To apply the OpenVPN settings, the mobile agent can be remotely restarted. Use the "Run OpenVPN" button at the bottom of the screen to start the mobile agent and turn on VPN on all related devices.