
Frequently Asked Questions

If you have questions about OpenVPN Connect on iOS, refer to this FAQ for answers. If your question isn't answered here, feel free to create a support ticket.

1.

Can I turn off the connection notification sound?

On some Android devices, a connection notification sound plays whenever a VPN tunnel is established and can’t be silenced by a non-root app.

2.

Can I control the VPN from outside the app?

Yes, you can control the VPN using shortcuts. Refer to this guide for how: Adding Shortcuts on Android.

3.

How can I maximize battery life?

To maximize battery life, enable Battery Saver in OpenVPN Connect. This pauses the VPN whenever the phone screen goes blank:

  1. Launch OpenVPN Connect.

  2. Tap the menu icon.

  3. Tap Settings.

  4. Tap to enable Battery Saver.

Warning

If you enable both the Battery Saver and Seamless Tunnel options, apps may be blocked from reaching the internet whenever the VPN is active but the device screen is off. Enabling both can be useful for additional energy savings, as long as you don’t have any background apps that need constant internet access.

4.

Why does OpenVPN Connect show two notification icons when connected?

The Android operating system requires two notification icons. They show that the VPN session is a high priority and shouldn’t be arbitrarily terminated by the system.

5.

When I try importing a PKCS#12 file, why am I prompted for a password?

When you generate a PKCS#12 file, you’re prompted for an "export password" to encrypt the file. You must enter this password when you import the PKCS#12 file into the iOS Keychain. This prevents interception and recovery of the private key during transport.

When you import a PKCS#12, a password must always be specified. If you have set an empty password, just tap OK without entering text.

6.

Why doesn't the PKCS#12 file on Android work the same as on desktop systems?

PKCS#12 files on Android are used somewhat differently than on OpenVPN Connect desktop versions. In desktop versions, PKCS#12 files can be bundled or referenced in the connection profile. On Android, however, PKCS#12 management is built into the Android Keychain. This approach is much better from a security perspective, because the Keychain can then leverage hardware features such as hardware-backed keystores. However, it does require that you load the PKCS#12 file into the Android Keychain as a separate step from importing the connection profile. It also moves the responsibility for managing PKCS#12 files to the Android Keychain, so it can potentially introduce compatibility issues.

7.

How do I use a client certificate and private key from the Android Keychain?

For guides on using external certificates, refer to Certificates & Tokens.

8.

I'm having trouble importing my profile; what can I do?

Refer to this troubleshooting page: Help Transferring a Profile to Android.

9.

Is IPv6 supported?

Yes. OpenVPN Connect supports IPv6 transport and IPv6 tunnels as long as the server supports them.

10.

How can I fix issues after an OpenVPN Connect update?

If you experience issues after a recent OpenVPN Connect update:

  1. Delete your connection profile(s).

  2. Reimport your connection profile(s).

  3. Fill in the appropriate credentials to connect.

11.

Why doesn't the app support TAP-style tunnels?

The Android VPN API currently supports only TUN-style or routed tunnels on Layer 3. TAP-style or bridged tunnels on Layer 2 are not possible on Android. This is a limitation of the Android platform. If you try to connect a profile that uses a TAP-based tunnel, you get an error that says only Layer 3 tunnels are currently supported.

If you want to see TAP-style tunnels supported in OpenVPN Connect, contact the Google Android team and ask them to extend the VpnService API to allow this. Without such changes to the VpnService API, non-root apps such as OpenVPN Connect can’t support TAP-style tunnels.

12.

Why does the VPN disconnect when I make or receive a voice call?

Some cellular networks can't maintain a data connection during a voice call. If Android detects this as a loss of network connectivity, the VPN pauses during the call and automatically resumes when the call ends.

13.

How can I fix error messages?

See the tips for handling the following error messages.

BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

This error message relates to cipher suites. You can usually remedy this by going to the app settings in OpenVPN Connect and checking the box for AES-CBC Cipher Algorithm.

Certificate verification failed: x509 — certificate verification failed, e.g. crl, ca or signature check failed

This error message occurs when a certificate can’t be verified properly. Certificate verification failure can occur, for example, if you are using an MD5-signed certificate. With an MD5-signed certificate, the security level is so low that the authenticity of the certificate can’t by any reasonable means be assured. In other words, it could very well be a fake certificate. The solution is to use a certificate not signed with MD5 but with SHA256 or better. Refer to the MD5 signature algorithm support section for more information.

Digest_error: NONE: not usable

This error message occurs if your client profile specifies both auth none and tls-auth. tls-auth needs an auth digest, and auth none leaves it without one. To resolve the error, remove the tls-auth directive; tls-auth can’t be enabled while auth none is set.

Error parsing certificate: X509 — The date tag or value is invalid

This error message occurs with a faulty certificate. Refer to this detailed forum post for more info.

SSL — Processing of the ServerKeyExchange handshake message failed

This error message likely occurs when the server runs older versions of OpenVPN/OpenSSL. Some users have solved this issue by updating the OpenVPN and OpenSSL software on the server.
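A profile can be checked before import for three of the conditions above: a TAP device (question 11), tls-auth combined with auth none, and an MD5-signed inline certificate. The following is an added example, not OpenVPN code; the function names and issue codes are hypothetical, the sample profile is constructed, and the MD5 check is a heuristic that searches the certificate's DER bytes for the md5WithRSAEncryption OID.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.1.4 (md5WithRSAEncryption).
MD5_RSA_OID = bytes.fromhex("06092a864886f70d010104")
INLINE = re.compile(r"<([\w-]+)>(.*?)</\1>", re.S)
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def directives(profile):
    """Map each top-level directive to its arguments, ignoring inline blocks."""
    found = {}
    for line in INLINE.sub("", profile).splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            found[name] = [a.lower() for a in args]
    return found


def lint(profile):
    """Return issue codes (hypothetical names) for problems this FAQ describes."""
    d, blocks, issues = directives(profile), INLINE.findall(profile), []
    # Question 11: the Android VpnService API only offers layer 3 (TUN).
    if (d.get("dev") or [""])[0].startswith("tap") or d.get("dev-type") == ["tap"]:
        issues.append("tap-unsupported")
    # "Digest_error: NONE: not usable": tls-auth needs an auth digest.
    has_tls_auth = "tls-auth" in d or any(tag == "tls-auth" for tag, _ in blocks)
    if d.get("auth") == ["none"] and has_tls_auth:
        issues.append("tls-auth-with-auth-none")
    # Heuristic for MD5-signed certificates: look for the OID in the DER.
    for tag, body in blocks:
        for b64 in PEM_CERT.findall(body) if tag in ("ca", "cert") else []:
            if MD5_RSA_OID in base64.b64decode(b64):
                issues.append(f"md5-signed-{tag}")
    return issues


# Constructed sample: the "certificate" is only an AlgorithmIdentifier
# fragment carrying the MD5 OID, not a real certificate.
FRAGMENT = base64.b64encode(b"\x30\x0d" + MD5_RSA_OID + b"\x05\x00").decode()
SAMPLE = (
    "client\ndev tap0\nauth none\n<tls-auth>\nplaceholder-key\n</tls-auth>\n"
    f"<cert>\n-----BEGIN CERTIFICATE-----\n{FRAGMENT}\n"
    "-----END CERTIFICATE-----\n</cert>\n")

if __name__ == "__main__":
    print(lint(SAMPLE))
```
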

14.

Can OpenVPN profiles connect from the Settings app?

Yes, you can connect from Settings if you have an autologin connection profile.

15.

Are certificate revocation lists (CRLs) supported?

Yes, OpenVPN Connect on Android 1.1.14 and newer supports CRLs.

To use a CRL, you must add it to the .ovpn profile, such as:

<crl-verify>
-----BEGIN X509 CRL-----
MIHxMFwwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKT3BlblZQTiBDQRcNMTQw
NDIyMDQzOTI3WhcNMjQwNDE5MDQzOTI3WjAWMBQCAQEYDzIwMTQwNDIyMDQzOTI3
WjANBgkqhkiG9w0BAQQFAAOBgQBQXzbNjXkx8+/TeG8qbFQD5wd6wOTe8HnypQTt
eELsI7eyNtiRRhJD3qKfawPVUabSijnwhAPHfhoIOLKe67RLfzOwAsFKPNJAVdmq
rYw1t2eucHvGjH8PnTh0aJPJaI67jmNbSI4CnHNcRgZ+1ow1GS+RAK7kotS+dZz9
0tc7Qw==
-----END X509 CRL-----
</crl-verify>

You can concatenate multiple CRLs together within the crl-verify block.

If you are importing a .ovpn file that references an external CRL file such as crl-verify crl.pem, ensure you drop the file crl.pem into the same place as the .ovpn file during import so the profile parser can access it.
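An alternative to shipping crl.pem beside the profile is to inline it before import. The following is an added example, not OpenVPN code: it replaces an external crl-verify reference with a single crl-verify block holding every CRL concatenated. The function names are hypothetical, and the sample CRLs are constructed placeholders (minimal DER SEQUENCEs, not real CRLs).

```python
import base64
import re
import textwrap

CRL_PEM = re.compile(
    r"-----BEGIN X509 CRL-----\s+(.*?)\s+-----END X509 CRL-----", re.S)
EXTERNAL = re.compile(r"^[ \t]*crl-verify[ \t]+(\S+).*$", re.M)


def extract_crls(pem_text):
    """Return each CRL in pem_text re-armoured, rejecting non-DER payloads."""
    out = []
    for b64 in CRL_PEM.findall(pem_text):
        der = base64.b64decode(b64)
        if not der.startswith(b"\x30"):  # a CRL is a DER SEQUENCE
            raise ValueError("CRL payload is not a DER SEQUENCE")
        body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
        out.append(f"-----BEGIN X509 CRL-----\n{body}\n-----END X509 CRL-----")
    if not out:
        raise ValueError("no X509 CRL block found")
    return out


def inline_crls(profile, *crl_files_text):
    """Swap an external `crl-verify <file>` line for one inline block."""
    if "<crl-verify>" in profile:
        raise ValueError("profile already has an inline crl-verify block")
    crls = [c for text in crl_files_text for c in extract_crls(text)]
    block = "<crl-verify>\n" + "\n".join(crls) + "\n</crl-verify>"
    if EXTERNAL.search(profile):
        return EXTERNAL.sub(lambda m: block, profile, count=1)
    return profile.rstrip("\n") + "\n" + block + "\n"


# Constructed placeholders: minimal DER SEQUENCEs, not real CRLs.
CRL_A = "-----BEGIN X509 CRL-----\nMAMCAQE=\n-----END X509 CRL-----\n"
CRL_B = "-----BEGIN X509 CRL-----\nMAMCAQI=\n-----END X509 CRL-----\n"
PROFILE = "client\ncrl-verify crl.pem\nremote vpn.example.com 1194\n"

if __name__ == "__main__":
    print(inline_crls(PROFILE, CRL_A + CRL_B))
```
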