Frequently Asked Questions
If you have questions about OpenVPN Connect on Android, refer to this FAQ for answers. If the answer isn't here, create a support ticket.
On some Android devices, a connection notification sound plays whenever a VPN tunnel is established and can’t be silenced by a non-root app.
Yes, you can control the VPN using shortcuts. Refer to this guide for how: Adding Shortcuts on Android.
To maximize battery life, enable Battery Saver in OpenVPN Connect. This pauses the VPN whenever the phone screen goes blank:
Launch OpenVPN Connect.
Tap the menu icon.
Tap Settings.
Tap to turn on Battery Saver.
Warning
If you turn on Battery Saver settings and Seamless Tunnel options, you may block any app from reaching the internet while the VPN is active, but the device screen isn’t on. Turning both on can be useful for additional energy savings, as long as you don’t have any background apps that need constant internet access.
The Android operating system requires two notification icons. They show that the VPN session is a high priority and shouldn’t be arbitrarily terminated by the system.
When you generate a PKCS#12 file, you’re prompted for an "export password" to encrypt the file. You must enter this password when you import the PKCS#12 file into the Android Keychain. This prevents interception and recovery of the private key during transport.
When you import a PKCS#12, you must always specify a password. If you set an empty password, tap OK without entering text.
PKCS#12 files on Android are used somewhat differently than on OpenVPN Connect desktop versions. In desktop versions, PKCS#12 files can be bundled or referenced in the connection profile. However, PKCS#12 management is built into the Android Keychain on Android. This approach is much better from a security perspective because the Keychain can leverage hardware features such as hardware-backed keystores. However, you must load the PKCS#12 file into the Android Keychain as a separate step from importing the connection profile. It also moves the responsibility for managing PKCS#12 files to the Android Keychain, so it can potentially introduce compatibility issues.
For guides on using external certificates, refer to Certificates & Tokens.
Refer to this troubleshooting page: Help Transferring a Profile to Android.
Yes. OpenVPN Connect supports IPv6 transport and IPv6 tunnels as long as the server supports them.
If you experience issues after a recent OpenVPN Connect update:
Delete your connection profile(s).
Reimport your connection profile(s).
Fill in the appropriate credentials to connect.
The Android VPN API currently supports only TUN-style or routed tunnels on Layer 3. TAP-style or bridged tunnels on Layer 2 are not possible on Android. This is a limitation of the Android platform. If you try to connect a profile that uses a TAP-based tunnel, you get an error that says only Layer 3 tunnels are currently supported.
If you want to see TAP-style tunnels supported in OpenVPN Connect, contact the Google Android team and ask them to extend the VpnService API to allow this. Without such changes to the VpnService API, non-root apps such as OpenVPN Connect can’t support TAP-style tunnels.
Some cellular networks can't maintain a data connection during a voice call. If the mobile device detects this as a loss of network connectivity, the VPN pauses during the call and automatically resumes when the call ends.
See the tips for handling the following error messages.
Certificate verification failed: x509 — certificate verification failed, e.g. crl, ca or signature check failed
This error occurs when a certificate can’t be adequately verified.
One example where certificate verification failure can occur is if you use an MD5-signed certificate. With an MD5-signed certificate, the security level is so low that the certificate's authenticity can’t be assured by any reasonable means. In other words, it could very well be a fake certificate. The solution is to use a certificate that is not signed with MD5 but with SHA256 or better. Refer to the MD5 signature algorithm support section for more information.
Digest_error: NONE: not usable
This error occurs if you specify both auth none and tls-auth in your client profile. This happens because tls-auth needs an auth digest, but it isn’t specified.
To resolve the error, remove the tls-auth directive. You can't enable it with auth none enabled.
Error parsing certificate: X509 — The date tag or value is invalid
This error occurs with a faulty certificate. Refer to this detailed forum post for more info.
SSL — Processing of the ServerKeyExchange handshake message failed
This error likely occurs when using older versions of OpenVPN/OpenSSL on the server side. Some users have solved this issue by updating their OpenVPN and OpenSSL software on the server side.
mbedTLS: error parsing cert certificate : X509 - The date tag or value is invalid
This error occurs with incorrectly formatted certificates. OpenVPN Connect 1.1.1 and newer has a more relaxed format check to accept certificates previously rejected with this error. For more, refer to this detailed forum post.
TLS Error: incoming packet authentication failed from [....]
When you encounter an error message similar to this on the server, this is from a directive change. With OpenVPN 1.0.1 and newer, we changed the default value for the key-direction directive to "bidirectional" for compatibility with the OpenVPN 2.x branch (previously, the default value was "1"). In general, profiles imported before upgrading should still work because the previous default is retained for such profiles. For help, refer to Help Transferring the .ovpn File to iOS or Help Transferring a Profile to Android.
For VPN-on-Demand profiles, refer to Can I Use iOS 6+ VPN-on-Demand With OpenVPN?.
Yes, you can connect from Settings if you have an autologin connection profile.
Yes, OpenVPN Connect on iOS 1.0.5 and newer supports CRLs.
To use a CRL, you must add it to the .ovpn profile, such as:
<crl-verify> -----BEGIN X509 CRL----- MIHxMFwwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKT3BlblZQTiBDQRcNMTQw NDIyMDQzOTI3WhcNMjQwNDE5MDQzOTI3WjAWMBQCAQEYDzIwMTQwNDIyMDQzOTI3 WjANBgkqhkiG9w0BAQQFAAOBgQBQXzbNjXkx8+/TeG8qbFQD5wd6wOTe8HnypQTt eELsI7eyNtiRRhJD3qKfawPVUabSijnwhAPHfhoIOLKe67RLfzOwAsFKPNJAVdmq rYw1t2eucHvGjH8PnTh0aJPJaI67jmNbSI4CnHNcRgZ+1ow1GS+RAK7kotS+dZz9 0tc7Qw== -----END X509 CRL----- </crl-verify>
You can concatenate multiple CRLs together within the crl-verify block.
If you are importing a .ovpn file that references an external CRL file such as crl-verify crl.pem, ensure you drop the file crl.pem into the same place as the .ovpn file during import so the profile parser can access it.