Troubleshooting FAQs
Tip
You can visit our Support Center to find helpful articles and submit a support ticket.
- 1. How do I import my .ovpn file?
- 2. How do I set up my profile for server failover?
- 3. How do I use Tasker with OpenVPN Connect?
- 4. How do I edit or delete a proxy?
- 5. Can I have multiple profiles?
- 6. How can I use the app with profiles that lack a client certificate/key?
- 7. If my OpenVPN profile uses redirect-gateway, does that guarantee that all of my network traffic will be routed through the VPN tunnel?
- 8. How do I set up my profile for server failover?
- 9. Can I push IPv6 DNS servers to my clients?
- 10. How do I set up my local domain for automatic resolution?
- 11. How do I resolve these common error messages?
- 12. How can I make the app work for a profile without a client certificate/key?
- 13. How can I ensure the VPN stays continuously connected?
- 14. (I'm a developer.) How can I detect if OpenVPN Connect is installed?
1. How do I import my .ovpn file?
If you're having trouble importing your profile, try some of the tips below, or refer to specific help for importing your profile on Android or iOS.
2. How do I set up my profile for server failover?
You can provide OpenVPN Connect with a list of servers to connect to. On connection failure, OpenVPN Connect rotates through the list until it finds a responsive server. For example, based on the following entries in the connection profile, OpenVPN Connect tries to connect to server A via UDP port 1194, then TCP port 443, then repeats the process with server B. OpenVPN Connect continues to retry until it successfully connects or hits the connection timeout, which you can configure in the settings.
    remote server-a.example.tld 1194 udp
    remote server-a.example.tld 443 tcp
    remote server-b.example.tld 1194 udp
    remote server-b.example.tld 443 tcp
3. How do I use Tasker with OpenVPN Connect?
Refer to How Do I Use Tasker with OpenVPN Connect for Android?
4. How do I edit or delete a proxy?
Refer to Edit a Proxy Configuration or Delete a Proxy Configuration.
5. Can I have multiple profiles?
Yes, you can import any number of profiles from the Import menu.
OpenVPN Connect assigns a name to the profile based on the server hostname, username, and filename. If you import a profile with the same name as one that already exists, OpenVPN Connect adds (1), (2), etc. to the profile name.
6. How can I use the app with profiles that lack a client certificate/key?
If you have a profile that connects to a server without a client certificate/key, you must include the following directive in your profile:
    setenv CLIENT_CERT 0
Including this directive is necessary to resolve an ambiguity when the profile doesn’t contain a client certificate or key. When there isn’t a client certificate or key in the profile, OpenVPN Connect doesn’t know whether to obtain an external certificate/key pair from the mobile OS Keychain or whether the server requires a client certificate/key. For example, a server that doesn’t require a client certificate/key is configured with the client-cert-not-required directive. The option is given as a “setenv” to avoid breaking other OpenVPN clients that might not recognize it.
7. If my OpenVPN profile uses redirect-gateway, does that guarantee that all of my network traffic will be routed through the VPN tunnel?
Yes, all traffic routes through the VPN tunnel with a profile that uses redirect-gateway, but with some important exceptions:
8. How do I set up my profile for server failover?
To set up your profile for server failover, provide OpenVPN Connect with a connection list of servers. On connection failure, OpenVPN Connect rotates through the list until it finds a responsive server. For example, the following entries in the profile will first try to connect to server A via UDP port 1194, then TCP port 443, then repeat the process with server B. OpenVPN Connect continues to retry until it successfully connects or hits the Connection Timeout, which you can configure in the settings within OpenVPN Connect.
    remote server-a.example.tld 1194 udp
    remote server-a.example.tld 443 tcp
    remote server-b.example.tld 1194 udp
    remote server-b.example.tld 443 tcp
9. Can I push IPv6 DNS servers to my clients?
Yes, you can push an IPv6 DNS server by using the same format used for IPv4 ones:
    push "dhcp-option DNS 2001:abde::1"
10. How do I set up my local domain for automatic resolution?
To set up your local domain for automatic resolution, use either redirect-gateway or a VPN-specific DNS configuration, then use the following directive (with your domain instead of the example domain):
    push "dhcp-option ADAPTER_DOMAIN_PREFIX foo.tld"
When the iOS DNS subsystem first tries to resolve a partly qualified domain name (PQDN) and can't succeed, it concatenates the PQDN with the system domain prefix (normally assigned by your uplink gateway, for example ".lan"). The above directive specifies a different domain to append by having the server push a special directive that includes the new name.
11. How do I resolve these common error messages?
Below are some common error messages with solutions.
- error parsing certificate : X509 — the date tag or value is invalid
  This is caused by a faulty certificate. Refer to this detailed forum post for more.
- certificate verification failed : x509 — certificate verification failed, e.g. crl, ca or signature check failed
  This error occurs when a certificate can't be verified properly. If you're using an MD5-signed certificate, refer to MD5 Signature Algorithm Support. The security level for this type of certificate is so low that the authenticity of the certificate can't be assured. Resolution involves signing with SHA256 or better.
- digest_error: NONE: not usable
  This error occurs when you specify auth none and tls-auth in your client profile. This is because tls-auth requires an auth digest, but none was specified. To resolve, remove the tls-auth directive, since it can't be enabled anyway unless you set the auth directive to any value other than none.
- SSL — Processing of the ServerKeyExchange handshake message failed
  This error likely occurs when using older versions of OpenVPN/OpenSSL on the server side. You may be able to resolve this by updating your OpenVPN and/or OpenSSL software on the server.
- mbedTLS: error parsing cert certificate : X509 - The date tag or value is invalid
  This error occurs with incorrectly formatted certificates. OpenVPN Connect 1.1.1 and newer has a more relaxed format check to accept certificates previously rejected with this error. For more, refer to this detailed forum post.
- TLS Error: incoming packet authentication failed from [....]
  When you encounter an error message similar to this on the server, this is from a directive change. With OpenVPN 1.0.1 and newer, we changed the default value for the key-direction directive to "bidirectional" for compatibility with the OpenVPN 2.x branch (previously, the default value was "1"). In general, profiles imported before upgrading should still work because the previous default is retained for such profiles.
For help, refer to Help Transferring the .ovpn File to iOS or Help Transferring a Profile to Android. For VPN-on-Demand profiles, refer to Can I Use iOS 6+ VPN-on-Demand With OpenVPN?
12. How can I make the app work for a profile without a client certificate/key?
If you want to use an OpenVPN connection profile that doesn't include a certificate/key, ensure you add the following directive to your profile:
    setenv CLIENT_CERT 0
This directive is necessary because the OpenVPN3 client library that OpenVPN Connect uses assumes that a client and server certificate are used for verifying the identity of the client and the server in both directions. The client needs to be told not to expect a client key/certificate, because otherwise the client app can't know whether an external certificate/key pair should be obtained from the system certificate store, or whether the server actually doesn't require a client certificate/key. An example would be a server configured with the client-cert-not-required directive. The option is given as a setenv to avoid breaking other OpenVPN clients that might not recognize it.
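As an added example (not OpenVPN's own code), this Python script lints a profile for two conditions this FAQ describes: no client certificate/key without setenv CLIENT_CERT 0 (questions 6 and 12), and auth none combined with tls-auth, which produces digest_error (question 11). It also lists the remote entries in failover order; the sample profile and function names are constructed for illustration.

```python
import re
# Constructed sample profile (not from the page): no client cert/key, auth none + tls-auth.
SAMPLE_PROFILE = """\
client
remote server-a.example.tld 1194 udp
remote server-a.example.tld 443 tcp
remote server-b.example.tld 1194 udp
auth none
tls-auth ta.key
auth-user-pass
"""

def parse_directives(text):
    """Return ([(name, args), ...], {names of inline <block>s}) for a profile."""
    directives, blocks, inside = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if inside:  # skip the body of an inline block such as <cert>...</cert>
            if line == f"</{inside}>":
                inside = None
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            inside = m.group(1)
            blocks.add(inside)
        elif line and line[0] not in "#;":  # '#' and ';' start comments
            name, *args = line.split()
            directives.append((name, args))
    return directives, blocks

def failover_order(text):
    """Remote entries in the order the client rotates through them."""
    return [tuple(a[:3]) for n, a in parse_directives(text)[0] if n == "remote"]

def lint_profile(text):
    """Flag the two profile problems described in this FAQ."""
    directives, blocks = parse_directives(text)
    names = {n for n, _ in directives} | blocks
    findings = []
    # No client cert/key (file or inline; pkcs12 bundles both): the opt-out is needed.
    if names.isdisjoint({"cert", "key", "pkcs12"}) and \
            ("setenv", ["CLIENT_CERT", "0"]) not in directives:
        findings.append("no client cert/key: add 'setenv CLIENT_CERT 0'")
    # tls-auth needs an auth digest, so 'auth none' yields digest_error.
    if "tls-auth" in names and ("auth", ["none"]) in directives:
        findings.append("'auth none' with tls-auth: remove tls-auth or set auth")
    return findings

if __name__ == "__main__":
    print(failover_order(SAMPLE_PROFILE), lint_profile(SAMPLE_PROFILE))
```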
13. How can I ensure the VPN stays continuously connected?
Set the following settings for OpenVPN Connect:
Additionally, if you want to prevent apps from accessing the internet except through the VPN, enable Seamless Tunnel.
14. (I'm a developer.) How can I detect if OpenVPN Connect is installed?
OpenVPN Connect 1.0.6 and newer installs the openvpn:// and openvpn-connect:// URL schemes, which you can detect with the following code (using the openvpn:// example):
    // application is the UIApplication instance, e.g. [UIApplication sharedApplication]
    BOOL installed = [application canOpenURL:[NSURL URLWithString:@"openvpn://"]];