
Troubleshooting FAQs

Tip

You can visit our Support Center to find helpful articles and submit a support ticket.

1.

How do I import my .ovpn file?

If you're having trouble importing your profile, try some of the tips below. Or refer to specific help for importing your profile on Android or iOS.

  • When you import a .ovpn file, ensure that every file it references through directives such as ca, cert, key, and tls-auth (typically .crt and .key files) is in the same directory on the device as the .ovpn file.

  • Profiles must be UTF-8 (or ASCII) and under 256 KB in size.

  • Consider using the unified format for OpenVPN profiles, which allows embedding all certs and keys into the .ovpn file. This simplifies management of the OpenVPN configuration by integrating all configuration elements into a single file. For example, a traditional OpenVPN profile might specify certs and keys as follows:

    ca ca.crt
    cert client.crt
    key client.key
    tls-auth ta.key 1

    You can convert the usage to unified form by pasting the content of the certificate and key files directly into the OpenVPN profile as follows, using an XML-like syntax:

    <ca>
    -----BEGIN CERTIFICATE-----
    MIIBszCCARygAwIBAgIE...
    . . .
    /NygscQs1bxBSZ0X3KRk...
    Lq9iNBNgWg==
    -----END CERTIFICATE-----
    </ca>
    
    <cert>
    -----BEGIN CERTIFICATE-----
    . . .
    </cert>
    
    <key>
    -----BEGIN RSA PRIVATE KEY-----
    . . .
    </key>
    
    key-direction 1
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    . . .
    </tls-auth>

    Another approach to eliminate certificates and keys from the OpenVPN profile is to use the OS keychain.

    Note

    When converting tls-auth to unified format, check whether there is a second parameter after the filename (usually 0 or 1). This is the key-direction parameter, and it must be specified as a standalone directive once tls-auth is converted to unified format, because an inline <tls-auth> block cannot carry it.

    As an example, if the parameter is 1, add this line to the profile:

    key-direction 1

    If there isn't a second parameter to tls-auth, add this line to the profile:

    key-direction bidirectional
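The conversion described above can be done mechanically. The following is an added example for this FAQ, not code from OpenVPN or from this page: it rewrites a file-referencing profile into the unified format, turns the direction argument of tls-auth into a standalone key-direction directive (emitting key-direction bidirectional when the argument is absent, as the note says), and checks the two import limits stated earlier (UTF-8 and under 256 KB). The sample profile and the PEM bodies are constructed stand-ins; a real run would pass a function that reads files from the profile's own directory.

```python
import shlex

# Directives whose file argument OpenVPN accepts as an inline <directive> block.
INLINE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "tls-crypt", "dh", "crl-verify")
MAX_PROFILE_BYTES = 256 * 1024  # OpenVPN Connect's import limit, per the FAQ above


def parse_directive(line):
    """Split one profile line into (directive, [args]); None for blank or comment lines."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return None
    parts = shlex.split(stripped)  # copes with quoted paths that contain spaces
    return parts[0], parts[1:]


def inline_profile(profile_text, read_file):
    """Return the profile with file references replaced by inline blocks.

    read_file(name) -> str supplies a referenced file's text, so the caller decides
    whether that means the filesystem or, as in the demo below, an in-memory dict.
    """
    lines = profile_text.splitlines()
    has_key_direction = any(
        (p := parse_directive(ln)) is not None and p[0] == "key-direction" for ln in lines
    )
    out = []
    for raw in lines:
        parsed = parse_directive(raw)
        if parsed is None or parsed[0] not in INLINE_DIRECTIVES or not parsed[1]:
            out.append(raw)
            continue
        directive, args = parsed
        # 'dh none' and 'crl-verify DIR dir' name no single file to inline; keep them.
        if (directive == "dh" and args[0] == "none") or (directive == "crl-verify" and len(args) > 1):
            out.append(raw)
            continue
        if directive == "tls-auth" and not has_key_direction:
            # tls-auth FILE [0|1]: the optional second argument is the key direction.
            # An inline <tls-auth> block cannot carry it, so emit a standalone
            # key-direction directive; no argument means bidirectional.
            out.append("key-direction " + (args[1] if len(args) > 1 else "bidirectional"))
            has_key_direction = True
        out.append("<%s>" % directive)
        out.append(read_file(args[0]).strip())
        out.append("</%s>" % directive)
    return "\n".join(out) + "\n"


def check_import_limits(profile_bytes):
    """Return the FAQ's import rules that these profile bytes violate (empty list means OK)."""
    problems = []
    try:
        profile_bytes.decode("utf-8")  # ASCII is a subset of UTF-8
    except UnicodeDecodeError:
        problems.append("profile is not valid UTF-8/ASCII")
    if len(profile_bytes) >= MAX_PROFILE_BYTES:
        problems.append("profile is %d bytes; must be under %d" % (len(profile_bytes), MAX_PROFILE_BYTES))
    return problems


# Constructed stand-ins for the demo; real files hold complete PEM bodies.
SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nconstructed-ca-body\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\nconstructed-client-body\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN PRIVATE KEY-----\nconstructed-key-body\n-----END PRIVATE KEY-----\n",
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\nconstructed-hmac-key\n-----END OpenVPN Static key V1-----\n",
}

# Constructed profile in the traditional file-referencing form shown in the FAQ.
SAMPLE_PROFILE = """client
dev tun
remote vpn.example.tld 1194 udp
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
"""

if __name__ == "__main__":
    unified = inline_profile(SAMPLE_PROFILE, SAMPLE_FILES.__getitem__)
    print(unified)
    print(check_import_limits(unified.encode("utf-8")) or "import limits OK")
```

The reader callback is the only thing to swap for real use, for example `lambda name: open(os.path.join(profile_dir, name)).read()`; keeping it a parameter also keeps the conversion testable without touching the filesystem.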

2.

How do I set up my profile for server failover?

You can provide OpenVPN Connect with a list of servers to connect to. On connection failure, OpenVPN Connect rotates through the list until it finds a responsive server.

For example, based on the following entries in the connection profile, OpenVPN Connect tries to connect to server A via UDP port 1194, then TCP port 443, then repeats the process with server B. OpenVPN Connect continues to retry until it successfully connects or hits the connection timeout, which you can configure in the settings.

remote server-a.example.tld 1194 udp
remote server-a.example.tld 443 tcp
remote server-b.example.tld 1194 udp
remote server-b.example.tld 443 tcp

3.

How do I use Tasker with OpenVPN Connect?

Refer to How Do I Use Tasker with OpenVPN Connect for Android?.

4.

How do I edit or delete a proxy?

Refer to Edit a Proxy Configuration or Delete a Proxy Configuration.

5.

Can I have multiple profiles?

Yes, you can import any number of profiles from the Import menu:

  1. Launch OpenVPN Connect.

  2. Tap the Add icon.

  3. Enter the URL and username credentials or import from file.

  4. To connect to the profile, tap the profile’s radio button.

  5. Enter your password.

OpenVPN Connect assigns a name to the profile based on the server hostname, username, and filename. If you import a profile with the same name as one that already exists, OpenVPN Connect adds (1), (2), etc to the profile name.

6.

How can I use the app with profiles that lack a client certificate/key?

If your profile connects to a server that doesn't require a client certificate/key (for example, a server configured with the client-cert-not-required directive, or with verify-client-cert none on OpenVPN 2.4 and newer), you must include the following directive in your profile:

setenv CLIENT_CERT 0

This directive resolves an ambiguity. The OpenVPN 3 client library that OpenVPN Connect uses assumes that certificates verify the identity of both client and server, so when the profile carries no client certificate or key, the app can't tell whether it should obtain an external certificate/key pair from the OS keychain (the system certificate store) or whether the server simply doesn't require one. The option is expressed as a setenv, which every OpenVPN client accepts, so it doesn't break other clients that don't recognize it.

7.

If my OpenVPN profile uses redirect-gateway, does that guarantee that all of my network traffic will be routed through the VPN tunnel?

Yes, all traffic routes through the VPN tunnel with a profile that uses redirect-gateway, but with some important exceptions:

  • Apple services such as Push Notifications and FaceTime never route through a VPN tunnel, per Apple policy.

  • During pause, resume, and reconnect states, such as when transitioning between Wi-Fi and cellular data, the VPN tunnel may temporarily disengage, allowing network traffic to bypass the tunnel and route directly to the internet. If you are running iOS 8 or higher, you can enable the Seamless Tunnel setting in the OpenVPN section of the Settings app. It makes a best effort to keep the tunnel active during pause, resume, and reconnect states to prevent packet leakage to the internet.

9.

Can I push IPv6 DNS servers to my clients?

Yes, you can push an IPv6 DNS server using the same format as for IPv4 ones:

push "dhcp-option DNS 2001:abde::1"

10.

How do I set up my local domain for automatic resolution?

To have names in your local domain resolve automatically, either use redirect-gateway or configure a VPN-specific DNS server, then push the following directive (with your own domain in place of the example):

push "dhcp-option ADAPTER_DOMAIN_PREFIX foo.tld"

When the iOS DNS subsystem fails to resolve a partly qualified domain name (PQDN), it retries with the system domain suffix appended (normally assigned by your uplink gateway, for example ".lan"). The directive above has the server push a different domain to append instead, so that short names in your domain resolve through the VPN.

11.

How do I resolve these common error messages?

Below are some common error messages with solutions.

error parsing certificate : X509 — the date tag or value is invalid

This is caused by a faulty certificate. Refer to this detailed forum post for more.

certificate verification failed : x509 — certificate verification failed, e.g. crl, ca or signature check failed

This error occurs when a certificate can't be verified. If you're using an MD5-signed certificate, refer to MD5 Signature Algorithm Support: MD5 is collision-broken, TLS libraries now reject MD5 signatures, and the authenticity of such a certificate can't be assured. Resolve it by re-issuing the certificate signed with SHA-256 or stronger. Otherwise check the usual chain problems: the ca in the client profile must include the CA that issued the server certificate, the certificate must be within its validity period and not revoked by a crl-verify list, and the device clock must be correct.

digest_error: NONE: not usable

This error occurs when you specify auth none together with tls-auth in your client profile: the tls-auth packet HMAC uses the auth digest, so none leaves it nothing to work with. Either set auth to a real digest (for example SHA256, matching the server) or remove tls-auth. Prefer the former if the server is configured with tls-auth, because a client that omits it will have its control-channel packets dropped by that server.

SSL — Processing of the ServerKeyExchange handshake message failed

This error usually points to older OpenVPN/OpenSSL versions on the server side, typically a ServerKeyExchange that carries DH parameters shorter than the client's TLS library accepts or a signature algorithm the client has disabled. Updating OpenVPN and/or OpenSSL on the server, and regenerating short dh parameters at 2048 bits or more, generally resolves it.

mbedTLS: error parsing cert certificate : X509 - The date tag or value is invalid

This error occurs with incorrectly formatted certificates. OpenVPN Connect 1.1.1 and newer has a more relaxed format check to accept certificates previously rejected with this error. For more, refer to this detailed forum post.

TLS Error: incoming packet authentication failed from [....]

When you encounter an error message similar to this on the server, the usual cause is a key-direction mismatch caused by a change in defaults. With OpenVPN Connect 1.0.1 and newer, the default value for the key-direction directive changed to "bidirectional" for compatibility with the OpenVPN 2.x branch (previously, the default was "1"). Profiles imported before upgrading should still work, because the previous default is retained for them; for new imports, state key-direction explicitly so that the client matches the server's tls-auth direction. For help, refer to Help Transferring the .ovpn File to iOS or Help Transferring a Profile to Android.

For VPN-on-Demand profiles, refer to Can I Use iOS 6+ VPN-on-Demand With OpenVPN?.
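Three of the mistakes this page describes can be caught before the profile is ever imported: auth none combined with tls-auth (the digest_error message), tls-auth with no explicit key-direction (the usual cause of the incoming packet authentication failure), and a profile with no client certificate/key that lacks setenv CLIENT_CERT 0 (the client certificate question above). The following is an added example for this FAQ, not OpenVPN's own code. The profiles in it are constructed, and the SHA1 it assumes when auth is absent is OpenVPN 2.x's default digest.

```python
import re
import shlex

# Matches an inline block such as <ca> ... </ca> (the unified format described above).
INLINE_RE = re.compile(r"<([\w-]+)>.*?</\1>", re.S)


def parse_profile(text):
    """Return ({directive: [[args], ...]}, {inline block names}) for one profile text."""
    inline = set(INLINE_RE.findall(text))
    directives = {}
    for line in INLINE_RE.sub("", text).splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        parts = shlex.split(stripped)
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, inline


def lint_profile(text):
    """Return (topic, message) findings for three mistakes the FAQ above describes."""
    d, inline = parse_profile(text)
    findings = []

    # digest_error: NONE: not usable -- the tls-auth HMAC needs a real auth digest.
    has_tls_auth = "tls-auth" in d or "tls-auth" in inline
    auth = d.get("auth", [["SHA1"]])[-1]  # assumed default when auth is absent
    if has_tls_auth and auth and auth[0].lower() == "none":
        findings.append(("auth", "auth none with tls-auth gives 'digest_error: NONE: not usable'; "
                                 "set auth to a real digest rather than dropping tls-auth"))

    # TLS Error: incoming packet authentication failed -- usually a key-direction
    # mismatch. An inline <tls-auth> cannot carry the direction and the app's default
    # has changed between releases, so require it to be stated explicitly.
    file_form_without_dir = any(len(a) < 2 for a in d.get("tls-auth", []))
    if ("tls-auth" in inline or file_form_without_dir) and "key-direction" not in d:
        findings.append(("key-direction", "tls-auth without key-direction; add 'key-direction 1' "
                                          "(client side of a server using 0) or 'bidirectional'"))

    # No client cert/key and no 'setenv CLIENT_CERT 0': the client cannot tell whether
    # to fetch a pair from the OS keychain or whether the server needs none at all.
    has_cert = "cert" in d or "cert" in inline or "pkcs12" in d
    has_key = "key" in d or "key" in inline or "pkcs12" in d
    declared_no_cert = any(a[:2] == ["CLIENT_CERT", "0"] for a in d.get("setenv", []))
    if not (has_cert and has_key) and not declared_no_cert:
        findings.append(("setenv", "no client cert/key in the profile and no 'setenv CLIENT_CERT 0'"))
    return findings


# Constructed profile that triggers all three findings; PEM bodies are stand-ins.
BAD_PROFILE = """client
dev tun
remote vpn.example.tld 1194 udp
auth none
<ca>
-----BEGIN CERTIFICATE-----
constructed-ca-body
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
constructed-hmac-key
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# The same profile with each problem corrected.
GOOD_PROFILE = BAD_PROFILE.replace("auth none", "auth SHA256") + "key-direction 1\nsetenv CLIENT_CERT 0\n"

if __name__ == "__main__":
    for name, profile in (("bad", BAD_PROFILE), ("good", GOOD_PROFILE)):
        print(name, lint_profile(profile) or "no findings")
```

The checks deliberately look only at the client profile, so a clean result says the profile is self-consistent, not that it matches the server; the key-direction value in particular still has to be the opposite of the server's tls-auth direction.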

13.

How can I ensure the VPN stays continuously connected?

Set the following settings for OpenVPN Connect:

  • Launch Options: restore connection.

    Tip

    This is an option on Windows or macOS.

  • Connection Timeout: continuously retry.

Additionally, if you want to prevent apps from accessing the internet except through the VPN, enable Seamless Tunnel. As noted under the redirect-gateway question above, this is a best-effort block on leakage during pause, resume, and reconnect states, not a hard kill switch.

14.

(I'm a developer.) How can I detect if OpenVPN Connect is installed?

OpenVPN Connect 1.0.6 and newer registers the openvpn:// and openvpn-connect:// URL schemes, which you can detect with the following code (using openvpn:// as the example). Since iOS 9, canOpenURL: returns NO for any scheme your app hasn't listed under LSApplicationQueriesSchemes in its Info.plist, so declare "openvpn" (or "openvpn-connect") there first:

#import <UIKit/UIKit.h>

// The scheme must be listed under LSApplicationQueriesSchemes in Info.plist (iOS 9+);
// otherwise canOpenURL: returns NO even when OpenVPN Connect is installed.
NSURL *url = [NSURL URLWithString:@"openvpn://"];
BOOL installed = [[UIApplication sharedApplication] canOpenURL:url];