Skip to main content

Frequently Asked Questions

If you have questions about OpenVPN Connect on iOS, refer to this FAQ for answers. If it's not here, feel free to create a support ticket.

Yes, OpenVPN Connect on iOS 1.0.5 and newer supports CRLs.

To use a CRL, you must add it to the .ovpn profile, such as:

<crl-verify>
-----BEGIN X509 CRL-----
MIHxMFwwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKT3BlblZQTiBDQRcNMTQw
NDIyMDQzOTI3WhcNMjQwNDE5MDQzOTI3WjAWMBQCAQEYDzIwMTQwNDIyMDQzOTI3
WjANBgkqhkiG9w0BAQQFAAOBgQBQXzbNjXkx8+/TeG8qbFQD5wd6wOTe8HnypQTt
eELsI7eyNtiRRhJD3qKfawPVUabSijnwhAPHfhoIOLKe67RLfzOwAsFKPNJAVdmq
rYw1t2eucHvGjH8PnTh0aJPJaI67jmNbSI4CnHNcRgZ+1ow1GS+RAK7kotS+dZz9
0tc7Qw==
-----END X509 CRL-----
</crl-verify>

You can concatenate multiple CRLs together within the crl-verify block.

If you are importing a .ovpn file that references an external CRL file such as crl-verify crl.pem, ensure you drop the file crl.pem into the same place as the .ovpn file during import so the profile parser can access it.

Yes, you can create OpenVPN profiles using the iPhone Configuration Utility (iPCU) and export them to a .mobileconfig file. Refer to Using Mobileconfig Profiles.

Yes. OpenVPN Connect supports IPv6 transport and IPv6 tunnels as long as the server supports them.

When you generate a PKCS#12 file, you’re prompted for an "export password" to encrypt the file. You must enter this password when you import the PKCS#12 file into the iOS Keychain. This prevents interception and recovery of the private key during transport.

When you import a PKCS#12, you must always specify a password. If you set an empty password, tap OK without entering text.

iOS uses PKCS#12 files differently than on desktops using OpenVPN. iOS manages PKCS#12 in the iOS Keychain. In contrast, desktops can reference the PKCS#12 files bundled in the OpenVPN profile. The iOS approach is much better from a security perspective because the Keychain can leverage hardware features in the device, such as hardware-backed keystores. However, you must load the PKCS#12 file into the iOS Keychain separately from importing the OpenVPN profile. It also moves the responsibility for managing PKCS#12 files to the iOS Keychain and away from OpenVPN, potentially introducing compatibility issues.

Some cellular networks can't maintain a data connection during a voice call. If the mobile device detects this as a loss of network connectivity, the VPN pauses during the call and automatically resumes when the call ends.

If you experience issues after a recent OpenVPN Connect update:

  1. Delete your connection profile(s).

  2. Reimport your connection profile(s).

  3. Fill in the appropriate credentials to connect.

See the tips for handling the following error messages.

BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

This error relates to cipher suites. To fix this, you can adjust the security level:

  1. Launch OpenVPN Connect.

  2. Tap the menu icon.

  3. Tap Settings.

  4. Tap to expand Advanced Settings.

  5. Set the Security Level to Legacy.

    • Legacy allows some older but still secure algorithms, including AES-CBC.

Certificate verification failed: x509 — certificate verification failed, e.g. crl, ca or signature check failed

This error occurs when a certificate can’t be adequately verified.

One example where certificate verification failure can occur is if you use an MD5-signed certificate. With an MD5-signed certificate, the security level is so low that the certificate's authenticity can’t be assured by any reasonable means. In other words, it could very well be a fake certificate. The solution is to use a certificate that is not signed with MD5 but with SHA256 or better. Refer to the MD5 signature algorithm support section for more information.

Digest_error: NONE: not usable

This error occurs if you specify both auth none and tls-auth in your client profile. This happens because tls-auth needs an auth digest, but it isn’t specified.

To resolve the error, remove the tls-auth directive. You can't enable it with auth none enabled.

Error parsing certificate: X509 — The date tag or value is invalid

This error occurs with a faulty certificate. Refer to this detailed forum post for more info.

SSL — Processing of the ServerKeyExchange handshake message failed

This error likely occurs when using older versions of OpenVPN/OpenSSL on the server side. Some users have solved this issue by updating their OpenVPN and OpenSSL software on the server side.

mbedTLS: error parsing cert certificate : X509 - The date tag or value is invalid

This error occurs with incorrectly formatted certificates. OpenVPN Connect 1.1.1 and newer has a more relaxed format check to accept certificates previously rejected with this error. For more, refer to this detailed forum post.

TLS Error: incoming packet authentication failed from [....]

When you encounter an error message similar to this on the server, this is from a directive change. With OpenVPN 1.0.1 and newer, we changed the default value for the key-direction directive to "bidirectional" for compatibility with the OpenVPN 2.x branch (previously, the default value was "1"). In general, profiles imported before upgrading should still work because the previous default is retained for such profiles. For help, refer to Help Transferring the .ovpn File to iOS or Help Transferring a Profile to Android.

For VPN-on-Demand profiles, refer to Can I Use iOS 6+ VPN-on-Demand With OpenVPN?.

Yes, you can connect from Settings if you have an autologin connection profile.

After importing the PKCS#12 file into the iOS Keychain, you may encounter an error when connecting: "mbedTLS: ca certificate is undefined."

This error displays if you don't include a ca directive in your profile, since the iOS Keychain doesn’t provide the CA list from the PKCS#12 file to OpenVPN. To resolve this, extract the CA list from the PKCS#12 file and add it to your profile via the ca directive.

The iOS VPN API currently only supports TUN-style tunnels. This is a limitation of the iOS platform. If you try to connect a profile that uses a TAP-based tunnel, you get an error that only layer 3 tunnels are currently supported.

For those using a developer, preview, or beta version of the iOS app, thank you for your interest in our product. We appreciate your input. We don't immediately issue bug fixes for issues found in developer preview releases that aren’t available to the general public.

Submit a ticket and report bugs to support.

While we don’t issue immediate fixes for bugs in developer, preview, or beta releases on the iOS platform, we put the bug reports into a queue of known issues for review and resolution. We recommend you install the production version of the app if the bug in the beta version keeps you from using the product to function as expected.

Users running developer, preview, or beta versions should expect some issues—these early releases are not fully polished for general use by nature. By opting in, you acknowledge this in the terms agreed upon with Apple when installing an early iOS preview or beta on your device.

We also test on these versions and are typically aware of the issues. Rest assured, our software will be updated to work smoothly when the final iOS release is available for general use.

This is a known iOS issue. The workaround is to try these steps:

  1. Double-tap the home button to quit Settings.

  2. Drag Settings out of the list of apps.

  3. The next time you launch Settings, apps should display again.