What is the meaning of the various OpenVPN settings in the iOS Settings App?

UI Settings

  • Raise Keyboard — When ON, the app will try to raise the iOS soft keyboard whenever an input field is selected.

Connection Settings

  • Seamless tunnel (requires iOS 8 or higher) — Make a best effort to keep the tunnel active across pause, resume, and reconnect states. Normally, when the VPN pauses, resumes, or reconnects (for example when the device moves between WiFi and Cellular data), the tunnel disengages for a short period, usually on the order of seconds or less. During that window, traffic can bypass the tunnel and go directly to the internet. With this option ON, the tunnel stays engaged until it is manually disconnected, even across sleep/wakeup and network reconfiguration events, which reduces the incidence of packet leakage. Consider also enabling the Layer 2 reachability setting (below) when using Seamless Tunnel.
  • Connect via — Connect to the VPN server by WiFi, Cellular Data, or either.
  • Reconnect on wakeup — Automatically reconnect a VPN profile if it was active prior to device sleep.
  • Protocol — Force a particular transport protocol (UDP or TCP).
  • Compression — Select tunnel compression options. Leave compression off unless a server requires it: compressing plaintext before it is encrypted can leak information about that plaintext to an observer of the tunnel (the VORACLE class of attacks).
  • Connection timeout — How long should OpenVPN try to connect before giving up? If set to None, OpenVPN will retry indefinitely.
  • Network state detection — How should OpenVPN handle network state changes or network reconfiguration events where the network comes up, goes down, or transitions between WiFi and Cellular data?
    • Active (default) : When connected, always attempt to reconnect after network reconfiguration events.
    • Lazy : When connected, attempt to preserve existing connection during network reconfiguration events.
    • Disabled : Don’t consider network state when initially connecting, and don’t use network state changes to trigger pause/reconnect/disconnect behaviour.

Advanced Settings

  • Force AES-CBC ciphersuites — When ON, the connection MUST use one of the following two ciphersuites:
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA, or
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA

    When OFF, no specific ciphersuites are forced. Both suites above use CBC mode with a SHA-1 MAC and can only be negotiated with TLS 1.2 or lower; leave this OFF unless a legacy server cannot negotiate anything else.

  • Minimum TLS version — Set the minimum TLS version the app will accept. An explicitly selected TLS version overrides any profile setting. With Profile Default, the app uses the profile's tls-version-min directive if present, and TLS 1.0 otherwise. If Disabled is selected AND Force AES-CBC ciphersuites (above) is ON, the app enforces no minimum at all, so the version negotiated with the server could be as low as SSL 3, which is insecure (POODLE). Unless a legacy server prevents it, select TLS 1.2 or higher explicitly, or put tls-version-min 1.2 in the profile.
  • Google DNS fallback — If ON, use Google DNS servers (8.8.8.8 and 8.8.4.4) as a fallback for connections that route all internet traffic through the VPN tunnel but don't define any VPN DNS servers. Those queries then go to Google rather than to a resolver you control; the better fix is for the profile or the server to define a VPN DNS server.
  • Layer 2 reachability — If ON, and if Seamless Tunnel (above) is also ON, use a more robust test of network reachability when transitioning between WiFi and Cellular networks.

Proxy Settings and Credentials

  • Enable Proxy — When ON, connect to the VPN server via an HTTP proxy.
  • Host — HTTP proxy hostname or IP address.
  • Port — HTTP proxy port number.
  • Allow Basic auth — If ON, allow authentication methods that transmit the proxy password in cleartext. Basic auth only base64-encodes the credentials, which anyone on the path between the device and the proxy can decode; leave this OFF unless the proxy offers nothing else.
  • Username — HTTP proxy username. OpenVPN supports NTLMv2, Digest, and Basic authentication to the proxy.
  • Password — HTTP proxy password.
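The Advanced and Proxy settings above map onto directives in the .ovpn profile, so the weak combinations (no tls-version-min, full-tunnel routing with no VPN DNS server, an http-proxy line that asks for Basic auth, compression turned on) can be checked before the profile is imported. The following is an added example written for this page, not OpenVPN's own code: a small profile linter that applies the rules stated above. It assumes the OpenVPN 2.x directive syntax that .ovpn files use; the sample profile, its hostnames and its proxy address are constructed placeholders.

```python
"""Audit an OpenVPN client profile for the settings discussed in this FAQ.

Added example (not OpenVPN's own code). It mirrors the rules the FAQ states:
  - "Profile Default" for Minimum TLS version means the tls-version-min
    directive if the profile has one, otherwise TLS 1.0.
  - A profile that sends all traffic through the tunnel (redirect-gateway)
    but defines no VPN DNS server relies on the Google DNS fallback setting.
  - An http-proxy line that selects the "basic" method sends the proxy
    password in cleartext.
Directive syntax follows the OpenVPN 2.x config format used by .ovpn files.
"""
import re

# Constructed sample profile for the demo; hostnames are placeholders.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
redirect-gateway def1
; no dhcp-option DNS below, so name resolution depends on the DNS fallback
http-proxy proxy.example.com 3128 auto basic
comp-lzo
<ca>
(certificate body omitted in this constructed sample)
</ca>
"""

INLINE_BLOCK = re.compile(r"^<(/?)([a-z0-9-]+)>$")


def parse_directives(text):
    """Return [(name, [args...])] per directive, skipping blank lines,
    comments (# or ;) and the bodies of inline blocks such as <ca>...</ca>."""
    directives, open_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = INLINE_BLOCK.match(line)
        if m:
            if m.group(1) == "/":
                if m.group(2) == open_block:
                    open_block = None
            else:
                open_block = m.group(2)
            continue
        if open_block or not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def version_tuple(v):
    """'1.2' -> (1, 2) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def effective_tls_min(directives, app_setting=None):
    """Apply the FAQ rule: an explicit app setting (e.g. "1.2") wins;
    otherwise Profile Default means tls-version-min if present, else 1.0."""
    if app_setting is not None:
        return app_setting
    for name, args in directives:
        if name == "tls-version-min" and args:
            return args[0]
    return "1.0"  # the app's default when the profile says nothing


def compression_enabled(directives):
    """True if the profile turns on tunnel compression. 'comp-lzo no',
    bare 'compress', and 'compress stub[-v2]' only negotiate framing."""
    for name, args in directives:
        if name == "comp-lzo" and args != ["no"]:
            return True
        if name == "compress" and args and args[0] not in ("stub", "stub-v2"):
            return True
    return False


def audit_profile(text, app_tls_setting=None, google_dns_fallback=False):
    """Return a list of human-readable findings for the profile text."""
    directives = parse_directives(text)
    names = {name for name, _ in directives}
    findings = []

    tls_min = effective_tls_min(directives, app_tls_setting)
    if version_tuple(tls_min) < (1, 2):
        findings.append(f"TLS floor is {tls_min}: add 'tls-version-min 1.2' to the "
                        "profile or choose an explicit Minimum TLS version in the app")

    has_vpn_dns = any(name == "dhcp-option" and args[:1] == ["DNS"]
                      for name, args in directives)
    if "redirect-gateway" in names and not has_vpn_dns:
        # The server may still push a resolver at connect time, so a local
        # profile without one is a prompt to check, not proof of a problem.
        where = ("queries go to 8.8.8.8/8.8.4.4 unless the server pushes a resolver"
                 if google_dns_fallback else
                 "check that the server pushes one, or enable Google DNS fallback")
        findings.append("all traffic is tunnelled and no DNS server is defined "
                        "locally: " + where)

    for name, args in directives:
        if name == "http-proxy" and len(args) >= 4 and args[3].lower() == "basic":
            findings.append(f"http-proxy {args[0]}:{args[1]} requests Basic auth: the "
                            "proxy password crosses the wire in cleartext; prefer ntlm2 "
                            "and keep 'Allow Basic auth' OFF")

    if compression_enabled(directives):
        findings.append("tunnel compression is enabled; compressing plaintext "
                        "before encryption is discouraged")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("-", finding)
```

Run against the constructed profile it reports four findings; adding `tls-version-min 1.2` and a `dhcp-option DNS` line, switching the proxy method to `ntlm2`, and dropping `comp-lzo` brings it to zero. The DNS check is deliberately conservative, because a server-pushed resolver is invisible in the local file.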