FAQ regarding OpenVPN Connect Android

Some common errors and solutions

The following are common error messages and information about them.

error parsing certificate : X509 - The date tag or value is invalid

This error message occurs with a faulty certificate. Refer to this detailed forum post for more info.

certificate verification failed : x509 - certificate verification failed, e.g. crl, ca or signature check failed

This error message occurs when a certificate can’t be verified properly. Certificate verification failure can occur, for example, if you are using an MD5-signed certificate. With an MD5-signed certificate, the security level is so low that the authenticity of the certificate can’t by any reasonable means be assured. In other words, it could very well be a fake certificate. The solution is to use a certificate not signed with MD5 but with SHA256 or better. Refer to the MD5 signature algorithm support section for more information.

digest_error: NONE: not usable

This error message occurs if you specify auth none and also tls-auth in your client profile. This happens because tls-auth needs an auth digest, but it isn’t specified. To resolve the error, remove the tls-auth directive. It’s not possible to enable it with auth none enabled.

SSL - Processing of the ServerKeyExchange handshake message failed

This error message likely occurs when using older versions of OpenVPN/OpenSSL on the server-side. Some users have solved this issue by updating their OpenVPN and OpenSSL software on the server-side.

BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

This error message relates to cipher suites. You can usually remedy this by going to the app settings in OpenVPN Connect and checking the box for AES-CBC Cipher Algorithm.

Other client error messages

Refer to general OpenVPN client connectivity error messages and solutions for more error messages.

MD5 signature algorithm support

We recommend not using MD5 as an algorithm for a signing certificate due to its possible insecurity. For example, time-standard home computer equipment takes about eight hours to falsify a certificate signed using MD5 as an algorithm. Using MD5 means it’s possible to fake the identity of the server. This opens up to a risk for a man-in-the-middle attack. Such an attack leads to the interception of data communication.

You should only support the use of MD5 for older equipment.

We pushed out a security and functionality upgrade of OpenVPN Connect for Android in November 2017 and discovered that many people’s devices still used MD5-signed certificates.

We recommend converting to a setup with SHA256-signed certificates for any installations that still use MD5-signed certificates. If the devices in use don’t support this option, we recommend updating the device to add the function or replacing the device completely.

For your reference, we have a list of deprecated options and ciphers here: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

Refer to these links for more information about MD5 signatures:

To determine if you are using an MD5 type certificate, use this command with openssl as your testing tool:

openssl x509 -in ca.crt -noout -text | grep "Signature Algorithm"

Example result if the certificate is using MD5:

Signature Algorithm: md5WithRSAEncryption

If you see this result on the CA certificate or client certificate, we recommend converting to a proper, securely signed certificate set that uses at least SHA256 or better.

OpenVPN Access Server doesn’t use MD5-certificate signatures. 

For open-source OpenVPN users or users with a third-party device that includes OpenVPN functionality using MD5-type certificates, you should investigate the option to update the software on your device or change the signature algorithm type, if possible.

The default settings of a program like EasyRSA 3, used by open-source OpenVPN for generating client certificates and keys, are pretty secure and will generate certificates that are not signed with MD5.

How to get started with OpenVPN Connect

To use OpenVPN Connect, you must have an OpenVPN profile that connects to a VPN server. OpenVPN profiles are files with the extension .ovpn.

To import a profile, do one of the following:

  • If you have a .ovpn profile, copy the profile and any files it references to a folder or SD card on your device. Ensure you copy all files to the same folder. Launch OpenVPN Connect, tap the menu icon, tap Import Profile, and tap File. Select the .ovpn profile from the folder location.
  • If you need to connect with OpenVPN Access Server, import the profile directly from Access Server: launch OpenVPN Connect, tap the menu icon, tap Import Profile, and enter the URL for the Access Server Client UI.

If you need to connect with OpenVPN Cloud, import the profile directly from your private Cloud service: launch OpenVPN Connect, tap the menu icon, tap Import Profile, and enter your OpenVPN Cloud URL.

Is OpenVPN Connect for Android vulnerable to Heartbleed?

No—all versions of OpenVPN Connect for Android use the OpenSSL library, which is immune to Heartbleed.

Are CRLs (certificate revocation lists) supported?

Yes, OpenVPN Connect supports certificate revocation lists (CRLs) as of Android version 1.1.14.

To use a CRL, you must add it to the .ovpn profile:

<crl-verify>
-----BEGIN X509 CRL-----
MIHxMFwwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKT3BlblZQTiBDQRcNMTQw
NDIyMDQzOTI3WhcNMjQwNDE5MDQzOTI3WjAWMBQCAQEYDzIwMTQwNDIyMDQzOTI3
WjANBgkqhkiG9w0BAQQFAAOBgQBQXzbNjXkx8+/TeG8qbFQD5wd6wOTe8HnypQTt
eELsI7eyNtiRRhJD3qKfawPVUabSijnwhAPHfhoIOLKe67RLfzOwAsFKPNJAVdmq
rYw1t2eucHvGjH8PnTh0aJPJaI67jmNbSI4CnHNcRgZ+1ow1GS+RAK7kotS+dZz9
0tc7Qw==
-----END X509 CRL-----
</crl-verify>

You can concatenate multiple CRLs together within the crl-verify block above.

If you are importing a .ovpn file that references an external CRL file such as crl-verify crl.pem make sure to drop the file crl.pem into the same place as the .ovpn file during import so the profile parser can access it.

I am having trouble importing my .ovpn file.

The following pointers can help with importing .ovpn files:

1. All files must be in the same directory

When you import a .ovpn file, ensure that all files referenced by the .ovpn file, such as ca, cert, and key files, are in the same directory on the device as the .ovpn file.

2. Check formatting and size

Profiles must be UTF-8 (or ASCII) and under 256 KB in size.

3. Use the unified format for OpenVPN profiles

Consider using the unified format for OpenVPN profiles which allows all certs and keys to be embedded into the .ovpn file. This simplifies OpenVPN configuration management because it integrates all elements of the configuration into a single file.

For example, a traditional OpenVPN profile might specify certs and keys as follows: ca ca.crt cert client.crt key client.key tls-auth ta.key 1. You can convert this usage to unified form by pasting the content of the certificate and key files directly into the OpenVPN profile as follows using an XML-like syntax:

<ca> -----BEGIN CERTIFICATE----- MIIBszCCARygAwIBAgIE... . . . /NygscQs1bxBSZ0X3KRk... Lq9iNBNgWg== -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- . . . </cert> <key> -----BEGIN RSA PRIVATE KEY----- . . . </key> key-direction 1 <tls-auth> -----BEGIN OpenVPN Static key V1----- . . . </tls-auth>

Another approach to eliminate certificates and keys from the OpenVPN profile is to use the Android Keychain. For information about this, refer to the section on using the Android Keychain below.

Note: When converting tls-auth to unified format, check for a second parameter after the filename (usually a 0 or 1). This parameter is also known as the key-direction parameter and must be specified as a standalone directive when tls-auth is converted to a unified format. For example, if the parameter is 1, add this line to the profile: key-direction 1. If there is no second parameter to tls-auth, you must add this line to the profile: key-direction bidirectional.

Where are the support forums for OpenVPN Connect?

https://forums.openvpn.net/

Is IPv6 supported?

Yes. OpenVPN Connect supports IPv6 transport and IPv6 tunnels as long as the server supports them as well.

Why does OpenVPN Connect show two notification icons when connected?

The Android operating system requires two notification icons. They show that the VPN session is a high priority and shouldn’t be arbitrarily terminated by the system.

Can I disable the connection notification sound?

On some Android devices, a connection notification sound plays whenever a VPN tunnel is established and can’t be silenced by a non-root app.

How can I maximize battery life?

You can enable Battery Saver within OpenVPN Connect to pause the VPN when the phone screen goes blank:

  1. Launch OpenVPN Connect.
  2. Tap the menu icon.
  3. Tap Settings.
  4. Tap to enable Battery Saver

Note: It’s possible if you enable Battery Saver settings and Seamless Tunnel options, you will block any app from reaching the internet while the VPN is active, but the device screen isn’t on. Enabling both can be useful for additional energy savings, as long as you don’t have any background apps that need constant internet access.

Can I control the VPN from outside the app?

Yes, you can control the VPN connection using shortcuts. You can quickly connect to a specific profile by adding a shortcut on your phone for OpenVPN Connect:

  1. Launch OpenVPN Connect.
  2. Tap the edit icon for the profile you want to make a shortcut.
  3. Tap Set Connect Shortcut.
  4. Enter a shortcut name, or keep the default suggestions and tap Create.
  5. Add the app shortcut to your home screen.

You can quickly disconnect from the VPN by adding a shortcut on your phone for OpenVPN Connect:

  1. Launch OpenVPN Connect.
  2. Tap the menu icon at the top left.
  3. Tap Settings.
  4. Tap Set Disconnect Shortcut.
  5. Add the app shortcut to your home screen.

How can I ensure that the VPN stays continuously connected?

In the Preferences menu, select the Reconnect on reboot option. Also, consider setting

You can enable reconnecting on reboot within OpenVPN Connect. If there’s an active VPN connection when the phone restarts, the app will reconnect on reboot.

  1. Launch OpenVPN Connect.
  2. Tap the menu icon.
  3. Tap Settings.
  4. Tap to enable Reconnect on Reboot.

Additionally, you can set the Connection Timeout under Settings to Continuously Retry.

Why does the VPN disconnect when I make or receive a voice call?

Some cellular networks are incapable of maintaining a data connection during a voice call. If Android detects this as a loss of network connectivity, the VPN pauses during the call and automatically resumes when the call ends.

Given that mobile devices are easily lost or stolen, how best to secure VPN profiles against compromise if the device falls into the wrong hands?

The safest option is not to save your password and use the Android Keychain as a repository for your private key (see below).

You have the option to save the password by checking Save Password when you edit the profile. When you check this, OpenVPN Connect stores your password in the keychain.

Is it safe to save passwords?

If you check the Save checkbox on the authentication or private key password fields, the app will store your password in an encrypted form, however a determined attacker with physical possession of the device would still be able to recover the password with some reverse engineering.

Currently, the best options for security are to avoid saving passwords, and to use the Android Keychain as a repository for your private key (see below).

The Android developers are in the process of implementing an API for secure storage of passwords that will leverage on the hardware-backed keystore and master device password, however this development is not complete as of Android 4.2. This approach will protect saved passwords even if the device is rooted. When this development is complete, we plan to support it in the app.

Why is the save password switch sometimes disabled?

The save password switch on the authentication password field is typically enabled, but you can disable it by adding the following OpenVPN directive to the profile:

setenv ALLOW_PASSWORD_SAVE 0

Note: The above directive only applies to the authentication password. The private key password, if it exists, can always be saved.

How can I use OpenVPN Connect with profiles that lack a client certificate/key?

If you have a profile that connects to a server without a client certificate/key, you must include the following directive in your profile:

setenv CLIENT_CERT 0

Including this directive is necessary to resolve an ambiguity when the profile doesn’t contain a client certificate or key. When there isn’t a client certificate or key in the profile, OpenVPN Connect doesn’t know whether to obtain an external certificate/key pair from the Android Keychain or whether the server requires a client certificate/key. For example, a server that doesn’t require a client certificate/key is configured with the client-cert-not-required directive. The option is given as a “setenv” to avoid breaking other OpenVPN clients that might not recognize it.

Why does the app not support TAP-style tunnels?

The Android VPN API currently supports only TUN-style or routed tunnels on Layer 3. TAP-style or bridged tunnels on Layer 2 are not possible on Android. This is a limitation of the Android platform. If you try to connect a profile that uses a TAP-based tunnel, you get an error that says only Layer 3 tunnels are currently supported.

If you want to see TAP-style tunnels supported in OpenVPN Connect, contact the Google Android team and ask them to extend the VpnService API to allow this. Without such changes to the VpnService API, non-root apps such as OpenVPN Connect can’t support TAP-style tunnels.

Are there any OpenVPN directives not supported by the app?

While OpenVPN Connect supports most OpenVPN client directives, we’ve made an effort to reduce bloat and improve maintainability by eliminating what we believe to be obsolete or rarely-used directives. Please email us at android@openvpn.net if you think that we should reconsider a specific directive that we’ve excluded.

Here is a partial list of directives not currently supported:

  • dev tap — This directive is not supported because the underlying Android VPN API doesn't support tap-style tunnels.
  • fragment — The fragment directive is not supported due to the complexity it adds to the OpenVPN implementation. It’s better to leave fragmentation up to the lower-level transport protocols. Note as well that the client doesn’t support connecting to a server that uses the fragment directive.
  • secret — Static key encryption mode (non-TLS) isn’t supported.
  • socks-proxy — Socks proxy support is currently not supported.
  • Not all ciphers are supported - OpenVPN Connect fully supports the AES-GCM and AES-CBC ciphers, and ChaCha20-Poly1305 as of Connect v3.3. The AES-GCM cipher algorithm in particular is well-suited for modern processors generally used in Android devices, iOS devices, macs and modern PCs. The deprecated DES and Blowfish ciphers are currently still supported but will be removed in the future. 
  • proxy directives — While proxy directives are currently supported (http-proxy and http-proxy-option), they are currently NOT supported in <connection> profiles.

Can I have multiple profiles?

Yes, you can import any number of profiles from the Import menu:

  1. Launch OpenVPN Connect.
  2. Tap the Add icon.
  3. Enter the URL and username credentials or import a .ovpn file.
  4. To connect to the profile, tap the profile’s radio button.
  5. Enter your password.

OpenVPN Connect assigns a name to the profile based on the server hostname, username and filename. If you import a profile with the same name as one that already exists, OpenVPN Connect adds (1), (2), etc to the profile name.

How do I delete or rename a profile?

To delete a profile, tap the Edit icon next to the profile. From the Edit Profile screen, tap Delete Profile.

To rename a profile, tap the Edit icon next to the profile. From the Edit Profile screen, tap the Profile Name field and change it.

Can I have multiple proxies?

Yes, you can add any number of proxies from the main menu. Each profile can have one proxy assigned.

To add a proxy:

  1. Launch OpenVPN Connect.
  2. Tap the Menu icon in the top left.
  3. Tap Proxies.
  4. Tap the Add icon.
  5. Enter the connection information for the proxy and tap Save.

Once you’ve added a proxy, you can add it to your profile:

  1. Tap the Edit icon for the profile.
  2. Under Proxy, tap the radio button of the proxy to add.
  3. Tap Save.

The profile now displays both the OpenVPN Profile and the proxy name. When you connect, your connection to the VPN server authenticates using the proxy server.

How do I edit or delete a proxy?

To edit or delete a proxy:

  1. Launch OpenVPN Connect.
  2. Tap the Menu icon in the top left.
  3. Tap Proxies.
  4. Tap the Edit icon next to the proxy you wish to edit or delete.
  5. Edit the proxy details and tap Save or if you want to delete, tap Delete Proxy.

You can also edit or delete a proxy from within a profile:

  1. Launch OpenVPN Connect.
  2. Tap the Edit icon for a profile.
  3. Tap the Edit icon for the proxy.
  4. Edit the proxy details and tap Save or if you want to delete, tap Delete Proxy.

How do I use a client certificate and private key from the Android Keychain?

Using the Android Keychain to store your private key leverages the hardware-backed Keystore on many Android devices. This protects the key with the Android-level device password and prevents key compromise even if the device is rooted.

If you already have your client certificate and private key bundled into a PKCS#12 file (extension .p12 or .pfx), you can import it into the Android Keychain using the Import menu or Android Settings.

If you don't have a PKCS#12 file, you can convert your certificate and key files into PKCS#12 form using this openssl command (where cert, key, and ca are your client certificate, client key, and root CA files).

openssl pkcs12 -export -in cert -inkey key -certfile ca -name MyClient -out client.p12

After converting your certificate and key files into PKCS#12 form, import the client.p12 file into OpenVPN Connect using the Import / Import PKCS#12 menu option.

Once you’ve done this, remove the ca, cert, and key directives from your .ovpn file and re-import it. When you connect the first time, the app will ask you to select a certificate to use for the profile. Just select the MyClient certificate, and you should be able to connect normally.

When I try to import a PKCS#12 file, why am I being asked for a password?

When you generate a PKCS#12 file, you’re prompted for an "export password" to encrypt the file. You must enter this password when you import the PKCS#12 file into the Android Keychain. This prevents interception and recovery of the private key during transport.

Why doesn't the PKCS#12 file in my OpenVPN configuration file work the same as on desktop systems?

Android uses PKCS#12 files differently than on desktops using OpenVPN. Android manages PKCS#12 in the Android Keychain. In contrast, desktops can reference the PKCS#12 files bundled in the OpenVPN profile. The Android approach is much better from a security perspective because the Keychain can leverage hardware features in the device, such as hardware-backed keystores. However, it requires that you load the PKCS#12 file into the Android Keychain separate from importing the OpenVPN profile. It also moves the responsibility for managing PKCS#12 files to the Android Keychain and away from OpenVPN, potentially introducing compatibility issues.

To use a PKCS#12 file on Android, see the FAQ item above: How do I use a client certificate and private key from the Android Keychain?

How do I set up my profile for server failover?

You can provide OpenVPN with a list of servers to make connections. On connection failure, OpenVPN will rotate through the list until it finds a responsive server. For example, the following entries in the profile will first try to connect to server A via UDP port 1194, then TCP port 443, then repeat the process with server B. OpenVPN will continue to retry until it successfully connects or hits the Connection Timeout, which you can configure in Settings.

remote server-a.example.tld 1194 udp
remote server-a.example.tld 443 tcp
remote server-b.example.tld 1194 udp
remote server-b.example.tld 443 tcp

How do I use tasker with OpenVPN Connect for Android?

You can use the following options:

1. CONNECT

Action: net.openvpn.openvpn.CONNECT
OR
Action: android.intent.action.VIEW
Cat: None
Mime Type: {blank}
Data: {blank}
Extra: net.openvpn.openvpn.AUTOSTART_PROFILE_NAME:AS {your_profile_name} (if your profile was downloaded from URL)
OR
Extra: net.openvpn.openvpn.AUTOSTART_PROFILE_NAME:PC {your_profile_name} (if your profile was imported via File)
Extra: net.openvpn.openvpn.AUTOCONNECT:true
Package: net.openvpn.openvpn
Class: net.openvpn.unified.MainActivity
Target: Activity

2. DISCONNECT
Action: net.openvpn.openvpn.DISCONNECT
Cat: None
Mime Type: {blank}
Data: {blank}
Extra: net.openvpn.openvpn.STOP:true
Extra: {blank}
Extra: {blank}
Package: net.openvpn.openvpn
Class: net.openvpn.unified.MainActivity
Target: Activity

How can I contact the developers about bugs or feature requests?

Send an email to android@openvpn.net.