FAQ regarding OpenVPN Connect iOS

Some common errors and solutions

If you experience issues after a recent OpenVPN Connect update: 

  • Delete and then re-import your connection profile(s). Fill in appropriate credentials.

error parsing certificate : X509 - The date tag or value is invalid 

This error message occurs with a faulty certificate. Refer to this detailed forum post for more info.

certificate verification failed : x509 - certificate verification failed, e.g. crl, ca or signature check failed

This error message occurs when a certificate can’t be verified properly. Certificate verification failure can occur, for example, if you are using an MD5-signed certificate. With an MD5-signed certificate, the security level is so low that the authenticity of the certificate can’t by any reasonable means be assured. In other words, it could very well be a fake certificate. The solution is to use a certificate not signed with MD5 but with SHA256 or better. Refer to the MD5 signature algorithm support section for more information.

digest_error: NONE: not usable

This error message occurs if you specify auth none and also tls-auth in your client profile. This happens because tls-auth needs an auth digest, but it isn’t specified. To resolve the error, remove the tls-auth directive. It’s not possible to enable it with auth none enabled.

SSL - Processing of the ServerKeyExchange handshake message failed

This error message likely occurs when using older versions of OpenVPN/OpenSSL on the server-side. Some users have solved this issue by updating their OpenVPN and OpenSSL software on the server-side.

BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

This error message relates to cipher suites. You can usually remedy this by going to the app settings in OpenVPN Connect and checking the box for AES-CBC Cipher Algorithm.

Login failed: Profile was not saved

This error message displays when you download a profile from a server, but OpenVPN Connect can’t temporarily save the profile to the filesystem before importing it to the iOS VPN settings. A possible reason for this could be lack of available storage space.

Login failed: Profile was not added in system

This error message displays when the profile wasn’t successfully imported into iOS VPN Settings. It can occur when the user denies permission for OpenVPN Connect to import a profile.

Other client error messages

Refer to general OpenVPN client connectivity error messages and solutions for more error messages.

MD5 signature algorithm support

We recommend not using MD5 as an algorithm for a signing certificate due to its possible insecurity. For example, time-standard home computer equipment takes about eight hours to falsify a certificate signed using MD5 as an algorithm. Using MD5 means it’s possible to fake the identity of the server. This opens up to a risk for a man-in-the-middle attack. Such an attack leads to the interception of data communication.

You should only support the use of MD5 for older equipment.

We pushed out a security and functionality upgrade of OpenVPN Connect for Android in November 2017 and discovered that many people’s devices still used MD5-signed certificates.

We recommend converting to a setup with SHA256-signed certificates for any installations that still use MD5-signed certificates. If the devices in use don’t support this option, we recommend updating the device to add the function or replacing the device completely.

For your reference, we have a list of deprecated options and ciphers here: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

Refer to these links for more information about MD5 signatures:

To determine if you are using an MD5 type certificate, use this command with openssl as your testing tool:

openssl x509 -in ca.crt -noout -text | grep "Signature Algorithm"

Example result if certificate is using MD5:

Signature Algorithm: md5WithRSAEncryption

If you see this result on the CA certificate or client certificate, we recommend converting to a proper, securely signed certificate set that uses at least SHA256 or better.

OpenVPN Access Server doesn’t use MD5-certificate signatures. 

For open-source OpenVPN users or users with a third-party device that includes OpenVPN functionality using MD5-type certificates, you should investigate the option to update the software on your device or change the signature algorithm type, if possible.

The default settings of a program like EasyRSA 3, used by open-source OpenVPN for generating client certificates and keys, are pretty secure and will generate certificates that are not signed with MD5.

I am getting the error "mbedTLS: error parsing cert certificate : X509 - The date tag or value is invalid"

This message displays when certificates are formatted incorrectly. It’s not a bug in OpenVPN or mbedTLS and you can refer to this detailed forum post for more info.

For OpenVPN Connect version 1.1.1 and later, we’ve relaxed the format check to accept certificates that were previously rejected with this message.

I am getting the error "Client exception in transport_recv_excode: mbedTLS: SSL read error : SSL - Processing of the ServerKeyExchange handshake message failed".

This error message may be related to older versions of OpenVPN/OpenSSL on the server side. Resolving this issue may require updating your OpenVPN server-side software and/or OpenSSL.

I am getting the error "digest_error: NONE: not usable"

This error message may display if you specify auth none and also tls-auth in your client profile. This occurs because tls-auth needs an auth digest, but it wasn’t specified. To fix this:

  • Remove the tls-auth directive. It can’t be enabled unless you have a non-none auth directive.

Can OpenVPN profiles be connected from the Settings App?

Yes, you can connect from Settings if you have an autologin connection profile.

Is OpenVPN Connect for iOS vulnerable to Heartbleed?

No, OpenVPN Connect for iOS uses the OpenSSL library, which is immune to Heartbleed.

Does OpenVPN Connect support the tls-crypt option?

Yes, OpenVPN Connect supports the tls-crypt option starting with version 1.2.5

Are CRLs (certificate revocation lists) supported?

Yes, OpenVPN Connect supports certificate revocation lists (CRLs) as of iOS version 1.0.5.

To use a CRL, you must add it to the .ovpn profile:

<crl-verify>
 -----BEGIN X509 CRL-----
 MIHxMFwwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKT3BlblZQTiBDQRcNMTQw
 NDIyMDQzOTI3WhcNMjQwNDE5MDQzOTI3WjAWMBQCAQEYDzIwMTQwNDIyMDQzOTI3
 WjANBgkqhkiG9w0BAQQFAAOBgQBQXzbNjXkx8+/TeG8qbFQD5wd6wOTe8HnypQTt
 eELsI7eyNtiRRhJD3qKfawPVUabSijnwhAPHfhoIOLKe67RLfzOwAsFKPNJAVdmq
 rYw1t2eucHvGjH8PnTh0aJPJaI67jmNbSI4CnHNcRgZ+1ow1GS+RAK7kotS+dZz9
 0tc7Qw==
 -----END X509 CRL-----
 </crl-verify>

You can concatenate multiple CRLs together within the crl-verify block above.

If you are importing a .ovpn file that references an external CRL file such as crl-verify crl.pem make sure to drop the file crl.pem into the same place as the .ovpn file during import so the profile parser can access it.

I am having trouble importing my .ovpn file.

To import a .ovpn file on iOS:

  1. Save the .ovpn file to your macOS desktop.
  2. Connect to your iPhone or iPad using USB or USB-C cable or with a WiFi connection.
  3. In Finder (on mac), select iPhone.
  4. Select Files.
  5. Locate the OpenVPN directory (note: OpenVPN Connect must already be installed on your mobile device).
  6. Drag the .ovpn file from your desktop to the OpenVPN location.
  7. Launch OpenVPN Connect on your mobile device.
  8. Tap Add then File.
  9. “1 new OpenVPN profiles are available for import” displays and you can tap Add.

Note: Profiles must be UTF-8 (or ASCII) and under 256 KB in size.

Also, consider using the unified format for OpenVPN profiles which embeds all certs and keys into the .ovpn file. This eases management of the OpenVPN configuration as it integrates all elements of the configuration into a single file.

For example, a traditional OpenVPN profile might specify certs and keys as follows:

ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

You can convert this usage to unified form by pasting the content of the certificate and key files directly into the OpenVPN profile as follows using an XML-like syntax:

<ca>
-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIE...
. . .
/NygscQs1bxBSZ0X3KRk...
Lq9iNBNgWg==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
. . .
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
. . .
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
. . .
</tls-auth>

Another approach to eliminate certificates and keys from the OpenVPN profile is to use the iOS Keychain as described below.

Note: When converting tls-auth to unified format, check if there is a second parameter after the filename (usually a 0 or 1). This parameter is known as the key-direction parameter and must be specified as a standalone directive when tls-auth is converted to unified format. For example if the parameter is 1, add this line to the profile:

key-direction 1

If there is no second parameter to tls-auth, you must add this line to the profile:

key-direction bidirectional

Where are the support forums for OpenVPN Connect?

https://forums.openvpn.net/

Is IPv6 supported?

Yes. OpenVPN Connect supports IPv6 transport and IPv6 tunnels as long as the server supports them as well.

How to make IPv6 routing work on iOS 7?

There is a known issue where IPv6 tunnel routes can’t be added to the routing table on iOS 7.0.x. We fixed this issue in iOS 7.1.

A possible workaround is to use redirect-gateway instead of pushing specific IPv6 routes.

For example, in the server configuration file:

push "redirect-gateway ipv6"

Or the client configuration file:

redirect-gateway ipv6

Note that iOS 7 and higher requires that if you use redirect-gateway you must use it for both IPv4 and IPv6 as the above directive accomplishes.

Why does the VPN disconnect when I make or receive a voice call?

Some cellular networks are incapable of maintaining a data connection during a voice call. If iOS detects this as a loss of network connectivity, the VPN pauses during the call and automatically resumes when the call ends.

Given that mobile devices are easily lost or stolen, how best to secure VPN profiles against compromise if the device falls into the wrong hands?

We recommend two steps to provide extra protection for your phone:

  1. Save the private key in the device keychain—it’s the most sensitive data in a profile. Consider removing the client certificate and private key from the profile and saving them in the device Keychain instead. For more information, refer to the section about using the iOS Keychain.
  2. Use a strong device-level password. A strong password is critical for protecting data stored in the device Keychain.

Is it safe to save passwords?

Yes, it is safe to save your password if you have set up a strong device-level password. OpenVPN Connect stores authentication and private key passwords in the iOS Keychain, which is protected by the device-level password.

Note: OpenVPN Connect can access the iOS Keychain only after the user has unlocked the device at least once after restart.

Why is the save password switch sometimes disabled?

The save password switch on the authentication password field is typically enabled, but you can disable it by adding the following OpenVPN directive to the profile:

setenv ALLOW_PASSWORD_SAVE 0

Note: The above directive only applies to the authentication password. The private key password, if it exists, can always be saved.

If my OpenVPN profile uses redirect-gateway, does that guarantee that all of my network traffic will be routed through the VPN tunnel?

Yes, all traffic routes through the VPN tunnel with a profile that uses redirect-gateway, but with some important exceptions:

  • Apple services such as Push Notifications and FaceTime never route through a VPN tunnel, per Apple policy.
  • During pause, resume, and reconnect states—such as when transitioning between WiFi and Cellular data—the VPN tunnel may temporarily disengage, allowing network traffic to bypass the tunnel and route directly to the internet. If you are running iOS 8 or higher, you can enable the Seamless Tunnel Setting in the OpenVPN section of the Settings App. It will make a best-effort to keep the tunnel active during pause, resume, and reconnect states to prevent packet leakage to the internet.

How can I use OpenVPN Connect with profiles that lack a client certificate/key?

If you have a profile that connects to a server without a client certificate/key, you must include the following directive to your profile: without a client certificate/key, you will need to add the following directive to your profile:

setenv CLIENT_CERT 0

Including this directive is necessary to resolve an ambiguity when the profile doesn’t contain a client certificate or key. When there isn’t a client certificate or key in the profile, OpenVPN Connect doesn’t know whether to obtain an external certificate/key pair from the Android Keychain or whether the server requires a client certificate/key. For example, a server that doesn’t require a client certificate/key is configured with the client-cert-not-required directive. The option is given as a “setenv” to avoid breaking other OpenVPN clients that might not recognize it.

Why doesn't the app support tap-style tunnels?

The iOS VPN API currently only supports TUN-style tunnels. This is a limitation of the iOS platform. If you try to connect a profile that uses a TAP-based tunnel, you get an error that only layer 3 tunnels are currently supported.

Are there any OpenVPN directives not supported by the app?

While OpenVPN Connect supports most OpenVPN client directives, we’ve made an effort to reduce bloat and improve maintainability by eliminating what we believe to be obsolete or rarely-used directives. Please email us at ios@openvpn.net if you think that we should reconsider a specific directive that we’ve excluded.

Here is a partial list of directives not currently supported:

  • dev tap — This directive is not supported because the underlying Android VPN API doesn't support TAP-style tunnels.
  • fragment — The fragment directive is not supported due to the complexity it adds to the OpenVPN implementation. It’s better to leave fragmentation up to the lower-level transport protocols. Note as well that the client doesn’t support connecting to a server that uses the fragment directive.
  • secret — Static key encryption mode (non-TLS) isn’t supported.
  • socks-proxy — Socks proxy support is currently not supported.
  • Not all ciphers are supported - OpenVPN Connect fully supports the AES-GCM and AES-CBC ciphers, and ChaCha20-Poly1305 as of Connect v3.3. The AES-GCM cipher algorithm in particular is well-suited for modern processors generally used in Android devices, iOS devices, macs and modern PCs. The deprecated DES and Blowfish ciphers are currently supported but will be removed in the future. 
  • proxy directives — While proxy directives are currently supported (http-proxy and http-proxy-option), they are currently NOT supported in <connection> profiles.

Additionally you can find unsupported options in the connection log under the section "UNUSED OPTIONS", where OpenVPN Connect will print all those directives specified in the profile that are not used by the app.

Can I have multiple profiles?

Yes, you can import any number of profiles from the Import menu:

  1. Launch OpenVPN Connect.
  2. Tap the Add icon.
  3. Enter the URL and username credentials or import from file.
  4. To connect to the profile, tap the profile’s radio button.
  5. Enter your password.

OpenVPN Connect assigns a name to the profile based on the server hostname, username and filename. If you import a profile with the same name as one that already exists, OpenVPN Connect adds (1), (2), etc to the profile name.

How do I delete a profile?

To delete a profile, tap the Edit icon next to the profile. From the Edit Profile screen, tap Delete Profile.

How do I rename a profile?

To rename a profile, tap the Edit icon next to the profile. From the Edit Profile screen, tap the Profile Name field and change it.

How do I configure OpenVPN to connect via an HTTP proxy?

You can add any number of proxies within OpenVPN Connect. Each profile can have one proxy assigned.

To add a proxy:

  1. Launch OpenVPN Connect.
  2. Tape the Menu icon in the top left.
  3. Tap Proxies.
  4. Tap the Add icon.
  5. Enter the connection information for the proxy and tap Save.

One you’ve added a proxy, you can add it to your profile:

  1. Tape the Edit icon for the profile.
  2. Under Proxy, tap the radio button of the proxy to add.
  3. Tap Save.

The profile now displays both the OpenVPN Profile and the proxy name. When you connect, your connection to the VPN server authenticates using the proxy server.

How do I edit or delete a proxy?

To edit or delete a proxy:

  1. Launch OpenVPN Connect.
  2. Tap the Menu icon in the top left.
  3. Tap Proxies.
  4. Tap the Edit icon next to the proxy you wish to edit or delete.
  5. Edit the proxy details and tap Save or if you want to delete, tap Delete Proxy.

You can also edit or delete a proxy from within a profile:

  1. Launch OpenVPN Connect.
  2. Tap the Edit icon for a profile.
  3. Tap the Edit icon for the proxy.
  4. Edit the proxy details and tap Save or if you want to delete, tap Delete Proxy.

How do I use a client certificate and private key from the iOS Keychain?

Using the iOS keychain to store your private key leverages the hardware-backed keystore that exists on many iOS devices. This protects with the iOS-level device password and prevents key compromise even if the device is rooted.

If you already have your client certificate and private key bundled into a PKCS#12 file (extension .p12 or .pfx), you can import it into the app private section of the iOS Keychain using Mail or Safari. Ensure that the file extension is .ovpn12 for the file to be picked up by OpenVPN Connect (and not by iOS).

Note that on iOS, when you import a PKCS#12 file into the Keychain, only the client certificate and private key are imported. The CA (certificate authority) certificates are NOT imported (unless you manually extract the CA certificates and import them separately, one-at-a-time). Therefore, you must give the CA list in the profile using the ca directive. If you already have a PKCS#12 file, the CA list may be extracted from the file using this openssl command, where the CA certs in client.p12 are written to ca.crt:

openssl pkcs12 -in client.p12 -cacerts -nokeys -out ca.crt

Then add a reference to ca.crt to your profile:

ca ca.crt

or paste the contents of ca.crt directly into your profile:

<ca>
paste contents of ca.crt here
</ca>

If you don't have a PKCS#12 file, you can convert your certificate and key files into PKCS#12 form using this openssl command (where cert, key, and ca are your client certificate, client key, and root CA files):

openssl pkcs12 -export -in cert -inkey key -certfile ca -name MyClient -out client.ovpn12

Then choose import from file to import the client.ovpn12 file.

Once this is done, remove the cert and key directives from your .ovpn file and re-import it, making sure that the ca directive remains. Once imported, any profile that lacks cert and key directives causes a Certificate row to appear on the main view, allowing the profile to be linked with an Identity from the iOS Keychain (on iOS, an Identity refers to a certificate/private-key pair that was previously imported using a PKCS#12 file). Tap the Certificate row and select the MyClient certificate. At this point, you should be able to connect normally.

Note: The iOS Keychain is accessible by the app only after the user has unlocked the device at least once after restart.

This is a security measure to prevent an unknown person from accessing a VPN network using a device previously switched off.

How do I delete an imported PKCS#12 file?

To delete an imported PKCS#12 file tap Certificates then tap the delete icon next to the certificate.

When I try to import a PKCS#12 file, why am I being asked for a password?

When you generate a PKCS#12 file, you’re prompted for an "export password" to encrypt the file. You must enter this password when you import the PKCS#12 file into the iOS Keychain. This prevents interception and recovery of the private key during transport.

When I try to import a PKCS#12 file, why am I being asked for a password even if I haven't set any?

When you import a PKCS#12, a password must always be specified. If you have set an empty password, just tap OK without entering any text.

Why doesn't the PKCS#12 file in my OpenVPN configuration file work the same as on desktop systems?

iOS uses PKCS#12 files differently than on desktops using OpenVPN. iOS manages PKCS#12 in the iOS Keychain. In contrast, desktops can reference the PKCS#12 files bundled in the OpenVPN profile. The iOS approach is much better from a security perspective because the Keychain can leverage hardware features in the device, such as hardware-backed keystores. However, it requires that you load the PKCS#12 file into the iOS Keychain separately from importing the OpenVPN profile. It also moves the responsibility for managing PKCS#12 files to the iOS Keychain and away from OpenVPN, potentially introducing compatibility issues.

To use a PKCS#12 file on iOS, see the FAQ item above: How do I use a client certificate and private key from the iOS Keychain?

After importing my PKCS#12 file into the iOS Keychain, I am getting an error when I try to connect: "mbedTLS: ca certificate is undefined"

This error displays if you don't include a ca directive in your profile, since the iOS Keychain doesn’t provide the CA list from the PKCS#12 file to OpenVPN. To resolve this, extract the CA list from the PKCS#12 file and add it to your profile via the ca directive. Refer to the FAQ item above: How do I use a client certificate and private key from the iOS Keychain?

Can an OpenVPN server push proxy settings to an iOS device?

Yes, An OpenVPN server can push HTTP and HTTPS proxy settings to an iOS client to be used by Safari (or other iOS browsers) for the duration of the VPN session. For example, if you want iOS clients to use an HTTP/HTTPS proxy when they’re connected to your OpenVPN server, you can configure the proxy connection. Let’s say you have a proxy at 10.144.4.14 on port 3128. In order to push the proxy settings to clients, you add the following directives to the OpenVPN server-side configuration:

push "dhcp-option PROXY_HTTP 10.144.5.14 3128"
push "dhcp-option PROXY_HTTPS 10.144.5.14 3128"

If you want several web domains to connect directly and go through the proxy, run a command such as this:

push "dhcp-option PROXY_BYPASS example1.tld example2.tld example3.tld"

If your site uses a Proxy Autoconfiguration URL, specify the URL as follows:

push "dhcp-option PROXY_AUTO_CONFIG_URL http://example.tld/proxy.pac"

If you don't want to (or can't) modify the OpenVPN server configuration, you can add proxy directives directly to the client .ovpn profile. Remove the enclosing push "…" from the directive:

dhcp-option PROXY_HTTP 10.144.5.14 3128
dhcp-option PROXY_HTTPS 10.144.5.14 3128

Note: When you push proxy options, it may also be necessary to push a DNS server address:

push "dhcp-option DNS 1.2.3.4"

Note: This feature controls application proxy use over the VPN tunnel and is not related to the connection proxy capability of OpenVPN to connect to a server through an HTTP proxy. The connection proxy capability is under the proxies menu.

How does iOS interpret pushed DNS servers and search domains?

On a split-tunnel, where redirect-gateway is not pushed by the server, and at least one pushed DNS server is present, you should do one of the following:

  • Route all DNS requests through pushed DNS server(s) if no added search domains.
  • Route DNS requests for added search domains only, if at least one added search domain.

For example, the following directive on the server directs the client to route all DNS requests to 172.16.0.23:

push "dhcp-option DNS 172.16.0.23"

Alternatively, these directives on the server only route foo.tld and bar.tld DNS requests to 172.16.0.23:

push "dhcp-option DNS 172.16.0.23"
push "dhcp-option DOMAIN foo.tld"
push "dhcp-option DOMAIN bar.tld"

Note: With redirect-gateway, the above discussion is moot, since all DNS requests always route through the VPN regardless of the presence or absence of added search domains.

Can I push IPv6 DNS servers to my clients?

Yes, you can push an IPv6 DNS by using the same format used for IPv4 ones.

An example command might look like this:

an IPv6 DNS by using the same format used for IPv4 ones. For Example:

push "dhcp-option DNS 2001:abde::1"

How do I set my own local domain for automatic resolution?

If you want to set your own local domain for automatic resolution, you can do this with either redirect-gateway or configuring a VPN-specific DNS, then use the following command (with your domain instead of the example domain):

push "dhcp-option ADAPTER_DOMAIN_PREFIX foo.tld"

When the iOS DNS subsystem first tries to resolve a partly qualified domain name (PQDN), if it can’t succeed, it concatenates the PQDN with the system domain prefix (normally assigned by your uplink gateway, for example: ".lan"). The above command specifies a different domain to append by having the server push a special directive including the new name.

See the previous FAQ "How does iOS interpret pushed DNS servers and search domains?" to learn how to specify a DNS.

How do I set up my profile for server failover?

To set up your profile for server failover, you can provide OpenVPN with a connection list of servers. On connection failure, OpenVPN rotates through the list until it finds a responsive server. For example, the following entries in the profile will first try to connect to server A via UDP port 1194, then TCP port 443, then repeat the process with server B. OpenVPN continues to retry until it successfully connects or hits the Connection Timeout, which can be configured in the settings within OpenVPN Connect.

remote server-a.example.tld 1194 udp
remote server-a.example.tld 443 tcp
remote server-b.example.tld 1194 udp
remote server-b.example.tld 443 tcp

What are the meanings of the various settings in OpenVPN Connect?

  • Battery Saver — Pause the VPN connection when the mobile device screen goes blank.
  • Seamless Tunnel (requires iOS 8 or higher) — Make a best-effort to keep the tunnel active during pause, resume, and reconnect states. Typically, during VPN pause, resume, or reconnect (for example when transitioning between WiFi and Cellular data), the VPN tunnel may disengage for a short period of time, normally on the order of seconds or less. During this time, network traffic can potentially bypass the tunnel and route directly to the internet. This option can reduce the incidence of packet leakage by keeping the tunnel continuously engaged until it is manually disconnected, even across sleep/wakeup or network reconfiguration events. Consider also enabling the Layer 2 reachability setting (below) when using Seamless Tunnel.
  • VPN Protocol — Force a particular transport protocol (UDP or TCP), or set to adaptive, which chooses the protocol from the remote lines in the profile one by one.
  • IPv6 — Set no preference, a combined IPv4/IPv6 tunnel, or only allowing an IPv4 tunnel.
  • Connection Timeout — How long tries to connect OpenVPN before giving up. If set to None, OpenVPN will retry indefinitely.
  • Allow Compression — Select tunnel compression options.
  • AES-CBC Cipher Algorithm — Enable using the AES-CBC cipher.
  • Minimum TLS version — Set the minimum TLS version. If a specific TLS version is selected it will override any profile setting. If Profile Default is selected, the app will use the tls-version-min profile directive if it exists, or TLS 1.0 otherwise. If Disabled is selected AND Force AES-CBC ciphersuites (above) is enabled, the app will NOT require a minimum TLS version from the server, which means that the SSL version negotiated could be as low as SSL 3.
  • DNS Fallback — If ON, use Google DNS servers (8.8.8.8 and 8.8.4.4) as a fallback for connections that route all internet traffic through the VPN tunnel but don't define any VPN DNS servers.
  • Connect Via — Connect to the VPN server by WiFi, Cellular Data, or either.
  • Layer 2 Reachability — If ON, and if Seamless Tunnel (above) is also ON, use a more robust test of network reachability when transitioning between WiFi and Cellular networks.
  • Theme — Choose between the default colors or a dark theme.

Can I import an OpenVPN profile via an iOS .mobileconfig file?

Yes, OpenVPN profiles can be created using the iPhone Configuration Utility (iPCU) and exported to a .mobileconfig file, which in turn can be imported onto one or more iOS devices. Unfortunately, the process is a bit cumbersome because you must manually enter the directives of the OpenVPN profile as key/value pairs into the iPCU.

To create a .mobileconfig-based profile:

  1. Open iPCU.
  2. Tap File.
  3. Select "New Configuration Profile".
  4. Edit the newly created Configuration Profile.
  5. Click General in the left pane.
  6. Fill out the fields such as Name, Identifier, Organization, and so on.
  7. Click on VPN in the left pane and a "Configure VPN" dialog box should appear in the main window.
  8. Click Configure.
  9. Fill out the VPN settings as described below:
  • Connection Name should be set to a name that will identify this profile on the device.
  • Connection Type should be set to Custom SSL.
  • Identifier should be set to "net.openvpn.connect.app". (on older versions this used to be net.openvpn.OpenVPN-Connect.vpnplugin)
  • Server must be set to "DEFAULT". The actual server hostname will be configured via OpenVPN remote directives in the Custom Data section.
  • User Authentication should be set to Password, and the password field should be left blank.

You must define parameters normally given in the OpenVPN client configuration file using key/value pairs in the Custom Data section:

  • Define each OpenVPN directive as a key, with arguments specified as the value. As in the OpenVPN configuration file, arguments are space-delimited and may be quoted.
  • Key value pairs for remote, ca, cert, key, tls-auth, key-direction, auth-user-pass, comp-lzo, cipher, auth, ns-cert-type, remote-cert-tls must be defined if the server requires them.
  • If your server doesn't require clients to authenticate with a client certificate and private key, you can omit key/value pairs for ca and cert, but be sure to add the key/value pair "setenv" : "CLIENT_CERT 0".
  • The client certificate and private key can be separately imported onto the iOS device using a PKCS#12 file, in which case you can omit key/value pairs for ca and cert.
  • If you are attaching a private key to the configuration using the key directive, consider encrypting the key with a password to protect it while in transit to the target iOS device.
  • You must add a special key/value pair "vpn-on-demand" : "0" so that OpenVPN can distinguish this profile from an iOS VPN-On-Demand profile.
  • For OpenVPN directives with no arguments, use "NOARGS" as the value.
  • If multiple instances of the same directive are present, when entering the directive as a key, number the directives in the order they should be given to OpenVPN by appending .n to the directive, where n is an integer, such as remote.1 or remote.2.
  • For multi-line directives such as ca, cert, key and tls-auth, where the argument is a multi-line file, an escaping model is provided to allow the file content to be specified as a single-line value. The procedure is to convert the multi-line data to a single line by replacing line breaks with "\n" (without the quotes). Note that because of this escaping model, you must use "\\" to pass backslash itself.
  • For OpenVPN Access Server meta-directives such as "OVPN_ACCESS_SERVER_USERNAME", remove the OVPN_ACCESS_SERVER_ prefix, giving USERNAME as the directive.

Once you’ve defined the profile, you have two options for exporting it to an iOS device:

  • If your device is currently tethered, click on your device name in the left pane. Then in the main window, click on the Configuration Profiles tab. You should see the name of your Configuration Profile and a button to install it on the device.
  • You can also save the Configuration Profile as a .mobileconfig file, and make it available to iOS clients via email or the web. To do this, select your Configuration Profile, go to the File menu, and select "Export...". An Export Configuration Profile dialog box will appear. Select a Security option -- "Sign configuration profile" is a reasonable choice. Press the Export button and save the profile.

When an iOS device receives an OpenVPN .mobileconfig profile (via Mail attachment, Safari download, or pushed by iPCU), it will raise a dialog box to facilitate import of the profile. After import, the profile is visible in OpenVPN.

For a sample Provisioning Profile without .p12 payload, please visit this page.

Can I use iOS 6+ VPN-On-Demand with OpenVPN?

Yes. VPN-On-Demand (VoD) is a new technology introduced by Apple in iOS 6 that allows a VPN profile to specify the conditions under which it automatically connects. In addition, you can connect and disconnect a VoD profile on iOS 7 using the iOS Settings App under the VPN tab (although note that on iOS 8 and higher, ordinary OpenVPN profiles can be connected using the Settings App, as long as they don't require credential entry). OpenVPN on iOS fully supports VoD, with the following features:

  • You can create an OpenVPN VoD profile with iPCU by entering OpenVPN configuration file parameters as key/value pairs.
  • OpenVPN Connect supports connect and disconnect actions triggered by the iOS VoD subsystem.
  • OpenVPN Connect recognizes VoD profiles, shows them in the UI and allows them to be monitored and controlled like other OpenVPN profiles (with the exception that VoD profiles cannot be manually connected from the app UI, they can only be disconnected — this is because a VoD profile is designed to be connected automatically by iOS).

As noted, you can create OpenVPN VoD profiles using iPCU, unfortunately, it’s not a simple process because you must manually enter the directives of the OpenVPN profile as key/value pairs into iPCU.

To create a VoD profile with iPCU:

  1. Open iPCU (these directions were tested with version 3.5 on a Mac tethered to an iPad running iOS 6.0.1).
  2. Click the File menu.
  3. Select New Configuration Profile.
  4. Edit the newly created configuration profile:
    1. Click General in the left pane.
    2. Fill out the fields such as Name, Identifier, Organization, and so on.
    3. Click VPN in the left pane and a "Configure VPN" dialog box should appear in the main window.
    4. Click Configure.
    5. Fill out the VPN settings as described below.
Connection NameSet this to a name that identifies the profile on the device.
Connection TypeSet to Custom SSL.
IdentifierSet to net.openvpn.connect.app. (On older versions, this used to be net.openvpn.OpenVPN-Connect.vpnplugin.)
ServerSet to a hostname, or DEFAULT to use the hostname(s) from the OpenVPN configuration.
User AuthenticationSet to Certificate and the client certificate+key should be attached as a PKCS#12 file.
VPN On DemandSet to enabled and then define for iOS the conditions under which the VPN profile should automatically connect.

In addition, you can define the key-value pairs in the Custom Data section rather than give these parameters in the OpenVPN client configuration file:

  • VoD requires an OpenVPN autologin profile, i.e. a profile that authenticates using only a client certificate and key, without requiring a connection password.
  • Define each OpenVPN directive as a key, with arguments specified as the value. As in the OpenVPN configuration file, arguments are space-delimited and may be quoted.
  • At a minimum, you must define key/value pairs for ca and remote. (Note that OpenVPN cannot get the CA list from the VoD profile, therefore you must provide it using a ca key/value pair).
  • Define the key value pairs for tls-auth, key-direction, comp-lzo, cipher, ns-cert-type, and remote-cert-tls if the server requires them.
  • For OpenVPN directives with no arguments, use "NOARGS" as the value.
  • If multiple instances of the same directive are present, when entering the directive as a key, number the directives in the order they should be given to OpenVPN by appending .n to the directive, where n is an integer, such as remote.1 or remote.2.
  • For multi-line directives such as ca and tls-auth, where the argument is a multi-line file, we provide an escaping model to allow you to specify the file content as a single-line value. You must convert the multi-line data to a single line by replacing line breaks with "\n" (without the quotes). Note that because of this escaping model, you must use "\\" to pass backslash itself.
  • For OpenVPN Access Server meta-directives such as "OVPN_ACCESS_SERVER_USERNAME", remove the OVPN_ACCESS_SERVER_ prefix, giving USERNAME as the directive.

Once you’ve defined the VoD profile, you have two options for exporting it to an iOS device:

  • If your device is currently tethered, click on your device name in the left pane. Then in the main window, click on the Configuration Profiles tab. You should see the name of your Configuration Profile and a button to install it on the device.
  • You can also save the Configuration Profile as a .mobileconfig file, and make it available to iOS clients via email or the web. To do this, select your Configuration Profile, go to the File menu, and select "Export...". An Export Configuration Profile dialog box will appear. Select a Security option — "Sign configuration profile" is a reasonable choice. Press the Export button and save the profile.

When an iOS device receives a VoD profile (via Mail attachment, Safari download, or pushed by iPCU), it raises a dialog box to facilitate the profile import. After import, the profile is visible in the Settings App under General / Profiles. It is also visible as a profile in OpenVPN Connect. Note that the profile must be the currently-enabled VPN profile in order for the VoD functionality to work.

I am using a developer, preview, or beta version, of the iOS platform, and I have found a bug in OpenVPN Connect

Thank you for your interest in our product. We appreciate your input. For issues found in developer preview releases that aren’t available to the general public, we don’t issue bug fixes immediately.

See below for how to report the bug.

While we don’t issue immediate fixes for bugs in developer, preview, or beta releases on the iOS platform, we do put the bug reports into a queue of known issues for review and resolution. We recommend you install the production version of the app if the bug in a beta version keeps you from using the product to function as expected.

For those using the developer, preview, or beta versions of releases, you should expect to encounter issues. This is normal and expected. It is after all a developer version or preview version or beta software and is by its nature not ready for general use yet, and you accepted something along those lines in the terms of the agreement with Apple when you started using such an early preview/beta release of iOS on your device.

We are testing on such versions as well, and are usually aware of these issues and we will be making sure that when such a new iOS release does finally go out for general release, that our software product will be updated to function properly on that version.

How can I contact the developers about bugs or feature requests?

Send an email to ios@openvpn.net or open a ticket on our bug tracker (registration required). When opening a ticket, please select OpenVPN Connect in the component drop-down menu.