Release Notes for OpenVPN Connect on iOS

Added support for the "Global Config" feature that allows configuring the app settings, importing profiles, and creating proxies by applying the configuration file using the MDM solution. Learn more: Global Configuration File Support for iOS.

OpenSSL and some other code libraries were upgraded.

Added support for new DNS server options.

Other minor improvements and fixes.

Enhanced DNS stability and productivity.

Fixed a problem with routing to the 128.0.0.0/1 network.

Resolved an issue with endless reconnect after network interrupts when using profiles with “auth-user-pass“ and “auth-nocache“ directives.

Fixed the bug when the app wouldn't connect to the server-locked profile with SAML auth from iOS settings.

Fixed an issue with the absence of IPv4 traffic when “Block IPv6“ is set to “Yes”.

Fixed a problem with connection via hotspot.

Other minor fixes and changes.

Implemented Device Posture Checks feature.

Added Forced Re-authentication support.

Enhanced DNS stability and productivity.

Updated Import Profiles screen.

Connection through proxy with basic auth is now allowed only with “insecure” security level.

Introduced support for external EC (elliptic serves signature algorithms) certificates.

Import profile for Access Server users with a mixed authentication setup will now contain the direct link to web import.

Fixed an issue when the enter password dialog doesn't show up while connecting via the iOS settings.

Other minor fixes and improvements.

Added confirmation dialog when connecting with a profile that contains unsupported directives.

Updated Import Profile screen with a link to the website with useful information.

Ended support for devices running iOS 12, 13, or 14.

Fixed an issue when the app disconnects after ten minutes in Airplane mode.

Minor fixes and improvements.

Temporary ignore of unsupported options in a profile.

Fixed issue on iOS17 when the connection was dropping during sleep and setting "Battery Saver" enabled.

Dropped support of iOS 11.

Moved from OpenSSL 1.1.1 to OpenSSL 3.0.8.

Introduced setting "Security Level."

Introduced setting "System Browser Auth."

Removed onboarding screens.

Various bug fixes and UX improvements.

Fixed connectivity issues on iOS 16.5.

Fixed MFA issue when a message contains non-Latin symbols.

Fixed issue with the display of available application update.

Updated information exchange for CloudConnexa users.

Resolved stability issues.

Improved performance.

Changed Web Auth flow to use external browser for authentication.

Removed the “force AES-CBC cipher” legacy compatibility option.

Added Kill Switch feature.

Added Siri Shortcuts support.

Added new functionality for software updates.

Added captive portal detection.

Added an Advanced Settings section.

Added new setting to manage disconnect and reconnect alerts.

Updated OpenVPN3 library to 3.6.

Various bug fixes and UX improvements.

Increased default connection timeout to 1 minute.

Minor fix for Web Auth flow.

Minor changes for Web Auth flow.

Switchover from MbedTLS library to OpenSSL library.

As part of the transition from MbedTLS to OpenSSL the list of negotiable TLS cipher suites no longer includes weak ciphers suites without forward secrecy support (DH/ECDH).

Support of TLS 1.3 version.

Support signing with RSA-PSS signatures during TLS handshake.

Update of OpenVPN3 library to 3.5.5 version.

Improved stability and performance.

MbedTLS update to 2.7.13 including fix for CVE-2019-18222.

New profile import flow with WebAuth support and "Connect after import" ability.

Removed "Reconnect on Wakeup" setting.

Added "Battery Saver" setting in order to prevent multiple reconnections in the device’s sleep mode.

Added app notification in case when the VPN connection was interrupted.

New profile import flow with WebAuth support and "Connect after import" ability.

Removed "Reconnect on Wakeup" setting.

Added "Battery Saver" setting in order to prevent multiple reconnections in the device’s sleep mode.

Added dialog on connection with ability to select an external PKCS certificate or proceed without it.

Added app notification in case when the VPN connection was interrupted.

Removed the Private Tunnel section. The Private Tunnel app can be downloaded from the App Store separately.

Improved connection stability when device is in sleep mode.

Improved error messages during profile import and connection attempts.

Changed timeout logic when network is unavailable.

Fixed usage of basic authentication for proxies.

Fixed the ‘AES-CBC cipher algorithm’ setting to help connect to legacy servers.

Other various connectivity fixes.

Added Data Policy Agreement.

Added "Certificates" screen with the possibility to remove external certs.

Removed outdated "Network State detection" setting and enabled it by default.

Increased max length of inputs — username, hostname, etc.

Added missed labels for Voice Over.

Fixed iOS 12 connectivity issues.

Fixed 'high battery usage' issue by reducing speed stats frequency. Now Speed Chart shows data with 10 sec interval.

Allowed empty password for certificates.

Added custom error messages for connection attempt without network available or proper certificate.

Disabled "Compression" by default (because it is insecure).

Changed icons for "Edit Profile" and "Edit Proxy" buttons, and improved UX by increasing touch area.

Small UI improvements.

Fixed VoiceOver issues.

Fixed crash on start issue.

Dropped MD5 support and added error message when using an MD5-signed certificate.

Improved logic of Private Tunnel login and connection processes.

New UI layer with two skins.

Completely updated profile and proxy management.

New functional settings.

Settings moved to app from system.

Private Tunnel and Access Server sections.

Automated import from Access Server with link and credentials.

Extended statistics about connection and visualization of data flow.

Fixed various bugs.

Show MD5 warning pop-up only once per VPN session.

Fix glitch upon key re-negotiation when using tls-crypt.

Fix interoperability issue with private keys created using OpenSSL 1.1 default settings (aka add support for private keys encrypted using PKCS#5v2.0 with PRF newer than SHA1).

Fixed spurious crash on reconnection after sleep.

Restored access to CertificatePayloads (p12 bundles) uploaded via Provisioning Profiles (.mobileconfig files).

Show warning pop-up when connecting to server using insecure MD5 algorithm to sign certificates (MD5 support will be dropped end of Apr 2018).

Report unique app specific UUID to server within peer info (variable IV_HWADDR).

Added support for ECDSA ciphersuites (for EC certificates; only supported with certs embedded in .ovpn file).

Fixed VPN status after closing and re-opening App with tunnel activated (VPN IPs, last event, etc.).

Fixed profiles loading from iCloud with Files app (due to an iOS bug, only 1 file can be loaded at once).

Improved .ovpn12 file import.

Fixed WiFi detection while connected via LTE.

Fixed tunnel reconfiguration after reconnection with seamless tunnel ON.

Added message about new .ovpn12 extension in cert list (when empty).

Fixed issue with DNS upon reconnection in split tunnel setups.

Fixed tunnel disconnection when closing App from background app list.

Fixed spurious connection crash when connecting using TCP.

Fixed several connection instabilities.

Fixed routing towards VPN IPs other than the VPN server.

Fixed usage of PROXY_AUTO_CONFIG_URL and PROXY_BYPASS setting.

Fixed DNS settings when server directive comes as last one.

Fixed reconnection with external certificate or password when device is still locked.

Fixed blank-screen issue on iPods.

Fixed reconnection after sleep or connectivity loss.

Fixed seamless tunnel handling.

Fixed tls-auth setup. missing key-direction in new profiles is again interpreted as "bidirectional" mode.

Fixed DNS server assignment on split tunnel configurations.

Fixed IPv6 DNS server assignment on split tunnel configurations.

Fixed search domain assignment on split tunnel configurations.

Fixed profile renaming.

Fixed PROXY settings assignment.

Fixed permanent disconnection due to TRANSPORT_ERROR when uplink is unavailable.

Improved log verbosity.

Added preference switch to disable MD5 in TLS.

Converted VPN backend to new Apple Network Extensions framework.

Implemented private keychain for storing certificates and passwords. PKCS#12 bundles imported via Safari or Mail must now end with '.ovpn12'.

Implemented support for "tls-crypt" config option. If the OpenVPN server you are connecting to has enabled this option, it will provider a safer method to exchange certificates during the initial TLS handshake.

Updated mbedTLS to 2.6.0 (MD5 support will be dropped on Apr, 31st 2018).

Updated ovpn3 backend.

Updated ovpn3 backend and plugin.

Better support for NAT64.

Workaround for sweet32 vulnerability.

Implementation of relay protocol.

Updated mbedTLS (formerly PolarSSL).

The OpenVPN Setting "Force AES-CBC ciphersuites" is now off by default. If you experience connection issues with this change, you can easily turn it back on in the Settings App under OpenVPN.

Added "Minimum TLS version" setting. If you experience connection issues with this option, try setting it to "Disabled" in the Settings App under OpenVPN.

Added AES-GCM cipher support.

Developers can now detect if OpenVPN is installed: BOOL installed = [application canOpenURL:[NSURL URLWithString:@"openvpn://"]];

Library updates: mbedTLS : 1.3.16.

Fixed Import Profiles bug that affects 1.0.4 on iOS 8. This issue causes OpenVPN to fail to detect new profiles that are available for import.

Support new iOS 8 feature where Settings App can be used to launch native OpenVPN profiles. Note that only autologin profiles (i.e. profiles that don't require credential entry) can be launched using this mechanism.

Added "Seamless Tunnel" setting (See OpenVPN section of Settings App) for iOS 8 and higher. Make a best-effort to keep the VPN tunnel active during pause, resume, and reconnect states to minimize the likelihood of packet leakage during sleep/wakeup and network reconfiguration events.

Connection speed improvements.

Support OpenVPN "float" directive.

Don't fail the connection when OpenVPN "topology net30" directive is mixed with "ifconfig-ipv6", since the topology setting doesn't really affect IPv6.

Recognize backslash as a directory separator, to allow import of Windows profiles.

Library updates: PolarSSL : 1.3.8 Boost : 1.56.0.

Added "Force AES-CBC ciphersuites" setting to revert to SSL/TLS negotiation strategy used in OpenVPN Connect 1.0.0 and 1.0.1. This option constrains the OpenVPN TLS negotiation to one of two standard AES-CBC ciphersuites and is provided as a compatibility option when connecting to servers that use legacy SSL implementations.

Known issue: Automatic reconnect/wakeup onto cellular data doesn't work with iOS 7.0.x. A fix is expected in iOS 7.1.

Known issue: IPv6 tunnel routes may not be added to the routing table on iOS 7. Workaround: use redirect-gateway instead of pushing specific IPv6 routes. For example, from the server: push "redirect-gateway ipv6" or client: redirect-gateway ipv6.

Added support for "http-proxy" and "http-proxy-option" directives in the profile. Note that these directives are currently only supported in the main profile, outside of blocks. Also note that proxy settings in the Settings app under OpenVPN always have priority over proxy directives given in the profile.

Worked around an issue where connect slider control was sending repeating ON/OFF messages to the app. This could potentially cause connection failures where the connect slider control would move into the ON position, the credentials fields would be cleared, but no connection would occur, or the connection slider would freeze in the OFF position.

iOS 7 allows OpenVPN VPN-On-Demand (VoD) profiles to be connected and disconnected using the Settings App.

Allow "Certificate" field in UI to remain unselected for profiles that connect without a client certificate.

Re-added support for DES-CBC cipher that was inadvertently dropped in 1.0.2 (Note: DES-CBC is an obsolete, insecure cipher that should no longer be used. It is provided only for compatibility with legacy systems).

Added additional PKCS#1 signature methods. This may fix an issue where the following error is seen in the log: "PolarSSLContext::epki_sign unrecognized parameters, mode=1 hash_id=11 hashlen=32".

Added new OpenVPN Setting "Network state detection" that allows control over how OpenVPN handles network state changes. For more info, see app Help FAQ under the section "What is the meaning of the various OpenVPN settings in the iOS Settings App?"

Support iOS .mobileconfig profiles that contain standard OpenVPN profiles (previously only VPN-On-Demand .mobileconfig profiles were supported). See app Help for detailed instructions on how to create an OpenVPN .mobileconfig profile.

Allow importing of profiles via iTunes where auth-user-pass directive references an external creds file.

Added LZ4 compression support.

Report client app name/version to server via IV_GUI_VER parameter.

Raised minimum required iOS version to 6.1 (iOS 5.1.1 installer will not install Connect, and will delete previous working 1.0.1 install).

Added support for ARM-64 including iPhone 5s and iPad Air.

Allow password to be saved for static challenge/response profiles.

Resolved the issue where iOS plugin was not able to fully enumerate the cert chain from Keychain Identities. Note that this solution is still not ideal because the iOS keychain appears unable to import a PKCS#12 file as a bundle. It only imports the leaf cert/key and ignores the rest. So for this fix to be effective, each of the root and intermediate certs in the PKCS#12 file must be manually extracted and separately imported as .crt files.

Added the capability for server to push proxy options, e.g.:

Updated PolarSSL to 1.2.10. This version of PolarSSL adds support for PKCS#8 private keys.

Fixed issue where some pushed options were incorrectly persisting across reconnections.

Fixed core bug that could cause reconnected TCP sessions to lock up with repeating replay errors.

Fixed core bug where server-pushed keepalive parms (ping, ping-restart) would be ignored.

"Session invalidated" errors will now explicitly reference a reason code.

Implemented "client-cert-not-required" directive as an alias for "setenv CLIENT_CERT 0".

Added core support for tun-mtu directive.

Fixed options parsing issue if non-aggregate option was specified in profile as well as pushed by server (the pushed version should win).

Implemented "inactive" directive.

Relax options parser somewhat and follow OpenVPN 2.x behavior where if more than one instance of an option exists, and a single instance of the option is required, use the last instance. Previously we would raise an exception in this case.

Added tls-version-min directive, to require server to support a minimum TLS version. For example:

Support "setenv opt" prefix before directives, where its presence indicates that the directive is optional, i.e. if a client doesn't understand the directive, it should simply ignore it.

Log unused options, i.e. options specified in config file that were unrecognized, ignored, or unused.

Fixed proxy error "NTLM phase-2 Content-Length is not zero".

Updated PolarSSL to 1.1.6.

Implemented "tls-remote", "route-nopull", "remote-random", "cipher none", and "auth none" directives.

Support DNS names that resolve to multiple addresses by trying each address in sequence.

At Apple's request, require one-time user confirmation before starting initial VPN connection.

Log invalid server-pushed routes or dhcp-options but don't disconnect.

As device moves between WiFi and cellular networks, proactively reconnect.

Raise an error when unsupported modes are used, such as static key mode.

Support "tcp-client" usage such as this: remote foo.bar 1194 tcp-client

Client will report its protocol as UDPv4 or TCPv4_CLIENT in options compatibility string even if running over IPv6 transport to maintain compatibility with OpenVPN 2.x branch.

Support client profiles that use Windows UTF-8 BOM.

Added "Reconnect on wakeup" preference (on by default).

The "key-direction" default has been changed to "bidirectional" for compatibility with OpenVPN 2.x branch, however the previous default ("1") will be retained for profiles imported with 1.0.0 to avoid breakage. Note, however, that the previous default cannot be retained for previously imported VPN-on-Demand profiles, which could potentially fail to connect if they don't declare a key-direction key/value pair on the assumption that it defaults to "1". The solution is to explicitly declare key-direction in VPN-on-Demand profiles if the OpenVPN configuration file they are derived from declares it as well.

Fixed bug where pushed ifconfig subnet was not routing into the tunnel.

When split-tunnel VPN configuration is used (i.e. not redirect-gateway), and at least one pushed DNS server is present: (a) route all DNS requests through pushed DNS server if no added search domains, or (b) route DNS requests for only specifically added search domains if at least one added search domain.

Fixed bug where app would crash on startup if device keychain had certificate with nil subjectSummary.

Fixed issue where "reneg-sec 0" was causing an infinite reconnect loop.

Don't add IPv4 or v6 routes if the ifconfig for the particular IP protocol is absent.

Added support for "net_gateway" as a route destination. This effectively excludes the route from the tunnel.

Allow clients to connect without a client certificate or key, if the server allows it, and if the client profile contains the following directive: setenv CLIENT_CERT 0

Allow "dhcp-option DOMAIN …" directives to be pushed with multiple space-separated domains.

Fixed an issue that prevented an External Certificate profile from also being an Autologin profile.

Fixed a corner case where profiles with saved passwords that connect to a server that uses Session ID tokens (such as an Access Server) would fail to automatically reconnect after long pause periods, such as when the device is asleep.

Add "OS Event" logging to OpenVPN log file, including: (a) network available/unavailable and (b) sleep/wakeup.

First release.