Last update: 2016-10-11 20:53
This is not a bug in OpenVPN or mbedTLS/PolarSSL but is actually caused by incorrectly formatted certificates. See this detailed forum post for more info.
This may be related to using older versions of OpenVPN/OpenSSL on the server side. Some users have solved this issue by updating their OpenVPN server-side software and/or OpenSSL.
This is usually remedied by going to the OpenVPN Preferences menu and selecting "Force AES-CBC ciphersuites".
This can occur if you specify both auth none and tls-auth in your client profile: tls-auth needs an auth digest, but none was specified. The fix is straightforward: remove the tls-auth directive, since it can't be enabled anyway unless the profile has a non-none auth directive.
A: To use this app, you must have an OpenVPN profile and a server to connect to. OpenVPN profiles are files that have an extension of .ovpn.
There are several methods available to import a profile:
A: No, all versions of OpenVPN Connect for Android use the PolarSSL library, which is immune to Heartbleed.
A: Yes, CRLs are supported starting with version 1.1.14 for Android.
To use a CRL, it must be added to the .ovpn profile inside a crl-verify block, such as:
<crl-verify>
-----BEGIN X509 CRL-----
. . .
-----END X509 CRL-----
</crl-verify>
Multiple CRLs may be concatenated together within the crl-verify block above.
If you are importing a .ovpn file that references an external CRL file, such as:
crl-verify crl.pem
make sure to drop the file crl.pem into the same place as the .ovpn file during import, so the profile parser can access it.
A: Here are some basic pointers for importing .ovpn files:
When you import a .ovpn file, make sure that all files referenced by the .ovpn file such as ca, cert, and key files are in the same directory on the device as the .ovpn file.
Profiles must be UTF-8 (or ASCII) and under 256 KB in size.
Consider using the unified format for OpenVPN profiles which allows all certs and keys to be embedded into the .ovpn file. This eases management of the OpenVPN configuration because it integrates all elements of the configuration into a single file.
For example, a traditional OpenVPN profile might specify certs and keys as follows:
tls-auth ta.key 1
You can convert this usage to unified form by pasting the content of the certificate and key files directly into the OpenVPN profile as follows using an XML-like syntax:
<ca>
. . .
</ca>
<cert>
. . .
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
. . .
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
. . .
-----END OpenVPN Static key V1-----
</tls-auth>
Another approach to eliminate certificates and keys from the OpenVPN profile is to use the Android Keychain as described below.
NOTE: when converting tls-auth to unified format, check whether there is a second parameter after the filename (usually 0 or 1). This is the key-direction parameter, and it must be specified as a standalone directive when tls-auth is converted to unified format. For example, if the parameter is 1, add this line to the profile:
key-direction 1
If there is no second parameter to tls-auth, you must add this line to the profile:
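The conversion described above, as an added example in Python (not code from OpenVPN Connect or the OpenVPN project): it replaces the files named by the ca, cert, key, tls-auth and crl-verify directives with the corresponding inline blocks and turns the second parameter of tls-auth into a standalone key-direction directive. The function names, the sample profile and the sample file names are this example's own, and the PEM bodies are placeholders. For a tls-auth line without a direction parameter it emits OpenVPN's keyword for that case, key-direction bidirectional; the crl-verify form that names a directory (with the dir flag) is left as-is because a directory cannot be inlined.

```python
"""Convert a traditional OpenVPN client profile that references external
files into the unified (inline) format.

Added example, not code from OpenVPN Connect or the OpenVPN project; the
function names and sample inputs are this example's own.
"""

# Directives whose first argument is a file that the unified format inlines.
INLINE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "crl-verify")


def convert_to_unified(profile_text, files):
    """Return profile_text with file references replaced by inline blocks.

    files maps each referenced filename to its text content, as read from the
    directory holding the .ovpn file.  A reference to a file that is not in
    the mapping raises KeyError so a half-converted profile is never emitted.
    """
    out = []
    for line in profile_text.splitlines():
        fields = line.split()
        # Blank lines and comments pass through untouched.
        if not fields or fields[0][0] in "#;":
            out.append(line)
            continue
        directive, args = fields[0], fields[1:]
        # 'crl-verify <path> dir' names a directory and cannot be inlined;
        # an explicit [inline] marker means there is no file to read.
        inlinable = (directive in INLINE_DIRECTIVES and args
                     and args[0] != "[inline]"
                     and not (directive == "crl-verify" and "dir" in args[1:]))
        if not inlinable:
            out.append(line)
            continue
        if directive == "tls-auth":
            # The optional second parameter (0 or 1) is the key direction;
            # in unified form it must become its own directive.  With no
            # parameter OpenVPN's equivalent keyword is "bidirectional".
            direction = args[1] if len(args) > 1 else "bidirectional"
            out.append("key-direction " + direction)
        out.append("<%s>" % directive)
        out.append(files[args[0]].strip("\n"))
        out.append("</%s>" % directive)
    return "\n".join(out) + "\n"


def profile_size_ok(profile_text, limit=256 * 1024):
    """The app requires profiles to be UTF-8 and under 256 KB in size."""
    return len(profile_text.encode("utf-8")) < limit


# Constructed sample input: a traditional profile plus the files it names.
# The PEM bodies are placeholders, not real certificates or keys.
SAMPLE_PROFILE = """\
client
dev tun
remote vpn.example.com 1194 udp
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
crl-verify crl.pem
"""

SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\nCLIENT-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN RSA PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\nTA-PLACEHOLDER\n-----END OpenVPN Static key V1-----\n",
    "crl.pem": "-----BEGIN X509 CRL-----\nCRL-PLACEHOLDER\n-----END X509 CRL-----\n",
}

if __name__ == "__main__":
    unified = convert_to_unified(SAMPLE_PROFILE, SAMPLE_FILES)
    print(unified)
    print("size ok:", profile_size_ok(unified))
```

Run it in the directory that holds the .ovpn file and the files it references, reading each referenced file into the mapping; the output is a single profile that can be imported on its own, with no dependency on files sitting next to it.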
A: Yes. The OpenVPN app supports IPv6 transport and IPv6 tunnels as long as the server supports them as well.
A: This is something Android requires to affirm that the VPN session is high priority and should not be arbitrarily terminated by the system.
A: On some Android devices, a connection notification sound is played by Android whenever a VPN tunnel is established, and cannot be silenced by a non-root app.
Note that it is possible to reduce the frequency of these notifications by going to the Preferences menu and selecting the Seamless Tunnel option.
A: Consider selecting the Battery Saver option in the Preferences menu to Pause the VPN when the device screen is blanked. This will cause the VPN to disconnect when the screen is blanked and automatically reconnect when the screen becomes visible again. While this option can extend battery life, it should not be used if you have apps running in the background that require continuous access to the internet via the VPN (such as a new email notifier).
Note that if you select both the Battery Saver and Seamless Tunnel options, you will block any app from reaching the internet while the VPN is active but the device screen is blanked. This can be useful for additional energy savings, as long as you don't have any background apps that need constant internet access.
A: Yes, using shortcuts. Go to Menu / Add Shortcut to add a shortcut to your home page. Shortcuts can be created for:
A: In the Preferences menu, select the Reconnect on reboot option. Also, consider setting the Connection Timeout preference to "continuously retry". If you want to prevent apps from accessing the internet, except through the VPN, select the Seamless Tunnel preference.
A: Some cellular networks are incapable of maintaining a data connection during a voice call. If Android detects this as a loss of network connectivity, the VPN should enter a pause state during the duration of the call, and automatically resume after the call is complete. However if the loss of data connectivity isn't detected by Android, the VPN connection may time out and disconnect.
A: If you check the Save checkbox on the authentication or private key password fields, the app will store your password in encrypted form; however, a determined attacker with physical possession of the device would still be able to recover the password with some reverse engineering.
Currently, the best options for security are to avoid saving passwords, and to use the Android Keychain as a repository for your private key (see below).
The Android developers are in the process of implementing an API for secure storage of passwords that will leverage the hardware-backed keystore and master device password; however, this development is not complete as of Android 4.2. This approach will protect saved passwords even if the device is rooted. When this development is complete, we plan to support it in the app.
A: The save password switch on the authentication password field is normally enabled, but can be disabled by the following:
The following OpenVPN directive, if present in a profile, will disable the password save switch:
setenv ALLOW_PASSWORD_SAVE 0
Note however that the above directive only applies to the authentication password. The private key password, if it exists, can always be saved.
A: If you have a profile that connects to a server without a client certificate/key, you will need to add the following directive to your profile:
setenv CLIENT_CERT 0
This is necessary to resolve an ambiguity when the profile contains no client certificate or key, because otherwise the client app can't know whether an external certificate/key pair should be obtained from the Android Keychain, or whether the server actually doesn't require a client certificate/key (for example if the server is configured with the client-cert-not-required directive). The option is given as a "setenv" to avoid breaking other OpenVPN clients that might not recognize it.
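As an added example (not part of OpenVPN Connect), the checks a practitioner would run on a .ovpn file before importing it, covering the points made in this FAQ: the profile must be UTF-8 and under 256 KB, every file named by ca, cert, key, tls-auth or crl-verify must be present beside the .ovpn at import time, tls-auth cannot be combined with auth none, and a profile with no cert/key directives will prompt for an Android Keychain certificate unless it carries setenv CLIENT_CERT 0. The function names and the sample profile are this example's own.

```python
"""Pre-import checks for an OpenVPN Connect for Android profile.

Added example, not code from OpenVPN Connect; function names and the sample
profile are this example's own.
"""

SIZE_LIMIT = 256 * 1024
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "crl-verify")


def parse_directives(text):
    """Yield (directive, args) for each non-comment line.

    An inline <name>...</name> block is reported once as (name, ["[inline]"])
    and its body lines are skipped.
    """
    inline = None
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in "#;":
            continue
        if inline is not None:
            if s == "</%s>" % inline:
                inline = None
            continue
        if s.startswith("<") and s.endswith(">") and not s.startswith("</"):
            inline = s[1:-1]
            yield inline, ["[inline]"]
            continue
        fields = s.split()
        yield fields[0], fields[1:]


def check_profile(raw_bytes, available_files):
    """Return a list of findings; an empty list means the profile passes.

    raw_bytes is the .ovpn file content; available_files is the set of file
    names present beside it at import time.  Findings prefixed "note:" are
    informational; the others will break the import or the connection.
    """
    findings = []
    if len(raw_bytes) >= SIZE_LIMIT:
        findings.append("profile is %d bytes; it must be under 256 KB" % len(raw_bytes))
    try:
        text = raw_bytes.decode("utf-8")
    except UnicodeDecodeError:
        findings.append("profile is not UTF-8 (or ASCII) encoded")
        return findings

    directives = list(parse_directives(text))
    names = {d for d, _ in directives}

    # Every file a directive names must sit next to the .ovpn during import.
    for d, args in directives:
        if d not in FILE_DIRECTIVES or not args or args[0] == "[inline]":
            continue
        if d == "crl-verify" and "dir" in args[1:]:
            continue  # a CRL directory, not a single file
        if args[0] not in available_files:
            findings.append("%s references missing file %s" % (d, args[0]))

    # tls-auth needs an auth digest, so "auth none" makes it unusable.
    auth_none = any(d == "auth" and a[:1] == ["none"] for d, a in directives)
    if "tls-auth" in names and auth_none:
        findings.append("tls-auth cannot be used with 'auth none'; remove the tls-auth directive")

    # Without cert/key the app asks the Android Keychain for a certificate,
    # unless setenv CLIENT_CERT 0 says the server does not require one.
    client_cert_0 = any(d == "setenv" and a[:2] == ["CLIENT_CERT", "0"]
                        for d, a in directives)
    if not ({"cert", "key"} & names) and not client_cert_0:
        findings.append("note: no cert/key directive; the app will prompt for a Keychain "
                        "certificate unless the profile sets 'setenv CLIENT_CERT 0'")
    return findings


# Constructed sample: a profile showing the conflicts described above, and
# the set of files actually present in its directory.
SAMPLE_PROFILE = b"""\
client
dev tun
remote vpn.example.com 1194 udp
auth none
ca ca.crt
tls-auth ta.key 1
"""
SAMPLE_DIR = {"ca.crt"}

if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE, SAMPLE_DIR):
        print(finding)
```

The sample reports the missing ta.key, the tls-auth/auth none conflict, and the note about the absent cert/key; a profile that embeds its material inline and names no external files produces no findings.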
A: The Android VPN API supports only tun-style tunnels at the moment. This is a limitation of the Android platform. If you try to connect a profile that uses a tap-based tunnel, you will get an error that only layer 3 tunnels are currently supported.
If you really want to see tap-style tunnels supported in OpenVPN Connect, we would encourage you to contact the Google Android team and ask that the VpnService API be extended to allow this. Without such changes to the VpnService API, it is not possible for non-root apps such as OpenVPN Connect to support tap-style tunnels.
A: While most OpenVPN client directives are supported by the app, we have made an effort to reduce bloat and improve maintainability by eliminating what we believe to be obsolete or rarely-used directives. Please email us at firstname.lastname@example.org if you believe that a specific directive that is not included should be reconsidered for inclusion.
Here is a partial list of directives not currently supported:
A: Yes, you can import any number of profiles from the Import menu -- tap the profile field to select one. Keep in mind that OpenVPN will assign a name to a profile based on the server that the profile connects to. If you import a profile with the same name as one that already exists, the new profile will replace the old one. You can prevent this from happening by renaming the old profile.
A: Doing a "long touch" on the profile field will bring up a context menu for that profile that includes delete, rename, etc.
A: Yes, you can add any number of proxies from the main menu. Once a proxy is added, a proxy selection field will appear on the main page. Tap the field to select a proxy or None at the end of the list to connect directly.
A: Doing a "long touch" on the proxy field will bring up a context menu for that proxy that includes edit, delete, etc.
A: Using the Android Keychain to store your private key has the added security advantage of leveraging the hardware-backed keystores that exist on many Android devices, allowing the key to be protected by the Android-level device password, and preventing key compromise even if the device is rooted.
If you already have your client certificate and private key bundled into a PKCS#12 file (extension .p12 or .pfx), you can import it into the Android Keychain using either the Import menu or the Settings app.
If you don't have a PKCS#12 file, you can convert your certificate and key files into PKCS#12 form using the following openssl command (where cert, key, and ca are your client certificate, client key, and root CA files):
openssl pkcs12 -export -in cert -inkey key -certfile ca -name MyClient -out client.p12
Then import the client.p12 file from the previous step into the app using the Import / Import PKCS#12 menu option.
Once this is done, remove the ca, cert, and key directives from your .ovpn file and re-import it. When you connect the first time, the app will ask you to select a certificate to use for the profile. Just select the MyClient certificate and you should be able to connect normally.
A: When you generate a PKCS#12 file, you will always be asked for an "export password" to encrypt the file. This password must again be presented when the PKCS#12 file is imported into the Android Keychain. This is to prevent interception and recovery of the private key during transport.
PKCS#12 files on Android are used somewhat differently than on desktop versions of OpenVPN. In desktop versions, PKCS#12 files can be bundled or referenced in the OpenVPN profile. On Android, however, PKCS#12 management is built into the Android Keychain. This approach is much better from a security perspective, because the Keychain can then leverage hardware features in the device such as hardware-backed keystores. However, it does require that the PKCS#12 file is loaded into the Android Keychain as a separate step from importing the OpenVPN profile. It also moves the responsibility for managing PKCS#12 files to the Android Keychain, and away from OpenVPN, so it can potentially introduce compatibility issues.
To use a PKCS#12 file on Android, see the FAQ item above: How do I use a client certificate and private key from the Android Keychain?
A: You can provide OpenVPN with a list of servers to connect to. On connection failure, OpenVPN will rotate through the list until it finds a responsive server. For example, the following entries in the profile will first try to connect to server A via UDP port 1194, then TCP port 443, then repeat the process with server B. OpenVPN will continue to retry until it successfully connects or hits the Connection Timeout, which can be configured in the Preferences.
remote server-a.example.tld 1194 udp
remote server-a.example.tld 443 tcp
remote server-b.example.tld 1194 udp
remote server-b.example.tld 443 tcp
A: Send email to email@example.com.