OpenVPN Connect Android FAQ

Last update: 2016-10-11 20:53

Q: I am getting the error "PolarSSL: error parsing cert certificate : X509 - The date tag or value is invalid"

This is not a bug in OpenVPN or mbedTLS/PolarSSL but is actually caused by incorrectly formatted certificates. See this detailed forum post for more info.

Q: I am getting the error "Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Processing of the ServerKeyExchange handshake message failed".

This may be related to using older versions of OpenVPN/OpenSSL on the server side. Some users have solved this issue by updating their OpenVPN server-side software and/or OpenSSL.

Q: I cannot connect to the server (client times out), and the server log file shows "TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher".

This is usually remedied by going to the OpenVPN Preferences menu and selecting "Force AES-CBC ciphersuites".

Q: I am getting the error "digest_error: NONE: not usable"

This can occur if you specify auth none and also tls-auth in your client profile. This occurs because tls-auth needs an auth digest, but none was specified. There's a straightforward fix: just remove the tls-auth directive, since it can't be enabled anyway unless you have a non-none auth directive.

Q: How to get started?

A: To use this app, you must have an OpenVPN profile and a server to connect to. OpenVPN profiles are files that have an extension of .ovpn

There are several methods available to import a profile:

Q: Is OpenVPN Connect for Android vulnerable to Heartbleed?

A: No, all versions of OpenVPN Connect for Android use the PolarSSL library, which is immune to Heartbleed.

Q: Are CRLs (certificate revocation lists) supported?

A: Yes, CRLs are supported starting with version 1.1.14 for Android.

To use a CRL, it must be added to the .ovpn profile, such as:

<crl-verify>
-----BEGIN X509 CRL-----
MIHxMFwwDQYJKoZIhvcNAQEEBQAwFTETMBEGA1UEAxMKT3BlblZQTiBDQRcNMTQw
NDIyMDQzOTI3WhcNMjQwNDE5MDQzOTI3WjAWMBQCAQEYDzIwMTQwNDIyMDQzOTI3
WjANBgkqhkiG9w0BAQQFAAOBgQBQXzbNjXkx8+/TeG8qbFQD5wd6wOTe8HnypQTt
eELsI7eyNtiRRhJD3qKfawPVUabSijnwhAPHfhoIOLKe67RLfzOwAsFKPNJAVdmq
rYw1t2eucHvGjH8PnTh0aJPJaI67jmNbSI4CnHNcRgZ+1ow1GS+RAK7kotS+dZz9
0tc7Qw==
-----END X509 CRL-----
</crl-verify>

Multiple CRLs may be concatenated together within the crl-verify block above.

If you are importing a .ovpn file that references an external CRL file such as

crl-verify crl.pem

make sure to drop the file crl.pem into the same place as the .ovpn file during import, so the profile parser can access it.

Q: I am having trouble importing my .ovpn file.

A: Here are some basic pointers for importing .ovpn files:

Q: Where are the support forums for OpenVPN Connect?

A: https://forums.openvpn.net/

Q: Is IPv6 supported?

A: Yes. The OpenVPN app supports IPv6 transport and IPv6 tunnels as long as the server supports them as well.

Q: Why does OpenVPN Connect show two notification icons when connected?

A: This is something Android requires to affirm that the VPN session is high priority and should not be arbitrarily terminated by the system.

Q: Can I disable the connection notification sound?

A: On some Android devices, a connection notification sound is played by Android whenever a VPN tunnel is established, and cannot be silenced by a non-root app.

Note that it is possible to reduce the frequency of these notifications by going to the Preferences menu and selecting the Seamless Tunnel option.

Q: How can I maximize battery life?

A: Consider selecting the Battery Saver option in the Preferences menu to Pause the VPN when the device screen is blanked. This will cause the VPN to disconnect when the screen is blanked and automatically reconnect when the screen becomes visible again. While this option can extend battery life, it should not be used if you have apps running in the background that require continuous access to the internet via the VPN (such as a new email notifier).

Note that if you select both the Battery Saver and Seamless Tunnel options, you will block any app from reaching the internet while the VPN is active but the device screen is blanked. This can be useful for additional energy savings, as long as you don't have any background apps that need constant internet access.

Q: Can I control the VPN from outside the app?

A: Yes, using shortcuts. Go to Menu / Add Shortcut to add a shortcut to your home page. Shortcuts can be created for:

Q: How can I ensure that the VPN stays continuously connected?

A: In the Preferences menu, select the Reconnect on reboot option. Also, consider setting the Connection Timeout preference to "continuously retry". If you want to prevent apps from accessing the internet, except through the VPN, select the Seamless Tunnel preference.

Q: Why does the VPN disconnect when I make or receive a voice call?

A: Some cellular networks are incapable of maintaining a data connection during a voice call. If Android detects this as a loss of network connectivity, the VPN should enter a pause state during the duration of the call, and automatically resume after the call is complete. However if the loss of data connectivity isn't detected by Android, the VPN connection may time out and disconnect.

Q: Given that mobile devices are easily lost or stolen, how best to secure VPN profiles against compromise if the device falls into the wrong hands?

Q: Is it safe to save passwords?

A: If you check the Save checkbox on the authentication or private key password fields, the app will store your password in an encrypted form, however a determined attacker with physical possession of the device would still be able to recover the password with some reverse engineering.

Currently, the best options for security are to avoid saving passwords, and to use the Android Keychain as a repository for your private key (see below).

The Android developers are in the process of implementing an API for secure storage of passwords that will leverage on the hardware-backed keystore and master device password, however this development is not complete as of Android 4.2. This approach will protect saved passwords even if the device is rooted. When this development is complete, we plan to support it in the app.

Q: Why is the save password switch sometimes disabled?

A: The save password switch on the authentication password field is normally enabled, but can be disabled by the following:

Q: How to make the app work with profiles that lack a client certificate/key?

A: If you have a profile that connects to a server without a client certificate/key, you will need to add the following directive to your profile:

setenv CLIENT_CERT 0

This is necessary to resolve an ambiguity when the profile contains no client certificate or key, because otherwise the client app can't know whether an external certificate/key pair should be obtained from the Android Keychain, or whether the server actually doesn't require a client certificate/key (for example if the server is configured with the client-cert-not-required directive). The option is given as a "setenv" to avoid breaking other OpenVPN clients that might not recognize it.

Q: Why doesn't the app support tap-style tunnels?

A: The Android VPN API supports only tun-style tunnels at the moment. This is a limitation of the Android platform. If you try to connect a profile that uses a tap-based tunnel, you will get an error that only layer 3 tunnels are currently supported.

If you really want to see tap-style tunnels supported in OpenVPN Connect, we would encourage you to contact the Google Android team and ask that the VpnService API be extended to allow this. Without such changes to the VpnService API, it is not possible for non-root apps such as OpenVPN Connect to support tap-style tunnels.

Q: Are there any OpenVPN directives not supported by the app?

A: While most OpenVPN client directives are supported by the app, we have made an effort to reduce bloat and improve maintainability by eliminating what we believe to be obsolete or rarely-used directives. Please email us at android@openvpn.net if you believe that a specific directive that is not included should be reconsidered for inclusion.

Here is a partial list of directives not currently supported:

Q: Can I have multiple profiles?

A: Yes, you can import any number of profiles from the Import menu -- tap the profile field to select one. Keep in mind that OpenVPN will assign a name to a profile based on the server that the profile connects to. If you import a profile with the same name as one that already exists, the new profile will replace the old one. You can prevent this from happening by renaming the old profile.

Q: How do I delete or rename a profile?

A: Doing a "long touch" on the profile field will bring up a context menu for that profile that includes delete, rename, etc.

Q: Can I have multiple proxies?

A: Yes, you can add any number of proxies from the main menu. Once a proxy is added, a proxy selection field will appear on the main page. Tap the field to select a proxy or None at the end of the list to connect directly.

Q: How do I edit or delete a proxy?

A: Doing a "long touch" on the proxy field will bring up a context menu for that proxy that includes edit, delete, etc.

Q: How do I use a client certificate and private key from the Android Keychain?

A: Using the Android keychain to store your private key has the added security advantage of leveraging on the hardware-backed keystores that exist on many Android devices, allowing the key to be protected by the Android-level device password, and preventing key compromise even if the device is rooted.

If you already have your client certificate and private key bundled into a PKCS#12 file (extension .p12 or .pfx), you can import it into the Android Keychain using either the Import menu or the Settings app.

If you don't have a PKCS#12 file, you can convert your certificate and key files into PKCS#12 form using this openssl command (where cert, key, and ca are your client certificate, client key, and root CA files).

openssl pkcs12 -export -in cert -inkey key -certfile ca -name MyClient -out client.p12

Then import the client.p12 file from the previous step into the app using the Import / Import PKCS#12 menu option.

Once this is done, remove the ca, cert, and key directives from your .ovpn file and re-import it. When you connect the first time, the app will ask you to select a certificate to use for the profile. Just select the MyClient certificate and you should be able to connect normally.

Q: When I try to import a PKCS#12 file, why am I being asked for a password?

A: When you generate a PKCS#12 file, you will always be asked for an "export password" to encrypt the file. This password must again be presented when the PKCS#12 file is imported into the Android Keychain. This is to prevent interception and recovery of the private key during transport.

Q: Why doesn't the PKCS#12 file in my OpenVPN configuration file work the same as on desktop systems?

PKCS#12 files on Android are used somewhat differently than on desktop versions of OpenVPN. In desktop versions, PKCS#12 files can be bundled or referenced in the OpenVPN profile. On Android, however, PKCS#12 management is built into the Android Keychain. This approach is much better from a security perspective, because the Keychain can then leverage on hardware features in the device such as hardware-backed keystores. However, it does require that the PKCS#12 file is loaded into the Android Keychain as a separate step from importing the OpenVPN profile. It also moves the responsibility for managing PKCS#12 files to the Android Keychain, and away from OpenVPN, so it can potentially introduce compatibility issues.

To use a PKCS#12 file on Android, see the FAQ item above: How do I use a client certificate and private key from the Android Keychain?

Q: How do I set up my profile for server failover?

A: You can provide OpenVPN with a list of servers to connect to. On connection failure, OpenVPN will rotate through the list until it finds a responsive server. For example, the following entries in the profile will first try to connect to server A via UDP port 1194, then TCP port 443, then repeat the process with server B. OpenVPN will continue to retry until it successfully connects or hits the Connection Timeout, which can be configured in the Preferences.

remote server-a.example.tld 1194 udp
remote server-a.example.tld 443 tcp
remote server-b.example.tld 1194 udp
remote server-b.example.tld 443 tcp

Q: How can I contact the developers about bugs or feature requests?

A: Send email to android@openvpn.net.