OpenVPN Connect (Android) FAQ

OpenVpn Newbie
Posts: 4
Joined: Thu Nov 07, 2013 10:30 am

OpenVPN Connect (Android) FAQ

Postby Nadu » Sat Nov 30, 2013 2:06 am

I couldn't find the FAQ online so I thought it might be a good idea to post them here. I hope this is alright with the authors. Please remove th post if this is not the case.


Code: Select all

OpenVPN Connect Android FAQ

Q: How to get started?

A: To use this app, you must have an OpenVPN profile and a server to connect to. OpenVPN profiles are files that have an extension of .ovpnThere are several methods available to import a profile:If you have a .ovpn profile, copy the profile and any files it references to the SD card folder on your device (copy all files to the same folder). Then go to Menu / Import / Import Profile from SD card.If you have an account on an OpenVPN Access Server, you can import the profile directly from the Access Server by going to Menu / Import / Import Access Server Profile.If you have an account on the Private Tunnel service, go to Menu / Import / Import Private Tunnel Profile.

Q: I am having trouble importing my .ovpn file.

A: Here are some basic pointers for importing .ovpn files:When you import a .ovpn file, make sure that all files referenced by the .ovpn file such as ca, cert, and key files are in the same directory on the device as the .ovpn file.Profiles must be UTF-8 (or ASCII) and under 256 KB in size.Consider using the unified format for OpenVPN profiles which allows all certs and keys to be embedded into the .ovpn file. This eases management of the OpenVPN configuration because it integrates all elements of the configuration into a single file.For example, a traditional OpenVPN profile might specify certs and keys as follows:ca ca.crtcert client.crtkey client.keytls-auth ta.key 1You can convert this usage tounified form by pasting the content of the certificate and key files directly into the OpenVPN profile as follows using an XML-like syntax:<ca>-----BEGIN CERTIFICATE-----MIIBszCCARygAwIBAgIE.... . ./NygscQs1bxBSZ0X3KRk...Lq9iNBNgWg==-----END CERTIFICATE-----</ca><cert>-----BEGIN CERTIFICATE-----. . .</cert><key>-----BEGIN RSA PRIVATE KEY-----. . .</key>key-direction 1<tls-auth>-----BEGIN OpenVPN Static key V1-----. . .</key>Another approach to eliminate certificates and keys from the OpenVPN profile is to use the Android Keychain as described below.NOTE: when converting tls-authto unified format, check if there is a second parameter after the filename (usually a 0 or 1). This parameter is known as the key-direction parameter and must be specified as a standalone directive when tls-auth is converted to unified format. For example if the parameter is 1, add this line to the profile:key-direction 1If there is no second parameter totls-auth, you must add this line to the profile:key-direction bidirectional

Q: Where are the support forums for OpenVPN Connect?


Q: Is IPv6 supported?

A: Yes. The OpenVPN app supports IPv6 transport and IPv6 tunnels as long as the server supports them as well.

Q: Why does OpenVPN Connect show two notification icons when connected?

A: This is something Android requires to affirm that the VPN session is high priority and should not be arbitrarily terminated by the system.

Q: Can I disable the connection notification sound?

A: On some Android devices, a connection notification sound is played by Android whenever a VPN tunnel is established, and cannot be silenced by a non-root app.Note that it is possible to reduce the frequency of these notifications by going to the Preferences menu and selecting the Seamless Tunnel option.

Q: How can I maximize battery life?

A: Consider selecting the Battery Saveroption in the Preferences menu to Pause the VPN when the device screen is blanked. This will cause the VPN to disconnect when the screen is blanked and automatically reconnect when the screen becomes visible again. While this option can extend battery life, it should not be used if you have apps running in the background that require continuous access to the internet via the VPN (such as a new email notifier).Note that if you select both the Battery Saver and Seamless Tunnel options, you will block any app from reaching the internet while the VPN is active but the device screen is blanked. This can be useful for additional energy savings, as long as you don't have any background apps that need constant internet access.

Q: Can I control the VPN from outside the app?

A: Yes, using shortcuts. Go to Menu / Add Shortcut to add a shortcut to your home page. Shortcuts can be created for:connecting a specific profile,disconnecting, andlaunching the app

Q: How can I ensure that the VPN stays continuously connected?

A: In the Preferences menu, select theReconnect on reboot option. Also, consider setting the Connection Timeout preference to "continuously retry". If you want to prevent apps from accessing the internet, except through the VPN, select the Seamless Tunnelpreference.

Q: Why does the VPN disconnect when I make or receive a voice call?

A: Some cellular networks are incapable of maintaining a data connection during a voice call. If Android detects this as a loss of network connectivity, the VPN should enter a pause state during the duration of the call, and automatically resume after the call is complete. However if the loss of data connectivity isn't detected by Android, the VPN connection may time out and disconnect.

Q: Given that mobile devices are easily lost or stolen, how best to secure VPN profiles against compromise if the device falls into the wrong hands?

A: The most sensitive piece of data in a profile is the private key. Consider removing the client certificate and private key from the profile and save them in the device Keychain instead (this is discussed below).Use a strong device-level password. This is critical to protect data stored in the device Keychain.

Q: Is it safe to save passwords?

A: If you check the Save checkbox on the authentication or private key password fields, the app will store your password in an encrypted form, however a determined attacker with physical possession of the device would still be able to recover the password with some reverse engineering.Currently, the best options for security are to avoid saving passwords, and to use the Android Keychain as a repository for your private key (see below).The Android developers are in the process of implementing an API for secure storage of passwords that will leverage on the hardware-backed keystore and master device password, however this development is not complete as of Android 4.2. This approach will protect saved passwords even if the device is rooted. When this development is complete, we plan to support it in the app.

Q: Why is the save password switch sometimes disabled?

A: The save password switch on the authentication password field is normally enabled, but can be disabled by the following:Profiles that make use of static challenge/response (i.e. one-time passwords) will disable the save switch, since there is no reason to save a password which constantly changes.The following OpenVPN directive, if present in a profile, will disable the password save switch:setenv ALLOW_PASSWORD_SAVE 0Note however that the above directive only applies to the authentication password. The private key password, if it exists, can always be saved.

Q: How to make the app work with profiles that lack a client certificate/key?

A: If you have a profile that connects to a server without a client certificate/key, you will need to add the following directive to your profile:setenv CLIENT_CERT 0This is necessary to resolve an ambiguity when the profile contains no client certificate or key, because otherwise the client app can't know whether an external certificate/key pair should be obtained from the Android Keychain, or whether the server actually doesn't require a client certificate/key (for example if the server is configured with the client-cert-not-required directive). The option is given as a "setenv" to avoid breaking other OpenVPN clients that might not recognize it.

Q: Why doesn't the app support tap-style tunnels?

A: The Android VPN API supports only tun-style tunnels at the moment. This is a limitation of the Android platform. If you try to connect a profile that uses a tap-based tunnel, you will get an error that only layer 3 tunnels are currently supported.If you really want to see tap-style tunnels supported in OpenVPN Connect, we would encourage you tocontact the Google Android team and ask that the VpnService API be extended to allow this. Without such changes to the VpnService API, it is not possible for non-root apps such as OpenVPN Connect to support tap-style tunnels.

Q: Are there any OpenVPN directives not supported by the app?

A: While most OpenVPN client directives are supported by the app, we have made an effort to reduce bloat by eliminating what we believe to be obsolete or rarely-used directives. Please email us if you believe that a specific directive that is not included should be reconsidered for inclusion.Here is a partial list of directives not currently supported:dev tap €” This directive is not supported because the underlying Android VPN API doesn't support tap-style tunnels.fragment €” The fragment directive is not supported due to the complexity it adds to the OpenVPN implementation and the fact that it is usually better to leave fragmentation up to the lower-level transport protocols. Note as well that the client does not support connecting to a server that uses the fragment directive.mssfix €” This directive will be added in a future release. Since the functionality of mssfix can be achieved on either the client or server side, specifying it on the server side will enable it even if the client doesn't support the directive.secret €” Static key encryption mode (non-TLS) is not supported.Ciphers other than AES and Blowfish €” Currently, only AES and Blowfish ciphers are supported. This is done to reduce bloat and improve energy efficiency. The AES cipher algorithm, in particular, is well-suited for the ARM processor generally used in Android devices.proxy directives €” The app fully supports HTTP proxy connections at the UI level (see Menu -> Add Proxy) so it is unnecessary to specify these directives in the profile.

Q: Can I have multiple profiles?

A: Yes, you can import any number of profiles from the Import menu -- tap the profile field to select one. Keep in mind that OpenVPN will assign a name to a profile based on the server that the profile connects to. If you import a profile with the same name as one that already exists, the new profile will replace the old one. You can prevent this from happening by renaming the old profile.

Q: How do I delete or rename a profile?

A: Doing a "long touch" on the profile field will bring up a context menu for that profile that includes delete, rename, etc.

Q: Can I have multiple proxies?

A: Yes, you can add any number of proxies from the main menu. Once a proxy is added, a proxy selection field will appear on the main page. Tap the field to select a proxy or None at the end of the list to connect directly.

Q: How do I edit or delete a proxy?

A: Doing a "long touch" on the proxy field will bring up a context menu for that proxy that includes edit, delete, etc.

Q: How do I use a client certificate and private key from the Android Keychain?

A: Using the Android keychain to store your private key has the added security advantage of leveraging on the hardware-backed keystores that exist on many Android devices, allowing the key to be protected by the Android-level device password, and preventing key compromise even if the device is rooted.If you already have your client certificate and private key bundled into a PKCS#12 file (extension .p12 or .pfx), you can import it into the Android Keychain using either the Import menu or the Settings app.If you don't have a PKCS#12 file, you can convert your certificate and key files into PKCS#12 form using thisopenssl command (where cert, key, andca are your client certificate, client key, and root CA files).openssl pkcs12 -export -in cert -inkey key -certfile ca -name MyClient -out client.p12Then import the client.p12 file from the previous step into the app using the Import / Import PKCS#12 menu option.Once this is done, remove the ca, cert, and key directives from your .ovpn file and re-import it. When you connect the first time, the app will ask you to select a certificate to use for the profile. Just select the MyClient certificate and you should be able to connect normally.

Q: When I try to import a PKCS#12 file, why am I being asked for a password?

A: When you generate a PKCS#12 file, you will always be asked for an "export password" to encrypt the file. This password must again be presented when the PKCS#12 file is imported into the Android Keychain. This is to prevent interception and recovery of the private key during transport.

Q: Why doesn't the PKCS#12 file in my OpenVPN configuration file work the same as on desktop systems?

PKCS#12 files on Android are used somewhat differently than on desktop versions of OpenVPN. In desktop versions, PKCS#12 files can be bundled or referenced in the OpenVPN profile. On Android, however, PKCS#12 management is built into the Android Keychain. This approach is much better from a security perspective, because the Keychain can then leverage on hardware features in the device such as hardware-backed keystores. However, it does require that the PKCS#12 file is loaded into the Android Keychain as a separate step from importing the OpenVPN profile. It also moves the responsibility for managing PKCS#12 files to the Android Keychain, and away from OpenVPN, so it can potentially introduce compatibility issues.To use a PKCS#12 file on Android, see the FAQ item above: How do I use a client certificate and private key from the Android Keychain?

Q: How do I set up my profile for server failover?

A: You can provide OpenVPN with a list of servers to connect to. On connection failure, OpenVPN will rotate through the list until it finds a responsive server. For example, the following entries in the profile will first try to connect to server A via UDP port 1194, then TCP port 443, then repeat the process with server B. OpenVPN will continue to retry until it successfully connects or hits the Connection Timeout, which can be configured in the Preferences.remote server-a.example.tld 1194 udpremote server-a.example.tld 443 tcpremote server-b.example.tld 1194 udpremote server-b.example.tld 443 tcp

Q: How can I contact the developers about bugs or feature requests?

A: Send email to

OpenVpn Newbie
Posts: 4
Joined: Sat Feb 08, 2014 3:27 pm

Re: OpenVPN Connect (Android) FAQ

Postby dgcruzing » Sun Feb 09, 2014 11:52 am

Thanks for posting this.. I used it and the VPNUK setup instructions and have got it setup this afternoon very quickly..

As I am behind the GCFW openvpn is always a harder option to use on any device compared to the other protocols.. So I am happy to have this option going as once a openvpn is running smoothly it usually is a better option for streaming..

One thing that could be addressed a little more is the option to transfer all the setup to another device..

At the moment I have used Titanium backup to make a backup of data files and got that unpacked to this 2nd device I using... But even thru I know all the files I have setup..about 20 connection points I haven't been able to pull up the 'shortcuts' that I have created on the other device..thus at the moment I can not access the other access points I have loaded in..

I could be missing something here but is there an option to list all the config files you have loaded in..from with the program?.. Thus I can make new shortcuts to them for future access..?

Sent from my GT-I9300 using Tapatalk

OpenVpn Newbie
Posts: 4
Joined: Sat Feb 08, 2014 3:27 pm

Re: OpenVPN Connect (Android) FAQ

Postby dgcruzing » Sun Feb 09, 2014 12:18 pm

Can't seem to edit the above post.. But anyway found the option to pull down the servers I have entered so will work shortcuts out..

Good job...makes life so much easier for those that are always flashing Roms to their devices..

Sent from my GT-I9300 using Tapatalk

OpenVpn Newbie
Posts: 5
Joined: Fri Apr 18, 2014 6:44 am

Re: OpenVPN Connect (Android) FAQ

Postby iunlock » Fri Apr 18, 2014 6:48 am

I am getting these error messages:

Error Message1: "Problem creating TUN interface: Possibly the tun.ko kernel module is not loaded in your Android Kernel"

Error Message2: "Error creating the tun interface: cannot acquire tun interface socket"

I changed the APN protocol to IPv4/IPv6 and APN roaming protocol to IPv4/IPv6 as well as this is the only way that it seems to stay connected to VPN. However, I'm not quite sure about the APN protocol also being on IPv6? DNS leak? Yes...I've checked.

Galaxy Note 3 w/ Custom Rom

I saw the App (TUN.ko Installer) in the App Store, but it doesn't look like it supports my phone and ROM.


OpenVpn Newbie
Posts: 2
Joined: Tue May 20, 2014 11:29 am

Re: OpenVPN Connect (Android) FAQ

Postby persianvpn » Wed May 21, 2014 9:39 am

Hi Thanks for the post. I managed to connect my android to my windows server However I'm not sure what to do with the client crt and key which I created on my server. since there's no option on openvpn connect app to import the certificates as well as the profile.

How can I make sure the client key and crt are being used and the connection is encrypted? :?

Thank you :)

OpenVPN User
Posts: 16
Joined: Thu Jun 26, 2014 3:56 pm

Re: OpenVPN Connect (Android) FAQ

Postby Fahrenheit » Tue Jul 01, 2014 5:32 pm

[quote="persianvpn"]Hi Thanks for the post. I managed to connect my android to my windows server However I'm not sure what to do with the client crt and key which I created on my server. since there's no option on openvpn connect app to import the certificates as well as the profile.

How can I make sure the client key and crt are being used and the connection is encrypted? :?

Thank you :)[/quote]

The .ovpn file is a connection profile, and contains all the connection and cert info you need to connect. If you have generated this file, you can open it in a text editor and see if the keys were pasted inside it for you. If you're successfully connecting, all should be encrypted.

OpenVpn Newbie
Posts: 1
Joined: Tue Jul 22, 2014 2:03 pm

Re: OpenVPN Connect (Android) FAQ

Postby macmeck » Tue Jul 22, 2014 2:06 pm

I'm using OpenVPN Connect on a tablet with two Android user profiles. It seems to me that only the user who is "owner" of the tablet can connect to the VPN. Application and VPN profiles are set up identically for both Android users.

Could someone confirm or, even better, help me on this?

OpenVpn Newbie
Posts: 3
Joined: Tue Apr 14, 2015 8:51 pm

Re: OpenVPN Connect (Android) FAQ

Postby leaskovski » Tue May 12, 2015 2:18 pm

I believe the comment about TAP not being supported on Android is not exactly true any more, being that I have successfully demo'ed an Open VPN client that supports TAP without my device being rooted. I won't post the link to the App as I don't want to promote against the Free official android Open VPN client. I wonder how they have managed to implement it?

OpenVpn Newbie
Posts: 4
Joined: Thu Jul 16, 2015 11:51 pm

Re: OpenVPN Connect (Android) FAQ

Postby joas1 » Fri Jul 17, 2015 4:59 pm

Hello, am trying to use VPN on my android pad but it refuse to connect. It alwaysnsay this "unknown openvpn event occurred: transport error on NETWORK_EOF_ERROR" or unknown openvpn event occurred: transport error on via HTTP proxy NETWORK_EOF_ERROR'. I need help.

Alex Morris
OpenVPN User
Posts: 23
Joined: Tue Mar 04, 2014 12:38 am

Re: OpenVPN Connect (Android) FAQ

Postby Alex Morris » Sat Mar 12, 2016 12:35 pm

May I suggest adding some information to the Android FAQ regarding the embedding of inline files in the OVPN profile?

I have a .OVPN profile with inline TLS-AUTH and PKCS12 files. This OVPN profile works seamlessly under Windows, but fails under Android (the OpenVPN server whines about failed TLS authentication during any attempts to connect from Android).

I eventually twigged (lightbulb moment!) that it's because OpenVPN for Android uses PolarSSL, and PolarSSL does not support the PKCS12 directive (see the "--pkcs12 file" section on ... n23ManPage). Once I replaced the inline PKCS12 data with three inline CA, CERT, and KEY files, the VPN authentication from my Android phone worked as desired.

The caveat for this: embedding the certificate data inline in the OVPN profile can be less secure than using Android's keychain to store an external PKCS12 certificate.

Background: my Android phone runs KitKat (the manufacturer says Lollipop won't be provided), and KitKat does not allow certificates to be stored with anything less than a PIN or Password for the screen lock. In contrast, Lollipop allows certificates to be stored with a Pattern as the screen lock.

I want to use both OpenVPN and a Pattern screen lock on my phone, and the only way I can do that is to use inline certificates in my OpenVPN profiles. Or buy a new phone with either Lollipop or Marshmallow...

Return to “OpenVPN Connect (Android)”

Who is online

Users browsing this forum: No registered users and 1 guest