suspect connection

Posted: Fri Apr 13, 2018 11:07 pm
by hadi5
When I set openvpn to connect automatically when the network becomes available, there is always a second https connection established by the openvpn app (see screenshot)

This does not happen if I manually activate the VPN connection after being connected to the network first

Is there some default connection being made by openvpn, maybe to check for updates or something? This is kinda unsettling.

Any ideas?

Edit: the connection also happens when the VPN is manually activated, but it does not seem to happen every time

Re: suspect connection

Posted: Sat Apr 14, 2018 8:22 am
by hadi5
Found out some more:

The IP was resolved from the DNS name ""
Codepush seems to be a service for apps provided by Microsoft.

The question remains why this connection is made and what is transmitted.
Since the connection is made through the VPN as well as outside it, this behavior breaks anonymity as well.

Edit: sha256 of my openvpn apk file

Edit2: VirusTotal results confirm the connection ... c/behavior

Re: suspect connection

Posted: Sat Apr 14, 2018 10:29 am
by novaflash
Hi hadi5,

Your forum post has been passed around internally a bit here and we're puzzled as well. As far as we know we aren't doing anything with We take this case extremely seriously though so we are investigating to see if there is any possible blame on our software. You provided an sha256 hash but what version of OpenVPN Connect for Android are you running right now? And you appear to be side-loading it- any reason for that as opposed to just using the Google Play Store? See, personally I'm thinking this might have something to do with the issue, so that's why I'm asking for details.

Re: suspect connection

Posted: Sat Apr 14, 2018 11:16 am
by hadi5
I am using LineageOS 15.1 (Oreo) and since I don't want to use Google services, I am using Yalp Store, which downloaded the APKs from the Play Store directly without requiring a Google account.

The openvpn connect version is 3.0.4 (1147)

The source of the apk is also what I suspect to be the source, that's why I provided the hash.
Can you confirm that the hash is correct?

I am going to upload the apk file shortly as well

Here is the apk file ... pk.7z.html

Re: suspect connection

Posted: Sun Apr 15, 2018 12:07 pm
by novaflash
I see. Well we didn't test for Lineage OS. We did have someone check the hash of the apk and it appears to be correct. We still have no clue however where this extra connection to azure is coming from though, but it is the weekend, so perhaps some of the dev guys will have some idea of what to check when they get back in the office.

Re: suspect connection

Posted: Wed Apr 18, 2018 6:23 pm
by hadi5
Any news about this?

Re: suspect connection

Posted: Thu Apr 19, 2018 6:36 am
by novaflash
Hello hadi5,

We have finally gotten to the bottom of this. I am sorry it took so long but there was the weekend in between and I had to chase it down quite far.

The good news is, it's not a virus. The bad news is, this was not supposed to be in a public release.

We are working on a better update system for the OpenVPN Connect app in Android using something called codepush. It was decided that a better software update mechanism was needed to speed up bug fixes and compatibility fixes. However it was also decided that there should be an opt-out function for this and that the connections would be made to an * domain so that it is easy to understand what is going on.

We are doing an internal investigation as to what happened but it looks like code was prepared, was supposed to not be active, until we finished this up. Somehow this code got activated. Currently it doesn't actually work as it's still in development. We are going to change our procedures so this doesn't happen again, and we'll release an update soon that will resolve the issue, either by killing the code or by implementing it properly with opt-out and * domain for the updates.

So, our apologies, but this is what happened, and it is fortunately not a malware or a virus thing. It actually currently doesn't even work. It's our fault and we'll fix it asap.

Re: suspect connection

Posted: Thu Apr 19, 2018 9:02 am
by hadi5
Thanks for the information
Looking forward to the next release

Re: suspect connection

Posted: Sat May 05, 2018 8:40 am
by hadi5
Has this been fixed in any of the new releases?
I have not yet found any mention of this in any of the recent release notes

Re: suspect connection

Posted: Sun May 20, 2018 12:12 pm
by ordex
I think it was not mentioned in the Changelog but the fix should be in the latest release already.

Re: suspect connection

Posted: Mon May 21, 2018 10:14 am
by BohdanHamulets
This was deleted in the 3.0.5 app version. Feel free to update.