View on GitHub


OpenVPN for Android

Quick Start

Get a working config (tested on your computer or download from your provider/organisation)

If it is a single file with no extra pem/pkcs12 files you can email the file yourself and open the attachment. If you have multiple files put them on your sd card.

Click on the email attachment/Use the folder icon in the vpn list to import the config file

If there are errors about missing files put the missing files on your sd card.

Click on the save symbol to add the imported VPN to your VPN list

Connect the VPN by clicking on the name of the VPN

If there are error or warnings in the log try to understand the warnings/error and try to fix them

Block non VPN connection ("Killswitch")

It is often desired to block connections without VPN. Other apps often use markting terms like "Killswitch" or "Seamless tunnel" for this feature. OpenVPN and this app offer persist-tun, a feature to implement this functionality.

The problem with all these methods offered by apps is that they can only provide best effort and are no complete solutions. On boot, app crashing and other corner cases the app cannot ensure that this block of non VPN connection works. Thus giving the user a false sense of security.

The only reliable way to ensure non VPN connections are blocked is to use Android 8.0 or later and use the "block connections without VPN" setting that can be found under Settings > Network & Internet > Advanced/VPN > OpenVPN for Android > Enable Always ON VPN, Enable Block Connections without VPN

Remote API

OpenVPN for Android supports two remote APIs, a sophisticated API using AIDL (remoteEXample in the git repository) and a simple one using Intents.

Examples using adb shell and the intents. Replace profilname with your profile name

adb shell am start-activity -a android.intent.action.MAIN de.blinkt.openvpn/.api.DisconnectVPN

adb shell am start-activity -a android.intent.action.MAIN -e de.blinkt.openvpn.api.profileName Blinkt de.blinkt.openvpn/.api.ConnectVPN

Weak (MD5) hashes in certificate signature (SSL_CTX_use_certificate md too weak)

Starting with OpenSSL version 1.1, OpenSSL rejects weak signatures in certificates like MD5.

MD5 signatures are completely insecure and should not be used anymore. MD5 collisions can be created in few hours at a minimal cost.. You should update the VPN certificates as soon as possible.

Unfortunately, older easy-rsa distributions included the config option "default_md md5". If you are using an old easy-rsa version, update to the latest version) or change md5 to sha256 and regenerate your certificates.

If you really want to use old and broken certificates use the custom configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your imported configuration

Samsung phones

5.0 (Lollipop) and later
Even though Samsung phones are among the most selling Android phones, Samsung's firmware are also among the most buggy Android firmwares. The bugs are not limited to the VPN operation on these devices but many of them can be workarounded. In the following some of these bugs are described.

DNS does not work unless the DNS server in the VPN range.

On many Samsung 5.x devices the allowed/disallowed apps feature does not work.

On Samsung 6.x VPN is reported not to work unless the VPN app is exempted from Powersave features.

Duplicate notifications

If Android is under system memory (RAM) pressure, apps and service which are not needed at the moment are removed from active memory. This terminates an ongoing VPN connection. To ensure that the connection/OpenVPN survives the service runs with higher priority. To run with higher priority the application must display a notification. The key notification icon is imposed by the system as described in the previous FAQ entry. It does not count as app notification for purpose of running with higher priority.

Differences between the OpenVPN Android clients

Multiple OpenVPN clients for Android exist. The most common ones are OpenVPN for Android (this client), OpenVPN Connect and OpenVPN Settings.

The clients can be grouped into two groups: OpenVPN for Android and OpenVPN Connect use the official VPNService API (Android 4.0+) and require no root and OpenVPN Settings which uses root.

OpenVPN for Android is an open source client and developed by Arne Schwabe. It is targeted at more advanced users and offers many settings and the ability to import profiles from files and to configure/change profiles inside the app. The client is based on the community version of OpenVPN. It is based on the OpenVPN 2.x source code. This client can be seen as the semi officially client of the community.

OpenVPN Connect is non open source client that is developed by OpenVPN Technologies, Inc. The client is indented to be general use client and more targeted at the average user and allows the import of OpenVPN profiles. This client is based on the OpenVPN C++ reimplementation of the OpenVPN protocol (This was required to allow OpenVPN Technologies, Inc to publish an iOS OpenVPN app). This client is the official client of the OpenVPN technologies

OpenVPN Settings is the oldest of the clients and also a UI for the open source OpenVPN. In contrast to OpenVPN for Android it requires root and does not use the VPNService API. It does not depend on Android 4.0+

Reinstalling VPN apps

5.0 (Lollipop) - 5.1 (Lollipop MR1)
VPN apps may stop working when uninstalled and reinstalled again. For details see #80074

VPN and Tethering

5.0 (Lollipop) - 5.1 (Lollipop MR1)
4.3 (Jelly Bean MR2) and earlier
The Android Tethering feature (over WiFi, USB or Bluetooth) and the VPNService API (used by this program) do not work together. For more details see the issue #34

Broken Images

5.0 (Lollipop) - 5.1 (Lollipop MR1)
4.3 (Jelly Bean MR2) and earlier
4.3 (Jelly Bean MR2) and earlier

Official HTC images are known to have a strange routing problem causing traffic not to flow through the tunnel (See also Issue 18 in the bug tracker.)

Older official SONY images from Xperia Arc S and Xperia Ray have been reported to be missing the VPNService completely from the image. (See also Issue 29 in the bug tracker.)

On custom build images the tun module might be missing or the rights of /dev/tun might be wrong. Some CM9 images need the "Fix ownership" option under "Device specific hacks" enabled.

Most importantly: If your device has a broken Android image, report it to your vendor. The more people who report an issue to the vendor, the more likely they are to fix it.

Battery consumption

In my personal tests the main reason for high battery consumption of OpenVPN are the keepalive packets. Most OpenVPN servers have a configuration directive like 'keepalive 10 60' which causes the client and server to exchange keepalive packets every ten seconds.

While these packets are small and do not use much traffic, they keep the mobile radio network busy and increase the energy consumption. (See also The Radio State Machine | Android Developers)

This keepalive setting cannot be changed on the client. Only the system administrator of the OpenVPN can change the setting.

Unfortunately using a keepalive larger than 60 seconds with UDP can cause some NAT gateways to drop the connection due to an inactivity timeout. Using TCP with a long keep alive timeout works, but tunneling TCP over TCP performs extremely poorly on connections with high packet loss. (See Why TCP Over TCP Is A Bad Idea)

Connection warning and notification sound

4.4 (Kit Kat) and earlier
The VPN connection warning telling you that this app can intercept all traffic is imposed by the system to prevent abuse of the VPNService API.

The VPN connection notification (The key symbol) is also imposed by the Android system to signal an ongoing VPN connection. On some images this notification plays a sound.

Android introduced these system dialogs for your own safety and made sure that they cannot be circumvented. (On some images this unfortunately includes a notification sound)

Tap Mode

Tap Mode is not possible with the non root VPN API. Therefore this application cannot provide tap support

Secondary tablet users

4.3 (Jelly Bean MR2)
VPN does not work at all for secondary users.

Vpn Confirmation Dialog

4.3 (Jelly Bean MR2)
4.3 (Jelly Bean MR2) and later
"Starting with Android 4.3 the VPN confirmation is guarded against "overlaying apps". This results in the dialog not reacting to touch input. If you have an app that uses overlays it may cause this behaviour. If you find an offending app contact the author of the app. This problem affect all VPN applications on Android 4.3 and later. See also Issue 185 for additional details"

Connections fails with SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Newer OpenVPN for Android versions (0.6.29/March 2015) use a more secure default for the allowed cipher suites (tls-cipher "DEFAULT:!EXP:!PSK:!SRP:!kRSA"). Unfortunately, omitting the less secure cipher suites and export cipher suites, especially the omission of cipher suites that do not support Perfect Forward Secrecy (Diffie-Hellman) causes some problems. This usually caused by an well-intentioned but poorly executed attempt to strengthen TLS security by setting tls-cipher on the server or some embedded OSes with stripped down SSL (e.g. MikroTik).

To solve this problem the problem, set the tls-cipher settings on the server to reasonable default like tls-cipher "DEFAULT:!EXP:!PSK:!SRP:!kRSA". To work around the problem on the client add the custom option tls-cipher DEFAULT on the Android client.

Security considerations

"As OpenVPN is security sensitive a few notes about security are sensible. All data on the sdcard is inherently insecure. Every app can read it (for example this program requires no special sd card rights). The data of this application can only be read by the application itself. By using the import option for cacert/cert/key in the file dialog the data is stored in the VPN profile. The VPN profiles are only accessible by this application. (Do not forget to delete the copies on the sd card afterwards). Even though accessible only by this application the data is still unencrypted. By rooting the telephone or other exploits it may be possible to retrieve the data. Saved passwords are stored in plain text as well. For pkcs12 files it is highly recommended that you import them into the android keystore."

Shortcut to start

You can place a shortcut to start OpenVPN on your desktop. Depending on your homescreen program you will have to add either a shortcut or a widget.

Tap Mode

Again? Are you kidding? No, tap mode is really not supported and sending more mail asking if it will be supported will not help.

VPN and Tethering

4.4 (Kit Kat) and later
Tethering works while the VPN is active. The tethered connection will NOT use the VPN.

Wrong MSS value for VPN connection

4.4 (Kit Kat) and later
4.4 (Kit Kat) - 4.4.1 (Kit Kat)
Early KitKat version set the wrong MSS value on TCP connections (#61948). Try to enable the mssfix option to workaround this bug.

Copying log entries

To copy a single log entry press and hold on the log entry. To copy/send the whole log use the Send Log option. Use the hardware menu button, if the button is not visible in the GUI.

Persist tun mode

4.4 (Kit Kat) - 4.4.2 (Kit Kat)
Opening a tun device while another tun device is active, which is used for persist-tun support, crashes the VPNServices on the device. A reboot is required to make VPN work again. OpenVPN for Android tries to avoid reopening the tun device and if really needed first closes the current TUN before opening the new TUN device to avoid to crash. This may lead to a short window where packets are sent over the non-VPN connection. Even with this workaround the VPNServices sometimes crashes and requires a reboot of the device.

Routing/Interface Configuration

4.4 (Kit Kat) - 4.4.2 (Kit Kat)
4.4 (Kit Kat) and later
The Routing and interface configuration is not done via traditional ifconfig/route commands but by using the VPNService API. This results in a different routing configuration than on other OSes.

The configuration of the VPN tunnel consists of the IP address and the networks that should be routed over this interface. Especially, no peer partner address or gateway address is needed or required. Special routes to reach the VPN Server (for example added when using redirect-gateway) are not needed either. The application will consequently ignore these settings when importing a configuration. The app ensures with the VPNService API that the connection to the server is not routed through the VPN tunnel.

The VPNService API does not allow specifying networks that should not be routed via the VPN. As a workaround the app tries to detect networks that should not be routed over tunnel (e.g. route x.x.x.x y.y.y.y net_gateway) and calculates a set of routes that excludes this routes to emulate the behaviour of other platforms. The log windows shows the configuration of the VPNService upon establishing a connection.

Behind the scenes: Android 4.4+ does use policy routing. Using route/ifconfig will not show the installed routes. Instead use ip rule, iptables -t mangle -L

Random disconnects from mobile network

4.4 (Kit Kat) - 4.4.2 (Kit Kat)
4.4 (Kit Kat) and later
4.4 (Kit Kat)
"Multiple users report that the mobile connection/mobile data connection is frequently dropped while using the VPN app. The behaviour seems to affect only some mobile provider/device combination and so far no cause/workaround for the bug could be identified. "

Remote networks not reachable

4.4 (Kit Kat) - 4.4.2 (Kit Kat)
4.4 (Kit Kat) and later
4.4 (Kit Kat)
4.4 (Kit Kat)
Only destination can be reached over the VPN that are reachable without VPN. IPv6 VPNs does not work at all.

Non CIDR Routes

Android supports only CIDR routes to the VPN. Since non-CIDR routes are almost never used, OpenVPN for Android will use a /32 for routes that are not CIDR and issue a warning.

Proxy behaviour for VPNs

Android will keep using your proxy settings specified for the mobile/Wi-Fi connection when no DNS servers are set. OpenVPN for Android will warn you about this in the log.

Route to the configured IP address

5.0 (Lollipop) and later
The configured client IP and the IPs in its network mask are not routed to the VPN. OpenVPN works around this bug by explicitly adding a route that corrosponds to the client IP and its netmask

Tap Mode

A third time? Actually, one could write a tap emulator based on tun that would add layer2 information on send and strip layer2 information on receive. But this tap emulator would also have to implement ARP and possibly a DHCP client. I am not aware of anybody doing any work in this direction. Contact me if you want to start coding on this.