OpenVPN for Android v4.0+ Setup Guide

Android OpenVPN Connect Setup
Use a strong device-level password. How do I set up my profile for server failover?

How to Configure OpenVPN on Android

You can then enter this port into your software. Port Forwarding reduces privacy. For maximum privacy, please keep port forwarding disabled. This ensures that no IPv6 traffic leaks out over your normal internet connection when you are connected to the VPN. This includes 6to4 and Teredo tunneled IPv6 traffic. The DNS leak protection feature activates VPN DNS leak protection. This enables the greatest level of privacy and security but may cause connectivity issues in non-standard network configurations.

This can be enabled and disabled in the Windows application, while it is enabled by default on our macOS application. After connecting we set your operating system's DNS servers to If you change your DNS servers manually or if for some other reason they are changed this does not necessarily mean your DNS is leaking. Even if you use different DNS servers the queries will still be routed through the VPN connection and will be anonymous.

The internet kill switch activates VPN disconnect protection. If you disconnect from the VPN, your internet access will stop working. This could lead to an MiTM attack which could lead to interception of traffic. Therefore, MD5 support has been around only to allow connections to older equipment. We discovered that when we tried to cut support in November of during a security and functionality upgrade of OpenVPN Connect for Android that a lot of people were still using devices that use MD5 signed certificates.

This is extremely insecure. It is recommended that any installations that still use MD5 signed certificates are converted to a setup with SHA signed certificates, or better. If the device you are using does not offer you the option to do so, then you should try updating the device to add this function if possible, or replace the device with a solution that does support it.

We have therefore decided to implement a transitional period in which we will still allow MD5 signed certificates to function, until May , when we will start cutting support for MD5 out of OpenVPN entirely.

You should plan accordingly. We have a list of deprecated options and ciphers here: To determine whether you are currently using an MD5 type certificate, using openssl as a testing tool:

If you see this result on the CA certificate or client certificate, then you must convert to a new and properly secure signed certificate set that uses at least SHA or better. For open source OpenVPN users, or users that have a third-party device that includes OpenVPN functionality, and you discover you have MD5 type certificates, you should investigate the option to update the software on your device, or to change the signature algorithm type, if possible.

If it is not possible, you could try contacting the manufacturer of your device to see if they still support your device, and if they can create a means by which to replace the certificates with a properly secure type certificate. The default settings of a program like EasyRSA 3, which is used by open source OpenVPN for generating client certificates and keys, are pretty secure and will generate certificates that are not signed with MD5.

To use this app, you must have an OpenVPN profile and a server to connect to. OpenVPN profiles are files that have an extension of. Another approach to eliminate certificates and keys from the OpenVPN profile is to use the Android Keychain as described below. For example, if the parameter is 1, add this line to the profile: This is something Android requires to affirm that the VPN session is high priority and should not be arbitrarily terminated by the system.

On some Android devices, a connection notification sound is played by Android whenever a VPN tunnel is established, and cannot be silenced by a non-root app. This will cause the VPN to disconnect when the screen is blanked and automatically reconnect when the screen becomes visible again.

While this option can extend battery life, it should not be used if you have apps running in the background that require continuous access to the internet via the VPN, such as a new email notifier. This can be useful for additional energy savings, as long as you don't have any background apps that need constant internet access. Shortcuts can be created for: Some cellular networks are incapable of maintaining a data connection during a voice call.

If Android detects this as a loss of network connectivity, the VPN should enter a pause state for the duration of the call, and automatically resume after the call is complete. However, if the loss of data connectivity isn't detected by Android, the VPN connection may time out and disconnect. Currently, the best options for security are to avoid saving passwords, and to use the Android Keychain as a repository for your private key (see below).

The Android developers are in the process of implementing an API for secure storage of passwords that will leverage the hardware-backed keystore and master device password; however, this development is not complete as of Android 4.

This approach will protect saved passwords even if the device is rooted. When this development is complete, we plan to support it in the app.

The save password switch on the authentication password field is normally enabled, but can be disabled by the following: Note, however, that the above directive only applies to the authentication password. The private key password, if it exists, can always be saved. The option is given as a "setenv" to avoid breaking other OpenVPN clients that might not recognize it. TAP-style or bridged tunnels on Layer 2 are not possible on Android.

This is a limitation of the Android platform. If you try to connect a profile that uses a TAP-based tunnel, you will get an error that says only Layer 3 tunnels are currently supported. Currently we have very little demand for this feature because Layer 3 is, for a number of reasons, the better choice anyway.

While most OpenVPN client directives are supported by the app, we have made an effort to reduce bloat and improve maintainability by eliminating what we believe to be obsolete or rarely-used directives. Yes, you can import any number of profiles from the Import menu -- tap the profile field to select one.

Keep in mind that OpenVPN will assign a name to a profile based on the server that the profile connects to. If you import a profile with the same name as one that already exists, the new profile will replace the old one.

You can prevent this from happening by renaming the old profile. Doing a "long touch" on the profile field will bring up a context menu for that profile that includes delete, rename, etc. Yes, you can add any number of proxies from the main menu. Once a proxy is added, a proxy selection field will appear on the main page.

Doing a "long touch" on the proxy field will bring up a context menu for that proxy that includes edit, delete, etc. Using the Android Keychain to store your private key has the added security advantage of leveraging the hardware-backed keystores that exist on many Android devices, allowing the key to be protected by the Android-level device password, and preventing key compromise even if the device is rooted.

If you already have your client certificate and private key bundled into a PKCS 12 file extension. When you connect the first time, the app will ask you to select a certificate to use for the profile.

When you generate a PKCS 12 file, you will always be asked for an "export password" to encrypt the file. This is to prevent interception and recovery of the private key during transport.

This approach is much better from a security perspective, because the Keychain can then leverage hardware features in the device such as hardware-backed keystores. How do I use a client certificate and private key from the Android Keychain? You can provide OpenVPN with a list of servers to connect to.

How To Set Up OpenVPN on Android

OpenVPN for Android is an open source client based on the open source OpenVPN project. It uses the VPNService API of Android + and requires neither jailbreak nor root on your telephone. FAQ: Can I get free Internet? No, this app is for connecting to an OpenVPN server. Find out how you can set up the OpenVPN protocol on your Android device - recommended by NordVPN for the most security-conscious.

Step-by-step Guide to Setting Up OpenVPN on Android

Step 1: Search "openvpn" in Google Play Store
Step 2: Install OpenVPN Connect app
Step 3: Download one of the VPNBook OpenVPN certificate bundles
Step 4: Unzip certificate bundle and open one of the Profiles with OpenVPN Connect app
Step alternatives: If you have the .