OpenVPN for Android
Server Address:
Server Port:
Location
Unable to read directory
Select
Cancel
No Data
LZO Compression
No Certificate
Client Certificate
Client Certificate Key
PKCS12 File
CA Certificate
You must select a certificate
Source code and issue tracker available at http://code.google.com/p/ics-openvpn/
This program uses the following components; see the source code for full details on
the licenses
About
Profiles
Type
PKCS12 Password
Select…
You must select a file
Use TLS Authentication
TLS Direction
Enter IPv6 Address/Netmask in CIDR Format (e.g. 2000:dd::23/64)
Enter IPv4 Address/Netmask in CIDR Format (e.g. 1.2.3.4/24)
IPv4 Address
IPv6 Address
Enter custom OpenVPN options. Use with caution. Also note that many of the tun
related OpenVPN settings cannot be supported by design of the VPNSettings. If you think an important option is
missing contact the author
Username
Password
For the static configuration the TLS Auth Keys will be used as static keys
Configure the VPN
Add Profile
Enter a name identifying the new Profile
Please enter a unique Profile Name
Profile Name
You must select a User certificate
No error found
Error in Configuration
Error parsing the IPv4 address
Error parsing the custom routes
(leave empty to query on demand)
OpenVPN Shortcut
Connect to VPN
Profile specified in shortcut not found
Random Host Prefix
Adds 6 random chars in front of hostname
Enable Custom Options
Specify custom options. Use with care!
Route rejected by Android
Disconnect
Disconnect VPN
clear log
Cancel Confirmation
Disconnect the connected VPN/cancel the connection attempt?
Remove VPN
Checks whether the server uses a certificate with TLS Server extensions
(--remote-cert-tls server)
Expect TLS server certificate
Checks the Remote Server Certificate Subject DN
Certificate Hostname Check
Specify the check used to verify the remote certificate DN (e.g. C=DE,
L=Paderborn, OU=Avian IP Carriers, CN=openvpn.blinkt.de)\n\nSpecify the complete DN or the RDN
(openvpn.blinkt.de in the example) or an RDN prefix for verification.\n\nWhen using RDN prefix \"Server\"
matches \"Server-1\" and \"Server-2\"\n\nLeaving the text field empty will check the RDN against the server
hostname.\n\nFor more details see the OpenVPN 2.3.1+ manpage under —verify-x509-name
Remote certificate subject
Enables the TLS Key Authentication
TLS Auth File
Requests IP addresses, routes and timing options from the server.
No information is requested from the server. Settings need to be specified below.
Pull Settings
DNS
Override DNS Settings by Server
Use your own DNS Servers
searchDomain
DNS Server to be used.
DNS Server
Secondary DNS Server used if the normal DNS Server cannot be reached.
Backup DNS Server
Ignore pushed routes
Ignore routed pushed by the server.
Redirects all Traffic over the VPN
Use default Route
Enter custom routes. Only enter destination in CIDR format. \"10.0.0.0/8
2002::/16\" would direct the networks 10.0.0.0/8 and 2002::/16 over the VPN.
Custom Routes
Log verbosity level
Allows authenticated packets from any IP
Allow floating server
Custom Options
Edit VPN Settings
Remove the VPN Profile \'%s\'?
On some custom ICS images the permission on /dev/tun might be wrong, or the tun
module might be missing completely. For CM9 images try the fix ownership option under general settings
Failed to open the tun interface
"Error: "
Clear
info
Opening tun interface:
Local IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d
DNS Server: %1$s, Domain: %2$s
Routes: %s
Routes IPv6: %s
Got interface information %1$s and %2$s, assuming second address is peer address of
remote. Using /32 netmask for local IP. Mode given by OpenVPN is \"%3$s\".
Cannot make sense of %1$s and %2$s as IP route with CIDR netmask, using /32 as
netmask.
Corrected route %1$s/%2$s to %3$s/%2$s
Cannot access the Android Keychain Certificates. This can be caused by a firmware
upgrade or by restoring a backup of the app/app settings. Please edit the VPN and reselect the certificate under
basic settings to recreate the permission to access the certificate.
%1$s %2$s
Send log file
Send
ICS OpenVPN log file
Copied log entry to clip board
Tap Mode
Tap Mode is not possible with the non root VPN API. Therefore this application cannot
provide tap support
Again? Are you kidding? No, tap mode is really not supported and sending more mail asking if
it will be supported will not help.
A third time? Actually, one could write a a tap emulator based on tun that would add layer2
information on send and strip layer2 information on receive. But this tap emulator would also have to implement
ARP and possibly a DHCP client. I am not aware of anybody doing any work in this direction. Contact me if you
want to start coding on this.
FAQ
Copying log entries
To copy a single log entry press and and hold on the log entry. To copy/send the whole
log use the Send Log option. Use the hardware menu button if not visible in the GUI.
Shortcut to start
You can place a shortcut to start OpenVPN on your desktop. Depending on your
homescreen program you will have to add either a shortcut or a widget.
Your image does not support the VPNService API, sorry :(
Encryption
Enter encryption method
Enter the encryption cipher algorithm used by OpenVPN. Leave empty to use
default cipher.
Enter the authentication digest used for OpenVPN. Leave empty to use default
digest.
Authentication/Encryption
File Explorer
Inline File
Error importing File
Could not import File from filesystem
[[Inline file data]]
Refusing to open tun device without IP information
Import Profile from ovpn file
Import
Could not read Profile to import
Error reading config file
add Profile
Could not find file %1$s mentioned in the imported config file
Importing config file from source %1$s
Your configuration had a few configuration options that are not mapped
to UI configurations. These options were added as custom configuration options. The custom configuration is
displayed below:
Done reading config file.
Do not bind to local address and port
No local binding
Import configuration file
Security considerations
"As OpenVPN is security sensitive a few notes about security are sensible. All data on
the sdcard is inherently insecure. Every app can read it (for example this program requires no special sd card
rights). The data of this application can only be read by the application itself. By using the import option for
cacert/cert/key in the file dialog the data is stored in the VPN profile. The VPN profiles are only accessible
by this application. (Do not forget to delete the copies on the sd card afterwards). Even though accessible only
by this application the data is still unencrypted. By rooting the telephone or other exploits it may be possible
to retrieve the data. Saved passwords are stored in plain text as well. For pkcs12 files it is highly
recommended that you import them into the android keystore."
Import
Error showing certificate selection
Got an exception trying to show the Android 4.0+ certificate selection dialog. This
should never happen as this a standard feature of Android 4.0+. Maybe your Android ROM support for certificate
storage is broken
IPv4
IPv6
Waiting for state message…
imported profile
imported profile %d
Broken Images
<p>Official HTC images are known to have a strange routing problem causing
traffic not to flow through the tunnel (See also <a
href="http://code.google.com/p/ics-openvpn/issues/detail?id=18">Issue 18</a> in the bug tracker.)</p><p>Older
official SONY images from Xperia Arc S and Xperia Ray have been reported to be missing the VPNService completely
from the image. (See also <a href="http://code.google.com/p/ics-openvpn/issues/detail?id=29">Issue 29</a>
in the bug tracker.)</p><p>On custom build images the tun module might be missing or the rights of
/dev/tun might be wrong. Some CM9 images need the "Fix ownership" option under "Device specific hacks" enabled.</p><p>Most
importantly: If your device has a broken Android image, report it to your vendor. The more people who report an
issue to the vendor, the more likely they are to fix it.</p>
PKCS12 File Encryption Key
Private Key Password
Password
file icon
TLS Authentication
Generated Config
Settings
Tries to set the owner of /dev/tun to system. Some CM9 images need this to make the
VPNService API work. Requires root.
Fix ownership of /dev/tun
Shows the generated OpenVPN Configuration File
Editing \"%s\"
Building configuration…
Turning this option on will force a reconnect if the network state is changed (e.g.
WiFi to/from mobile)
Reconnect on network change
Got certificate \'%s\' from Keystore
Network Status: %s
The CA cert is usually returned from the Android Keystore. Specify a separate certificate
if you get certificate verification errors.
Select
No CA Certificate returned while reading from Android keystore. Auhtentication will
probably fail.
Shows the log window on connect. The log window can always be accessed from the
notification status.
Show log window
Running on %1$s (%2$s) %3$s, Android API %4$d
Error signing with Android keystore key %1$s: %2$s
The VPN connection warning telling you that this app can intercept all traffic is
imposed by the system to prevent abuse of the VPNService API.\nThe VPN connection notification (The key symbol)
is also imposed by the Android system to signal an ongoing VPN connection. On some images this notification
plays a sound.\nAndroid introduced these system dialogs for your own safety and made sure that they cannot be
circumenvented. (On some images this unfortunely includes a notifciation sound)
Connection warning and notification sound
English translation by Arne Schwabe<arne@rfc2549.org>
IP and DNS
Basic
Routing
Obscure OpenVPN Settings. Normally not needed.
Advanced
ICS Openvpn Config
No DNS servers being used. Name resolution may not work. Consider setting custom DNS
Servers. Please also note that Android will keep using your proxy settings specified for your mobile/Wi-Fi
connection when no DNS servers are set.
Could not add DNS Server \"%1$s\", rejected by the system: %2$s
Could not configure IP Address \"%1$s\", rejected by the system: %2$s
<p>Get a working config (tested on your computer or download from your
provider/organisation)</p><p>If it is a single file no with no extra pem/pks12 files you can email
the file yourself and open the attachment. If you have multiple files put them on your sd card.</p><p>Click
on the email attachment/Use the folder icon in the vpn list to import the config file</p><p>If there
are errors about missing files put the missing files on your sd card.</p><p>Click on the save symbol
to add the imported VPN to your VPN list</p><p>Connect the VPN by clicking on the name of the VPN</p><p>If
there are error or warnings in the log try to understand the warnings/error and try to fix
them</p>
Quick Start
Try to load the tun.ko kernel module before trying to connect. Needs rooted
devices.
Load tun module
Import PKCS12 from configuration into Android Keystore
Error getting proxy settings: %s
Using proxy %1$s %2$d
Use system proxy
Use the system wide configuration for HTTP/HTTPS proxies to connect.
You can <a
href=\"https://www.paypal.com/cgi-bin/webscr?hosted_button_id=R2M6ZP9AF25LS&cmd=_s-xclick\">donate
with PayPal</a>
OpenVPN will reconnect a VPN if it was active on system reboot/shutdown. Please
read the Connection warning FAQ before using this option.
Reconnect on reboot
Ignore
Restart
Configuration changes are applied after restarting the VPN. (Re)start the
VPN now?
Configuration changed
Could not determine last connected profile for editing
Duplicate notifications
If Android is under system memory (RAM) pressure, apps and service which
are not needed at the moment are removed from active memory. This terminates an ongoing VPN connection. To
ensure that the connection/OpenVPN survives the service runs with higher priority. To run with higher priority
the application must display a notification. The key notification icon is imposed by the system as described in
the previous FAQ entry. It does not count as app notification for purpose of running with higher priority.
No VPN profiles defined.
Use the <img src=\"ic_menu_add\"/> icon to add a new VPN
Use the <img src=\"ic_menu_archive\"/> icon to import an existing (.ovpn or
.conf) profile from your sdcard.
Be sure to also check out the FAQ. There is a quick start guide.
Routing/Interface Configuration
The Routing and interface configuration is not done via traditionell ifconfig/route
command but by using the VPNService API. This results in a different routing configuration than on other OSes.
The configuration only consists of the IP of the tunnel interface and the networks that should be routed over
this interface. Especially no peer partner address or gateway address is needed. Special routes to reach the VPN
Server (for example added when using redirect-gateway) are not needed either. The application will consequently
ignore these settings when importing a configuration. The app ensures with the VPNService API that the
connection to the server is not routed through the VPN tunnel. Since only specifing networks to be routed via
tunnel is supported extra routes not pointing to the tunnel cannot be supported either. (e.g. route x.x.x.x
y.y.y.y net_gateway). The log windows shows the current configuration of the VPNService upon establishing a
connection.
Do not fallback to no VPN connection when OpenVPN is reconnecting.
Persistent tun
OpenVPN Log
Import OpenVPN configuration
Battery consumption
In my personal tests the main reason for high battery consumption of OpenVPN are
the keepalive packets. Most OpenVPN servers have a configuration directive like \'keepalive 10 60\' which causes
the client and server to exchange keepalive packets every ten seconds. <p> While these packets are small
and do not use much traffic, they keep the mobile radio network busy and increase the energy consumption. (See
also <a
href="http://developer.android.com/training/efficient-downloads/efficient-network-access.html#RadioStateMachine">The
Radio State Machine | Android Developers</a>) <p> This keepalive setting cannot be changed on the
client. Only the system administrator of the OpenVPN can change the setting. <p> Unfortunately using a
keepalive larger than 60 seconds with UDP can cause some NAT gateways to drop the connection due to an
inactivity timeout. Using TCP with a long keepalive timeout works, but tunneling TCP over TCP performs extremely
poorly on connections with high packet loss. (See <a href="http://sites.inka.de/bigred/devel/tcp-tcp.html">Why
TCP Over TCP Is A Bad Idea</a>)
The Android Tethering feature (over WiFi, USB or Bluetooth) and the VPNService API
(used by this program) do not work together. For more details see the <a
href=\"http://code.google.com/p/ics-openvpn/issues/detail?id=34\">issue #34</a>
VPN and Tethering
Connection retries
Reconnection settings
Number of seconds to wait between connection attempts.
Seconds between connections
OpenVPN crashed unexpectedly. Please consider using the send Minidump option in
the main menu
Send Minidump to developer
Sends debugging information about last crash to developer
OpenVPN - %s
%1$s - %2$s
%1$s - %3$s, %2$s
Connecting
Waiting for server reply
Authenticating
Getting client configuration
Assigning IP addresses
Adding routes
Connected
Disconnect
Reconnecting
Exiting
Not running
Resolving host names
Connecting (TCP)
Authentication failed
Waiting for usable network
↓%2$s/s %1$s - ↑%4$s/s %3$s
Not connected
Connecting to VPN %s
Connecting to VPN %s
Some versions of Android 4.1 have problems if the name of the
keystore certificate contains non alphanumeric characters (like spaces, underscores or dashes). Try to reimport
the certificate without special characters
Encryption cipher
Packets authentication
Enter packet authentication method
Toggle timestamps
Running on %1$s (%2$s) %3$s, Android API %4$d, version %5$s, %6$s
built by %s
debug build
official build
Copy into profile
Crashdump
Add
Send config file
Complete DN
Your imported configuration used the old DEPRECATED tls-remote option which uses a
different DN format.
RDN (common name)
RDN prefix
tls-remote (DEPRECATED)
You can help translating by visiting http://crowdin.net/project/ics-openvpn/invite
%1$s attempts to control %2$s
By proceeding, you are giving the application permission to completely control OpenVPN
for Android and to intercept all network traffic.
Do NOT accept unless you trust the application.
Otherwise, you run the risk of having your data compromised by malicious software."
I trust this application.
No app allowed to use external API
Allowed apps: %s
Clear list of allowed external apps?\nCurrent list of allowed apps:\n\n%s
"Pause VPN when screen is off and less than 64 kB transferred data in 60s. When the
\"Persistent Tun\" option is enabled pausing the VPN will leave your device with NO network connectivity.
Without the \"Persistent Tun\" option the device will have no VPN connection/protection.
Pause VPN connection after screen off
Pausing connection in screen off state: less than %1$s in %2$ss
Warning: Persistent tun not enabled for this VPN. Traffic will use the normal
Internet connection when the screen is off.
Save Password
Pause VPN
Resume VPN
VPN pause requested by user
VPN paused - screen off
Device specifics Hacks
Cannot display certificate information
Application behaviour
VPN behaviour
Allow changes to VPN Profiles
Hardware Keystore:
Icon of app trying to use OpenVPN for Android