OpenVPN Connect – OpenVPN App

- Added confirmation dialog when connecting with a profile that contains unsupported directives
- Updated Import Profile screen with a link to the website with useful information
- Ended support for devices running IOS 12, 13, 14
- Fixed issue when app disconnects after 10 min in Airplane mode
- Minor fixes and improvements

- Temporarily ignoring unsupported options in a profile
- Fixed an issue on iOS 17 where the connection would drop during sleep when 'Battery Saver' was enabled

- Dropped support of iOS 11
- Moved from OpenSSL 1.1.1 to OpenSSL 3.0.8
- Updated OpenVPN 3 library to version 3.8
- Introduced setting “Security Level”
- Introduced setting “System Browser Auth”
- Removed onboarding screens
- Various bug fixes and UX improvements

- Fixed connectivity issues on iOS 16.5
- Fixed MFA issue when a message contains non-Latin symbols
- Fixed issue with display of available application update

- Updated information exchange for OpenVPN Cloud users

- Resolved stability issues
- Improved performance

Changes from 3.2.3 to 3.3.0:
- Changed Web Auth flow to use external browser for authentication
- Removed the "force AES-CBC cipher" legacy compatibility option
- Added Kill Switch feature
- Added Siri Shortcuts support
- Added new functionality for software updates
- Added captive portal detection
- Added an Advanced Settings section
- Added new setting to manage disconnect and reconnect alerts
- Updated OpenVPN 3 library to 3.6
- Various bug fixes and UX improvements

Changes from 3.2.1 to 3.2.2:
- Increased default connection timeout to 1 minute.

Changes from 3.2.1 to 3.2.2:
- Minor fix for Web Auth flow.

Changes from 3.2.0 to 3.2.1:
- Minor changes for Web Auth flow.

Changes from 3.1.2 to 3.2.0:
- Switchover from MbedTLS library to OpenSSL library
- As part of the transition from MbedTLS to OpenSSL the list of negotiable TLS cipher suites no longer includes weak ciphers suites without forward secrecy support (DH/ECDH)
- Support of TLS 1.3 version
- Support signing with RSA-PSS signatures during TLS handshake
- Update of OpenVPN3 library to 3.5.5 version
- Improved stability and performance

* MbedTLS update to 2.7.13 including fix for CVE-2019-18222

* New profile import flow with WebAuth support and "Connect after import" ability
* Removed "Reconnect on Wakeup" setting
* Added "Battery Saver" setting in order to prevent multiple reconnections in the device’s sleep mode
* Added app notification in case when the VPN connection was interrupted

* New profile import flow with WebAuth support and "Connect after import" ability
* Removed "Reconnect on Wakeup" setting
* Added "Battery Saver" setting in order to prevent multiple reconnections in the device’s sleep mode
* Added dialog on connection with ability to select an external PKCS certificate or proceed without it
* Added app notification in case when the VPN connection was interrupted

* Removed the Private Tunnel section. The Private Tunnel app can be downloaded from the App Store separately
* Improved connection stability when device is in sleep mode
* Improved error messages during profile import and connection attempts
* Improved security by saving profile passwords in System Security storage
* Changed timeout logic when network is unavailable
* Fixed usage of basic authentication for proxies
* Fixed the ‘AES-CBC cipher algorithm’ setting to help connect to legacy servers
* Other various connectivity fixes

* Added Data Policy Agreement
* Added "Certificates" screen with the possibility to remove external certs
* Removed outdated "Network State detection" setting and enabled it by default
* Increased max length of inputs - username, hostname, etc.
* Added missed labels for Voice Over
* Fixed iOS 12 connectivity issues
* Fixed 'high battery usage' issue by reducing speed stats frequency. Now Speed Chart shows data with 10 sec interval
* Allowed empty password for certificates
* Added custom error messages for connection attempt without network available or proper certificate
* Disabled "Compression" by default (because it is insecure)
* Changed icons for "Edit Profile" and "Edit Proxy" buttons, and improved UX by increasing touch area
* Small UI improvements

* Fixed VoiceOver issues
* Fixed crash on start issue
* Dropped MD5 support and added error message when using an MD5-signed certificate
* Improved logic of Private Tunnel login and connection processes

Changes from 1.2.9 to 3.0.0:
* new UI layer with two skins
* completely updated profile and proxy management
* new functional settings
* settings moved to app from system
* Private Tunnel and Access Server sections
* automated import from Access Server with link and credentials
* extended statistics about connection and visualization of data flow
* fixed various bugs

Changes from 1.2.8 to 1.2.9:
* show MD5 warning pop-up only once per VPN session
* fix glitch upon key re-negotiation when using tls-crypt
* fix interoperability issue with private keys created using OpenSSL 1.1 default settings (aka add support for private keys encrypted using PKCS#5v2.0 with PRF newer than SHA1)

Changes from 1.2.7 to 1.2.8:
* fixed spurious crash on reconnection after sleep
* restored access to CertificatePayloads (p12 bundles) uploaded via Provisioning Profiles (.mobileconfig files)
* show warning pop-up when connecting to server using insecure MD5 algorithm to sign certificates (MD5 support will be dropped end of Apr 2018)
* report unique app specific UUID to server within peer info (variable IV_HWADDR)
* added support for ECDSA ciphersuites (for EC certificates; only supported with certs embedded in .ovpn file)
* fixed VPN status after closing and re-opening App with tunnel activated (VPN IPs, last event, etc.)
* fixed profiles loading from iCloud with Files app (due to an iOS bug, only 1 file can be loaded at once)
* improved .ovpn12 file import

Changes from 1.2.6 to 1.2.7:
* fixed WiFi detection while connected via LTE
* fixed tunnel reconfiguration after reconnection with seamless tunnel ON
* added message about new .ovpn12 extension in cert list (when empty)
* fixed issue with DNS upon reconnection in split tunnel setups
* fixed tunnel disconnection when closing App from background app list
* fixed spurious connection crash when connecting using TCP
* fixed several connection instabilities
* fixed routing towards VPN IPs other than the VPN server
* fixed usage of PROXY_AUTO_CONFIG_URL and PROXY_BYPASS setting
* fixed DNS settings when server directive comes as last one

Changes between 1.2.5 and 1.2.6:

* fixed reconnection with external certificate or password when
device is still locked
* fixed blank-screen issue on iPods
* fixed reconnection after sleep or connectivity loss
* fixed seamless tunnel handling
* fixed tls-auth setup. missing key-direction in new profiles
is again interpreted as "bidirectional" mode
* fixed DNS server assignment on split tunnel configurations
* fixed IPv6 DNS server assignment on split tunnel configurations
* fixed search domain assignment on split tunnel configurations
* fixed profile renaming
* fixed PROXY settings assignment
* fixed permanent disconnection due to TRANSPORT_ERROR
when uplink is unavailable

Changes between 1.1.1 and 1.2.5:

* converted VPN backend to new Apple Network Extensions
framework
* implemented private keychain for storing certificates and
passwords. PKCS#12 bundles imported via Safari or Mail
must now end with '.ovpn12'
* implemented support for "tls-crypt" config option.
If the OpenVPN server you are connecting to has enabled
this option, it will provider a safer method to exchange
certificates during the initial TLS handshake
* improved log verbosity
* added preference switch to disable MD5 in TLS
* updated mbedTLS to 2.6.0 (MD5 support will be
dropped on Apr, 31st 2018)
* updated ovpn3 backend

Changes between 1.1.1 and 1.2.5:

* improved log verbosity
* added preference switch to disable MD5 in TLS
* converted VPN backend to new Apple Network Extensions
framework
* implemented private keychain for storing certificates and
passwords. PKCS#12 bundles imported via Safari or Mail
must now end with '.ovpn12'
* implemented support for "tls-crypt" config option.
If the OpenVPN server you are connecting to has enabled
this option, it will provider a safer method to exchange
certificates during the initial TLS handshake
* updated mbedTLS to 2.6.0 (MD5 support will be
dropped on Apr, 31st 2018)
* updated ovpn3 backend

Changes between 1.1.0 and 1.1.1:
* updated ovpn3 backend and plugin
* better support for NAT64
* workaround for sweet32 vulnerability
* implementation of relay protocol

Changes between 1.0.7 and 1.1.0:

* The OpenVPN Setting "Force AES-CBC ciphersuites" is now
off by default. If you experience connection issues with
this change, you can easily turn it back on in the Settings
App under OpenVPN.

* Known issue: sometimes after install, the OpenVPN settings
in the Settings app may vanish. This is a known iOS
issue. A suggested workaround is to quit the Settings app
by double-tapping the home button, and then dragging
Settings out of the list of apps. The next time you launch
Settings, the OpenVPN settings ought to show up.

* NAT64 is now fully supported.

* Improved network reachability detection.

* Implemented automatic per-key data limits on Blowfish and
other 64-bit block-size ciphers to sidestep "Sweet32"
vulnerability (CVE-2016-6329).

* Relaxed mbedTLS/PolarSSL certificate date checking:
1. allow dates that omit the seconds field
2. allow dates that specify a timezone
This should solve the error "PolarSSL: error parsing cert
certificate : X509 - The date tag or value is invalid"

* Added fix for error "digest_error: NONE: not usable".

* Added mbedTLS/PolarSSL log level setting.

* Library updates:
mbedTLS/PolarSSL : 1.3.17

Changes between 1.1.0 and 1.1.1:
* updated ovpn3 backend and plugin
* better support for NAT64
* workaround for sweet32 vulnerability
* implementation of relay protocol

Changes between 1.0.7 and 1.1.0:

* The OpenVPN Setting "Force AES-CBC ciphersuites" is now
off by default. If you experience connection issues with
this change, you can easily turn it back on in the Settings
App under OpenVPN.

* Known issue: sometimes after install, the OpenVPN settings
in the Settings app may vanish. This is a known iOS
issue. A suggested workaround is to quit the Settings app
by double-tapping the home button, and then dragging
Settings out of the list of apps. The next time you launch
Settings, the OpenVPN settings ought to show up.

* NAT64 is now fully supported.

* Improved network reachability detection.

* Implemented automatic per-key data limits on Blowfish and
other 64-bit block-size ciphers to sidestep "Sweet32"
vulnerability (CVE-2016-6329).

* Relaxed mbedTLS/PolarSSL certificate date checking:
1. allow dates that omit the seconds field
2. allow dates that specify a timezone
This should solve the error "PolarSSL: error parsing cert
certificate : X509 - The date tag or value is invalid"

* Added fix for error "digest_error: NONE: not usable".

* Added mbedTLS/PolarSSL log level setting.

* Library updates:
mbedTLS/PolarSSL : 1.3.17

Changes in 1.0.7 (from 1.0.5):

* Updated mbedTLS (formerly PolarSSL).

* The OpenVPN Setting "Force AES-CBC ciphersuites" is now off by
default. If you experience connection issues with this change,
you can easily turn it back on in the Settings App under OpenVPN.

* Added "Minimum TLS version" setting. If you experience connection
issues with this option, try setting it to "Disabled" in the
Settings App under OpenVPN.

* Added AES-GCM cipher support.

* Developers can now detect if OpenVPN is installed:

BOOL installed = [application canOpenURL:[NSURL
URLWithString:@"openvpn://"]];

* Library updates:
mbedTLS : 1.3.16

Changes between 1.0.4 and 1.0.5:

* Fixed Import Profiles bug that affects 1.0.4 on iOS 8. This issue causes OpenVPN to fail to detect new profiles that are available for import.

* Support new iOS 8 feature where Settings App can be used to launch native OpenVPN profiles. Note that only autologin profiles (i.e. profiles that don't require credential entry) can be launched using this mechanism.

* Added "Seamless Tunnel" setting (See OpenVPN section of Settings App) for iOS 8 and higher. Make a best-effort to keep the VPN tunnel active during pause, resume, and reconnect states to minimize the likelihood of packet leakage during sleep/wakeup and network reconfiguration events.

* Connection speed improvements.

* Support OpenVPN "float" directive.

* Don't fail the connection when OpenVPN "topology net30" directive is mixed with "ifconfig-ipv6", since the topology setting doesn't really affect IPv6.

* Recognize backslash as a directory separator, to allow import of Windows profiles.

* Library updates:
PolarSSL : 1.3.8
Boost : 1.56.0

Changes between 1.0.3 and 1.0.4:

* Added "Force AES-CBC ciphersuites" setting to revert to SSL/TLS negotiation strategy used in OpenVPN Connect 1.0.0 and 1.0.1. This option constrains the OpenVPN TLS negotiation to one of two standard AES-CBC ciphersuites and is provided as a compatibility option when connecting to servers that use legacy SSL implementations.

* Known issue: Automatic reconnect/wakeup onto cellular data doesn't work with iOS 7.0.x. A fix is expected in iOS 7.1.

* Known issue: IPv6 tunnel routes may not be added to the routing table on iOS 7. Workaround: use redirect-gateway instead of pushing specific IPv6 routes. For example, from the server:

push "redirect-gateway ipv6"

or client:

redirect-gateway ipv6

Note that iOS 7 requires that if redirect-gateway is used, that it is used for both IPv4 and IPv6 as the above directive accomplishes.

* Added support for "http-proxy" and "http-proxy-option" directives in the profile. Note that these directives are currently only supported in the main profile, outside of blocks. Also note that proxy settings in the Settings app under OpenVPN always have priority over proxy directives given in the profile.

* Worked around an issue where connect slider control was sending repeating ON/OFF messages to the app. This could potentially cause connection failures where the connect slider control would move into the ON position, the credentials fields would be cleared, but no connection would occur, or the connection slider would freeze in the OFF position.

* iOS 7 allows OpenVPN VPN-On-Demand (VoD) profiles to be connected and disconnected using the Settings App.

* Allow "Certificate" field in UI to remain unselected for profiles that connect without a client certificate.

* Re-added support for DES-CBC cipher that was inadvertently dropped in 1.0.2 (Note: DES-CBC is an obsolete, insecure cipher that should no longer be used. It is provided only for compatibility with legacy systems).

* Added additional PKCS#1 signature methods. This may fix an issue where the following error is seen in the log: "PolarSSLContext::epki_sign unrecognized parameters, mode=1 hash_id=11 hashlen=32"

* Added new OpenVPN Setting "Network state detection" that allows control over how OpenVPN handles network state changes. For more info, see app Help FAQ under the section "What is the meaning of the various OpenVPN settings in the iOS Settings App?"

* Support iOS .mobileconfig profiles that contain standard OpenVPN profiles (previously only VPN-On-Demand .mobileconfig profiles were supported). See app Help for detailed instructions on how to create an OpenVPN .mobileconfig profile.

* Allow importing of profiles via iTunes where auth-user-pass directive references an external creds file.

* Added LZ4 compression support.

* Report client app name/version to server via IV_GUI_VER parameter.

Raised minimum required iOS version to 6.1 (iOS 5.1.1 installer will not install Connect, and will delete previous working 1.0.1 install)

Changes between 1.0.1 and 1.0.2:

* Added support for ARM-64 including iPhone 5s and iPad Air.

* Allow password to be saved for static challenge/response profiles.

* Resolved the issue where iOS plugin was not able to fully enumerate the cert chain from Keychain Identities. Note that this solution is still not ideal because the iOS keychain appears unable to import a PKCS#12 file as a bundle. It only imports the leaf cert/key and ignores the rest. So for this fix to be effective, each of the root and intermediate certs in the PKCS#12 file must be manually extracted and separately imported as .crt files.

* Added the capability for server to push proxy options, e.g.:

push "dhcp-option PROXY_HTTP 10.144.5.14 3128"
push "dhcp-option PROXY_HTTPS 10.144.5.14 3128"
push "dhcp-option PROXY_BYPASS www.openvpn.net www.openvpn.org"
push "dhcp-option PROXY_AUTO_CONFIG_URL http://www.openvpn.net/proxy.pac"

Note that this is a separate and distinct feature from the one to connect through an HTTP proxy. This feature allows proxy options to be set for Safari (and possibly other apps as well) for the duration of the VPN session.

These options can be placed directly in the profile, i.e.

--> dhcp-option PROXY_HTTP 10.144.5.14 3128

or pushed by the server:

--> push "dhcp-option PROXY_HTTP 10.144.5.14 3128"

* Updated PolarSSL to 1.2.10. This version of PolarSSL adds support for PKCS#8 private keys.

* Fixed issue where some pushed options were incorrectly persisting across reconnections.

* Fixed core bug that could cause reconnected TCP sessions to lock up with repeating replay errors.

* Fixed core bug where server-pushed keepalive parms (ping, ping-restart) would be ignored.

* "Session invalidated" errors will now explicitly reference a reason code.

* Implemented "client-cert-not-required" directive as an alias for "setenv CLIENT_CERT 0".

* Added core support for tun-mtu directive.

* Fixed options parsing issue if non-aggregate option was specified in profile as well as pushed by server (the pushed version should win).

* Implemented "inactive" directive.

* Relax options parser somewhat and follow OpenVPN 2.x behavior where if more than one instance of an option exists, and a single instance of the option is required, use the last instance. Previously we would raise an exception in this case.

* Added tls-version-min directive, to require server to support a minimum TLS version. For example,

--> tls-version-min 1.2

would require TLS 1.2 or higher for connection with the server. The connection would fail if the server cannot meet this requirement.

* Support "setenv opt" prefix before directives, where its presence indicates that the directive is optional, i.e. if a client doesn't understand the directive, it should simply ignore it.

* Log unused options, i.e. options specified in config file that were unrecognized, ignored, or unused.

This behavior is somewhat different (by design) to 2.x branch, which will raise a fatal exception if an unrecognized option is encountered.

* Added support for ARM-64 including iPhone 5s and iPad Air.

* Allow password to be saved for static challenge/response profiles.

* Resolved the issue where iOS plugin was not able to fully enumerate the cert chain from Keychain Identities. Note that this solution is still not ideal because the iOS keychain appears unable to import a PKCS#12 file as a bundle. It only imports the leaf cert/key and ignores the rest. So for this fix to be effective, each of the root and intermediate certs in the PKCS#12 file must be manually extracted and separately imported as .crt files.

* Added the capability for server to push proxy options, e.g.:

push "dhcp-option PROXY_HTTP 10.144.5.14 3128"
push "dhcp-option PROXY_HTTPS 10.144.5.14 3128"
push "dhcp-option PROXY_BYPASS www.openvpn.net www.openvpn.org"
push "dhcp-option PROXY_AUTO_CONFIG_URL http://www.openvpn.net/proxy.pac"

Note that this is a separate and distinct feature from the one to connect through an HTTP proxy. This feature allows proxy options to be set for Safari (and possibly other apps as well) for the duration of the VPN session.

These options can be placed directly in the profile, i.e.

--> dhcp-option PROXY_HTTP 10.144.5.14 3128

or pushed by the server:

--> push "dhcp-option PROXY_HTTP 10.144.5.14 3128"

* Updated PolarSSL to 1.2.10. This version of PolarSSL adds support for PKCS#8 private keys.

* Fixed issue where some pushed options were incorrectly persisting across reconnections.

* Fixed core bug that could cause reconnected TCP sessions to lock up with repeating replay errors.

* Fixed core bug where server-pushed keepalive parms (ping, ping-restart) would be ignored.

* "Session invalidated" errors will now explicitly reference a reason code.

* Implemented "client-cert-not-required" directive as an alias for "setenv CLIENT_CERT 0".

* Added core support for tun-mtu directive.

* Fixed options parsing issue if non-aggregate option was specified in profile as well as pushed by server (the pushed version should win).

* Implemented "inactive" directive.

* Relax options parser somewhat and follow OpenVPN 2.x behavior where if more than one instance of an option exists, and a single instance of the option is required, use the last instance. Previously we would raise an exception in this case.

* Added tls-version-min directive, to require server to support a minimum TLS version. For example,

--> tls-version-min 1.2

would require TLS 1.2 or higher for connection with the server. The connection would fail if the server cannot meet this requirement.

* Support "setenv opt" prefix before directives, where its presence indicates that the directive is optional, i.e. if a client doesn't understand the directive, it should simply ignore it.

* Log unused options, i.e. options specified in config file that were unrecognized, ignored, or unused.

This behavior is somewhat different (by design) to 2.x branch, which will raise a fatal exception if an unrecognized option is encountered.

Fixed proxy error "NTLM phase-2 Content-Length is not zero".

Updated PolarSSL to 1.1.6.

Implemented "tls-remote", "route-nopull", "remote-random", "cipher
none", and "auth none" directives.

Support DNS names that resolve to multiple addresses by trying each address in sequence.

At Apple's request, require one-time user confirmation before starting initial VPN connection.

Log invalid server-pushed routes or dhcp-options but don't disconnect.

As device moves between WiFi and cellular networks, proactively reconnect.

Raise an error when unsupported modes are used, such as static key mode.

Support "tcp-client" usage such as this: remote foo.bar 1194 tcp-client

Client will report its protocol as UDPv4 or TCPv4_CLIENT in options
compatibility string even if running over IPv6 transport to maintain
compatibility with OpenVPN 2.x branch.

Support client profiles that use Windows UTF-8 BOM.

Added "Reconnect on wakeup" preference (on by default).

The "key-direction" default has been changed to "bidirectional" for
compatibility with OpenVPN 2.x branch, however the previous default
("1") will be retained for profiles imported with 1.0.0 to avoid
breakage. Note, however, that the previous default cannot be retained
for previously imported VPN-on-Demand profiles, which could potentially
fail to connect if they don't declare a key-direction key/value pair on
the assumption that it defaults to "1". The solution is to explicitly
declare key-direction in VPN-on-Demand profiles if the OpenVPN
configuration file they are derived from declares it as well.

Fixed bug where pushed ifconfig subnet was not routing into the tunnel.

When split-tunnel VPN configuration is used (i.e. not redirect-gateway),
and at least one pushed DNS server is present: (a) route all DNS
requests through pushed DNS server if no added search domains, or (b)
route DNS requests for only specifically added search domains if at
least one added search domain.

Fixed bug where app would crash on startup if device keychain had
certificate with nil subjectSummary.

Fixed issue where "reneg-sec 0" was causing an infinite reconnect loop.

Don't add IPv4 or v6 routes if the ifconfig for the particular IP
protocol is absent.

Added support for "net_gateway" as a route destination. This
effectively excludes the route from the tunnel.

Allow clients to connect without a client certificate or key, if the
server allows it, and if the client profile contains the following
directive: setenv CLIENT_CERT 0

Allow "dhcp-option DOMAIN ..." directives to be pushed with multiple
space-separated domains.

Fixed an issue that prevented an External Certificate profile from also
being an Autologin profile.

Fixed a corner case where profiles with saved passwords that connect to
a server that uses Session ID tokens (such as an Access Server) would
fail to automatically reconnect after long pause periods, such as when
the device is asleep.

Add "OS Event" logging to OpenVPN log file, including: (a) network
available/unavailable and (b) sleep/wakeup.