
OpenVPN for Android

OpenVPN for Android is an open source client based on the open source OpenVPN project.
It uses the VpnService API of Android 4.0+ and requires neither a jailbreak nor root on your phone.

Can I get free Internet?
No. This app only connects you to an OpenVPN server; it does not provide Internet access by itself.

How to connect
OpenVPN for Android is client software that connects to an OpenVPN server. It is not an app that sells or provides any VPN service.
It lets you connect to your own OpenVPN server, or one run by your company, university or provider, or to the service of many of the commercial
VPN providers.

What is the difference between all the OpenVPN apps?
For more information about the different OpenVPN clients in the Play Store, see: http://ics-openvpn.blinkt.de/FAQ.html#faq_androids_clients_title

Access to your photos/media (Android older than 6.0)
This app can import OpenVPN profiles from the SD card or internal storage. Google categorizes that storage access as "accessing your media and photos", which is why the permission is requested.

TAP Mode
Only tun mode is supported (sorry, no tap: the Android 4.0 VpnService API only provides a tun interface). A profile that uses "dev tap" will not work with this client.

Joining Beta
The beta is open; you can join it with the Join Beta option on the Play Store listing. Please note that often no beta is available, since I mostly use the beta function to pretest release candidates.

Translate the app
If you want to help translate OpenVPN for Android into your native language, see the project homepage.

Bug reports
Please report bugs and suggestions via email or on the project's Google Code page. But please read the FAQ before writing to me.

Use Mobile VPN with IPSec with an Android Device

Mobile devices that run Android version 4.x or higher include a native VPN client. In some cases, hardware manufacturers modify the native Android VPN client to add options, or they include their own VPN client on the device.

To make an IPSec VPN connection to a Firebox from an Android device:

  • Your VPN client must operate in Aggressive mode.
  • The Firebox must be configured with Phase 1 and 2 transforms that are supported by the Android device.

Recent versions of the native Android VPN client use Main mode, which is not compatible with Mobile VPN with IPSec. You cannot view or change the mode setting on the native Android VPN client. However, if the hardware manufacturer of your Android device modified the native VPN client, you might be able to change this setting.

If you cannot change your device settings to Aggressive mode, we recommend that you try one of these connection methods:

  • If your hardware manufacturer installed its own VPN client on your Android device, try to connect with that client if it can operate in Aggressive mode. For more information, see the documentation from the manufacturer.
  • In the settings for the native Android VPN client, configure the L2TP with IPSec option. Next, enable L2TP on your Firebox. L2TP on the Firebox uses Main mode. For more information about L2TP, see About L2TP User Authentication.
  • Install the OpenVPN SSL client on your Android device. You must manually download the SSL client profile from the SSL Portal on your Firebox. For more information about the client profile, see Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File.

Authentication and Encryption Settings

Android devices have a pre-configured list of supported VPN transforms. Unless the hardware manufacturer of your device modified the native Android VPN client, you cannot view this list or specify different default transforms. Recent Android OS versions have these default transforms:

Phase 1 — SHA2(256)–AES(256)–DH2

Phase 2 — SHA2(256)–AES(256)

Some older versions of Android OS use these default transforms:

Phase 1 — SHA1–AES(256)–DH2

Phase 2 — SHA1–AES(256)

In some cases, the hardware manufacturer of your Android device might specify different default transforms for the native Android VPN client.

To initiate a VPN connection to the Firebox, the Android device sends its default transform set to the Firebox. You must configure the Firebox with transforms supported by Android for the VPN connection to be established. We recommend that you specify the default Android transform set in your Mobile VPN with IPSec settings on the Firebox.

If you specify Firebox transforms different from the default Android transform set, the Android device sends the next transform set on its list. This process repeats until the Android device finds a transform set on its list that matches the Firebox settings, or until the Android device reaches a retry limit or has no additional transforms to test.
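The proposal walk just described, as an added example that models it in Python (this is not WatchGuard or Android code). It encodes the two default Android transform sets from this page, a Firebox profile with the exchange mode and Phase 1/Phase 2 transforms, and shows why a Main-mode client fails before any transform is compared, why a non-default Firebox transform set never matches, and which set a SHA-1-only device ends up using. The retry limit value is an assumption; the page only says that one exists.

```python
"""Model of the proposal walk this page describes: the native Android IKEv1
client offers its default transform sets in order until one matches the set
the Firebox is configured with, or it runs out of sets or hits a retry limit.
Added example for this page; it is not WatchGuard or Android code, and the
retry limit is an assumption (the page does not give the number)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Transform:
    auth: str                 # integrity hash: "SHA2-256" or "SHA1"
    enc: str                  # cipher: "AES-256"
    dh: Optional[str] = None  # Phase 1 key group ("DH2"); None in Phase 2 because PFS is off


@dataclass(frozen=True)
class FireboxProfile:
    exchange_mode: str        # "aggressive" (what Mobile VPN with IPSec requires) or "main"
    phase1: Transform
    phase2: Transform


# Default sets the page lists for the native client: recent OS versions first, then older.
ANDROID_PHASE1 = [Transform("SHA2-256", "AES-256", "DH2"), Transform("SHA1", "AES-256", "DH2")]
ANDROID_PHASE2 = [Transform("SHA2-256", "AES-256"), Transform("SHA1", "AES-256")]
RETRY_LIMIT = 3               # assumed value

# Firebox profiles as the page recommends them (recent Android, older Android)
# and one that does not match anything the client offers.
RECOMMENDED = FireboxProfile("aggressive", ANDROID_PHASE1[0], ANDROID_PHASE2[0])
LEGACY = FireboxProfile("aggressive", ANDROID_PHASE1[1], ANDROID_PHASE2[1])
MISMATCH = FireboxProfile("aggressive", Transform("SHA2-256", "AES-128", "DH14"),
                          Transform("SHA2-256", "AES-128"))


def walk_proposals(client_sets: List[Transform], firebox_set: Transform,
                   retry_limit: int = RETRY_LIMIT) -> Tuple[Optional[int], int]:
    """Offer client_sets one at a time; return (index of the match or None, sets tried)."""
    tried = 0
    for i, proposal in enumerate(client_sets):
        if tried >= retry_limit:
            break
        tried += 1
        if proposal == firebox_set:
            return i, tried
    return None, tried


def connect(client_mode: str, profile: FireboxProfile,
            p1_sets=ANDROID_PHASE1, p2_sets=ANDROID_PHASE2) -> Tuple[bool, str]:
    """Simulate both phases; returns (success, reason)."""
    # The exchange mode is fixed before any transform is compared, which is why a
    # Main-mode client never gets as far as a transform mismatch.
    if client_mode != profile.exchange_mode:
        return False, f"client uses {client_mode} mode, Firebox expects {profile.exchange_mode}"
    idx1, tried1 = walk_proposals(p1_sets, profile.phase1)
    if idx1 is None:
        return False, f"no Phase 1 match after {tried1} proposals"
    idx2, tried2 = walk_proposals(p2_sets, profile.phase2)
    if idx2 is None:
        return False, f"Phase 1 matched, no Phase 2 match after {tried2} proposals"
    return True, f"phase1 set {idx1}, phase2 set {idx2}"


if __name__ == "__main__":
    for mode, prof in (("aggressive", RECOMMENDED), ("aggressive", LEGACY),
                       ("main", RECOMMENDED), ("aggressive", MISMATCH)):
        print(mode, connect(mode, prof))
```

The LEGACY case shows the fallback the page describes: the client's first (SHA-2) set is rejected and its second (SHA-1) set matches, so the tunnel still comes up, just with the weaker hash.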

Configure the Firebox

Before you can connect with the native Android VPN client, you must configure the Mobile VPN with IPSec settings on your Firebox. The first procedure below uses Fireware Web UI; the second uses Policy Manager.

  1. (Fireware v12.3 or higher) Select VPN > Mobile VPN. In the IPSec section, select Configure.
    (Fireware v12.2.1 or lower) Select VPN > Mobile VPN with IPSec.
    The Mobile VPN with IPSec page appears.
  2. Click Add.
    The Mobile VPN with IPSec Settings page appears.

Screen shot of the Mobile VPN with IPSec Settings, General tab

  3. In the Name text box, type the name of the authentication group your Android VPN users belong to.

You can type the name of an existing group or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and VPN tunnel names.

  4. From the Authentication Server drop-down list, select an authentication server.

Make sure that this method of authentication is enabled.

If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.

  5. Type and confirm the Passphrase to use for this tunnel.
  6. In the Firebox IP Addresses section, type the primary external IP address or domain name to which Mobile VPN users in this group can connect.
  7. Select the IPSec Tunnel tab.
    The IPSec Tunnel settings appear.

Screen shot of the Mobile VPN with IPSec Settings, IPSec Tunnel tab

  8. Select Use the passphrase of the end user profile as the pre-shared key.
    This is the default setting.
  9. From the Authentication drop-down list, select SHA-2. Select SHA-1 only if your Android device does not support SHA-2.
  10. From the Encryption drop-down list, select AES (256-bit). This is the default encryption setting for Android devices.
  11. In the Phase 1 Settings section, click Advanced.
    The Phase 1 Advanced Settings dialog box appears.
  12. Set the SA Life to 1 hour.

The Android VPN client is configured to rekey after 1 hour. If this profile is only used for connections by the Android VPN client, set the SA Life to 1 hour to match the client setting.

If you plan to use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. The Android VPN client still uses the smaller rekey value of 1 hour.

  13. From the Key Group drop-down list, select Diffie-Hellman Group 2. This is the default key group for Android devices.
  14. Do not change any of the other Phase 1 advanced settings.

Diffie-Hellman Group 2 is a 1024-bit MODP group, and Aggressive mode with a pre-shared key exposes a hash derived from that key to anyone who can capture the first exchange; both are below current best practice. Use these settings only because the native Android client requires them, and prefer the IKEv2 configuration for devices that support it.

Screen shot of the Mobile VPN with IPSec Settings

  15. Click OK.
  16. In the Phase 2 Settings section, clear the PFS check box.
    Perfect Forward Secrecy is not supported by the Android VPN client.

Screen shot of the Phase 2 Settings PFS check box

  17. In the Phase 2 Settings section, click Advanced.
    The Phase 2 Advanced Settings dialog box appears.
  18. From the Authentication drop-down list, select SHA-2. Select SHA-1 only if your Android device does not support SHA-2.
  19. From the Encryption drop-down list, select AES (256-bit), which is the default encryption setting for Android devices.
  20. In the Force Key Expiration settings, set the expiration Time to 1 hour and clear the Traffic check box.
  21. Click OK.
  22. Select the Resources tab.
  23. Select the Allow All Traffic Through Tunnel check box.
    This configures the tunnel for default-route VPN. The Android VPN client does not support split tunneling.
  24. In the Virtual IP Address Pool list, add the internal IP addresses that are used by Mobile VPN users over the tunnel.
    To add an IP address or a network IP address to the virtual IP address pool, select Host IP or Network IP, type the address, and click Add.

Mobile VPN users are assigned an IP address from the virtual IP address pool when they connect to your network. The number of IP addresses in the virtual IP address pool should be the same as the number of Mobile VPN users. If a FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.

The virtual IP addresses must be on a different subnet than the local networks. The virtual IP addresses cannot be used for anything else on your network.

Screen shot of the Advanced settings

  25. Select the Advanced tab and configure the DNS settings:

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53 in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53 as a DNS server.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, clients do not receive DNS or WINS settings from the Firebox.

Assign these settings to mobile clients

If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.

You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.

For more information about DNS and WINS server settings for Mobile VPN with IPSec users, see Configure DNS and WINS Servers for Mobile VPN with IPSec.

First, use the Mobile VPN with IPSec Wizard in Policy Manager to configure the basic settings:

  1. Select VPN > Mobile VPN > IPSec.
    The Mobile VPN with IPSec Configuration dialog box appears.
  2. Click Add.
    The Add Mobile VPN with IPSec Wizard appears.
  3. Click Next.
    The Select a user authentication server page appears.

Screen shot of the Select a user authentication server wizard dialog box

  4. From the Authentication Server drop-down list, select an authentication server.

You can authenticate users to the Firebox (Firebox-DB) or to an Active Directory or RADIUS server. Make sure the authentication method you choose is enabled.

  5. In the Group Name text box, type the name of the authentication group your Android users belong to.

You can type the name of a Mobile VPN group you have already created or type a group name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and tunnel names.

If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.

  6. Click Next.
    The Select a tunnel authentication method page appears.

Screen shot of the Select a tunnel authentication method wizard dialog box

  7. Select Use this passphrase. Type and confirm the passphrase.
  8. Click Next.
    The Direct the flow of Internet traffic page appears.

Screen shot of the Direct the flow of Internet traffic wizard dialog box

  9. Select Yes, force all Internet traffic to flow through the tunnel.
    This configures the tunnel for default-route VPN. The Android VPN client does not support split tunneling.
  10. Click Next.
    The Create the virtual IP address pool page appears.

Screen shot of the Create the virtual IP address pool wizard dialog box

  11. Add the virtual IP addresses that are used by Mobile VPN users over the tunnel, and click Next.
    For a default-route VPN configuration, the configuration automatically allows access to all network IP addresses and the Any-External alias.

Mobile VPN users are assigned an IP address from the virtual IP address pool when they connect to your network. The number of IP addresses in the virtual IP address pool should be the same as the number of Mobile VPN users. If a FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.

The virtual IP addresses must be on a different subnet than the local networks. The virtual IP addresses cannot be used for anything else on your network.

  12. Click Next.
  13. To add users to the new Mobile VPN with IPSec group, select the Add users check box.
  14. Click Finish.
    The Mobile VPN configuration you created appears in the Mobile VPN with IPSec Configuration dialog box.
    The Mobile VPN configuration you created appears in the Mobile VPN with IPSec Configuration dialog box.

Screen shot of the Mobile VPN with IPSec Configuration dialog box

Next, you must edit the VPN Phase 1 and Phase 2 settings to match the settings for the Android VPN client.

  1. In the Mobile VPN with IPSec Configuration dialog box, select the configuration you just added.
  2. Click Edit.
    The Edit Mobile VPN with IPSec dialog box appears.
  3. Select the IPSec Tunnel tab.

Screen shot of the Edit Mobile VPN with IPSec dialog box, IPSec Tunnel tab

  4. From the Authentication drop-down list, select SHA2-256. Select SHA-1 only if your Android device does not support SHA-2.
  5. From the Encryption drop-down list, select AES (256-bit), which is the default encryption setting for Android devices.
  6. Click Advanced.
    The Phase 1 Advanced Settings dialog box appears.

Screen shot of the Phase 1 Advanced Settings dialog box

  7. Set the SA Life.

The Android VPN client is configured to rekey after 1 hour. If this profile is only used for connections by the Android VPN client, set the SA Life to 1 hour to match the client setting.

If you want to use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. The Android VPN client still uses the smaller rekey value of 1 hour.

  8. From the Key Group drop-down list, select Diffie-Hellman Group 2.
  9. Do not change any of the other Phase 1 Advanced Settings.
  10. Click OK.
  11. In the Edit Mobile VPN with IPSec dialog box, click Proposal.

Screen shot of the Phase 2 Proposal dialog box

  12. From the Authentication drop-down list, select SHA2-256. Select SHA-1 only if your Android device does not support SHA-2.
  13. From the Encryption drop-down list, select AES (256-bit), which is the default encryption setting for Android devices.
  14. In the Force Key Expiration settings, set the expiration Time to 1 hour, and clear the Traffic check box.
  15. Click OK.
  16. In the Edit Mobile VPN with IPSec dialog box, clear the PFS check box.
    Perfect Forward Secrecy is not supported by the Android VPN client.

Screen shot of the IPSec Tunnel tab with PFS check box cleared

Finally, configure the DNS settings.

  1. Click the Advanced tab.
  2. Configure the DNS settings:

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53 in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53 as a DNS server.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, clients do not receive DNS or WINS settings from the Firebox.

Assign these settings to mobile clients

If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.

You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.

For more information about DNS and WINS server settings for Mobile VPN with IPSec users, see Configure DNS and WINS Servers for Mobile VPN with IPSec.

  3. Click OK.
  4. Save the configuration file to your Firebox.

To authenticate from the Android VPN client, Android VPN users must be members of the authentication group you specified in the Add Mobile VPN with IPSec Wizard.

  • For information about how to add users to a Firebox user group, see Define a New User for Firebox Authentication.
  • If you use a third-party authentication server, use the instructions provided in your vendor documentation.
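A configuration check that covers both procedures above (Fireware Web UI and Policy Manager), as an added example in Python; it is not WatchGuard code and does not read a Firebox configuration file. It represents the profile as a data class whose field names are assumed, and reports every setting that departs from what this page requires for the native Android client: Aggressive mode, SHA2-256 or SHA-1 with AES-256 and DH group 2, a 1-hour time-only Phase 2 expiration with PFS cleared, default-route, a virtual IP pool that is large enough (doubled for a FireCluster) and does not overlap the local networks, and at most one domain, two DNS servers and two WINS servers. The two sample profiles are constructed.

```python
"""Validates a Mobile VPN with IPSec profile against what this page requires
for the native Android client, for either the Fireware Web UI or the Policy
Manager procedure above.  Added example for this page, not WatchGuard code;
the field names and the sample profiles are assumed/constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class IpsecProfile:
    name: str
    exchange_mode: str              # must be "aggressive"
    phase1_auth: str                # "SHA2-256" or "SHA1"
    phase1_enc: str                 # "AES-256"
    phase1_dh: str                  # "DH2"
    phase1_sa_life_hours: int       # 1 (Android only) or up to 8 (shared profile)
    phase2_auth: str
    phase2_enc: str
    phase2_pfs: bool                # must be False
    phase2_expire_hours: int        # 1
    phase2_expire_on_traffic: bool  # Traffic check box must be cleared
    allow_all_traffic: bool         # default-route; Android has no split tunneling
    virtual_ip_pool: List[str]      # "10.0.99.1" host entries or "10.0.99.0/28" network entries
    local_networks: List[str]
    expected_users: int
    firecluster: bool = False
    dns_domains: List[str] = field(default_factory=list)
    dns_servers: List[str] = field(default_factory=list)
    wins_servers: List[str] = field(default_factory=list)


def pool_size(entries: List[str]) -> int:
    return sum(ipaddress.ip_network(e, strict=False).num_addresses for e in entries)


def check_profile(p: IpsecProfile) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the profile matches the page."""
    f = []
    if p.exchange_mode != "aggressive":
        f.append(("MODE", "Mobile VPN with IPSec needs the client in Aggressive mode"))
    for ph, auth, enc in (("P1", p.phase1_auth, p.phase1_enc), ("P2", p.phase2_auth, p.phase2_enc)):
        if auth not in ("SHA2-256", "SHA1"):
            f.append((ph + "_AUTH", f"{ph} authentication {auth} is neither SHA2-256 nor SHA1"))
        if enc != "AES-256":
            f.append((ph + "_ENC", f"{ph} encryption {enc} is not the Android default AES-256"))
    if p.phase1_dh != "DH2":
        f.append(("P1_DH", "Phase 1 key group must be Diffie-Hellman Group 2"))
    if not 1 <= p.phase1_sa_life_hours <= 8:
        f.append(("P1_LIFE", "Phase 1 SA Life should be 1 hour (Android only) or 8 hours (shared)"))
    if p.phase2_pfs:
        f.append(("P2_PFS", "clear PFS; the Android client does not support it"))
    if p.phase2_expire_hours != 1 or p.phase2_expire_on_traffic:
        f.append(("P2_EXPIRE", "Phase 2 keys must expire after 1 hour by time only"))
    if not p.allow_all_traffic:
        f.append(("SPLIT_TUNNEL", "enable Allow All Traffic Through Tunnel"))
    need = p.expected_users * (2 if p.firecluster else 1)
    have = pool_size(p.virtual_ip_pool)
    if have < need:
        f.append(("POOL_SIZE", f"pool holds {have} addresses but {need} are needed"))
    locals_ = [ipaddress.ip_network(n, strict=False) for n in p.local_networks]
    for entry in p.virtual_ip_pool:
        net = ipaddress.ip_network(entry, strict=False)
        for ln in locals_:
            if net.overlaps(ln):
                f.append(("POOL_OVERLAP", f"pool entry {net} overlaps local network {ln}"))
    if len(p.dns_domains) > 1:
        f.append(("DNS_DOMAIN", "only one domain name can be assigned"))
    if len(p.dns_servers) > 2:
        f.append(("DNS_SERVERS", "at most two DNS server addresses can be assigned"))
    if len(p.wins_servers) > 2:
        f.append(("WINS_SERVERS", "at most two WINS server addresses can be assigned"))
    return f


def codes(p: IpsecProfile) -> List[str]:
    return [code for code, _ in check_profile(p)]


# Constructed sample profiles: one as the page describes, one with typical mistakes
# (wrong DH group, PFS left on, traffic-based expiry, pool inside the LAN and too
# small for a FireCluster, three DNS servers).
GOOD = IpsecProfile("android-ipsec", "aggressive", "SHA2-256", "AES-256", "DH2", 1,
                    "SHA2-256", "AES-256", False, 1, False, True,
                    ["10.0.99.0/28"], ["10.0.1.0/24", "10.0.2.0/24"], 10,
                    dns_domains=["example.com"], dns_servers=["10.0.2.53"])
BAD = IpsecProfile("android-ipsec", "aggressive", "SHA2-256", "AES-256", "DH14", 1,
                   "SHA2-256", "AES-256", True, 1, True, True,
                   ["10.0.1.200/29"], ["10.0.1.0/24"], 10, firecluster=True,
                   dns_servers=["10.0.2.53", "10.0.2.54", "10.0.2.55"])

if __name__ == "__main__":
    for label, prof in (("good", GOOD), ("bad", BAD)):
        print(label, check_profile(prof) or "ok")
```

Run it before handing the profile to users; a "P1_DH" or "P2_PFS" finding is the usual reason the native client negotiates nothing at all, while "POOL_OVERLAP" produces a tunnel that comes up and then cannot reach the LAN.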

Configure the Native Android VPN Client

After you configure the Firebox, users in the authentication group you specified in the Mobile VPN with IPSec profile on the Firebox can use the native Android VPN client to connect. To use the native Android VPN client, the user must manually configure the VPN client settings to match the settings configured on the Firebox.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

For Android devices with Android version 12 or higher, we recommend you configure a Mobile VPN with IKEv2 connection with the free strongSwan app. For more information, see Configure Android Devices for Mobile VPN with IKEv2.

To manually configure the native VPN client on the Android device, in Android 8.0 (Oreo):

  1. Tap Settings > Network & Internet > VPN.
  2. Tap the + button.
    The Edit VPN profile dialog box appears.
  3. In the Name text box, type a descriptive name for the VPN connection.
  4. From the Type drop-down list, select IPSec Xauth PSK.
  5. In the Server address text box, type the external IP address of the Firebox.
  6. In the IPSec identifier text box, type the group name you specified in the Mobile VPN with IPSec configuration on the Firebox.
  7. Scroll down to see more settings.
  8. In the IPSec pre-shared key text box, type the tunnel passphrase you specified in the Mobile VPN with IPSec configuration on the Firebox.
  9. In the Username text box, type the username for a user in the specified authentication group.
    Specify the user name only. Do not preface the user name with a domain name and do not specify an email address.
  10. In the Password text box, type the password for a user in the specified authentication group.

Screen shot of the Edit VPN Profile dialog box in Android

  11. Tap Save.
    The VPN connection you created is saved to the VPN list.

Screen shot of the list of VPN connections in Android

  12. To connect, tap the VPN connection you created.
    The Connect To dialog box appears.

To verify your connection was successful and that the VPN tunnel is active, browse to a website that shows your IP address such as www.whatismyip.com. If your Android device is connected through the VPN, your IP address is the external IP address of the Firebox.

If your device has a later version of Android, the steps you must follow to configure the native VPN client might be different. For instructions that apply to your Android version, see the documentation from your device manufacturer.

You can configure the native VPN client for Android versions 8.0 (Oreo) to Android 11. For Android versions 12 and higher, we recommend you configure a mobile VPN with IKEv2 connection. For more information, see Configure Android Devices for Mobile VPN with IKEv2.


© 2023 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the United States and other countries. Various other trademarks are held by their respective owners.

Connecting to Access Server with Android

The OpenVPN protocol is not built into the Android operating system. A client program is therefore required that captures the traffic you want to send through the OpenVPN tunnel, encrypts it and passes it to the OpenVPN server, and does the reverse for the return traffic. There are several options for that client. We do not intend to limit our customers or create vendor lock-in; we try to keep connectivity and the choice of client software open, although we do of course recommend the official OpenVPN Connect client.

Official OpenVPN Connect app

On the Google Play Store, the client you can download and install for free is called OpenVPN Connect. This app supports only one active VPN tunnel at a time: connecting to two different servers at once is not a function we built into the official OpenVPN Connect app, and the underlying operating system does not allow it either. The OpenVPN Connect app can remember multiple servers, but only one can be active at a time.

To obtain the OpenVPN Connect app, go to the Google Play Store on your Android device, or open the link below. In the Play Store on your device, search for "openvpn connect" and the application appears in the search results; install it from there. Once installed, an icon is placed on your home screen. When you open the app, use the Access Server option to start the import process. You can import directly from the web interface of the Access Server or use the import-from-file option. If you use the web interface import option, enter the address of your Access Server's web interface along with your username and password; if your server is on an unusual port (not the default HTTPS port, TCP 443), specify the port as well. Once the import has completed, you are ready to use the app.

  • Official OpenVPN Connect app on the Google Play Store
  • Frequently asked questions

OpenVPN open source OpenVPN for Android app

OpenVPN for Android is an open source client developed by Arne Schwabe. It is targeted at more advanced users and offers many settings, the ability to import profiles from files, and the ability to configure and change profiles inside the app. The client is based on the community version of OpenVPN, that is, the OpenVPN 2.x source code, and can be seen as the semi-official client of the OpenVPN open source community.
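Both the OpenVPN for Android FAQ above (profile import from storage, tun-only operation) and this paragraph mention importing a client profile from a file. The following is an added example, not code from OpenVPN for Android, OpenVPN Connect or Access Server: a small parser for the .ovpn format, including the inline `<ca>` block style, plus a pre-import check for the things that make a profile fail or be unsafe on Android. The sample profile and its certificate body are constructed; the `dev tap` line is the mistake the FAQ warns about, and the check list (remote present, CA present, `remote-cert-tls server`, no null cipher or auth) is mine.

```python
"""Parser and pre-import check for an OpenVPN client profile (.ovpn) as
imported from storage by OpenVPN for Android or OpenVPN Connect.  Added example
for this page, not code from either project; the sample profile and its
certificate body are constructed, and the check list is mine."""
import re
from typing import Dict, List, Tuple

SAMPLE_PROFILE = """\
client
dev tap
proto udp
remote vpn.example.com 1194
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""


def parse_profile(text: str) -> Tuple[List[Tuple[str, List[str]]], Dict[str, str]]:
    """Return (directives, inline): directives is a list of (name, args) in file
    order; inline maps a tag such as 'ca' or 'cert' to the body of its <tag> block."""
    directives, inline = [], {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                # inside a <tag> ... </tag> block
            if line == f"</{current}>":
                inline[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(raw)
            continue
        if not line or line[0] in "#;":        # blank or comment
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            current = m.group(1)
            continue
        name, *args = line.split()
        directives.append((name, args))
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return directives, inline


def check_android_profile(text: str) -> List[str]:
    """Return finding codes; an empty list means the profile should import and connect."""
    directives, inline = parse_profile(text)
    by_name: Dict[str, List[List[str]]] = {}
    for name, args in directives:
        by_name.setdefault(name, []).append(args)
    findings = []
    dev = by_name.get("dev", [[""]])[0]
    if not dev or not dev[0].startswith("tun"):
        findings.append("DEV_NOT_TUN")           # Android's VpnService only provides tun
    if "remote" not in by_name:
        findings.append("NO_REMOTE")
    if "ca" not in inline and "ca" not in by_name:
        findings.append("NO_CA")                 # the server certificate cannot be verified
    if ["server"] not in by_name.get("remote-cert-tls", []):
        findings.append("NO_REMOTE_CERT_TLS")    # any client cert from the CA could pose as the server
    if by_name.get("cipher", [[]])[0] == ["none"] or by_name.get("auth", [[]])[0] == ["none"]:
        findings.append("NULL_CRYPTO")
    return findings


if __name__ == "__main__":
    print(check_android_profile(SAMPLE_PROFILE))
    print(check_android_profile(SAMPLE_PROFILE.replace("dev tap", "dev tun")))
```

Changing the `dev tap` line to `dev tun` is the only edit the sample profile needs; the other checks catch profiles that would import fine but connect without verifying the server's role or without encryption.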

Other clients

There may be other OpenVPN clients available on the Google Play Store as well, but we have no information on them here.