diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml index fe5a7a062..5868f6a61 100755 --- a/main/src/main/res/values/strings.xml +++ b/main/src/main/res/values/strings.xml @@ -7,7 +7,7 @@ Server Address: Server Port: Location - Unable to read directory + Could not read directory Select Cancel No Data 
@@ -15,71 +15,71 @@ No Certificate Client Certificate Client Certificate Key - PKCS12 File + PKCS 12 File CA Certificate You must select a certificate Source code and issue tracker available at https://github.com/schwabe/ics-openvpn/ - This program uses the following components; see the source code for full details on the licenses + This program uses the following components; the source code has full details on licenses used About Profiles Type - PKCS12 Password + PKCS 12 Password Select… - You must select a file + Select a file Use TLS Authentication TLS Direction - Enter IPv6 Address/Netmask in CIDR Format (e.g. 2000:dd::23/64) - Enter IPv4 Address/Netmask in CIDR Format (e.g. 1.2.3.4/24) + Enter IPv6 address/netmask in CIDR format (e.g. 2000:dd::23/64) + Enter IPv4 address/netmask in CIDR format (e.g. 1.2.3.4/24) IPv4 Address IPv6 Address - Enter custom OpenVPN options. Use with caution. Also note that many of the tun related OpenVPN settings cannot be supported by design of the VPNSettings. If you think an important option is missing contact the author + Enter custom OpenVPN options. Use with caution. Also note that many of the TUN related OpenVPN settings cannot be supported by design of the VPNSettings. Contact the author if you think an important option is missing. 
Username (leave empty for no auth) Password - For the static configuration the TLS Auth Keys will be used as static keys - Configure the VPN + For the static configuration the TLS auth keys will be used as static keys + Set up the VPN Add Profile - Enter a name identifying the new Profile - Please enter a unique Profile Name + Enter a name identifying the new profile + Please enter a unique profile name Profile Name - You must select a User certificate - You must select a CA certificate or enable peer fingerprint check + You must select a user certificate + You must select a CA certificate or turn on peer fingerprint checks No error found - Error in Configuration - Error parsing the IPv4 address - Error parsing the custom routes - (leave empty to query on demand) + Error in configuration + Could not parse the IPv4 address + Could not parse the custom routes + (leave empty for query on demand) OpenVPN Shortcut Connecting to VPN… - Profile specified in shortcut not found + Could not find profile specified in shortcut Random Host Prefix - Adds 6 random chars in front of hostname - Enable Custom Options + Adds six random characters in front of the hostname + Custom Options Specify custom options. Use with care! Route rejected by Android Disconnect Disconnect VPN - clear log + Clear log Cancel Confirmation Disconnect the connected VPN/cancel the connection attempt? Remove VPN Checks whether the server uses a certificate with TLS Server extensions (--remote-cert-tls server) Expect TLS server certificate - Checks the Remote Server Certificate Subject DN + Verifies the subject DN of the remote server certificate Certificate Hostname Check - Specify the check used to verify the remote certificate DN (e.g. 
C=DE, L=Paderborn, OU=Avian IP Carriers, CN=openvpn.blinkt.de)\n\nSpecify the complete DN or the RDN (openvpn.blinkt.de in the example) or an RDN prefix for verification.\n\nWhen using RDN prefix \"Server\" matches \"Server-1\" and \"Server-2\"\n\nLeaving the text field empty will check the RDN against the server hostname.\n\nFor more details see the OpenVPN 2.3.1+ manpage under —verify-x509-name + Specify the check used to verify the remote certificate DN (e.g. C=DE, L=Paderborn, OU=Avian IP Carriers, CN=openvpn.blinkt.de)\n\nSpecify the complete DN or the RDN (openvpn.blinkt.de in the example) or an RDN prefix for verification.\n\nWhen using RDN prefix \"Server\" matches \"Server-1\" and \"Server-2\"\n\nLeaving the text field empty will check the RDN against the server hostname.\n\nMore details in the OpenVPN 2.3.1+ manpage under —verify-x509-name Remote certificate subject - Enables the TLS Key Authentication + Turns on TLS Key authentication TLS Auth File Requests IP addresses, routes and timing options from the server. - No information is requested from the server. Settings need to be specified below. + No info was requested from the server. Specify settings below. Pull Settings DNS - Override DNS Settings by Server - Use your own DNS Servers + Override DNS Settings by server + Use your own DNS servers searchDomain - DNS Server to be used. + DNS Server to use. DNS Server - Secondary DNS Server used if the normal DNS Server cannot be reached. + Secondary DNS server used if first cannot be reached. Backup DNS Server Ignore pushed routes Ignore routes pushed by the server. 
@@ -93,37 +93,37 @@ Allows authenticated packets from any IP Allow floating server Custom Options - Edit VPN Settings - Remove the VPN Profile \'%s\'? - On some custom ICS images the permission on /dev/tun might be wrong, or the tun module might be missing completely. For CM9 images try the fix ownership option under general settings - Failed to open the tun interface + Edit VPN settings + Remove the \"%s\" VPN profile? + On some custom ICS images the /dev/tun permissions might be wrong, or the TUN module might be missing completely. For CM9 images, try fixing ownership in the general settings. + Could not open the TUN interface "Error: " Clear - Opening tun interface: + Opening TUN interface: Local IPv4: %1$s/%2$d IPv6: %3$s MTU: %4$d DNS Server: %1$s, Domain: %2$s Routes: %1$s %2$s Routes excluded: %1$s %2$s VpnService routes installed: %1$s %2$s - Got interface information %1$s and %2$s, assuming second address is peer address of remote. Using /32 netmask for local IP. Mode given by OpenVPN is \"%3$s\". + Got interface info %1$s and %2$s, assuming second address is peer address of remote. Using /32 netmask for local IP. Mode given by OpenVPN is \"%3$s\". Cannot make sense of %1$s and %2$s as IP route with CIDR netmask, using /32 as netmask. Corrected route %1$s/%2$s to %3$s/%2$s - Cannot access the Android Keychain Certificates. This can be caused by a firmware upgrade or by restoring a backup of the app/app settings. Please edit the VPN and reselect the certificate under basic settings to recreate the permission to access the certificate. + Cannot access the Android keychain certificates. This can be caused by a firmware upgrade or by restoring a backup of the app/app settings. Please edit the VPN and reselect the certificate under basic settings to recreate the permission to access the certificate. 
%1$s %2$s - Send log file + Send logfile Send - ICS OpenVPN log file - Copied log entry to clip board + ICS OpenVPN logfile + Copied log entry to clipboard Tap Mode - Tap Mode is not possible with the non root VPN API. Therefore this application cannot provide tap support - Again? Are you kidding? No, tap mode is really not supported and sending more mail asking if it will be supported will not help. - A third time? Actually, one could write a tap emulator based on tun that would add layer2 information on send and strip layer2 information on receive. But this tap emulator would also have to implement ARP and possibly a DHCP client. I am not aware of anybody doing any work in this direction. Contact me if you want to start coding on this. + Root access is needed for tap mode via the VPN API. Therefore this program cannot provide tap support + Again? Are you kidding? No, tap mode is really not supported and e-mails about it don\'t help. + A third time? Actually, one could write a tap emulator based on TUN that would add layer2 info upon sending and strip layer2 info on reception. But this tap emulator would also have to implement ARP and possibly a DHCP client. I am not aware of anybody doing any work in this direction. Contact me if you want to start coding on this. FAQ - Copying log entries - To copy a single log entry press and hold on the log entry. To copy/send the whole log use the Send Log option. Use the hardware menu button, if the button is not visible in the GUI. + Copying log entries… + Press and hold a log entry to copy it. Copy/send the whole log using \"Send Log\". Use the physical menu botton if there isn\'t one in the GUI. Shortcut to start - You can place a shortcut to start OpenVPN on your desktop. Depending on your homescreen program you will have to add either a shortcut or a widget. - Your image does not support the VPNService API, sorry :( + You can place a shortcut as a shortcut or a widget to start OpenVPN on your desktop. 
+ Your image does not support the VPNService API. :( Encryption Enter data encryption methods Enter the data encryption cipher algorithms used by OpenVPN separated by : (--data-ciphers). Leave empty to use the default of AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305. 
@@ -131,35 +131,35 @@ Authentication/Encryption File Explorer Inline File - Error importing File - Could not import File from filesystem + Could not import file + The file was not found in the filesystem [[Inline file data]] - Refusing to open tun device without IP information - Import Profile from ovpn file + Refusing to open TUN device without IP info + Import Profile from OVPN file Import Could not read profile to import - Error reading config file + Could not read config file add Profile - Could not find file %1$s mentioned in the imported config file - Importing config file from source %1$s - Your configuration had a few configuration options that are not mapped to UI configurations. These options were added as custom configuration options. The custom configuration is displayed below: - Done reading config file. + Could not find \"%1$s\" file mentioned in the imported config file + Importing \"%1$s\"config file from source… + Your configuration had a few unmapped configuration options to UI configurations. These were added to the custom configuration displayed below: + Config file read. Do not bind to local address and port No local binding Import configuration file Security considerations - "As OpenVPN is security sensitive a few notes about security are sensible. All data on the sdcard is inherently insecure. Every app can read it (for example this program requires no special sd card rights). The data of this application can only be read by the application itself. By using the import option for cacert/cert/key in the file dialog the data is stored in the VPN profile. The VPN profiles are only accessible by this application. (Do not forget to delete the copies on the sd card afterwards). Even though accessible only by this application the data is still unencrypted. By rooting the telephone or other exploits it may be possible to retrieve the data. Saved passwords are stored in plain text as well. 
For pkcs12 files it is highly recommended that you import them into the android keystore." + "As OpenVPN is security sensitive a few notes about security are sensible. All data on the SD card is inherently insecure. Every program can read it (for example this program requires no special SD card rights). The data of this program can only be read by the program itself. By using the import option for CA cert/cert/key in the file dialog the data is stored in the VPN profile. The VPN profiles are only accessible by this program. (Do not forget to delete the copies on the SD card afterwards). Even though accessible only by this program the data is still unencrypted. By rooting the device or other exploits it may be possible to retrieve the data. Saved passwords are stored in plaintext too. For PKCS 12 files it is highly recommended that you import them into the Android keystore." Import - Error showing certificate selection - Got an exception trying to show the Android 4.0+ certificate selection dialog. This should never happen as this a standard feature of Android 4.0+. Maybe your Android ROM support for certificate storage is broken + Could not show certificate selection + Got an exception trying to show the Android 4.0+ certificate selection dialog. This should never happen as it is a standard feature of Android 4.0+. Maybe your Android ROM support for certificate storage is broken? IPv4 IPv6 Waiting for state message… imported profile imported profile %d Broken Images - <p>Official HTC images are known to have a strange routing problem causing traffic not to flow through the tunnel (See also <a href="https://github.com/schwabe/ics-openvpn/issues/18">Issue 18</a> in the bug tracker.)</p><p>Older official SONY images from Xperia Arc S and Xperia Ray have been reported to be missing the VPNService completely from the image. 
(See also <a href="https://github.com/schwabe/ics-openvpn/issues/29">Issue 29</a> in the bug tracker.)</p><p>On custom build images the tun module might be missing or the rights of /dev/tun might be wrong. Some CM9 images need the "Fix ownership" option under "Device specific hacks" enabled.</p><p>Most importantly: If your device has a broken Android image, report it to your vendor. The more people who report an issue to the vendor, the more likely they are to fix it.</p> - PKCS12 File Encryption Key + <p>Official HTC images are known to have a strange routing problem causing traffic not to flow through the VPN tunnel (See also <a href="https://github.com/schwabe/ics-openvpn/issues/18">Issue 18</a> in the bug tracker.)</p><p>Older official SONY images from Xperia Arc S and Xperia Ray have been reported to be missing the VPNService completely from the image. (See also <a href="https://github.com/schwabe/ics-openvpn/issues/29">Issue 29</a> in the bug tracker.)</p><p>On custom build images the tun module might be missing or the rights of /dev/tun might be wrong. Some CM9 images need the "Fix ownership" option under "Device specific hacks" enabled.</p><p>Most importantly: If your device has a broken Android image, report it to your vendor. The more people who report an issue to the vendor, the more likely they are to fix it.</p> + PKCS 12 File Encryption Key Private Key Password Password file icon 
@@ -167,137 +167,138 @@ Generated Config Settings Tries to set the owner of /dev/tun to system. Some CM9 images need this to make the VPNService API work. Requires root. - Fix ownership of /dev/tun - Shows the generated OpenVPN Configuration File - Editing \"%s\" + Fix /dev/tun ownership + Shows the generated OpenVPN configuration File + Editing \"%s\"… Building configuration… - Turning this option on will force a reconnect if the network state is changed (e.g. WiFi to/from mobile) - Reconnect on network change + Turning this on forces a reconnect if the network state is changed (e.g. Wi-Fi to/from mobile) + Reconnect upon network changes Network Status: %s The CA cert is usually returned from the Android keystore. Specify a separate certificate if you get certificate verification errors. Select No CA Certificate returned while reading from Android keystore. Authentication will probably fail. - Shows the log window on connect. The log window can always be accessed from the notification status. - Show log window + Shows the log window when connecting. It can always be accessed from the notification status. + Show log %10$s %9$s running on %3$s %1$s (%2$s), Android %6$s (%7$s) API %4$d, ABI %5$s, (%8$s) - Error signing with Android keystore key %1$s: %2$s - Error signing with external authenticator app (%3$s): %1$s: %2$s - The VPN connection warning telling you that this app can intercept all traffic is imposed by the system to prevent abuse of the VPNService API.\nThe VPN connection notification (The key symbol) is also imposed by the Android system to signal an ongoing VPN connection. On some images this notification plays a sound.\nAndroid introduced these system dialogs for your own safety and made sure that they cannot be circumvented. 
(On some images this unfortunately includes a notification sound) + Could not sign with Android keystore key %1$s: %2$s + Could not sign with external authenticator app (%3$s): %1$s: %2$s + The VPN connection warning telling you that this program can intercept all traffic is imposed by the system to prevent abuse of the VPNService API.\nThe VPN connection notification (the key symbol) is also imposed by the Android to signal an ongoing VPN connection. On some images this notification plays a sound.\nAndroid introduced these system dialogs for your own safety and made sure that they cannot be circumvented. (On some images this unfortunately includes a notification sound) Connection warning and notification sound + English translation by Arne Schwabe<arne@rfc2549.org> IP and DNS Basic Routing - Obscure OpenVPN Settings. Normally not needed. + Obscure OpenVPN settings. Normally not needed. Advanced ICS Openvpn Config - No DNS servers being used. Name resolution may not work. Consider setting custom DNS Servers. Please also note that Android will keep using your proxy settings specified for your mobile/Wi-Fi connection when no DNS servers are set. - Could not add DNS Server \"%1$s\", rejected by the system: %2$s - Could not configure IP Address \"%1$s\", rejected by the system: %2$s - <p>Get a working config (tested on your computer or download from your provider/organisation)</p><p>If it is a single file with no extra pem/pkcs12 files you can email the file yourself and open the attachment. 
If you have multiple files put them on your sd card.</p><p>Click on the email attachment/Use the folder icon in the vpn list to import the config file</p><p>If there are errors about missing files put the missing files on your sd card.</p><p>Click on the save symbol to add the imported VPN to your VPN list</p><p>Connect the VPN by clicking on the name of the VPN</p><p>If there are error or warnings in the log try to understand the warnings/error and try to fix them</p> + No DNS servers being used. Name resolution may not work. Consider setting custom DNS servers. Please also note that Android will keep using your proxy settings specified for your mobile/Wi-Fi connection when no DNS servers are set. + Could not add the \"%1$s\" DNS server. It was rejected by the system: %2$s + Could not configure IP address \"%1$s\". It was rejected by the system: %2$s + <p>Get a working config (tested on your computer or download from your provider/organisation)</p><p>If it is a single file with no extra PEM/PKCS 12 files you can e-mail yourself the file and open the attachment. If you have multiple files put them on your SD card.</p><p>Click on the e-mail attachment/use the folder icon in the VPN list to import the config file</p><p>If there are errors about missing files put the missing files on your SD card.</p><p>Click on the save symbol to add the imported VPN to your VPN list</p><p>Connect the VPN by clicking its name</p><p>If there are errors or warnings in the log try to understand and try to fix them</p> Quick Start - Try to load the tun.ko kernel module before trying to connect. Needs rooted devices. - Load tun module - Import PKCS12 from configuration into Android Keystore - Error getting proxy settings: %s + Try to load the tun.ko kernel module before trying to connect. Needs root. 
+ Load TUN module + Import PKCS 12 from configuration into Android keystore + Could not fetch proxy settings: %s Using proxy %1$s %2$s Use system proxy - Use the system wide configuration for HTTP/HTTPS proxies to connect. - OpenVPN will connect the specified VPN if it was active on system boot. Please read the connection warning FAQ before using this option on Android < 5.0. - Connect on boot + Use the system-wide configuration for HTTP/HTTPS proxies to connect. + OpenVPN will connect the specified VPN if it was active when the system started up. Please read the connection warning FAQ before using this option on Android < 5.0. + Connect when starting the system Ignore Restart Configuration changes are applied after restarting the VPN. (Re)start the VPN now? Configuration changed Could not determine last connected profile for editing Duplicate notifications - If Android is under system memory (RAM) pressure, apps and service which are not needed at the moment are removed from active memory. This terminates an ongoing VPN connection. To ensure that the connection/OpenVPN survives the service runs with higher priority. To run with higher priority the application must display a notification. The key notification icon is imposed by the system as described in the previous FAQ entry. It does not count as app notification for purpose of running with higher priority. + If Android is under system memory (RAM) pressure, apps and service not needed at the moment are removed from active memory. This terminates an ongoing VPN connection. To ensure that the connection/OpenVPN survives the service runs with higher priority. To run with higher priority the program must display a notification. The key notification icon is imposed by the system as described in the previous FAQ entry. It does not count as an app notification for the purpose of running with higher priority. No VPN profiles defined. 
- Use the <img src=\"ic_menu_add\"/> icon to add a new VPN - Use the <img src=\"ic_menu_archive\"/> icon to import an existing (.ovpn or .conf) profile from your sdcard. - Be sure to also check out the FAQ. There is a quick start guide. - Routing/Interface Configuration - The Routing and interface configuration is not done via traditional ifconfig/route commands but by using the VPNService API. This results in a different routing configuration than on other OSes. \nThe configuration of the VPN tunnel consists of the IP address and the networks that should be routed over this interface. Especially, no peer partner address or gateway address is needed or required. Special routes to reach the VPN Server (for example added when using redirect-gateway) are not needed either. The application will consequently ignore these settings when importing a configuration. The app ensures with the VPNService API that the connection to the server is not routed through the VPN tunnel.\nThe VPNService API does not allow specifying networks that should not be routed via the VPN. As a workaround the app tries to detect networks that should not be routed over tunnel (e.g. route x.x.x.x y.y.y.y net_gateway) and calculates a set of routes that excludes this routes to emulate the behaviour of other platforms. The log windows shows the configuration of the VPNService upon establishing a connection.\nBehind the scenes: Android 4.4+ does use policy routing. Using route/ifconfig will not show the installed routes. Instead use ip rule, iptables -t mangle -L - Do not fallback to no VPN connection when OpenVPN is reconnecting. - Persistent tun + Use the <img src=\"ic_menu_add\"/> icon to add a new VPN. + Use the <img src=\"ic_menu_archive\"/> icon to import an existing (.ovpn or .conf) profile from your SD card. + Do check out the FAQ and its quick-start guide. + Routing/interface Configuration + This is not done via traditional ifconfig/route commands, but by using the VPNService API. 
This results in a different routing configuration than on other OSs. \nThe configuration of the VPN tunnel consists of the IP address and the networks to route over this interface. Especially, no peer partner address or gateway address is needed or required. Special routes to reach the VPN Server (for example added when using redirect-gateway) are not needed either. The program will consequently ignore these settings when importing a configuration. The program uses the VPNService API to ensure the connection to the server is not routed through the VPN tunnel.\nThe VPNService API does not allow specifying networks to not route via the VPN. As a workaround the app tries to detect networks to not route over the VPN tunnel (e.g. route x.x.x.x y.y.y.y net_gateway) and calculates a set of routes that excludes this routes to emulate the behaviour of other platforms. The log windows shows the configuration of the VPNService upon establishing a connection.\nBehind the scenes: Android 4.4+ does use policy routing. Using route/ifconfig will not show the installed routes. Instead use this IP rule: \"iptables -t mangle -L\" + Do not fall back to no VPN connection when OpenVPN is reconnecting. + Persistent TUN OpenVPN Log Import OpenVPN configuration Battery consumption - In my personal tests the main reason for high battery consumption of OpenVPN are the keepalive packets. Most OpenVPN servers have a configuration directive like \'keepalive 10 60\' which causes the client and server to exchange keepalive packets every ten seconds. <p> While these packets are small and do not use much traffic, they keep the mobile radio network busy and increase the energy consumption. (See also <a href="https://developer.android.com/training/efficient-downloads/efficient-network-access.html#RadioStateMachine">The Radio State Machine | Android Developers</a>) <p> This keepalive setting cannot be changed on the client. Only the system administrator of the OpenVPN can change the setting. 
<p> Unfortunately using a keepalive larger than 60 seconds with UDP can cause some NAT gateways to drop the connection due to an inactivity timeout. Using TCP with a long keep alive timeout works, but tunneling TCP over TCP performs extremely poorly on connections with high packet loss. (See <a href="http://sites.inka.de/bigred/devel/tcp-tcp.html">Why TCP Over TCP Is A Bad Idea</a>) - The Android Tethering feature (over WiFi, USB or Bluetooth) and the VPNService API (used by this program) do not work together. For more details see the <a href=\"https://github.com/schwabe/ics-openvpn/issues/34\">issue #34</a> + In my personal tests the main reason for high battery consumption of OpenVPN are the keepalive packets. Most OpenVPN servers have a configuration directive like \"keepalive 10 60\" which causes the client and server to exchange keepalive packets every ten seconds. <p> While these packets are small and do not use much traffic, they keep the mobile radio network busy and increase the energy consumption. (See also <a href="https://developer.android.com/training/efficient-downloads/efficient-network-access.html#RadioStateMachine">The Radio State Machine | Android Developers</a>) <p> This keepalive setting cannot be changed on the client. Only the system administrator of the OpenVPN can change the setting. <p> Unfortunately using a keepalive larger than 60 seconds with UDP can cause some NAT gateways to drop the connection due to an inactivity timeout. Using TCP with a long keep alive timeout works, but tunneling TCP over TCP performs extremely poorly on connections with high packet loss. (See <a href="http://sites.inka.de/bigred/devel/tcp-tcp.html">Why TCP Over TCP Is A Bad Idea</a>) + The Android Tethering feature (over Wi-Fi, USB or Bluetooth) and the VPNService API (used by this program) do not work together. 
More details in <a href=\"https://github.com/schwabe/ics-openvpn/issues/34\">issue #34</a> VPN and Tethering Connection retries Reconnection settings Number of seconds to wait between connection attempts. Seconds between connections OpenVPN crashed unexpectedly. Please consider using the send Minidump option in the main menu - Send Minidump to developer - Sends debugging information about last crash to developer - OpenVPN - %s - %1$s - %2$s - %1$s - %3$s, %2$s - Connecting - Waiting for server reply + Send minidump to developer + Sends debugging info about last crash to the developer + OpenVPN — %s + %1$s — %2$s + %1$s — %3$s, %2$s + Connecting… + Waiting for server reply… Authenticating - Getting client configuration - Assigning IP addresses - Adding routes + Getting client configuration… + Assigning IP addresses… + Adding routes… Connected Disconnect - Reconnecting - Exiting + Reconnecting… + Exiting… Not running - Resolving host names - Connecting (TCP) + Resolving hostnames… + Connecting (via TCP)… Authentication failed - Waiting for usable network - Waiting for Orbot to start - ↓%2$s %1$s - ↑%4$s %3$s + Waiting for usable network… + Waiting for Orbot to start… + ↓%2$s %1$s — ↑%4$s %3$s Not connected - Connecting to VPN %s - Connecting to VPN %s - Some versions of Android 4.1 have problems if the name of the keystore certificate contains non alphanumeric characters (like spaces, underscores or dashes). Try to reimport the certificate without special characters + Connecting to \"%s\" VPN… + Connecting to \"%s\" VPN… + Some versions of Android 4.1 have problems if the name of the keystore certificate contains non alphanumeric characters (like spaces, underscores or dashes). Try to reimport the certificate without those. 
Encryption ciphers Packet authentication Enter packet authentication method built by %s - debug build - official build - Copy into profile + Debug build + Official build + Copy to profile Crashdump Add Send config file Complete DN - Your imported configuration used the old DEPRECATED tls-remote option which uses a different DN format. + Your imported configuration used the old DEPRECATED \"tls-remote\" option which uses a different DN format. RDN (common name) RDN prefix - tls-remote (DEPRECATED) - You can help translating by visiting https://crowdin.net/project/ics-openvpn/invite + \"tls-remote\" (DEPRECATED) + Help translate the app on https://hosted.weblate.org/projects/openvpn-for-android/ %1$s attempts to control %2$s - By proceeding, you are giving the application permission to completely control OpenVPN for Android and to intercept all network traffic.Do NOT accept unless you trust the application. Otherwise, you run the risk of having your data compromised by malicious software." - I trust this application. - No app allowed to use external API + You are granting the app complete control over OpenVPN for Android and to intercept all network traffic.Do NOT accept unless you trust it. Otherwise, you run the risk of having your data compromised by malicious software." + I trust this program. + No apps are allowed to use the external API Allowed apps: %s - Clear list of allowed external apps?\nCurrent list of allowed apps:\n\n%s - Pause VPN when screen is off and less than 64 kB transferred data in 60s. When the \"Persistent Tun\" option is enabled pausing the VPN will leave your device with NO network connectivity. Without the \"Persistent Tun\" option the device will have no VPN connection/protection. - Pause VPN connection after screen off + Clear list of allowed external apps?\nCurrently allowed:\n\n%s + Pause VPN when the screen is off and less than 64 kB transferred data in 60 s. 
When \"Persistent TUN\" is on pausing the VPN leaves your device with NO network connectivity. Without the \"Persistent TUN\" option the device will have no VPN connection/protection. + Pause VPN when screen is off Pausing connection in screen off state: less than %1$s in %2$ss - Warning: Persistent tun not enabled for this VPN. Traffic will use the normal Internet connection when the screen is off. + Warning: Persistent tUN is off for this VPN. Traffic will use the normal Internet connection when the screen is off. Save Password Pause VPN Resume VPN VPN pause requested by user - VPN paused - screen off + VPN paused — screen off Device specifics Hacks - Cannot display certificate information - Application behaviour + Cannot display certificate info + Program behaviour VPN behaviour Allow changes to VPN Profiles Hardware Keystore: - Icon of app trying to use OpenVPN for Android - "Starting with Android 4.3 the VPN confirmation is guarded against \"overlaying apps\". This results in the dialog not reacting to touch input. If you have an app that uses overlays it may cause this behaviour. If you find an offending app contact the author of the app. This problem affect all VPN applications on Android 4.3 and later. See also <a href=\"https://github.com/schwabe/ics-openvpn/issues/185\">Issue 185<a> for additional details" - Vpn Confirmation Dialog - Alternatively you can send me a donation with the Play Store: + Icon of the app trying to use OpenVPN for Android + "From Android 4.3 the VPN confirmation is protected against \"overlaying apps\". The dialog does not react to touch input. If you have an app that uses overlays it may cause this behaviour. If you find an offending app contact the app author. This problem affects all VPN apps on Android 4.3 and onwards. More info in <a href=\"https://github.com/schwabe/ics-openvpn/issues/185\">Issue 185<a> for additional details" + VPN Confirmation Dialog + Alternatively donate via the Play store: Thanks for donating %s! 
Log cleared. Show password 
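Review bot: The new warning "Persistent tUN is off for this VPN" introduces a casing typo; it should read "Persistent TUN", matching the \"Persistent TUN\" spelling used in the screen-off pause string of the same hunk. In the external API consent text, "You are granting the app complete control over OpenVPN for Android and to intercept all network traffic.Do NOT accept" is no longer parallel (the old "permission to completely control ... and to intercept" was) and still lacks the space after "traffic."; this is the prompt that lets another app intercept all traffic, so I would keep the original sentence structure and only change the wording. The checkbox now says "I trust this program." while the warning above it says "app"; pick one term. The overlay help now reads "More info in ... Issue 185 ... for additional details", which says the same thing twice, and the link there is still closed with <a> instead of </a>.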
@@ -313,26 +314,26 @@ Unhandled exception: %1$s\n\n%2$s %3$s: %1$s\n\n%2$s If you have rooted your Android device you can install the <a href=\"http://xposed.info/\">Xposed framework</a> and the <a href=\"http://repo.xposed.info/module/de.blinkt.vpndialogxposed\">VPN Dialog confirm module</a> at your own risk" - Full licenses - Networks directly connected to the local interfaces will not be routed over the VPN. Deselecting this option will redirect all traffic intented for local networks to the VPN. + Full libre licenses + Networks directly connected to the local interfaces will not be routed over the VPN. Deselecting this redirects all traffic intented for local networks to the VPN. Bypass VPN for local networks Username/Password file [Imported from: %s] - Some files could not be found. Please select the files to import the profile: - To use this app you need a VPN provider/VPN gateway supporting OpenVPN (often provided by your employer). Check out https://community.openvpn.net/ for more information on OpenVPN and how to setup your own OpenVPN server. + Some files could not be found. Please select the files to import the profile from: + To use this app you need a VPN provider/VPN gateway supporting OpenVPN (often provided by your employer).\nCheck out https://community.openvpn.net/ for more info on OpenVPN and how to set up your own OpenVPN server. Import log: - Vpn topology \"%3$s\" specified but ifconfig %1$s %2$s looks more like an IP address with a network mask. Assuming \"subnet\" topology. - The MSS override value has to be a integer between 0 and 9000 - The MTU override value has to be a integer between 64 and 9000 - Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed this number of bytes. 
(default is 1450) - Override MSS value of TCP payload + VPN topology \"%3$s\" specified, but \"ifconfig %1$s %2$s\" looks more like an IP address with a network mask. Assuming \"subnet\" topology. + The MSS override value has to be a whole number between 0 and 9000 + The MTU override value has to be a whole number between 64 and 9000 + Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed this number of bytes. (The default is 1450) + MSS value to override the TCP payload with Set MSS of TCP payload Client behaviour Clear allowed external apps Loading… Allowed VPN apps: %1$s Disallowed VPN apps: %1$s - Package %s is no longer installed, removing it from app allow/disallow list + Removing the no longer install \"%s\" package from app allow/disallow list VPN is used for all apps but exclude selected VPN is used for only for selected apps Allow apps to bypass the VPN 
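Review bot: The replacement for the stale-package message, "Removing the no longer install \"%s\" package from app allow/disallow list", is ungrammatical: "install" should be "installed", for example "Removing package \"%s\", which is no longer installed, from the app allow/disallow list". "Full licenses" becoming "Full libre licenses" adds a claim about the licenses that nothing else in the hunk supports, so I would revert it unless it is intended. "MSS value to override the TCP payload with" now says the payload is overridden, where the old text said the MSS value is. The local-networks string is touched by this change but "intented" is left misspelled.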
@@ -341,30 +342,30 @@ Delete Add new remote Use connection entries in random order on connect - You need to define and enable at least one remote server. + Define and connect to at least one remote server. Server List Allowed Apps Advanced Settings Payload options TLS Settings - No remote defined + No remote server defined Duplicate VPN profile Duplicating profile: %s Show log - Multiple OpenVPN clients for Android exist. The most common ones are OpenVPN for Android (this client), OpenVPN Connect and OpenVPN Settings.<p>The clients can be grouped into two groups: OpenVPN for Android and OpenVPN Connect use the official VPNService API (Android 4.0+) and require no root and OpenVPN Settings which uses root.<p>OpenVPN for Android is an open source client and developed by Arne Schwabe. It is targeted at more advanced users and offers many settings and the ability to import profiles from files and to configure/change profiles inside the app. The client is based on the community version of OpenVPN. It is based on the OpenVPN 2.x source code. This client can be seen as the semi officially client of the community. <p>OpenVPN Connect is non open source client that is developed by OpenVPN Technologies, Inc. The client is indented to be general use client and more targeted at the average user and allows the import of OpenVPN profiles. This client is based on the OpenVPN C++ reimplementation of the OpenVPN protocol (This was required to allow OpenVPN Technologies, Inc to publish an iOS OpenVPN app). This client is the official client of the OpenVPN technologies <p> OpenVPN Settings is the oldest of the clients and also a UI for the open source OpenVPN. In contrast to OpenVPN for Android it requires root and does not use the VPNService API. It does not depend on Android 4.0+ + Multiple OpenVPN clients for Android exist. 
The most common ones are OpenVPN for Android (this client), OpenVPN Connect and OpenVPN Settings.<p>The clients can be grouped into two groups: OpenVPN for Android and OpenVPN Connect use the official VPNService API (Android 4.0+) and require no root and OpenVPN Settings which uses root.<p>OpenVPN for Android is an open source client and developed by Arne Schwabe. It is targeted at more advanced users and offers many settings and the ability to import profiles from files and to configure/change profiles inside the app. The client is based on the community version of OpenVPN. It is based on the OpenVPN 2.x source code. This client can be seen as the semi officially client of the community. <p>OpenVPN Connect is non open source client that is developed by OpenVPN Technologies, Inc. The client is indented to be general use client and more targeted at the average user and allows the import of OpenVPN profiles. This client is based on the OpenVPN C++ reimplementation of the OpenVPN protocol (This was required to allow OpenVPN Technologies, Inc to publish an iOS OpenVPN app). This client is the official client of the OpenVPN technologies <p> OpenVPN Settings is the oldest of the clients and also a UI for OpenVPN. In contrast to OpenVPN for Android it requires root and does not use the VPNService API. It does not depend on Android 4.0+ Differences between the OpenVPN Android clients Ignoring multicast route: %s - Android supports only CIDR routes to the VPN. Since non-CIDR routes are almost never used, OpenVPN for Android will use a /32 for routes that are not CIDR and issue a warning. - Tethering works while the VPN is active. The tethered connection will NOT use the VPN. + Android supports only CIDR routes to the VPN. Since non-CIDR routes are almost never used, OpenVPN for Android will use a /32 IP block for non-CIDR routes and issue a warning. + Tethering works while the VPN is active. The tethered connection will NOT use the VPN tunnel. 
Early KitKat version set the wrong MSS value on TCP connections (#61948). Try to enable the mssfix option to workaround this bug. Android will keep using your proxy settings specified for the mobile/Wi-Fi connection when no DNS servers are set. OpenVPN for Android will warn you about this in the log.

When a VPN sets a DNS server Android will not use a proxy. There is no API to set a proxy for a VPN connection.

- VPN apps may stop working when uninstalled and reinstalled again. For details see #80074 - The configured client IP and the IPs in its network mask are not routed to the VPN. OpenVPN works around this bug by explicitly adding a route that corrosponds to the client IP and its netmask - Opening a tun device while another tun device is active, which is used for persist-tun support, crashes the VPNServices on the device. A reboot is required to make VPN work again. OpenVPN for Android tries to avoid reopening the tun device and if really needed first closes the current TUN before opening the new TUN device to avoid to crash. This may lead to a short window where packets are sent over the non-VPN connection. Even with this workaround the VPNServices sometimes crashes and requires a reboot of the device. + VPN apps may stop working when uninstalled and reinstalled again. More info in #80074 + The configured client IP and the IPs in its network mask are not routed to the VPN tunnel. OpenVPN works around this bug by explicitly adding a route corresponding to the client IP and its netmask + Opening a TUN device while another is active, which is used for persistent TUN support, crashes the VPNServices on the device. Reboot to make VPN work again. OpenVPN for Android tries to avoid reopening the TUN device and if really needed first closes the current TUN before opening the new TUN device to avoid a crash. This may lead to a short window where packets are sent over the non-VPN connection. Even with this workaround the VPNServices sometimes crashes and requires a device reboot. VPN does not work at all for secondary users. - "Multiple users report that the mobile connection/mobile data connection is frequently dropped while using the VPN app. The behaviour seems to affect only some mobile provider/device combination and so far no cause/workaround for the bug could be identified. " - Only destination can be reached over the VPN that are reachable without VPN. 
IPv6 VPNs does not work at all. - Non CIDR Routes + "Multiple users report the mobile connection/mobile data connection dropping frequently while using the VPN app. It seems to affect only some mobile provider/device combination and so far no cause/workaround has been found." + Only destinations reachable without the VPN can be reached with it. VPNs over IPv6 does not work at all. + Non-CIDR Routes Proxy behaviour for VPNs Reinstalling VPN apps %s and earlier 
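Review bot: "Define and connect to at least one remote server." changes what this validation message asks for: the old text required a remote to be defined and enabled, not connected to, so "Define and enable at least one remote server." keeps the meaning. "persist-tun support" became "persistent TUN support", which drops the literal option name a user would look for in a configuration. "IPv6 VPNs does not work at all" became "VPNs over IPv6 does not work at all", which keeps the "does" agreement error and can now be read as a statement about the transport rather than the tunnel; please confirm which is meant and fix the verb.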
@@ -372,139 +373,139 @@ Route to the configured IP address Wrong MSS value for VPN connection Secondary tablet users - Specify custom connection specific options. Use with care + Specify custom connection specific options. Use with care. Custom Options Remove connection entry Random disconnects from mobile network Remote networks not reachable - Persist tun mode + Persistent TUN mode %s and later - Connections fails with SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure - Newer OpenVPN for Android versions (0.6.29/March 2015) use a more secure default for the allowed cipher suites (tls-cipher \"DEFAULT:!EXP:!PSK:!SRP:!kRSA\"). Unfortunately, omitting the less secure cipher suites and export cipher suites, especially the omission of cipher suites that do not support Perfect Forward Secrecy (Diffie-Hellman) causes some problems. This usually caused by an well-intentioned but poorly executed attempt to strengthen TLS security by setting tls-cipher on the server or some embedded OSes with stripped down SSL (e.g. MikroTik).\nTo solve this problem the problem, set the tls-cipher settings on the server to reasonable default like tls-cipher \"DEFAULT:!EXP:!PSK:!SRP:!kRSA\". To work around the problem on the client add the custom option tls-cipher DEFAULT on the Android client. - This profile has been added from an external app (%s) and has been marked as not user editable. + Connections fail with a SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure + Newer OpenVPN for Android versions (0.6.29/March 2015) use a more secure default for the allowed cipher suites (tls-cipher \"DEFAULT:!EXP:!PSK:!SRP:!kRSA\"). Unfortunately, omitting the less secure cipher suites and export cipher suites, especially the omission of cipher suites that do not support Perfect Forward Secrecy (Diffie-Hellman) causes some problems. 
This usually caused by an well-intentioned but poorly executed attempt to strengthen TLS security by setting tls-cipher on the server or some embedded OSes with stripped down SSL (e.g. MikroTik).\nTo solve this problem the problem, set the tls-cipher settings on the server to reasonable default like tls-cipher \"DEFAULT:!EXP:!PSK:!SRP:!kRSA\". Circumvent the problem on the client by adding the custom option \"tls-cipher DEFAULT\" on the Android client. + This profile has been added from an external app (%s) and was marked as non-editable for users. Certificate Revocation List - Restarting OpenVPN Service (App crashed probably crashed or killed for memory pressure) - Importing the config yielded an error, cannot save it + Restarting OpenVPN Service… (The app probably crashed or was killed due to memory pressure) + Could not save the imported configuration Search - (Last dump is %1$d:%2$dh old (%3$s)) - Clear log on new connection + (The last dump is %1$d:%2$dh old (%3$s)) + Clear log upon new connection Connect Timeout No allowed app added. Adding ourselves (%s) to have at least one app in the allowed app list to not allow all apps - OpenVPN for Android can try to discover the missing file(s) on the sdcard automatically. Tap this message start the permission request. + OpenVPN for Android can try to auto-discover the missing file(s) on the SD card. Tap this message start the permission request. Protocol - Enabled - VPN permission revoked by OS (e.g. other VPN program started), stopping VPN - Push Peer info - Send extra information to the server, e.g. SSL version and Android version + On + VPN permission revoked by the OS (e.g. other VPN program started). Stopping VPN… + Push peer info + Send extra details to the server, e.g. 
SSL- and Android version Need %1$s - Please enter the password for profile %1$s + Please enter the password for the \"%1$s\" profile Use inline data Export configuration file - tls-auth file is missing - Missing user certificate or user certifcate key file - Certifcate Revoke List (optional) + tls-auth file missing + Missing user certificate or user certifcate keyfile + Certificate revocation list (optional) Reread (%d) log items from log cache file - Even though Samsung phones are among the most selling Android phones, Samsung\'s firmware are also among the most buggy Android firmwares. The bugs are not limited to the VPN operation on these devices but many of them can be workarounded. In the following some of these bugs are described.\n\nDNS does not work unless the DNS server in the VPN range.\n\nOn many Samsung 5.x devices the allowed/disallowed apps feature does not work.\nOn Samsung 6.x VPN is reported not to work unless the VPN app is exempted from Powersave features. - Samsung phones + Even though Samsung is a top Android phone distributor, Samsung\'s firmware are also among the most buggy. The bugs are not limited to the VPN operation on these devices but many of them can be circumvented. In the following some of these bugs are described.\n\nDNS does not work unless the DNS server in the VPN range.\n\nOn many Samsung 5.x devices the allowed/disallowed apps feature does not work.\nOn Samsung 6.x VPN is reported not to work unless the VPN app is exempted from battery optimization features. + Samsung devices No VPN selected. Default VPN - VPN used in places where a default VPN needed. These are currently on boot, for Always-On and the Quick Settings Tile. - Currently selected VPN: \'%s\' + VPN used in places where a default VPN is needed. These are currently: when starting up the device, for \"Always on\" and the \"Quick Settings\" tile. 
+ Currently selected VPN: \"%s\" Reconnect Toggle VPN Connect to %s Disconnect %s - Enter the maximum time between connection attempts. OpenVPN will slowly raise its waiting time after an unsuccessful connection attempt up to this value. Defaults to 300s. - Maximum time between connection attempts - Waiting %ss seconds between connection attempt - Networks more .. -> VPNS]]> + Enter the max time between connection attempts. OpenVPN will slowly raise its waiting time after an unsuccessful connection attempt up to this value. Defaults to 300 s. + Max time between connection attempts + Waiting %ss seconds between connection attempts + Connection to OpenVPN closed (%s) Change sorting Sort - Profiles sorted by last recently used - Profiles sorted by name - Config uses option tls-remote that was deprecated in 2.3 and finally removed in 2.4 + Most recently used profiles shown + Profiles A-Z + The configuration uses the \"tls-remote\" option deprecated in OpenVPN 2.3 and finally removed in 2.4 Behaviour on AUTH_FAILED Graph Use logarithmic scale Not enough data Average per hour Average per minute - Last 5 minutes + Last five minutes In Out %.0f bit/s %.1f kbit/s %.1f Mbit/s %.1f Gbit/s - <p>Starting with OpenSSL version 1.1, OpenSSL rejects weak signatures in certificates like - MD5. Additionally with the OpenSSL 3.0 signatures with SHA1 are also rejected.</p><p> - You should update the VPN certificates as soon as possible as SHA1 will also no longer work on other platforms in the + <p>Starting with OpenSSL v 1.1, OpenSSL rejects weak signatures in certificates like MD5. 
+ Additionally with the OpenSSL 3.0 signatures with SHA-1 are also rejected.</p><p> + You should update the VPN certificates as soon as possible as SHA-1 will also no longer work on other platforms in the near future.</p> - <p>If you really want to use old and broken certificates select "insecure" for the TLS security profile under Authentication/Encryption of the profile</p> + <p>If you really want to use old and broken certificates select \"insecure\" for the TLS security profile under \"Authentication/Encryption\" of the profile</p> %.0f B %.1f kB %.1f MB %.1f GB - Connection statistics + Connection stats Ongoing statistics of the established OpenVPN connection Connection status change Status changes of the OpenVPN connection (Connecting, authenticating,…) Weak (MD5) hashes in certificate signature (SSL_CTX_use_certificate md too weak) OpenSSL Speed Test OpenSSL cipher names - OpenSSL Crypto Speed test + OpenSSL crypto-speed test OpenSSL returned an error Running test… Test selected algorithms An external app tries to control %s. The app requesting access cannot be determined. Allowing this app grants ALL apps access. - The OpenVPN 3 C++ implementation does not support static keys. Please change to OpenVPN 2.x under general settings. - Using PKCS12 files directly with OpenVPN 3 C++ implementation is not supported. Please import the pkcs12 files into the Android keystore or change to OpenVPN 2.x under general settings. + The OpenVPN 3 C++ implementation does not support static keys. Please change to OpenVPN 2.x in the general settings. + Using PKCS 12 files directly with OpenVPN 3 C++ implementation is not supported. Please import the PKCS 12 files into the Android keystore or change to OpenVPN 2.x in the general settings. Proxy None Tor (Orbot) - OpenVPN 3 C++ implementation does not support connecting via Socks proxy - Orbot application cannot be found. Please install Orbot or use manual Socks v5 integration. 
+ OpenVPN 3 C++ implementation does not support connecting via a SOCKS proxy + Orbot application cannot be found. Please install Orbot or use manual SOCKS v5 integration. Remote API - OpenVPN for Android supports two remote APIs, a sophisticated API using AIDL (remoteEXample in the git repository) and a simple one using Intents. <p>Examples using adb shell and the intents. Replace profilname with your profile name<p><p> adb shell am start-activity -a android.intent.action.MAIN de.blinkt.openvpn/.api.DisconnectVPN<p> adb shell am start-activity -a android.intent.action.MAIN -e de.blinkt.openvpn.api.profileName Blinkt de.blinkt.openvpn/.api.ConnectVPN + OpenVPN for Android supports two remote APIs, a sophisticated API using AIDL (remoteEXample in the Git repository) and a simple one using intents. <p>Examples using ADB shell and the intents. Replace profile name with your profile name<p><p> adb shell am start-activity -a android.intent.action.MAIN de.blinkt.openvpn/.api.DisconnectVPN<p> adb shell am start-activity -a android.intent.action.MAIN -e de.blinkt.openvpn.api.profileName Blinkt de.blinkt.openvpn/.api.ConnectVPN Enable Proxy Authentication Cannot use extra http-proxy-option statement and Orbot integration at the same time - Info from server: \'%s\' + Info from server: \"%s\" User interaction required - OpenVPN connection requires a user input, e.g. two factor - authentification + OpenVPN connection requires a user input, e.g. two-factor + authentication Open URL to continue VPN authentication Answer challenge to continue VPN authentication - Authentication pending + Authentication pending… External Authenticator Configure - External Authenticator not configured - Block non VPN connection (\"Killswitch\") - It is often desired to block connections without VPN. Other apps often use markting terms like \"Killswitch\" or \"Seamless tunnel\" for this feature. 
OpenVPN and this app offer persist-tun, a feature to implement this functionality.<p>The problem with all these methods offered by apps is that they can only provide best effort and are no complete solutions. On boot, app crashing and other corner cases the app cannot ensure that this block of non VPN connection works. Thus giving the user a false sense of security.<p>The <b>only</b> reliable way to ensure non VPN connections are blocked is to use Android 8.0 or later and use the \"block connections without VPN\" setting that can be found under Settings > Network & Internet > Advanced/VPN > OpenVPN for Android > Enable Always ON VPN, Enable Block Connections without VPN + External two-factor app not configured + Block non-VPN connections (\"Killswitch\") + It is often desired to block connections without VPN. Other apps often use marketing terms like \"Killswitch\" or \"Seamless tunnel\" for this feature. OpenVPN and this app similarly offers persistent TUN.<p>The problem with all these methods offered by apps is that they can only provide best effort and are not complete solutions. Upon starting the device, app crashing and other corner cases happen because the app cannot ensure this block of non-VPN connection works. Thus the user is given a false sense of security.<p>The <b>only</b> reliable way to ensure non VPN connections are blocked is to use Android 8.0 or later and use the \"Block connections without VPN\" setting that can be found in Settings → Network and Internet → Advanced/VPN > OpenVPN for Android > Enable Always ON VPN, Enable Block Connections without VPN This option instructs Android to not allow protocols (IPv4/IPv6) if the VPN does not set any IPv4 or IPv6 addresses. Block IPv6 (or IPv4) if not used by the VPN Install new certificate AS servername Server URL - Request autologin profile - Import Profile from Remote Server - Default VPN not set. Please set the Default VPN before enabling this option. 
+ Request auto-login profile + Import profile from remote server + Default VPN not set. Please set one before turning this on. Internal WebView - There are some variation of this message depending on the exact situation. They all have in common that server and client could not agree on a common cipher. The main reasons are: <ul><li> You are still relying on the fact that OpenVPN 2.4 and older allowed BF-CBC in the default configuration (if no --cipher was set). OpenVPN 2.5 does not allow it per default anymore since it is a <a href="https://community.openvpn.net/openvpn/wiki/SWEET32">broken/outdated cipher</a>.</li><li>The server runs OpenVPN 2.3 (or even older) with --enable-small (at least 4-5 year old OpenVPN)</li><li></ul>Broken configuration (e.g., mismatching data-ciphers on client and server)</li> <p> The <a href=\"https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst\">OpenVPN manual section on cipher negotiation</a> explains the different scenarios of cipher negotiation very well and what to do in these situation.<p>TP-Link devices use a at least 5 year old OpenVPN 2.3.x version (possibly older) on their devices, even in the 2019/2020 models.<p>Last but not least, there is a popular VPN provider that has a broken server that always says it is using \'BF-CBC\' because its developer thought it would be a good idea to create a proprietary cipher negotiation patch that is incompatible with standard OpenVPN.<p>In summary: all sane configurations should not get these errors. But (apart from the broken VPN provider\'s server) the client can be persuaded to still connect (fixing the sympton and not the real problem). When connecting to older servers the comaptiblity mode option in the basic settings of a VPN should be able to address most of the common compatiblity problems. + There are some variation of this message depending on the exact situation. They all have in common that server and client could not agree on a common cipher. 
The main reasons are: <ul><li> You are still relying on the fact that OpenVPN 2.4 and older allowed BF-CBC in the default configuration (if no --cipher was set). OpenVPN 2.5 does not allow it per default anymore since it is a <a href="https://community.openvpn.net/openvpn/wiki/SWEET32">broken/outdated cipher</a>.</li><li>The server runs OpenVPN 2.3 (or even older) with --enable-small (at least 4-5 year old OpenVPN)</li><li></ul>Broken configuration (e.g., mismatching data-ciphers on client and server)</li> <p> The <a href=\"https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst\">OpenVPN manual section on cipher negotiation</a> explains the different scenarios of cipher negotiation very well and what to do in these situation.<p>TP-Link devices use a at least 5 year old OpenVPN 2.3.x version (possibly older) on their devices, even in the 2019/2020 models.<p>Last but not least, there is a popular VPN provider that has a broken server that always says it is using \"BF-CBC\" because its developer thought it would be a good idea to create a proprietary cipher negotiation patch that is incompatible with standard OpenVPN.<p>In summary: all sane configurations should not get these errors. But (apart from the broken VPN provider\'s server) the client can be persuaded to still connect (fixing the sympton and not the real problem). When connecting to older servers the comaptiblity mode option in the basic settings of a VPN should be able to address most of the common compatiblity problems. Check peer certificate fingerprint - (Enter the SHA256 fingerprint of the server certificate(s)) + (Enter the SHA-256 fingerprint of the server certificate(s)) HTTP Proxy: %1$s %2$d - Please use the Always-On Feature of Android to enable VPN at boot time. + Please use the \"Always on\" Feature of Android to turn on VPN when starting the device. 
Open VPN Settings - Press here open a window to enter additional required authentication + Press here to open a window allowing entry of additional required authentication Compatibility Mode Compatibility mode Load OpenSSL legacy provider - Profiles uses BF-CBC which depends on OpenSSL legacy provider (not enabled). - Allow community contributed translations - Allows the app to be translated with translations contributed by the community. Requires a restart of the app to activate. + Profiles uses BF-CBC which depends on OpenSSL legacy provider (off). + Contributed translations + Employs contributed translations after restarting the app. TLS Security Profile
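Review bot: In the kill-switch help text the rewritten sentence "Upon starting the device, app crashing and other corner cases happen because the app cannot ensure this block of non-VPN connection works." reverses the cause and effect of the original, which said that on boot, on an app crash and in other corner cases the app cannot ensure the block works; as written the security caveat no longer makes sense, so please restore the original logic. The same string now mixes "→" and ">" in the settings path and drops the persist-tun option name. "External Authenticator not configured" became "External two-factor app not configured" while the neighbouring "External Authenticator" label is unchanged, so the two no longer match. "Importing the config yielded an error, cannot save it" became "Could not save the imported configuration", which hides that the import itself failed, and "Profiles sorted by last recently used" became "Most recently used profiles shown", which describes a filter rather than a sort order. Typos remain on touched lines: "certifcate keyfile" and "Tap this message start the permission request".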