- 100% open source (GPLv2+)
- No ads
- One-click connection (batch mode)
- Supports RSA SecurID and TOTP software tokens
- Keepalive feature to prevent unnecessary disconnections
- Compatible with ARMv7, x86, and MIPS devices
- No root required
- Based on the popular OpenConnect Linux package
- Android 4.0 (ICS) or higher (with working VpnService + tun infrastructure)
- An account on a suitable VPN server
Binaries are attached to this post under the downloads tab.
Google Play: https://play.google.com/store/apps/d...pp.openconnect
Source code: https://github.com/cernekee/ics-openconnect
v1.11 - 2015/02/21
- Fix "Unknown compression type 0" errors when CSTP and DTLS use different compression settings

v1.10 - 2015/02/08
- Fix CSD script problem on Lollipop (bug #1)
- Fix IPv6 address display on status window (bug #2)
- Enable LZ4 compression support
- Identify as a mobile client when Android or iOS is selected
- Update to OpenConnect v7.04+, GnuTLS 3.2.21

v1.02 - 2014/09/02
- Fix regression on certificate handling

v1.01 - 2014/08/29
- Add Spanish translations (thanks to teosoft)
- Fix regression on CSD scripts starting with "#!/bin/sh"
- Improve error messages on broken ROMs that throw exceptions when starting a VpnService
- Fix intermittent fragment-related crashes on ICS

v1.00 - 2014/08/10
- Fix problems storing >8kB certificates on some ROMs
- Clean up seldom-used menu items and move some options into General Settings or About
- Integrate Xposed module for bypassing the VPN confirmation dialog
- Switch to ACRA for problem reporting

v0.96 - 2014/07/06
- Force a minimum MTU of 1280 on KK due to bugs in 4.4.3 and 4.4.4 ROMs: https://code.google.com/p/android/issues/detail?id=70916
- Fix navigation anomalies (weird Back button behavior) seen after re-entering OpenConnect from one of the Notifications

v0.95 - 2014/06/14
- Show the auth dialog <message> text in case it contains useful information
- Add German translations (thanks to Ingo Zansinger <email@example.com>)
- Add Chinese translations
- Add Advanced options for changing Dead Peer Detection timeout and enabling Perfect Forward Secrecy
- Clean up a bunch of lint warnings and unused strings/files
- Try to generate a human-readable profile name when adding a new VPN

v0.91 - 2014/06/01
- Fix bugs involving saved authgroups
- Fix batch mode error handling
- Update to GnuTLS 3.2.15 to fix GNUTLS-SA-2014-3 / CVE-2014-3466

v0.9 - 2014/04/26
- Add new "Send feedback" screen
- Add new "SecurID info" screen for RSA soft token users
- Allow changing settings and using other menu options (about, SecurID, send feedback, etc.) while connected
- Update FAQ and provide some links to relevant XDA posts

v0.81 - 2014/04/06
- Fix potential issue recognizing certificates stored in VPN profiles created with <= v0.7

v0.8 - 2014/04/02
- Fix hangs after reconnect if DTLS is disabled
- Fix incorrect storage of PKCS#12 certificates
- Remove unnecessary passphrase prompts on unencrypted certificates
- Add a workaround for ASA certificate request quirks
- Fix FC when attempting to import an OpenVPN profile

v0.7 - 2014/03/08
- Update GnuTLS to address CVE-2014-0092
- Fix FC and other misbehavior on IPv6 connections
- Update to libopenconnect 5.99+
- Fix/delete several broken translations
- Minor improvements to the auth form UI
- Switch curl from OpenSSL to GnuTLS and remove advertising clauses

v0.6 - 2014/02/09
- First release in Google Play Store
- Change to new "big O" launcher icon
- Avoid displaying error alerts if the user terminated the connection
- Try to make the libopenconnect build process more robust, and strip *.so files to conserve space

v0.5 - 2014/02/01
- Fix "living dead" connections (can't pass data after reconnection due to DTLS parameter mismatches)
- Add FAQ tab in response to user feedback
- Move log window into a tab
- Reorganize action bar so that the most important items (Status/Log/FAQ) are tabs, and less important items (Settings/About) are in the menu
- Fix KeepAlive socket errors on KitKat devices
- Other UI and documentation fixes
- Add split tunnel configuration options
- Improve icons

v0.2 - 2014/01/18
- Allow SecurID token import via URI or text file
- Newly reworked "status" tab with uptime, error alerts, IP addresses, etc.
- Fix a couple of bugs involving screen rotation / activity redraw on the log window
- Prompt for hostname instead of profile name when adding a new VPN, to help avoid "empty hostname" mistakes
- Numerous other UI improvements and fixes
- Remove "reconnect on boot" until it works properly
- Try to accommodate Linux CSD wrapper scripts starting with "#!/bin/bash"
Q: What is this app used for?
A: OpenConnect is used to access virtual private networks (VPNs) which utilize the Cisco AnyConnect SSL VPN protocol. A typical use case might involve logging into your workplace remotely to check email after hours.
If in doubt, check with your I.T. administrator to see if a suitable service is available.
Q: How do I get started?
A: In most cases, you'll just need to create a profile and enter the hostname of the VPN gateway. The other fields in the profile are all optional and should be left alone unless there is a specific need to change them.
Once you've set up the profile, select the VPN entry and OpenConnect will attempt to establish a new session. If this fails, the "Log" tab may provide helpful diagnostic information.
Q: How do I authenticate using an SSL client certificate?
A: Copy your certificate files to Android's external storage directory (nominally /sdcard or the Downloads folder), then edit the VPN profile and make the following changes:
P12 or PFX file: select "User certificate", pick the file from the list, then touch "select". Leave "Private key" blank.
Single PEM/CRT/CER file: same as above.
Separate PEM/CRT/CER and KEY files: populate "User certificate" with the certificate file, and "Private key" with the key file.
When finished, delete the certificate files from external storage so they cannot be stolen by other apps.
If you are generating your own keys (e.g. for use with your ocserv gateway), some basic CA setup instructions are posted here.
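A small pre-import check, added here as an example and not part of the app: it looks at the certificate file (and optional key file) you are about to copy to /sdcard and tells you which of the three cases above applies, which profile fields to fill, and whether a passphrase prompt is to be expected. It only inspects PEM markers and the DER header (it assumes any file beginning with a DER SEQUENCE is a P12/PFX bundle) and does not verify that the key actually matches the certificate; the sample inputs are constructed placeholders, not real credentials.

```python
import re

# Constructed sample inputs (placeholder base64, not real credentials).
CERT_PEM = (b"-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUAAAA\n"
            b"-----END CERTIFICATE-----\n")
KEY_PEM = (b"-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEG\n"
           b"-----END PRIVATE KEY-----\n")
ENC_KEY_PEM = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIHsMFcGCSqGSIb3DQEF\n"
               b"-----END ENCRYPTED PRIVATE KEY-----\n")
P12_BYTES = b"\x30\x82\x0a\x1c\x02\x01\x03"  # DER SEQUENCE header + PFX version INTEGER 3

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_types(data):
    """Names of the PEM blocks in a file, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]

def is_encrypted(data):
    """PKCS#8 'ENCRYPTED PRIVATE KEY' block or legacy 'Proc-Type: 4,ENCRYPTED' header."""
    return (any(t.startswith("ENCRYPTED") for t in pem_types(data))
            or b"Proc-Type: 4,ENCRYPTED" in data)

def profile_fields(cert_file, key_file=None):
    """Map file contents to the profile editor fields from the FAQ.
    Returns {'User certificate': kind, 'Private key': kind or None,
             'passphrase': True/False/None (None = not determinable without parsing)}."""
    if cert_file.startswith(b"\x30"):  # assumption: DER SEQUENCE => PKCS#12 / PFX bundle
        if key_file is not None:
            raise ValueError("P12/PFX already contains the key; leave 'Private key' blank")
        return {"User certificate": "pkcs12", "Private key": None, "passphrase": None}
    types = pem_types(cert_file)
    if not any(t.endswith("CERTIFICATE") for t in types):
        raise ValueError("no CERTIFICATE block found in certificate file")
    if any(t.endswith("PRIVATE KEY") for t in types):  # single PEM with embedded key
        if key_file is not None:
            raise ValueError("certificate file already embeds a key; leave 'Private key' blank")
        return {"User certificate": "pem+key", "Private key": None,
                "passphrase": is_encrypted(cert_file)}
    if key_file is None:
        raise ValueError("PEM certificate has no key; a separate key file is required")
    if not any(t.endswith("PRIVATE KEY") for t in pem_types(key_file)):
        raise ValueError("key file contains no PRIVATE KEY block")
    return {"User certificate": "pem", "Private key": "pem",
            "passphrase": is_encrypted(key_file)}
```

For a P12/PFX file the passphrase question is left open, since whether the bundle is password-protected cannot be read off the header alone.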
Q: Will OpenConnect work with non-AnyConnect VPNs?
A: Unfortunately the software design is tied very closely to the AnyConnect requirements and the libopenconnect interfaces. Therefore it only works with Cisco AnyConnect and ocserv gateways.
Q: Will OpenConnect work with Cisco IPsec VPNs running on an ASA?
A: OpenConnect supports SSL VPN (CSTP + DTLS) only.
Q: How do I import a SecurID software token?
A: If you have a URL that starts with "com.rsa.securid.iphone://" or "http://127.0.0.1/securid/" in your email, click on it and tell OpenConnect to add it to the desired VPN profile. If you just have a raw token string, write it to a text file, copy it under /sdcard, click "Token string" in the VPN profile editor, then select the filename.
If you have an "sdtid" XML file, copy it to /sdcard and then import it.
Q: Is it possible to skip all login prompts when connecting?
A: If you have saved your username, password, or other credentials, or if you are using SecurID or certificate authentication, you can try enabling "Batch Mode" in the VPN profile to skip the login dialogs. If you need to change your saved password later or have trouble connecting, just disable batch mode.
The VPN warning dialog is a security feature built into the Android OS. It cannot be bypassed by OpenConnect, but if your device is rooted, you can try installing the Xposed Framework and then activating the Auto VPN Dialog Confirm module. Some notes on this are posted here.
Due to the user interaction required by these dialogs, it is not always possible to reliably start up the VPN in the background. So a "start-on-boot" feature is not currently provided.
Q: How do I improve battery life while the VPN is up?
A: One option is to select "Pause when asleep" under Settings. The downside is that VPN access will be temporarily stopped when the screen is off. Also, ASA gateways sometimes get annoyed with constant reconnections and may prematurely terminate your session after a few days.
Another option is to contact your server administrator and request that they disable dead peer detection (DPD), increase the idle timeout to >1hr, and increase the keepalive interval to ~5min or so.
Q: How do I use OpenConnect with AFWall+?
A: There are a few caveats to keep in mind when using an Android firewall with VPN:
* If you run KitKat, use Android 4.4.2 or higher and AFWall 1.2.8 or higher. Android 4.4 and 4.4.1 have a serious TCP MSS bug which causes stalled connections and/or poor performance. AFWall <=1.2.7 does not have the extra logic needed to handle the routing changes in KitKat.
* Always allow traffic from the VPN app on all interfaces. In particular, you should whitelist VPN traffic from OpenConnect, as OpenConnect sends DNS requests over the VPN interface every few minutes to help keep the connection from timing out.
Q: Are any apps incompatible with VPN?
A: Apps which perform their own DNS resolution, such as Firefox, may have issues picking up the latest system DNS settings when connecting to the VPN. This can be a problem if your system DNS servers are not accessible over the VPN's routes, or if you are trying to look up hostnames that do not have public (internet) DNS entries.
Q: Under what circumstances will OpenConnect request root?
A: There are two root-only features shown under Settings; both are disabled by default. One setting works around a ROM bug in CM9 which sets incorrect permissions on /dev/tun, preventing VpnService from passing traffic to the tunnel interface; the other setting loads tun.ko on ROMs that neglect to load it by default.
Based on user feedback and testing, future releases may autodetect these conditions.
Q: How do I send a problem report?
A: Navigate to Log -> (menu) -> Send log file. Please be sure to furnish a complete, accurate description of the issue you are seeing, as the logs do not always show a smoking gun.
- Translations - I will set up the necessary infrastructure if there are volunteers
- Compatibility testing
- Add x509 certificate parsing/validation in the profile editor
- Enable Android keystore support
- Proxy support
- Split tunnel DNS?
Using OpenConnect + ocserv (on a VPS) to bypass China's Great Firewall (GFW): link
Last Updated 2015-02-21