This VPN connection type is supported on Android devices.

With Samsung Android 10 and above devices, OpenVPN support has been deprecated by Samsung.

Use the OpenVPN connection type to configure Samsung “OpenVPN net.openvpn.knox.connect” for Samsung Knox devices. This configuration is available only to limited customers as approved by Samsung. Contact Samsung to get the correct OpenVPN package. It is supported only on devices with the Samsung Knox option selected in the VPN setting.

Open VPN is NOT supported with a third-party Open VPN vendor that is not Samsung.

Open VPN is supported with Samsung Knox without using VPN chaining.

Use the following guidelines to configure OpenVPN:

Table 63.  OpenVPN settings




Enter a short phrase that identifies this VPN setting.


Provide a description that clarifies the purpose of these settings.


For macOS only. Select one of the following distribution options:

  • Device channel - the configuration is effective for all users on a device. This is the typical option.
  • User channel - the configuration is effective only for the currently registered user on a device.

Connection Type

Select OpenVPN.

Only fields relevant to OpenVPN are displayed.

Samsung Knox

Always select this option. A Samsung Knox license is required.

A VPN setting with this option selected cannot be successfully applied to a non-Samsung Android device.

This setting is ignored on non-Android devices.

Deploy inside Knox Workspace

Select this option to deploy the VPN client app inside the Knox Workspace (container). Deploying the app inside the container means that the Knox security platform protects the app and its data.

This option is available only if you select the Samsung Knox option.

See Configuring VPN modes when VPN client is outside the Knox container

Package Name

Provide the Android package name of the OpenVPN client app: net.openvpn.knox.connect


Enter the IP address, hostname or URL for the VPN server.


Specify the user name to use. The default value is $USERID$. Use this field to specify an alternate format, such as:


You can use combinations such as the following:



Enter $NULL$ if you want the field presented to the user to be blank. Users will need to fill in the relevant username.

Some enterprises have a strong preference concerning which identifier is exposed.

User Authentication

Click the radio button for Password or Certificate to specify user authentication type.

If you select Password, specify the password to use. The default value is $PASSWORD$. You can specify a custom format, for example, $PASSWORD$_$USERID$. Other password formats available are:

If you select Certificate, specify Password, and then provide the two other settings added to the page:

Identity Certificate (required): Enter the identity certificate number.

CA Certificate (optional): Select the CA Certificate from the list of available certificates.


Specify the password to use (required.) The default value is $PASSWORD$. Include at least one of the following variables:


You can use combinations such as $EMAIL$:$PASSWORD$

Enter $NULL$ if you want the field presented to the user to be blank. Users will need to fill in the relevant password.

VPN Chaining

Select Enable to set up VPN chaining with Tunnel VPN. See "Configuring VPN chaining" in Ivanti Tunnel for Android Guide.

Per-app VPN

When selecting this option, a Samsung Knox license is required.

Proxy Server Port

Enter the port number for the connection. (Required)


Select from drop-down.


Select from drop-down.

Packet Auth Digest

Select from drop-down.