Skip to content
Objective-C wrapper for OpenVPN library. Compatible with iOS and macOS.
C++ C XSLT Objective-C++ Python Shell Other
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
Configuration Bump version number Nov 3, 2019
OpenVPNAdapter.xcodeproj Disable Catalyst support Nov 2, 2019
Scripts Add remote host and remote port to the profile template Sep 27, 2018
Sources/OpenVPNAdapter Reset tun without any conditions and drop idea to override remote server Nov 3, 2019
.gitignore Add macOS generated items to the gitignore Oct 12, 2019 Add code of conduct Jan 11, 2018 Fix incorrect link to the Objective-C++ section Jan 11, 2018
LICENSE Create LICENSE (#44) Jan 29, 2018
NOTICE Delete outdated revisions Apr 10, 2019
OpenVPNAdapter.podspec Update version number in the Podfile Nov 3, 2019 Update readme file Nov 3, 2019


Platforms iOS Versions macOS Versions Xcode Version Carthage Compatible License


OpenVPNAdapter is an Objective-C framework that allows to easily configure and establish VPN connection using OpenVPN protocol. It is based on the original openvpn3 library so it has every feature the library has.

The framework is designed to use in conjunction with NetworkExtension framework and doesn't use any private Apple API. Compatible with iOS and macOS and also Swift friendly.



  • iOS 9.0+ or macOS 10.11+
  • Xcode 9.0+


To install OpenVPNAdapter with Carthage, add the following line to your Cartfile.

github "ss-abramchuk/OpenVPNAdapter"

Then run $ carthage update command. For details of the installation and usage of Carthage, visit its project page.


To install OpenVPNAdapter with Cocoapods, add the following lines to your Podfile.

target 'Your Target Name' do
  pod 'OpenVPNAdapter', :git => '', :tag => '0.4.0'

And run $ pod install.


At first, you need to add a Packet Tunnel Provider extension to the project and configure provision profiles for both the container app and the extension. There are official documentation and many tutorials describing how to do it so we won't dwell on this in detail.

Before you can configure and establish VPN connection don't forget to import NetworkExtension.

import NetworkExtension

Then we need to create or load a VPN profile. NETunnelProviderManager is used to configure and control VPN connections provided by a Tunnel Provider extension. Each instance corresponds to a single VPN configuration stored in the Network Extension preferences. Call the following method to load all existing VPN profiles from the system preferences. For the sake of simplicity, we will use only one instance of NETunnelProviderManager assuming that our object has a property named providerManager.

NETunnelProviderManager.loadAllFromPreferences { (managers, error) in
    guard error == nil else {
        // Handle an occurred error

    self.providerManager = managers?.first ?? NETunnelProviderManager()

The next step is to provide VPN settings to the instance of NETunnelProviderManager. Setup the NETunnelProviderProtocol object with appropriate values and save it in preferences.

self.providerManager?.loadFromPreferences(completionHandler: { (error) in
    guard error == nil else {
        // Handle an occurred error

    // Assuming the app bundle contains a configuration file named 'client.ovpn' lets get its
    // Data representation
        let configurationFileURL = Bundle.main.url(forResource: "client", withExtension: "ovpn"),
        let configurationFileContent = try? Data(contentsOf: configurationFileURL)
    else {

    let tunnelProtocol = NETunnelProviderProtocol()

    // If the ovpn file doesn't contain server address you can use this property
    // to provide it. Or just set an empty string value because `serverAddress`
    // property must be set to a non-nil string in either case.
    tunnelProtocol.serverAddress = ""

    // The most important field which MUST be the bundle ID of our custom network
    // extension target.
    tunnelProtocol.providerBundleIdentifier = "com.example.openvpn-client.tunnel-provider"

    // Use `providerConfiguration` to save content of the ovpn file.
    tunnelProtocol.providerConfiguration = ["ovpn": configurationFileContent]

    // Provide user credentials if needed. It is highly recommended to use
    // keychain to store a password.
    tunnelProtocol.username = "username"
    tunnelProtocol.passwordReference = ... // A persistent keychain reference to an item containing the password

    // Finish configuration by assigning tunnel protocol to `protocolConfiguration`
    // property of `providerManager` and by setting description.
    self.providerManager?.protocolConfiguration = tunnelProtocol
    self.providerManager?.localizedDescription = "OpenVPN Client"

    self.providerManager?.isEnabled = true

    // Save configuration in the Network Extension preferences
    self.providerManager?.saveToPreferences(completionHandler: { (error) in
        if let error = error  {
            // Handle an occurred error

Start VPN by calling the following code.

self.providerManager?.loadFromPreferences(completionHandler: { (error) in
    guard error == nil else {
        // Handle an occurred error

    do {
        try self.providerManager?.connection.startVPNTunnel()
    } catch {
        // Handle an occurred error

Packet Tunnel Provider extension uses NEPacketTunnelProvider subclass to configure and establish VPN connection. Therefore, that class is the right place to configure OpenVPNAdapter. The following example shows how you can setup it:

import NetworkExtension
import OpenVPNAdapter

class PacketTunnelProvider: NEPacketTunnelProvider {

    lazy var vpnAdapter: OpenVPNAdapter = {
        let adapter = OpenVPNAdapter()
        adapter.delegate = self

        return adapter

    let vpnReachability = OpenVPNReachability()

    var startHandler: ((Error?) -> Void)?
    var stopHandler: (() -> Void)?

    override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) {
        // There are many ways to provide OpenVPN settings to the tunnel provider. For instance,
        // you can use `options` argument of `startTunnel(options:completionHandler:)` method or get
        // settings from `protocolConfiguration.providerConfiguration` property of `NEPacketTunnelProvider`
        // class. Also you may provide just content of a ovpn file or use key:value pairs
        // that may be provided exclusively or in addition to file content.

        // In our case we need providerConfiguration dictionary to retrieve content
        // of the OpenVPN configuration file. Other options related to the tunnel
        // provider also can be stored there.
            let protocolConfiguration = protocolConfiguration as? NETunnelProviderProtocol,
            let providerConfiguration = protocolConfiguration.providerConfiguration
        else {

        guard let ovpnFileContent: Data = providerConfiguration["ovpn"] as? Data else {

        let configuration = OpenVPNConfiguration()
        configuration.fileContent = ovpnFileContent
        configuration.settings = [
            // Additional parameters as key:value pairs may be provided here

        // Add this line if you want to keep TUN interface active during pauses or reconnections
        configuration.tunPersist = true

        // Apply OpenVPN configuration
        let properties: OpenVPNProperties
        do {
            properties = try vpnAdapter.apply(configuration: configuration)
        } catch {

        // Provide credentials if needed
        if !properties.autologin {
            // If your VPN configuration requires user credentials you can provide them by
            // `protocolConfiguration.username` and `protocolConfiguration.passwordReference`
            // properties. It is recommended to use persistent keychain reference to a keychain
            // item containing the password.

            guard let username: String = protocolConfiguration.username else {

            // Retrieve a password from the keychain
            guard let password: String = ... {

            let credentials = OpenVPNCredentials()
            credentials.username = username
            credentials.password = password

            do {
                try vpnAdapter.provide(credentials: credentials)
            } catch {

        // Checking reachability. In some cases after switching from cellular to
        // WiFi the adapter still uses cellular data. Changing reachability forces
        // reconnection so the adapter will use actual connection.
        vpnReachability.startTracking { [weak self] status in
            guard status != .notReachable else { return }
            self?.vpnAdapter.reconnect(interval: 5)

        // Establish connection and wait for .connected event
        startHandler = completionHandler

    override func stopTunnel(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        stopHandler = completionHandler

        if vpnReachability.isTracking {



extension PacketTunnelProvider: OpenVPNAdapterDelegate {

    // OpenVPNAdapter calls this delegate method to configure a VPN tunnel.
    // `completionHandler` callback requires an object conforming to `OpenVPNAdapterPacketFlow`
    // protocol if the tunnel is configured without errors. Otherwise send nil.
    // `OpenVPNAdapterPacketFlow` method signatures are similar to `NEPacketTunnelFlow` so
    // you can just extend that class to adopt `OpenVPNAdapterPacketFlow` protocol and
    // send `self.packetFlow` to `completionHandler` callback.
    func openVPNAdapter(_ openVPNAdapter: OpenVPNAdapter, configureTunnelWithNetworkSettings networkSettings: NEPacketTunnelNetworkSettings?, completionHandler: @escaping (OpenVPNAdapterPacketFlow?) -> Void) {
        // In order to direct all DNS queries first to the VPN DNS servers before the primary DNS servers
        // send empty string to NEDNSSettings.matchDomains  
        networkSettings?.dnsSettings?.matchDomains = [""]

        // Specify the network settings for the current tunneling session.
        setTunnelNetworkSettings(settings) { (error) in
            completionHandler(error == nil ? self.packetFlow : nil)

    // Process events returned by the OpenVPN library
    func openVPNAdapter(_ openVPNAdapter: OpenVPNAdapter, handleEvent event: OpenVPNAdapterEvent, message: String?) {
        switch event {
        case .connected:
            if reasserting {
                reasserting = false

            guard let startHandler = startHandler else { return }

            self.startHandler = nil

        case .disconnected:
            guard let stopHandler = stopHandler else { return }

            if vpnReachability.isTracking {

            self.stopHandler = nil

        case .reconnecting:
            reasserting = true


    // Handle errors thrown by the OpenVPN library
    func openVPNAdapter(_ openVPNAdapter: OpenVPNAdapter, handleError error: Error) {
        // Handle only fatal errors
        guard let fatal = (error as NSError).userInfo[OpenVPNAdapterErrorFatalKey] as? Bool, fatal == true else {

        if vpnReachability.isTracking {

        if let startHandler = startHandler {
            self.startHandler = nil
        } else {

    // Use this method to process any log message returned by OpenVPN library.
    func openVPNAdapter(_ openVPNAdapter: OpenVPNAdapter, handleLogMessage logMessage: String) {
        // Handle log messages


// Extend NEPacketTunnelFlow to adopt OpenVPNAdapterPacketFlow protocol so that
// `self.packetFlow` could be sent to `completionHandler` callback of OpenVPNAdapterDelegate
// method openVPNAdapter(openVPNAdapter:configureTunnelWithNetworkSettings:completionHandler).
extension NEPacketTunnelFlow: OpenVPNAdapterPacketFlow {}


Any contributions and suggestions are welcome! But before creating a PR or an issue please read the Contribution Guide.


Special thanks goes to @JonathanDowning for great help in development of this project and bug fixing.


OpenVPNAdapter is available under the AGPLv3 license. See the LICENSE file for more info. Also this project has a few dependencies:

See the NOTICE file for more info about their licenses and copyrights.

You can’t perform that action at this time.