This article helps IT admins configure virtual private networks (VPNs) on Android devices. Some older versions of Android don't support all the features mentioned here. To check your Android version, see .
Android VPN options
VPNs allow devices that aren’t physically on a network to securely access the network.
Android includes a built-in (PPTP, L2TP/IPSec, and IPSec) VPN client. Devices running Android 4.0 and later also support VPN apps. You might need a VPN app (instead of built-in VPN) for the following reasons:
- To configure the VPN using an enterprise mobility management (EMM) console.
- To offer VPN protocols that the built-in client doesn’t support.
- To help people connect to a VPN service without complex configuration.
- To run a separate VPN for the personal profile or work profile.
To get help with the built-in client, see Connect to a virtual private network (VPN) on Android.
EMM config
You can configure many VPNs using an EMM console—confirm that your VPN and EMM combination supports this. Using an EMM means that the people using the devices don’t have to change complex settings. EMMs often support the following config:
- Disabling the VPN system settings so that somebody using the device can’t change the config.
- Configuring the VPN network connection settings, including installing authentication certificates.
- Adding a list of apps that are allowed to use the VPN or a list of apps that can’t use the VPN.
Always-on VPN
Android can start a VPN service when the device boots, and keep it running while the device or work profile is on. This feature is called always-on VPN and is available in Android 7.0 or higher. To learn more, see Edit Always-on VPN settings.
Block non-VPN connections
In many EMM consoles (and in the Android Settings app), you can block connections that don’t go through the VPN. To force all network traffic through an always-on VPN, follow these steps on the device:
- Open your device's Settings app.
- Tap Network & internet > Advanced > VPN.
- Next to the VPN that you want to change, tap Settings.
- Switch Block connections without VPN to on.
To block non-VPN connections in your EMM console, see your EMM provider’s documentation.
Allow bypassing the VPN
If your VPN supports it, you can allow apps to bypass the VPN and select their own network. Some special-purpose apps might need to use a specific network, such as cellular or Wi-Fi. You can configure this option in your EMM console or directly in the VPN app.
Per-app VPN
Many VPN apps can filter which installed apps are allowed to send traffic through the VPN connection. You can create either an allowed list or a disallowed list, but not both. If you don’t create a list, the system sends all network traffic through the VPN.
You normally configure per-app VPN in your EMM console or directly in the VPN app.
Allowed apps
You can choose which apps are allowed to use the VPN using an allowed list. If you allow one or more apps, then only the apps in the list use the VPN. All other apps (that aren’t in the list) use the system networks as if the VPN isn’t running.
When you also turn on Block connections without VPN, then only apps in the allowed list have network access.
Disallowed apps
You can select which apps you don’t want to use the VPN by creating a disallowed list. Network traffic of disallowed apps uses system networking as if the VPN wasn’t running—all other apps use the VPN.
When you also turn on Block connections without VPN, then these disallowed apps lose network access.
Google Play traffic
You might want to explicitly include or exclude Google Play traffic from your VPN if traffic is metered. Here are the Google Play app packages that you’d need to allow or disallow:
- com.android.packageinstaller
- com.android.vending
- com.google.android.gms
- com.google.android.packageinstaller
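The interaction between the per-app lists and Block connections without VPN described above, modeled as an added Python example (not code from the original article or from Android). The class and field names and the two com.example packages are assumptions made for illustration; the routing rules are the ones the article states.

```python
from dataclasses import dataclass, field

VPN, SYSTEM, BLOCKED = "vpn", "system-network", "no-network"

@dataclass
class PerAppVpnPolicy:
    """Constructed model of the per-app VPN settings (names are hypothetical)."""
    allowed: set = field(default_factory=set)     # allowed list
    disallowed: set = field(default_factory=set)  # disallowed list
    block_without_vpn: bool = False               # "Block connections without VPN"

    def validate(self):
        # One list or the other, never both.
        if self.allowed and self.disallowed:
            raise ValueError("use an allowed list or a disallowed list, not both")

    def route(self, package):
        """Return the network path for one app package."""
        self.validate()
        if self.allowed:
            uses_vpn = package in self.allowed
        else:
            # No list at all means every app uses the VPN.
            uses_vpn = package not in self.disallowed
        if uses_vpn:
            return VPN
        # Apps outside the VPN keep system networking unless blocking is on.
        return BLOCKED if self.block_without_vpn else SYSTEM

def audit(policy, installed):
    """Group packages by path to spot VPN bypasses and apps left offline."""
    report = {VPN: [], SYSTEM: [], BLOCKED: []}
    for pkg in sorted(installed):
        report[policy.route(pkg)].append(pkg)
    return report

# Google Play packages listed in the article.
GOOGLE_PLAY = {
    "com.android.packageinstaller", "com.android.vending",
    "com.google.android.gms", "com.google.android.packageinstaller",
}
# Constructed inventory: two hypothetical apps plus Google Play.
INSTALLED = GOOGLE_PLAY | {"com.example.crm", "com.example.game"}

if __name__ == "__main__":
    # Excluding Google Play from the VPN while blocking non-VPN traffic.
    policy = PerAppVpnPolicy(disallowed=GOOGLE_PLAY, block_without_vpn=True)
    for path, pkgs in audit(policy, INSTALLED).items():
        print(path, pkgs)
```

Running the audit over a device's package inventory before switching on Block connections without VPN shows in advance which apps would be left with no network and which would bypass the tunnel.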
Restrict system settings
If your EMM supports it, you can prevent device users from changing system VPN settings. In some versions of Android, this restriction stops an always-on VPN from starting:
Android version | Administration | Behavior when restricted |
---|---|---|
5.0 | Fully managed devices | VPN app doesn’t start. |
6.0 | Fully managed devices and work profile | VPN app doesn’t start. |
7.0 or higher | Fully managed devices and work profile | Always-on VPN app starts if set by device policy controller. Other VPN apps don’t start. |
Related articles and guides
- Connect to a virtual private network (VPN) on Android
Insights, advice, suggestions, feedback and comments from experts
Virtual Private Networks (VPNs) on Android Devices
A virtual private network (VPN) allows devices that are not physically on a network to securely access the network. Android devices have built-in support for VPNs, including the following protocols: PPTP, L2TP/IPSec, and IPSec. Starting from Android 4.0, VPN apps are also supported on Android devices.
Reasons to Use VPN Apps Instead of Built-in VPN
While Android devices have built-in VPN support, there are several reasons why you might want to use a VPN app instead:
- Configuring VPN using an Enterprise Mobility Management (EMM) console: If you need to configure the VPN using an EMM console, a VPN app might be required.
- Offering VPN protocols not supported by the built-in client: VPN apps can provide additional VPN protocols that are not supported by the built-in client.
- Simplifying VPN configuration: VPN apps can help people connect to a VPN service without complex configuration.
- Running a separate VPN for personal or work profiles: VPN apps can enable the use of separate VPNs for personal and work profiles.
Configuring VPNs using an EMM Console
An EMM console allows you to configure many VPNs without requiring users to change complex settings. Some common configurations supported by EMMs include:
- Disabling VPN system settings: This prevents users from changing the VPN configuration on their devices.
- Configuring VPN network connection settings: EMMs can configure the VPN network connection settings, including the installation of authentication certificates.
- Allowing or disallowing specific apps to use the VPN: EMMs can create a list of allowed or disallowed apps that can use the VPN.
Always-on VPN
Android devices running Android 7.0 or higher support an always-on VPN feature. This feature allows the device to start a VPN service when it boots up and keeps it running while the device or work profile is active.
Blocking Non-VPN Connections
In many EMM consoles and in the Android Settings app, you can block connections that don't go through the VPN. To force all network traffic through an always-on VPN, follow these steps on the device:
- Open your device's Settings app.
- Tap on "Network & internet."
- Go to "Advanced" and select "VPN."
- Next to the VPN you want to change, tap on "Settings."
- Switch "Block connections without VPN" to "on".
Allowing Bypassing the VPN
If your VPN supports it, you can allow apps to bypass the VPN and select their own network. This can be configured either in your EMM console or directly in the VPN app.
Per-App VPN
Many VPN apps offer the ability to filter which installed apps are allowed to send traffic through the VPN connection. You can create either an allowed list or a disallowed list, but not both. If you don't create a list, the system sends all network traffic through the VPN. Per-app VPN configuration is typically done in the EMM console or directly in the VPN app.
Restricting System VPN Settings
If your EMM supports it, you can prevent device users from changing system VPN settings. However, it's important to note that in some versions of Android, this restriction can prevent an always-on VPN from starting. The behavior depends on the Android version and the device management level. For example:
- Android 5.0: Fully managed devices with restricted VPN settings will not start the VPN app.
- Android 6.0: Fully managed devices and work profiles with restricted VPN settings will not start the VPN app.
- Android 7.0 or higher: Fully managed devices and work profiles with restricted VPN settings will start the always-on VPN app if set by the device policy controller. Other VPN apps won't start.