Android smartphone displaying a VPN connected screen, with a coral shield and padlock icon overlapping the lower-right corner of the phone, on a dark navy background.

How to Set Up a VPN on Android: The Complete 2026 Guide

by

Last updated: June 07, 2026 · 18 min read

Android is the most common VPN platform in the world, and setting one up correctly takes less time than most guides suggest. This article covers three practical paths for consumer users — a provider app, a manual WireGuard configuration, and a manual OpenVPN configuration — plus a fourth method for enterprise and IT-provisioned connections.

If you are new to VPNs and want to understand how they work before setting one up, start with our guide to how VPNs work, then return here. This guide assumes you have already decided you want one.

Scope: All steps in this guide apply to Android 10 and above, which covers more than 90% of active Android devices as of 2026. One note on older protocols: Google deprecated PPTP and L2TP/IPsec in Android’s built-in VPN client starting with Android 12 and they became non-functional by Android 13. Neither protocol is covered here — IKEv2/IPsec is the only protocol available for new built-in VPN connections on modern Android.

Choose Your Setup Method

Before the steps, use this table to find the right method for your situation.

Method Setup effort Protocol Best for
Provider app Lowest — install and tap Connect WireGuard or proprietary equivalent Most users — fastest path to a working connection
WireGuard manual Medium — import a config or scan a QR code WireGuard Self-hosted servers; providers supplying .conf files or QR codes
OpenVPN manual Medium — import an .ovpn file OpenVPN Providers supplying .ovpn config files
Android built-in (IKEv2) High — manual server credentials required IKEv2/IPsec Enterprise IT-provisioned connections only
Diagram showing four methods to set up a VPN on Android: Official Provider App (recommended), WireGuard manual configuration via QR code or .conf file, OpenVPN manual configuration via .ovpn file, and Android built-in IKEv2 for enterprise use only. All four paths converge into a single Active VPN Tunnel endpoint at the bottom of the diagram.
All four setup methods end at the same place — an active encrypted tunnel
on Android. The method you choose affects setup effort, not the quality of
protection at the end.

Not sure which protocol to choose? WireGuard is the right default for most users in 2026 — it delivers significantly higher throughput than OpenVPN, substantially lower battery consumption, and near-instant reconnection times. For a full technical comparison, see our WireGuard vs OpenVPN guide.

Method 1: Official Provider App (Recommended for Most Users)

If you are using a commercial VPN provider — ProtonVPN, Mullvad, IVPN, NordVPN, or similar — their official app is the fastest and most reliable path to a working connection. No config files, no key generation, no manual field entry.

Step-by-Step Installation

  1. Open the Google Play Store (or F-Droid if you prefer open-source app distribution) and search for your provider by name.
  2. Tap Install and open the app once it completes.
  3. Create an account or log in with your existing credentials.
  4. Tap Connect to use the app’s recommended server, or select a specific country or city first.
  5. On your first connection, Android will show a VPN permission dialog — this is expected. Tap OK to allow the app to manage your VPN connection.
  6. Confirm the connection is active — a key icon will appear in your status bar.

Provider Notes

  • ProtonVPN — Offers a free tier with no data cap and no speed limit. WireGuard and Stealth are available on all plans including free (free servers may be more congested due to fewer locations). The app includes an always-on VPN shortcut in its settings.
  • Mullvad — No email address required. Login uses an account number only. WireGuard is the default protocol. One of the strongest no-log track records in the industry.
  • IVPN — Account ID login, no email required. WireGuard default. Offers multi-hop routing on paid plans.
  • NordVPN — Uses NordLynx (WireGuard with a double NAT layer for privacy) as its default since 2020. Strong performance on Android.

Protocol Selection

Most provider apps default to WireGuard or a WireGuard-based protocol and select it automatically. If your app has a protocol toggle in its settings, keep WireGuard selected unless you have a specific reason to change it — such as being on a network that blocks WireGuard’s UDP traffic, in which case OpenVPN over TCP is a reliable fallback.

One Required Step: Exempt the App From Battery Optimization

Android’s battery management will aggressively kill background apps — including your VPN — causing silent disconnections with no warning. This is the most common reason VPNs appear to stop working on Android. Fix it once during setup:

Settings → Apps → [your VPN app] → Battery → Unrestricted

Setting this to Unrestricted tells Android not to kill the app in the background. This is a one-time step, not a troubleshooting measure — do it immediately after your first successful connection.

Method 2: WireGuard App — Manual Configuration

Use this method if you are connecting to a self-hosted WireGuard server, or if your provider supplies a .conf file or QR code for manual configuration. Mullvad and ProtonVPN both offer manual WireGuard config downloads from their web dashboards.

Step-by-Step

  1. Install the WireGuard app from Google Play. This is the official app maintained by the WireGuard project (Jason Donenfeld) — open-source, with the underlying WireGuard protocol formally verified through symbolic and computational proofs.
  2. Tap the + button and choose your import method:
    • Scan from QR code — fastest. Log in to your provider’s web dashboard, navigate to manual WireGuard config, generate a configuration, and display the QR code. Scan it with the app. The tunnel is configured instantly with no manual typing.
    • Create from file or archive — download a .conf file from your provider and import it directly.
    • Create from scratch — manual entry of all fields. Use this for self-hosted servers where you control the key pairs.
  3. Toggle the tunnel name to connect.
  4. Confirm the key icon appears in the status bar.

Config file naming: Before importing a .conf file, rename it to remove any spaces or special characters. The WireGuard Android app uses the filename (minus the .conf extension) as the tunnel name, and tunnel names only accept alphanumeric characters, dashes, and underscores. A filename with spaces will produce an “Invalid name” error on import. Example: rename my vpn config.conf to myvpnconfig.conf before importing.

Key Fields for Manual Entry

If you are configuring a self-hosted server from scratch, here are the fields and what they expect:

[Interface]

  • Private Key — generate with wg genkey on your server, or tap Generate in the app
  • Address — your assigned IP within the VPN subnet (e.g., 10.0.0.2/32)
  • DNS — your VPN provider’s DNS server address
  • MTU — leave blank for auto (1420 default), or set manually if you encounter connection issues (see Troubleshooting)

[Peer]

  • Public Key — your server’s public key
  • Allowed IPs0.0.0.0/0, ::/0 for a full tunnel that routes all traffic through the VPN
  • Endpoint — your server’s IP address and port (e.g., 203.0.113.1:51820)

Method 3: OpenVPN for Android — Manual Configuration

Use this method if your provider supplies .ovpn configuration files. Some providers offer both WireGuard and OpenVPN configs — if so, the WireGuard path in Method 2 is preferable for most users.

  1. Install OpenVPN for Android from Google Play. This is the open-source client by Arne Schwabe, preferred in the privacy community over the commercial OpenVPN Connect app.
  2. Download the .ovpn configuration file from your provider’s website. Most providers have a dedicated “manual configuration” or “config files” section in their dashboard.
  3. Open OpenVPN for Android, tap the folder icon in the top right, and select your downloaded .ovpn file.
  4. If your provider requires separate credentials (username and password separate from the config file), enter them when prompted.
  5. Tap your profile name to connect and accept the VPN permission dialog.
  6. Confirm the key icon in the status bar.

OpenVPN Connect vs OpenVPN for Android: Both apps accept the same .ovpn files and are functionally equivalent for most users. OpenVPN for Android (Arne Schwabe) is open-source and auditable. OpenVPN Connect is the official commercial client from OpenVPN Inc. Either works — the difference is transparency, not performance.

Method 4: Android Built-in VPN Client — IKEv2/IPsec

Important: This method is designed for enterprise and IT-provisioned connections. Consumer VPN providers — ProtonVPN, Mullvad, NordVPN, IVPN, and virtually all others — do not support this method in 2026. If you are setting up a commercial VPN service, use Method 1 or Method 2 instead. This section is for users connecting to a corporate or self-hosted IKEv2 server.

Path: Settings → Network & Internet → VPN → tap + (Add VPN)

Configuration Fields

  • Name — a label for the connection (e.g., “Work VPN”)
  • Type — select your authentication method: IKEv2/IPsec MSCHAPv2 (username/password), IKEv2/IPsec PSK (pre-shared key), or IKEv2/IPsec RSA (certificate)
  • Server address — your VPN server’s hostname or IP address
  • IPsec identifier / Remote ID — usually matches the server address; see the note below if you encounter handshake failures
  • Credentials — username, password, pre-shared key, or certificate depending on your auth type

Installing Digital Certificates (RSA Authentication)

If your configuration uses certificate-based authentication, install the certificate before creating the VPN profile — not after. Android’s credential store requires the certificate to exist before it can be referenced during profile setup.

Path: Settings → Security → Credential Storage → Install a Certificate → VPN & app user certificate

Supported formats are .p12 (PKCS#12, contains both certificate and private key) and .crt (certificate only). Your IT department or server administrator will supply the correct file.

IKEv2 Handshake Failures — Remote ID

If the connection fails immediately after attempting to connect, the Remote ID field is a common culprit. IKEv2 is strict about ID matching — a mismatch between what the client sends as the Remote ID and what the server expects causes an authentication failure with minimal diagnostic information. If you are seeing immediate connection failures, try setting the Remote ID to the server’s IP address rather than its DNS hostname. This resolves the most common class of IKEv2 handshake mismatches across Android devices.

Security Hardening

Getting a VPN connected is step one. These four settings determine whether it actually protects you consistently.

Always-On VPN

Path: Settings → Network & Internet → VPN → tap the gear icon next to your VPN profile → enable Always-on VPN

With this toggle enabled, Android automatically reconnects your VPN if the connection drops — due to a network switch, a brief server interruption, or your device waking from sleep. Without it, there is a gap between the dropout and the reconnect where your traffic travels unprotected. Enable this for every VPN profile you use regularly.

Block Connections Without VPN (Lockdown Mode)

In the same gear icon menu, enable Block connections without VPN. This is Android’s system-level kill switch: when active, Android refuses all network traffic if the VPN is not connected. There is no fallback to your bare internet connection — either the VPN is up, or nothing goes through.

For a full explanation of how VPN kill switches work, how to test yours, and when to use them, see our VPN kill switch guide.

What Lockdown Mode breaks — and how to handle it:

Local network devices: Printers, NAS drives, smart TVs, and Chromecast become unreachable because all traffic must route through the VPN tunnel. Check your VPN app’s settings for a “LAN access” or “exclude private IPs” option — some apps can route local network traffic correctly even with Lockdown Mode active.

Captive portals: Android’s built-in captive portal detection is designed to bypass Lockdown Mode automatically, so Wi-Fi login pages at hotels and airports should still appear. If the portal page does not load, temporarily disable “Block connections without VPN,” authenticate on the Wi-Fi network, then re-enable it.

Note: Always-on VPN and Block connections without VPN are set per VPN profile in Android Settings — not inside the provider app. Some apps surface their own kill switch toggle in their settings, but the system-level control in Settings is the authoritative one. Enable both.

Per-App VPN (Split Tunneling)

Most major VPN apps include a split tunneling feature — typically labelled “split tunneling,” “per-app VPN,” or “app exclusions” — in their settings. This lets you route specific apps outside the VPN tunnel. A practical example: route your banking app directly using your real IP address to avoid fraud flags from VPN exit nodes, while every other app on your device stays inside the tunnel. Look for this option inside your VPN app’s settings, not in Android’s system VPN menu. For a full explanation of how split tunneling works, its risks, and when to use it, see our split tunneling guide.

Private DNS — Fix the Potential Leak

Android 9 and above includes a Private DNS setting (DNS-over-TLS). When Private DNS is set to a specific provider hostname — sometimes called “strict mode” — it can override your VPN app’s configured DNS server. The result: your DNS queries go to the DoT provider instead of your VPN’s resolver, which means the domains you visit are visible to that provider even while the VPN is active.

The default “Automatic” mode is less likely to cause this conflict and is usually safe to leave in place. If you experience DNS leaks while a VPN is active — confirmed with a DNS leak test — check this setting first:

Settings → Network & Internet → Private DNS

Set it to Off or Automatic. If it is set to a specific hostname (strict mode), that is the likely source of the leak. For the full DNS leak test methodology and fixes, see our DNS leak guide.

Version-Specific Issues — Android 15 and 16

Android 15: Private Space Does Not Inherit Your VPN

Android 15 introduced Private Space — a sandboxed profile designed to isolate sensitive apps (a secondary account, banking apps, anything you want separated from your main profile). Private Space behaves as an independent Android profile with its own network routing. A VPN configured and connected on your main profile does not extend into Private Space.

In practice: if you are running apps inside Private Space while your main-profile VPN is connected, those apps are connecting through your bare ISP connection with no VPN protection. There is no indicator of this in the UI — the key icon in your status bar reflects your main profile’s VPN status only.

Fix: Open Private Space → install your VPN app inside the Private Space sandbox → connect to the VPN independently from within Private Space. The VPN connections on each profile operate separately and must both be active for full coverage.

Android 16: Network Stack Corruption Bug

A documented bug in Android 16 causes VPN connections to fail silently after a VPN app is updated via Google Play while the tunnel is active. The update process corrupts Android’s network stack at the system level. The VPN appears connected — the key icon remains in the status bar — but traffic stops flowing through the tunnel.

This bug has been reported and confirmed by Proton VPN, Mullvad, TunnelBear, and WireGuard developers, and is tracked on Google’s Issue Tracker. It remained unpatched as of April 2026.

Workaround and fix:

  • Step 1 — Reboot the device: A full device reboot often resolves the network stack corruption and is the simplest first step. Restart your phone, reconnect the VPN, and verify traffic is flowing correctly.
  • Step 2 — Reinstall if reboot does not resolve it: Restarting the VPN app alone does not fix the issue. If a device reboot does not restore normal VPN behaviour, a full reinstall of the VPN app is the reliable fix — uninstall, reinstall from Google Play, reconnect.
  • Preventive measure: Disable automatic Play Store updates for your VPN app to prevent the bug from occurring during active sessions. Open Google Play → your VPN app’s page → three-dot menu → Disable auto-updates. Update the app manually when not actively using the VPN tunnel.

Verify Your Connection

Once connected, take two minutes to confirm the VPN is working correctly on both sides.

  1. Before connecting: Visit an IP-check site (such as whatismyipaddress.com or ipleak.net) and note your real IP address and location.
  2. After connecting: Refresh the page. Your IP address should now show the VPN server’s address and the server’s location — not your real one. If it still shows your real IP, the VPN is not routing traffic correctly.
  3. DNS leak check: On the same page (ipleak.net shows both), confirm that all DNS servers listed belong to your VPN provider. If your ISP’s DNS servers appear, you have a DNS leak — return to the Private DNS section above.

Troubleshooting

Problem Likely cause Fix
VPN keeps disconnecting silently with no error message Battery optimization killing the VPN app in the background Settings → Apps → [VPN app] → Battery → Unrestricted
Key icon disappears and reappears repeatedly No Always-on VPN set — Android is not reconnecting automatically Settings → Network & Internet → VPN → gear icon → enable Always-on VPN
DNS leak test showing ISP DNS servers Private DNS (DoT) in strict mode overriding VPN DNS Settings → Network & Internet → Private DNS → set to Off or Automatic (not a specific hostname)
“Could not connect” on WireGuard — connection times out UDP port 51820 blocked on restrictive networks (hotel, airport, corporate Wi-Fi) Switch to an alternate port in your WireGuard config if your provider offers one, or use your provider’s app (Method 1) which typically handles port fallback automatically
Banking or payment app blocks you or triggers fraud alerts App detects the VPN exit node IP as a fraud signal Use your VPN app’s split tunneling feature (labelled “split tunneling,” “per-app VPN,” or “app exclusions” in the app’s settings) to route the banking app outside the VPN tunnel
OpenVPN authentication failed Stale or incorrect credentials in the .ovpn config Re-download a fresh .ovpn config from your provider’s dashboard and reimport; verify username and password are correct
Always-on VPN option is greyed out and cannot be toggled A work or MDM profile is active on the device, restricting VPN settings MDM policies from an employer or institution can prevent changes to VPN settings — contact your IT administrator
Cannot reach local printer, NAS, or Chromecast while VPN is on Lockdown Mode (Block connections without VPN) active — all non-VPN traffic blocked including LAN Check your VPN app for a “LAN access” or “exclude private IPs” setting; if unavailable, temporarily disable Lockdown Mode to access local devices
Traffic stops entirely but VPN key icon is still showing MTU/fragmentation mismatch on a restrictive cellular network; or Android 16 network stack corruption after a VPN app update MTU: In WireGuard, edit your tunnel → Interface → set MTU to 1300 (or 1280 on very restrictive networks). Android 16 bug: Reinstall the VPN app entirely — restarting the app does not fix the network stack corruption
IKEv2 (built-in) handshake fails immediately at connection System clock desynchronised — IKEv2 certificate validation fails when device time is significantly off; or Remote ID mismatch Clock: Settings → General Management → Date and Time → enable Automatic date and time. Remote ID: Try changing the Remote ID field from a DNS hostname to the server’s IP address

Frequently Asked Questions

Does Android have a built-in VPN?

Yes. Android includes a built-in VPN client at Settings → Network & Internet → VPN. It supports IKEv2/IPsec connections and is designed for enterprise IT-provisioned servers. Consumer VPN providers — ProtonVPN, Mullvad, NordVPN, and others — do not support this method. For commercial VPN services, use the provider’s app (Method 1) or the WireGuard app (Method 2).

How do I set up a VPN on Android without an app?

Android’s built-in IKEv2/IPsec client (Method 4 above) works without a third-party app, but requires a server address, authentication credentials, and — for certificate-based setups — a digital certificate file from your provider or IT department. Very few consumer VPN providers support this method in 2026. If your provider does not list IKEv2 manual configuration in their documentation, this path will not work with their service.

How do I enable Always-on VPN on Android?

Go to Settings → Network & Internet → VPN → tap the gear icon next to your VPN profile → toggle Always-on VPN on. This menu also contains the “Block connections without VPN” (Lockdown Mode) toggle. Both are set per VPN profile in Android Settings — not inside the provider app. Full steps are in the Security Hardening section above.

Why does my VPN keep disconnecting on Android?

The most common cause is Android’s battery optimization — the OS kills the VPN app in the background to save power, causing silent disconnections with no error message. Fix it by going to Settings → Apps → [your VPN app] → Battery → Unrestricted. After applying this, also enable Always-on VPN in Settings so Android automatically reconnects if the tunnel drops for any other reason.

Does a VPN slow down Android?

WireGuard-based connections — used by Mullvad, IVPN, and NordLynx — have minimal overhead on modern Android hardware. For a detailed breakdown of how VPN protocols affect performance and battery life on mobile, see our VPN battery drain guide.

Is the WireGuard app on Android safe?

Yes. The WireGuard Android app is developed by the WireGuard project (Jason Donenfeld) and is open-source. The underlying WireGuard protocol has been formally verified through symbolic and computational proofs — making it one of the most rigorously analysed VPN protocols available. For a full technical comparison of WireGuard against OpenVPN and other protocols, see our WireGuard vs OpenVPN guide.

Does a VPN protect apps running in Android Private Space?

No — and this is one of the most important things to know if you use Android 15’s Private Space feature. A VPN connected on your main profile does not extend into Private Space, which operates as an independent Android profile with its own network routing. Apps inside Private Space connect through your bare ISP connection even when your main-profile VPN is active and showing a connected status. To protect Private Space traffic, install your VPN app inside Private Space and connect to it independently. Full details are in the Version-Specific Issues section above.