Stumped as to why Blue Iris Android app via OpenVPN will not connect


Dec 25, 2019
I got my Blue Iris PC set up over a year ago and had been successfully connecting to my Blue Iris PC using OpenVPN for Android with the OpenVPN server on my Synology RT2600AC. I've been going through a ridiculous runaround with Synology support regarding my router OpenVPN server not working due to an expired certificate (that I could not connect to get renewed) problem for 6 weeks. Long story short, I finally was able to get a new Let's Encrypt certificate, re-exported my VPNconfig.ovpn file, and can connect to my network via OpenVPN for Android. When I connect, I get the little key icon, can verify data incoming and outgoing, and can even see the hit on the firewall on the router page. I haven't changed anything in my Blue Iris Android app since I last was able to use it before this fiasco. Blue Iris and UI3 both connect while I am on the local network. Once I turn off wireless data or leave home and connect the VPN, neither the Blue Iris app nor the UI3 page will load. The app says it is unable to reach the server. The LAN and WAN are both set to which is the local static IP for my Blue Iris box.

I took a screenshot a year ago of my firewall rules in case they were to ever inadvertently get erased, and confirm that they are exactly the same as when I was successfully connecting to Blue Iris via VPN. In the OpenVPN for android setting under allowed apps, I have it set to "VPN is used for only for selected apps," and I have Blue Iris checked.

I am out of ideas to try to figure out why the Blue Iris app won't connect when on VPN. I even pinged the Blue Iris PC while the VPN is connected and the Bitdefender firewall on the camera PC is seeing the hits. I have the Blue Iris folder excluded from the Bitdefender antivirus. I tried turning off the Bitdefender firewall and still cannot connect while using VPN.

Any ideas are appreciated.
Let's Encrypt certificates expire every 3 months, I understand. Have you automated that process? Because renewing it that often manually will be painful.

Seems you have set it up overly complex. Can you not use self-signed certificates?
Maybe consider Android phone "power settings tweaks" as mentioned by Randy here and detailed here ?
I tried your idea of removing battery optimization from the VPN for Android app but unfortunately I'm still a no go.

I tried with their tech support to use self-signed certificates and it simply would not work. The tech said there is a bug in their firmware that they are supposed to be working on to fix this at some point.

The Let's Encrypt certificates are supposed to automatically renew, but for some reason they stopped doing so.
Can you access other services and computers while connected to the VPN? Have you tried to ping the PC from your phone with the VPN connected?

I have OpenVPN set to just run everything on my phone through the VPN. If you edit the VPN Config (the pencil icon next to the Profile), go to routing and make sure Use default route is set for IPv4 and IPv6. I want to say this made the difference for me.
Problem solved. Thank you. I was able to ping my camera PC, which is really what had me puzzled. I never had to check those routing boxes before and could find no mention of that anywhere. When I ticked both boxes, voilà, the Blue Iris app connects. I went ahead in the VPN config under allowed apps and excluded Chrome as I would rather have it just pull from the LTE as that is noticeably faster.
I was just going to say I had to create a route to my local LAN, otherwise you'd only have access to the router and not the other IPs on your LAN.

Also, with the certificate being expired, you can create an exception in your browser to disregard the certificate being expired. In Firefox I had to go into about:config first to configure Firefox to let me set the exemption. By default Firefox doesn't let you make exemptions unless you tell it to allow them. There is no danger here because you control the server and thus know it's secure.
I see under the OpenVPN for Android config routing a custom routes option. Could I just put the IP of the Blue Iris desktop there instead of checking the use default route IPv4 and IPv6 boxes?

I wasn't aware you could get Firefox to ignore the expired certificate, but wouldn't that only work for the UI3 page? I don't see how that would affect the Blue Iris app.
I have an Asus RT-AX88U router and I'm running OpenVPN and DDNS on it. DDNS offers the option to certify your domain name so I'm also using "Let's Encrypt" on my router to certify my network. I'm assuming you'll have to put your router IP there because your Blue Iris IP is an internal IP. Are you using DDNS?
I am using the free DDNS service provided by Synology
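
How the routing choices discussed in this thread (default route, a route to the local LAN, a custom route for a single host) decide which traffic enters the tunnel, as an added example that is not part of any post: a small longest-prefix-match model. The addresses and profile names are constructed, and it covers only client-side route selection, not firewall rules or the return path.

```python
import ipaddress

# Constructed sample addresses (the thread does not give the real ones).
ROUTER, BLUE_IRIS, INTERNET = "192.168.1.1", "192.168.1.50", "203.0.113.10"


def tunnel_routes(use_default_route, custom_routes=()):
    """Networks a client profile sends into the VPN tunnel."""
    nets = [ipaddress.ip_network(r, strict=False) for r in custom_routes]
    if use_default_route:
        # "Use default route" for IPv4 and IPv6: everything goes via the VPN.
        nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    return nets


def egress(dest, routes):
    """Longest-prefix match: ('vpn', route) if a tunnel route covers dest,
    otherwise ('carrier', None), meaning the packet leaves via LTE/Wi-Fi."""
    ip = ipaddress.ip_address(dest)
    matches = [n for n in routes if n.version == ip.version and ip in n]
    if not matches:
        return "carrier", None
    return "vpn", max(matches, key=lambda n: n.prefixlen)


def report():
    """Compare four hypothetical profiles against three destinations."""
    profiles = {
        "router only": tunnel_routes(False, [ROUTER + "/32"]),
        "host /32": tunnel_routes(False, [BLUE_IRIS + "/32"]),
        "LAN /24": tunnel_routes(False, ["192.168.1.0/24"]),
        "default route": tunnel_routes(True),
    }
    return {
        name: {d: egress(d, routes)[0] for d in (ROUTER, BLUE_IRIS, INTERNET)}
        for name, routes in profiles.items()
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:14}", row)
```

A /32 route for the camera PC keeps all other traffic on the carrier link, while the default route sends everything through the home connection.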