added

OpenVPN: New Client Configuration

The changes introduced by OpenVPN v2.5 and above required an adaptation of the 1NCE VPN Service client configuration. Through the 1NCE Portal, only the new configuration files are available. The changed files are fully backward compatible, and existing configuration files will keep working with OpenVPN versions prior to v2.5.

The changed VPN parameters are listed in the table below. The full documentation can be found in the VPN Client File guide.

Config Parameter: Explanation

keepalive 5 30
    Simplification of --ping and --ping-restart. Checks the current connection state by ICMP PING. Settings are <interval timeout>.
    Changed from "1 5" to "5 30".

persist-key
    Don't re-read key files across SIGUSR1 or --ping-restart.
    Enabled the persist-key option.

persist-tun
    Don't close and reopen the TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.
    Enabled the persist-tun option.

remote-cert-tls server
    Require that the peer certificate was signed with an explicit key usage and extended key usage based on RFC 3280 TLS rules. An important security precaution to protect against a man-in-the-middle attack, which is prevented by having clients verify the server certificate.
    Changed from the deprecated ns-cert-type to remote-cert-tls.
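To check whether a client profile already carries the parameters from the table above, the following added script (not 1NCE's or OpenVPN's own code) parses an .ovpn file and reports deprecated directives, missing directives and values that differ from the expected ones. The two embedded profiles are constructed samples: the hostname vpn.example.invalid and the certificate body are placeholders, and the expected values come from the table.

```python
"""Audit an OpenVPN client profile for the updated 1NCE parameters."""
from __future__ import annotations

# Directives the updated profile is expected to carry (values from the table above).
EXPECTED = {
    "keepalive": ["5", "30"],
    "persist-key": [],
    "persist-tun": [],
    "remote-cert-tls": ["server"],
}
# Directives the update replaced; their presence marks a pre-2.5 profile.
DEPRECATED = {"ns-cert-type"}


def parse_directives(text: str) -> dict[str, list[str]]:
    """Return {directive: args} for each non-comment line of a profile.

    Inline blocks such as <ca>...</ca> are skipped, since certificate bodies
    are not directives. A directive given twice keeps the last occurrence.
    """
    directives: dict[str, list[str]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):      # closing tag of an inline block
            in_block = False
            continue
        if line.startswith("<"):       # opening tag of an inline block
            in_block = True
            continue
        if in_block:
            continue
        name, *args = line.split()
        directives[name.lstrip("-")] = args   # accept "--keepalive" as well as "keepalive"
    return directives


def audit_profile(text: str) -> dict[str, list[str]]:
    """Report what still has to change for the profile to match the new parameters."""
    found = parse_directives(text)
    report: dict[str, list[str]] = {"deprecated": [], "missing": [], "wrong_value": []}
    report["deprecated"] = sorted(name for name in found if name in DEPRECATED)
    for name, want in EXPECTED.items():
        if name not in found:
            report["missing"].append(name)
        elif found[name] != want:
            report["wrong_value"].append(
                f"{name} {' '.join(found[name])} (expected {' '.join(want)})"
            )
    return report


def is_updated(text: str) -> bool:
    """True when nothing in the audit report needs attention."""
    return not any(audit_profile(text).values())


# Constructed sample profiles, not real 1NCE files; hostname and cert are placeholders.
OLD_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ns-cert-type server
keepalive 1 5
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""

NEW_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
keepalive 5 30
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for label, profile in (("old", OLD_PROFILE), ("new", NEW_PROFILE)):
        print(label, audit_profile(profile))
```

Run it against a profile exported from the portal by reading the file into a string and passing it to audit_profile; an empty report means the profile already matches the table.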