This article shows how to define the TLS options for the OpenVPN client in IGEL OS. Under TLS (Transport Layer Security) Options, you can customize the options for the OpenVPN protocol (tunnel). TLS is the successor to SSL (Secure Sockets Layer). It is a standard consisting of several protocols that can transmit encrypted data between authenticated communication partners over potentially insecure IP networks such as the Internet.


Menu path: Setup > Network > VPN > OpenVPN > [OpenVPN Connection] > TLS Options

TLS Options for OpenVPN Client in IGEL OS:

Subject match:

The Subject match accept/reject the server connection based on a custom test of the server certificate's embedded X509 subject details. The formatting of these fields changed into a more standardized format. It now looks like: C=US, L=Somewhere, CN=John Doe, emailAddress=john@example.com.

See also: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

Remote peer certificate TLS type:

Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules.

This is a useful security option for clients, to ensure that the host they connect to is a designated server. Or the other way around; for a server to verify that only hosts with a client certificate can connect.

  • Do not verify*: no remote certificate check

  • Check for server certificate: The --remote-cert-tls server option is equivalent to --remote-cert-ku --remote-cert-eku "TLS Web Server Authentication"

  • Check for client certificate: The --remote-cert-tls client option is equivalent to --remote-cert-ku --remote-cert-eku "TLS Web Client Authentication"


This is an important security precaution to protect against a man-in-the-middle attack, where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --remote-cert-tls, --verify-x509-name, or --tls-verify.

Key file for additional TLS authentication:

As the path enter relative to /wfs/OpenVPN or select using the file selection. This adds an additional HMAC legitimization level above the TLS control channel in order to prevent DDOS attacks.

tls-auth (Key Direction) / tls-crypt:

  • None*: No key direction
  • tls-auth 0: If the default option is not used, one side of the connection should use Direction 0 and the other Direction 1.
  • tls-auth 1: If the default option is not used, one side of the connection should use Direction 0 and the other Direction 1.
  • tls-crypt: In contrast to tls-auth, setting a key direction is not required. Use this option if the version of the OpenVPN server is 2.4 or higher. For more information on tls-crypt, see e.g., Reference manual for OpenVPN 2.4.


*IGEL OS system defaults