explore parameters to harden the VPN
comp-lzo
replay-window 512 60
tls-version-min 1.2

# Enable with OpenVPN 2.4 or -devel
# use good curves
ecdh-curve brainpoolP512r1

# some flags for the cert
remote-cert-ku 0x00e0

# helps to get the reconnection faster
# and applications see it as a lag in the connection
persist-key
persist-tun

# all users get the same key, to prevent DDoS attacks
tls-client
tls-auth [inline]

# pin the cipher suite from the client
tls-cipher

# every TCP packet should follow a certain size
# deals with MTU problems
mssfix

# nail down what the client expects from the server in the subject
verify-x509-name

# try not to look like TLS
scramble

# set a lock for the key material in memory to make sure it can't be swapped
mlock

# performance improvement for UDP
explicit-exit-notify

# enable SELinux, Linux only
setcon context

# non-Windows option
fast-io

# if we want to use Tor
socks-proxy server [port] [authfile]
socks-proxy-retry
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
(from redmine: created on 2016-07-15)
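One way to check a client profile against the list above, as an added example that is not part of the original issue or the project's code. The directive names come from the list; the pass/fail rules, sample configs, hostname and cipher value are assumptions made for illustration.

```python
import shlex
# Directive names are from the list on this page; the rules are this example's assumptions.
REQUIRED = ("tls-version-min", "tls-auth", "tls-cipher", "verify-x509-name",
            "remote-cert-ku", "persist-key", "persist-tun")
NEEDS_VALUE = ("tls-version-min", "tls-cipher", "verify-x509-name", "remote-cert-ku")

def parse(text):
    """Map directive -> argument list, skipping comments and inline <tag> bodies."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                       # inside <tag> ... </tag>: ignore key material
            if line == f"</{inline}>":
                inline = None
        elif line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]          # e.g. <tls-auth> counts as tls-auth [inline]
            opts.setdefault(inline, ["[inline]"])
        elif line and line[0] not in "#;":
            tokens = shlex.split(line, comments=True)  # drops trailing "# ..." comments
            opts[tokens[0]] = tokens[1:]
    return opts

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    opts = parse(text)
    findings = [f"missing: {d}" for d in REQUIRED if d not in opts]
    findings += [f"no value: {d}" for d in NEEDS_VALUE if d in opts and not opts[d]]
    ver = opts.get("tls-version-min")
    if ver and tuple(int(p) for p in ver[0].split(".")) < (1, 2):
        findings.append(f"tls-version-min {ver[0]} is below 1.2")
    return findings

# Constructed sample client configs (hostname, cipher and key body are made up).
WEAK = """tls-version-min 1.0
tls-cipher
persist-key
"""
HARDENED = """tls-version-min 1.2  # trailing comment is ignored
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
remote-cert-ku 0x00e0
verify-x509-name vpn.example.net name
persist-key
persist-tun
<tls-auth>
placeholder-not-a-real-key
</tls-auth>
"""
```

Calling `audit(WEAK)` lists the missing and empty directives plus the TLS version finding, while `audit(HARDENED)` returns an empty list.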