App Support.

We're here to help.



Connection Settings

The Viscosity connection editor allows you to easily and quickly make changes to your OpenVPN configuration, or to create a new connection. Below is an outline of what each setting does, tab by tab. Please note, some settings are Mac or Windows specific and will be noted if this is the case.

General


 

  • Name: The name for your connection. This is your reference for how to identify the connection later.
  • Address: The address for the server you are connecting too. Multiple servers can be entered separated by a comma. If entering multiple servers that use a different transport protocol (udp/tcp) or port number, they can be entered using the syntax "<server>:<port>:<protocol>", for example "1.2.3.4:1194:udp" and "vpn.myserver.com:1195:tcp".
  • Port: The port for the server you are connecting too.
  • Protocol: The protocol type (UDP or TCP), and IP version (Automatic, IPv4, or IPv6) for the connection.
  • Device: The type of network interface to use, which is either "tun" (Layer 3 routed networking) or "tap" (Layer 2 bridged networking). Most connections use tun.
  • Enable DHCP: This enables support for IP assignment via DHCP for "tap" connections.
  • Enable IPv6: Enabling this option allows IPv6 to be setup for the connection.
  • Automatically reconnect if disconnected: When enabled Viscosity will automatically try to reconnect the VPN connection if it becomes disconnected due to a dropout or server interruption.
  • Connect when Viscosity opens: This option is available on all tabs and will cause this connection to begin connecting as soon as Viscosity is launched.

Authentication

The following are common options to all authentication types:

  • Type: The type of authentication setup to use for this connection, these are described more in depth below
  • Use Username/Password authentication: Check this if the server you are connecting to requires a username and password.

SSL/TLS Client

This is the most common form of authentication for OpenVPN. It uses at minimum a server (CA) and user (Cert) certificate and a user key (Key) for authentication. A TLS (Tls-Auth) key can also be optionally used for an additional layer of authentication.


 

SSL/TLS:

  • CA: The Certificate Authority file for the server.
  • Cert: Your user certificate.
  • Key: Your user key.

Extra:

  • Type: Set an optional extra layer of authentication (TLS-Auth) or authentication and encryption (TLS-Crypt and TLS-Crypt v2) on the VPN connection's control channel. Requires a TLS-Auth or TLS-Crypt secret key file.
  • Key: The secret TLS-Auth or TLS-Crypt key file to use.
  • Direction: The direction for TLS authentication, defined by your server. Only used for TLS-Auth.

SSL/TLS Client (PKCS11)

PKCS11 allows you to use a smart key or token to store your keys on and retrieve them directly from the key. For more information on PKCS11, please see Using Tokens/Smartcards (PKCS#11).


 

SSL/TLS:

  • CA: The Certificate Authority file for the server.

PKCS11:

  • Providers: The libraries which allows communication with your token or smart card.
  • Retrieval: You can define a certificate to always use for this connection, or choose to be prompted each time you connect (handy if you regularly receive new certificates).
  • Name: The name of the certificate to use on the token or smart card.

Extra:

  • Type: Set an optional extra layer of authentication (TLS-Auth) or authentication and encryption (TLS-Crypt and TLS-Crypt v2) on the VPN connection's control channel. Requires a TLS-Auth or TLS-Crypt secret key file.
  • Key: The secret TLS-Auth or TLS-Crypt key file to use.
  • Direction: The direction for TLS authentication, defined by your server. Only used for TLS-Auth.

SSL/TLS Client (PKCS12)

PKCS12 is like the original SSL/TLS client method, except a PKCS12 file is your CA, Cert and Key bundled into a single pfx or p12 file.


 

SSL/TLS:

  • PKCS12: The PKCS12 file to use for this connection. It should contain the client certificate, client key, and certificate authority (CA) certificate.

Extra:

  • Type: Set an optional extra layer of authentication (TLS-Auth) or authentication and encryption (TLS-Crypt and TLS-Crypt v2) on the VPN connection's control channel. Requires a TLS-Auth or TLS-Crypt secret key file.
  • Key: The secret TLS-Auth or TLS-Crypt key file to use.
  • Direction: The direction for TLS authentication, defined by your server. Only used for TLS-Auth.

Static Key

Static Key is a very out dated method of authentication which we recommend you do not use but is available for older server configurations.


 

  • Secret: The Secret key for the connection.
  • Direction: The direction for TLS authentication, defined by your server.

Options


 

  • Ping: Pings the remote host every x seconds to maintain a connection.
  • Ping Restart: Restarts the connection if no traffic or pings have passed in x seconds.

Please see this article for more information if you are having issues with ping-restarts.

The following persist options only apply if the VPN connection or OpenVPN reconnects without Viscosity disconnecting the connection.

  • Persist Tun: Do not reset the network adapter if the connection restarts.
  • Persist Key: Don't re-read key files if the connection restarts.
  • Persist Local IP: Do not change local IP settings if the connection restarts.
  • Persist Remote IP: Do no change remote IP settings if the connection restarts.
  • Require certificate was signed for server use: Require that the server certificate was signed for server use (and not client use) only. This adds an extra layer of protection to mitigate MITM attacks.
  • Compression: Compression options for the connection. This must match with what the server allows.
  • No Bind: Use a dynamic port for the local end of the connection, this is recommended.
  • Pull Options: Pull options from the server when connecting.
  • Compatibility: This setting allows you to set the base OpenVPN version the connection should be compatible with. The available options are 2.3, 2.4, 2.5, and Latest. For example, choosing 2.3 should allow you to connect to an OpenVPN server running version 2.3 or later. For more information please see the Adjust the Compatibility Setting section.

Networking


 

All Traffic

This drop down offers the following options and controls whether all traffic is sent over the VPN Connection.

  • Automatic (Set by server): Allows All Traffic to be set by the server. All traffic is sent over the VPN Connection if the server pushes an option to do so, otherwise no traffic is sent over the VPN Tunnel except by routes which are set in your configuration or pushed by the server.
  • Send all traffic over VPN connection: All IPv4 and IPv6 traffic is sent over the VPN connection if it is supported. If IPv4 or IPv6 is not supported by the VPN Connection a warning will be displayed in the log.
  • Send all IPv4 traffic over VPN connection: All IPv4 traffic is sent over the VPN connection if it is supported.
  • Send all IPv6 traffic over the VPN connection: All IPv6 traffic is sent over the VPN connection if it is supported.

Routing

  • Default Gateway: The default gateway for the connection, this should be left blank in most scenarios.

Routes for the connection can be defined by pressing the +. For more information on routing, please see Routing Traffic For Websites & Applications.

DNS

For more information on DNS setup, as well as troubleshooting help, please see Configuring DNS and WINS settings.

  • Mode: The DNS Mode for the connection, please see Configuring DNS and WINS settings for more information.
  • Servers: DNS Servers to be used for this connection. Servers defined here are used first. Multiple servers can be added separated by a comma.
  • Domains: DNS Domains to be used for this connection. Domains defined here are used first. Multiple domains can be added separated by a comma.
  • Ignore DNS settings sent by the VPN server: Any DNS Servers, Domains, or WINS servers pushed by the server will not be used.

Other

  • Shaper: A value in B/s (bytes per second) can be defined here to throttle the upload speed for the VPN connection.
  • Fragment: Defines the max size of a UDP packet in bytes.
  • Tun MTU: The MTU (Maximum Transmission Unit) for the VPN network interface. Lowering this value may help with connection stability.
  • Inactive: Disconnect if no traffic is sent or received after x seconds. Leaving this value blank will disable this option.

Transport

If you normally connect to the Internet through a Proxy, you can set the details here so that OpenVPN can also connect through your proxy server.


 

  • Connect using proxy: Enable or disable this feature.
  • Type: The type of proxy you connect through. If Systemwide is specified, Viscosity will attempt to retrieve proxy details from your system.
  • Address: The address of the proxy server.
  • Port: The port of the proxy server.
  • Auth: The authentication type for the proxy server.

Obfuscation can be used to prevent your VPN connection being detected and/or blocked. For more information please refer to the Setting up an Obfuscation server with Obfsproxy and Viscosity article.

  • Method: The obfuscation method to use. This must match the method being used by the obfuscation server.
  • Key: If the obfuscation method requires a key, it can be entered here.

Advanced


 

Scripting

Scripts can be defined here. For more information on scripting, please see our articles for Mac or Windows.

Extra Commands

Extra commands can be defined here that are not available in the rest of the connection editor. For more information please see Advanced Configuration Commands.

  • Don't create a network adapter for this connection (Windows Only): Do not create a network adapter for this connection. This is an extremely advanced command for users who want to manage the network adapter their connection uses completely manually. For normal operation, never use this option. If you do not wish for a network adapter to be created for each connection, please see Single Adapter Mode (Windows).