


Connection Settings

Viscosity provides a connection editor, allowing you to configure the settings for your VPN connection. Below is an outline of what each setting does, tab by tab. Please note that some settings are Mac or Windows specific; these are marked as such.

Tip

The Viscosity connection editor allows you to easily and quickly make changes to your VPN configuration, or to create a new connection.

General


 

  • Name: The display name for your connection. This is how the connection will be identified in Viscosity's menu and windows.
  • Address: The address of the OpenVPN server to connect to. Multiple servers can be entered separated by a comma, and Viscosity will try them as needed. If entering multiple servers that use a different transport protocol (UDP/TCP) or port number, they can be entered using the syntax <server>:<port>:<protocol>, for example 1.2.3.4:1194:udp and vpn.myserver.com:1195:tcp.
  • Port: The port number on the OpenVPN server to connect to. This must match the port the server is listening on.
  • Protocol: The transport protocol (UDP or TCP), and IP version (Automatic, IPv4, or IPv6) to use when connecting to the server. UDP is the most common option for OpenVPN connections, while TCP may be required by some servers or restrictive networks.
  • Device: The type of network interface to use, which is either "tun" (Layer 3 routed networking) or "tap" (Layer 2 bridged networking). Most connections use tun.
  • Enable DHCP: This enables support for IP assignment via DHCP for "tap" connections. This should only be enabled when the VPN server or bridged network provides IP details using DHCP.
  • Enable IPv6: Enabling this option allows IPv6 addresses and routes to be set up for the connection when supported by the server or configuration.
  • Automatically reconnect if disconnected: When enabled, Viscosity will automatically try to reconnect the VPN connection if it becomes disconnected due to a dropout or server interruption.

  • Connect when Viscosity opens: This option is available on all tabs and will cause this connection to begin connecting as soon as Viscosity is launched.

Authentication

The following options are common to all authentication types:

  • Type: The type of authentication setup to use for this connection. This must match the authentication method required by the OpenVPN server. These are described in more depth below.
  • Use Username/Password authentication: Check this if the server you are connecting to requires a username and password in addition to the selected certificate, key, token, or static key authentication.

SSL/TLS Client

This is the most common form of authentication for OpenVPN. At a minimum it uses a certificate authority (CA) certificate to verify the server, a client certificate (Cert), and a client private key (Key) for authentication. A TLS-Auth key can also optionally be used for an additional layer of authentication.


 

SSL/TLS:

  • CA: The Certificate Authority file used to verify the server's certificate.
  • Cert: Your client certificate, which is presented to the server during authentication.
  • Key: The private key that matches your client certificate.

Extra:

  • Type: Set an optional extra layer of authentication (TLS-Auth) or authentication and encryption (TLS-Crypt and TLS-Crypt v2) on the VPN connection's control channel. This must match the server configuration and requires a TLS-Auth or TLS-Crypt secret key file.
  • Key: The secret TLS-Auth or TLS-Crypt key file to use.
  • Direction: The direction for TLS authentication, defined by your server. Only used for TLS-Auth, and should normally be left as Default unless your configuration specifies otherwise.

SSL/TLS Client (PKCS11)

PKCS#11 allows you to use a token or smart card for authentication, keeping the private key on the device instead of storing it directly in the VPN configuration. For more information on PKCS#11, please see Using Tokens/Smartcards (PKCS#11).


 

SSL/TLS:

  • CA: The Certificate Authority file used to verify the server's certificate.

PKCS11:

  • Providers: The PKCS#11 provider libraries or drivers that allow Viscosity and OpenVPN to communicate with your token or smart card.
  • Retrieval: You can define a certificate to always use for this connection, or choose to be prompted each time you connect. Prompting can be useful if the token contains multiple certificates, or if certificates are replaced regularly.
  • Name: The name or identifier of the certificate to use on the token or smart card.

Extra:

  • Type: Set an optional extra layer of authentication (TLS-Auth) or authentication and encryption (TLS-Crypt and TLS-Crypt v2) on the VPN connection's control channel. This must match the server configuration and requires a TLS-Auth or TLS-Crypt secret key file.
  • Key: The secret TLS-Auth or TLS-Crypt key file to use.
  • Direction: The direction for TLS authentication, defined by your server. Only used for TLS-Auth, and should normally be left as Default unless your configuration specifies otherwise.

SSL/TLS Client (PKCS12)

PKCS#12 is like the original SSL/TLS client method, except a PKCS#12 file contains the CA, client certificate, and client key bundled into a single .pfx or .p12 file.


 

SSL/TLS:

  • PKCS12: The PKCS#12 file to use for this connection. It should contain the client certificate, client key, and certificate authority (CA) certificate.

Extra:

  • Type: Set an optional extra layer of authentication (TLS-Auth) or authentication and encryption (TLS-Crypt and TLS-Crypt v2) on the VPN connection's control channel. This must match the server configuration and requires a TLS-Auth or TLS-Crypt secret key file.
  • Key: The secret TLS-Auth or TLS-Crypt key file to use.
  • Direction: The direction for TLS authentication, defined by your server. Only used for TLS-Auth, and should normally be left as Default unless your configuration specifies otherwise.

Static Key

Static Key is a legacy pre-shared key method of authentication. It is deprecated in OpenVPN and we recommend you do not use it for new connections; however, it remains available for older server configurations.


 

  • Secret: The static key file for the connection.
  • Direction: The key direction defined by your server. Both sides of the connection must use complementary directions, or both leave the direction unset.

Options


 

  • Ping: Sends an OpenVPN keepalive ping to the remote host every x seconds. This can help keep the connection active through firewalls or routers that close idle UDP sessions.
  • Ping Restart: Restarts the connection if no traffic or keepalive pings are received from the remote host for x seconds.

Please see this article for more information if you are having issues with ping-restarts.

The following persist options only apply if the VPN connection or OpenVPN reconnects without Viscosity disconnecting the connection.

  • Persist Tun: Do not close and recreate the VPN network adapter if the connection restarts.
  • Persist Key: Don't re-read key files if the connection restarts.
  • Persist Local IP: Do not change the local IP address and port settings if the connection restarts.
  • Persist Remote IP: Do not change the remote IP address and port settings if the connection restarts.

  • Require certificate was signed for server use: Require that the server's certificate was signed for server use only (and not for client use). This adds an extra layer of protection against MITM attacks.

  • Compression: Compression options for the connection. This must match what the server allows. Compression is not recommended for modern VPN configurations unless required by the server.

  • No Bind: Use a dynamic port for the local end of the connection. This is recommended for most client connections, and can help avoid local port conflicts when multiple VPN connections are used.

  • Pull Options: Allow the server to push connection options such as routes, DNS settings, and keepalive settings. This should normally be enabled for client connections.
  • Compatibility: This setting allows you to set the base OpenVPN version the connection should be compatible with. The available options are 2.3, 2.4, 2.5, and Latest. For example, choosing 2.3 should allow you to connect to an OpenVPN server running version 2.3 or later. Compatibility modes may enable legacy ciphers, digests, compression, or TLS behaviour needed by older servers. For more information please see the Adjust the Compatibility Setting section.
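
As an added example (not Viscosity's own code), the following Python script audits an OpenVPN-format configuration for the settings this page singles out: Static Key, "Require certificate was signed for server use", Compression, and the optional Extra control-channel key. The mapping to the OpenVPN directives `secret`, `remote-cert-tls server`, `comp-lzo`/`compress` and `tls-auth`/`tls-crypt`/`tls-crypt-v2` is an assumption of this example, as are the constructed sample configurations and the finding names.

```python
import shlex

# Constructed sample configurations (assumptions, not from the Viscosity documentation).
WEAK = """client
remote vpn.example.com 1194 udp
<ca>
(constructed placeholder, not a real certificate)
</ca>
cert client.crt
key client.key
comp-lzo
"""
HARDENED = WEAK.replace("comp-lzo\n", "remote-cert-tls server\ntls-crypt ta.key\nnobind\n")
STATIC = "dev tun\nremote vpn.example.com 1194 udp\nsecret static.key 1\n"

def parse(text):
    """Map each directive to its argument lists, skipping comments and inline <file> bodies."""
    opts, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                   # inside <ca>...</ca> and similar
            block = None if line == f"</{block}>" else block
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            opts.setdefault(block, []).append([])   # an inline file counts as "present"
            continue
        name, *args = shlex.split(line, comments=True)
        opts.setdefault(name, []).append(args)
    return opts

def audit(text):
    """Return hypothetical finding IDs for the settings described on this page."""
    o, findings = parse(text), []
    if "secret" in o:                               # Static Key: deprecated pre-shared key mode
        return ["static-key"]
    if ["server"] not in o.get("remote-cert-tls", []):
        findings.append("no-server-cert-check")     # server-use certificate check is off
    if any(a[:1] != ["no"] for a in o.get("comp-lzo", [])) or \
       any(a[:1] and a[0] in ("lzo", "lz4", "lz4-v2") for a in o.get("compress", [])):
        findings.append("compression")              # Compression is enabled
    if not o.keys() & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no-control-channel-key")   # Extra type unset (optional hardening)
    return findings

if __name__ == "__main__":
    print({n: audit(c) for n, c in (("weak", WEAK), ("hardened", HARDENED), ("static", STATIC))})
```
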

Networking


 

All Traffic

This drop-down controls whether all traffic is sent over the VPN connection. It offers the following options:

  • Automatic (Set by server): Allows All Traffic to be set by the server. All traffic is sent over the VPN connection if the server pushes an option to do so, otherwise only traffic matching routes set in your configuration or pushed by the server is sent over the VPN tunnel.
  • Send all traffic over VPN connection: All IPv4 and IPv6 traffic is sent over the VPN connection if it is supported. If IPv4 or IPv6 is not supported by the VPN connection, a warning will be displayed in the log.
  • Send all IPv4 traffic over VPN connection: All IPv4 traffic is sent over the VPN connection if it is supported.
  • Send all IPv6 traffic over the VPN connection: All IPv6 traffic is sent over the VPN connection if it is supported.

Routing

  • Default Gateway: The default gateway for routes using this connection. This should be left blank in most scenarios so Viscosity and OpenVPN can determine the correct gateway automatically.

Routes for the connection can be defined by pressing the +. Routes determine which networks or IP addresses are sent through the VPN connection. For more information on routing, please see Routing Traffic For Websites & Applications.

DNS

For more information on DNS setup, as well as troubleshooting help, please see Configuring DNS and WINS settings.

  • Mode: The DNS Mode for the connection. This controls how DNS settings are applied while the VPN connection is active. Please see Configuring DNS and WINS settings for more information.
  • Servers: DNS servers to be used for this connection. Servers defined here are used first. Multiple servers can be added separated by a comma.
  • Domains: DNS domains to be used for this connection. Domains defined here are used first. Multiple domains can be added separated by a comma.
  • Ignore DNS settings sent by the VPN server: Any DNS Servers, Domains, or WINS servers pushed by the server will not be used.

Other

  • Shaper: A value in B/s (bytes per second) can be defined here to throttle outgoing VPN traffic.
  • Fragment: Defines the maximum size of a UDP packet in bytes. This should generally only be used when troubleshooting MTU or packet fragmentation problems.
  • Tun MTU: The MTU (Maximum Transmission Unit) for the VPN network interface. Lowering this value may help with connection stability when the network path cannot handle the default packet size.
  • Inactive: Disconnect if no VPN tunnel traffic is sent or received after x seconds. OpenVPN keepalive pings are not counted as activity. Leaving this value blank will disable this option.

Transport

If you normally connect to the Internet through a proxy, you can set the details here so that OpenVPN can also connect to the VPN server through your proxy server.


 

  • Connect using proxy: Connect to the VPN server through an HTTP or SOCKS proxy server instead of connecting directly. This only affects how the VPN connection reaches the VPN server: it does not turn the VPN connection into a proxy for your other network traffic.
  • Type: The type of proxy you connect through. If Systemwide is specified, Viscosity will attempt to retrieve proxy details from your system.
  • Address: The address of the proxy server.
  • Port: The port of the proxy server.
  • Auth: The authentication type for the proxy server. If the proxy requires a username and password, Viscosity will prompt for or use the required credentials.

Obfuscation can be used to make your VPN connection harder to detect or block. For more information please refer to the Setting up an Obfuscation server with Obfsproxy and Viscosity article.

  • Method: The obfuscation method to use. This must match the method being used by the obfuscation server.
  • Key: If the obfuscation method requires a key, it can be entered here.

Advanced


 

Scripting

Scripts can be defined here to run before connecting, after the connection is established, or after the connection disconnects. For more information on scripting, please see our articles for Mac or Windows.

Extra Commands

Extra OpenVPN commands can be defined here for settings that are not available in the rest of the connection editor. Each command should be entered on its own line. For more information please see Advanced Configuration Commands.

  • Don't create a network adapter for this connection (Windows Only): Do not create a network adapter for this connection. This is an extremely advanced option for users who want to manage the network adapter their connection uses completely manually. For normal operation, never use this option. If you do not wish for a network adapter to be created for each connection, please see Single Adapter Mode (Windows).