Will this help with nord vpn and can I use this config on my merlin router

[Jack-Sparr0w]

In summary, using reneg-sec with a value of 3600 seconds enhances security by limiting the window of opportunity for attackers to exploit key vulnerabilities, while setting it to 0 allows the server to manage key renegotiation times.

 

[ColinTaylor]

NordVPN TLS 1.0 Support
NordVPN has been gradually upgrading its servers to use TLS 1.2 for OpenVPN. However, some of NordVPN's servers still use TLS 1.0 for OpenVPN as of the last update.
This indicates that while NordVPN is moving towards more secure protocols, some servers may still support TLS 1.0 for backward compatibility

When (and where) was that posted? That looks like old information. In any case Asuswrt-Merlin uses OpenVPN 2.6 which by default doesn't support TLS 1.0.

The custom config file has to be entered manually. reneg-sec is 0 by default in the file, I added reneg-sec 3600. The values can be changed with this. I don't see what your getting at

You can change that to 3600 or leave it 0. Either way makes no difference because the server side forces a change every 3600 seconds anyway.

 

[Jack-Sparr0w]

Security Companies are about redundancy. A lot of guides that put this line in don't do it for no reason. With the rise of MITM attacks I do like redundancy.

 

[Jack-Sparr0w]

The disable-occ option in OpenVPN disables the "options consistency check" (OCC), which is useful in configurations that do not use TLS. This option prevents warning messages if option inconsistencies are detected between peers, such as when one peer uses dev tun while the other uses dev tap.

In a server mode setup, if you want to avoid warnings about potential address conflicts, you can use disable-occ to silence these warnings, which might occasionally annoy more experienced users by triggering "false positive" warnings.

Incompatibility issues can arise when router vendors, such as OpenWRT and Tomato Shibby, build their OpenVPN program with the --enable-small configure option, which strips out the OCC (Option Consistency Check) code. This can lead to incompatibility with certain services, like vpngate.net, which claim to use SoftEther VPN.

The --disable-occ option in OpenVPN can impact security by potentially allowing option inconsistencies between peers, such as one peer using --dev tun while the other uses --dev tap. This option is discouraged and provided as a temporary fix for situations where a recent version of OpenVPN must connect to an old version.

However, it's important to note that disabling OCC can lower security or disable features like data-channel offloading. Therefore, it should be used with caution and only when necessary.

To mitigate these issues, it is recommended to avoid using --disable-occ unless absolutely necessary and to ensure compatibility between the OpenVPN client and server configurations.

 

[Viktor Jaep]

Hardened and blackened... that's how I like my chicken!

 

[ColinTaylor]

The disable-occ option in OpenVPN disables the "options consistency check" (OCC), which is useful in configurations that do not use TLS. This option prevents warning messages if option inconsistencies are detected between peers, such as when one peer uses dev tun while the other uses dev tap.

In a server mode setup, if you want to avoid warnings about potential address conflicts, you can use disable-occ to silence these warnings, which might occasionally annoy more experienced users by triggering "false positive" warnings.

However, it's important to note that disabling OCC can lower security or disable features like data-channel offloading. Therefore, it should be used with caution and only when necessary.

You seem to be quoting this from somewhere. I don't know why as it's not part of NordVPN's config and is a depreciated option.

 

[Jack-Sparr0w]

disable-occ was part of a temporary fix.