With this new version, it seems that the legacy option to check the x509 certificate subject (tls-remote) is no longer accepted : Feb 12 19:29:46 bonobo.bellet.info NetworkManager[1051]: Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: tls-remote (2.4.0) Feb 12 19:29:46 bonobo.bellet.info NetworkManager[1051]: Use --help for more information. Feb 12 19:29:46 bonobo.bellet.info NetworkManager[1051]: <warn> [1486924186.6513] vpn-connection[0x560946b30100,ba9c7938-bd0e-4e3d-b971-5a605ee5811d,"VPN xxx 1194/udp",0]: VPN plugin: failed: connect-failed (1) Feb 12 19:29:46 bonobo.bellet.info NetworkManager[1051]: <warn> [1486924186.6513] vpn-connection[0x560946b30100,ba9c7938-bd0e-4e3d-b971-5a605ee5811d,"VPN xxx 1194/udp",0]: VPN plugin: failed: connect-failed (1) Switching to other options to verify the CN works fine of course, but I think breaking the existing tls-remote option was not the desired behaviour.
I assume you are running openvpn version 2.4? Probably a dupe of bug 1421241.
*** This bug has been marked as a duplicate of bug 1421241 ***