On AT&T wifi at work, I successfully connected to my VPN server at home, set up on my DS718+ with OpenVPN (the VPN symbol showed up on the iPhone, iOS 12). I am wondering about security though. A few questions:
1 - Is it safe to allow the OpenVPN app to save the username and password used to log in to the server? I believe the answer is that it is as safe as the passcode on the iPhone, since if they are saved, someone could get to my login screen for the DSM after connecting the VPN.
2 - Follow-up to 1 - would they theoretically have the username and password too and then use them to log in to my DSM? Or would the username/password be really hard to lift from the phone?
3 - I only had to transfer (via iTunes) the .ovpn file. Several other files were exported with the .ovpn file (ca_bundle.crt and ca.crt). What are these files for?
4 - My .ovpn file has two certificates: what are both of these? When I first did the export with a self-signed cert, it only gave me the ca.crt file (not the ca_bundle.crt) and, I believe, it only had one cert in the .ovpn file. Is there something I can or should do with these files to make the VPN more secure?
5 - Once the VPN was active, I was able to find the login pages for the DSM and the SRM (router interface). However, on the iPhone (running the latest iOS 12), it said that the connection was not secure (see attached screenshots). (a) Is there a way to keep the VPN connection but not allow access through it to the DSM and SRM logins? (b) Should I care about the "not secure" messages from Safari? I've read a lot about certificates, keys and SSL, but I'm confused.
6 - I do not have the DiskStation firewall enabled. Should I, with an active VPN? Generally, is the firewall on the router enough, or should I also enable it on the DiskStation?
My setup:
DSM 6.2.1-23824 Update 1
LAN static IP for DS
Synology 2600 router. DDNS active and used in the .ovpn file for the server address
Self-signed cert on the router. Let's Encrypt cert on the DS.
Port forwarding on the router - besides the DDNS on the router, the only other thing I had to do was forward port 1194 to my static LAN IP address for the DS. This entry automatically added an entry allowing the same in the router firewall.
.ovpn file
dev tun
tls-client
remote xxxxxx.synology.me 1194
#float
redirect-gateway def1
#dhcp-option DNS DNS_IP_ADDRESS
pull
proto udp
script-security 2
auth-nocache
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxxxxxx
-----END CERTIFICATE-----
</ca>
Security Questions - VPN Server w/ OpenVPN on DS718+. ios12 clients
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Nov 02, 2018 5:22 pm
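As an added example (not from the post, from the OpenVPN project or from Synology), the Python script below parses a profile like the one above, splits the inline `<ca>` bundle to show how many certificates it carries (the "two certificates" of question 4: an export made with a CA-signed server certificate carries the issuing chain, an export made with a self-signed certificate only the one CA), and flags the directives a practitioner checks before installing the profile on a phone. The sample profile is constructed to mirror the posted one with placeholder certificate bodies; the finding codes and messages are this example's own.

```python
"""Lint an exported OpenVPN client profile (.ovpn).

Splits the inline <ca> bundle into its certificates and reports the directives
a reviewer checks before installing the profile on a phone.  SAMPLE_OVPN is
constructed to mirror the profile quoted in the post; the certificate bodies
are placeholders, not real certificates."""
import re

SAMPLE_OVPN = """\
dev tun
tls-client
remote xxxxxx.synology.me 1194
#float
redirect-gateway def1
#dhcp-option DNS DNS_IP_ADDRESS
pull
proto udp
script-security 2
auth-nocache
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
xxxxxxx
-----END CERTIFICATE-----
</ca>
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def parse_ovpn(text):
    """Return (directives, blocks): directives as (name, args) in file order with
    comments skipped; blocks maps an inline tag such as 'ca' to its raw body."""
    directives, blocks, lines, i = [], {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        tag = re.fullmatch(r"<(\w+)>", line)
        if tag:  # inline block: collect lines up to the matching close tag
            body = []
            i += 1
            while i < len(lines) and lines[i].strip() != f"</{tag.group(1)}>":
                body.append(lines[i])
                i += 1
            blocks[tag.group(1)] = "\n".join(body)
        elif line and not line.startswith(("#", ";")):
            name, *args = line.split()
            directives.append((name, args))
        i += 1
    return directives, blocks


def split_pem(bundle):
    """Return each certificate in a PEM bundle as its own clean PEM string; copes
    with an END marker glued to the next BEGIN marker, as in the quoted profile."""
    return [f"-----BEGIN CERTIFICATE-----\n{m.group(1)}\n-----END CERTIFICATE-----"
            for m in PEM_RE.finditer(bundle)]


def lint(text):
    """Return (code, severity, message) findings for the profile."""
    directives, blocks = parse_ovpn(text)
    opt = dict(directives)  # last occurrence of a directive wins
    out = []
    certs = split_pem(blocks.get("ca", ""))
    if not certs:
        out.append(("no-ca", "error", "no <ca> block: the client cannot authenticate the server"))
    else:
        out.append(("ca-count", "info", f"<ca> holds {len(certs)} certificate(s); more than one is a chain (e.g. intermediate plus root), not a single self-signed CA"))
    if opt.get("remote-cert-tls") != ["server"]:
        out.append(("no-remote-cert-tls", "error", "missing 'remote-cert-tls server': any certificate the CA issued could pose as the server"))
    if "verify-x509-name" not in opt:
        out.append(("no-verify-x509-name", "info", "server name is not pinned; CA trust alone decides which server is accepted"))
    if "tls-auth" not in opt and "tls-crypt" not in opt:
        out.append(("no-tls-hmac", "warn", "no 'tls-auth'/'tls-crypt': anyone on the Internet can open a TLS handshake with the forwarded port"))
    if "auth-user-pass" in opt and "cert" not in opt and "cert" not in blocks:
        out.append(("password-only", "info", "password-only client auth; a per-device client certificate would let you revoke one lost phone"))
    if "auth-nocache" not in opt:
        out.append(("no-auth-nocache", "warn", "credentials stay cached in client memory"))
    if opt.get("reneg-sec") == ["0"]:
        out.append(("reneg-sec-0", "warn", "'reneg-sec 0' disables periodic data-channel rekeying"))
    cipher = opt.get("cipher", [""])[0]
    if cipher.upper().endswith("-CBC"):
        out.append(("cbc-cipher", "info", f"'{cipher}' is a CBC mode; prefer AES-256-GCM when the server offers it"))
    return out


def finding_codes(text):
    """Just the finding codes, for quick checks."""
    return [code for code, _, _ in lint(text)]


if __name__ == "__main__":
    for code, severity, message in lint(SAMPLE_OVPN):
        print(f"[{severity:5}] {code}: {message}")
```

Run it against a real export to see which of the warnings apply; `tls-auth`/`tls-crypt` and `verify-x509-name` only help if the server side is configured to match, so treat those two findings as things to check on the server rather than edits to make in the client profile alone.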
Re: Security Questions - VPN Server w/ OpenVPN on DS718+. ios12 clients
Anyone willing to engage here?
- OpenVpn Newbie
- Posts: 3
- Joined: Wed Nov 07, 2018 5:53 am
Re: Security Questions - VPN Server w/ OpenVPN on DS718+. ios12 clients
I do not fully understand all your abbreviations, such as DS718 and DSM. Well, I can answer some questions.
1. It is safe, though it could be better. If your iOS device is not hacked or jailbroken, then your username and password will be safe. It is hard to steal them from an iOS device.
2. Is your DSM accessible internally, or only over the OpenVPN connection? If it can be accessed with a username and password, of course anyone with them can access your DSM.
4. OpenVPN Connect uses ca_bundle.crt and ca.crt to check that the OpenVPN server is the one you trust, not a fake server. Those files were needed for earlier versions of the OpenVPN client. Now the .ovpn file has those .crt files embedded, so you can ignore the separate .crt files.
5. Screenshots not found. I can't answer.
6. It depends on you. The more security you have, the harder it is to use (if there is a problem, it may be hard to find the cause).
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Nov 02, 2018 5:22 pm
Re: Security Questions - VPN Server w/ OpenVPN on DS718+. ios12 clients
Hi comphilip. DSM is the Synology DiskStation Manager that manages the Synology NAS. The 718+ is the model of the NAS.
2 - I can get to the login screen when on my LAN or when tunneling in through the VPN, but I've never accessed it externally without the VPN.
4 - cool. I couldn't find anywhere that stated that explicitly, but that is what I thought.
5 - I couldn't figure out how to post them here. I cross-posted on the Synology forum (no hits there) and have the screenshots there. https://community.synology.com/forum/16/post/120555
Thanks.