Thanks for getting in touch, @barryjump. This thread investigates a similar issue and might be worth looking at. The most notable point being:
“As long as the CA certificate which signed the VPN’s server certificate (set via an env var on the VPN service) matches the one delivered by the API then it should be good.”
Please try this out and let us know the results! If there was any context we’ve missed or helpful info you want to add to this thread, feel free as well!