Back to the two remaining warnings, starting with the relatively unimportant one (auth-nocache), the only way that I could get it to take effect was to put it in the .ovpn. YMMV.
On "remote-cert-tls server," I can't connect when it's in server.conf. It requires that "peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules," which I'm guessing isn't the case.
I later found that "To use this feature, you will need to generate your server certificates with the nsCertType field set to "server". The build-key-server script in the easy-rsa folder will do this."
And there's more about it here:
https://openvpn.net/index.php/open-sour ... .html#mitm
My guess is that whatever script is used in Gargoyle to generate the certificates might need to be tweaked.