
Make OpenVPN `tls dh-params` optional
Closed, Resolved, Public

Description

Historically, an OpenVPN server setup required a file containing a prime for the Diffie-Hellman key exchange. Recent OpenVPN versions support Elliptic Curve Diffie-Hellman (ECDH), which is enabled by setting `dh none`.

This option will be especially useful for the new TLS "site-to-site" mode, where it saves the user setup time.

From a quick test, ECDH doesn't require the certs to use EC — at least OpenVPN doesn't complain on startup and the connection comes up. We can probably just relax the validation and default to `dh none` if it's not set.
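As an added example (not the VyOS project's own code), this is the shape the relaxed verify/render step could take: emit `dh none` when `dh-params` is unset, and, when a file is given, check that it really is a PEM "DH PARAMETERS" block whose prime is at least 2048 bits rather than only checking that the file exists. The leaf name `dh-params` comes from the task title; `dh_directive`, its `read_file` hook, `MIN_DH_BITS` and the fixture builder are hypothetical, and the fixture's "prime" is a constructed stand-in, not a real safe prime.

```python
import base64, re
from pathlib import Path

# Added example, not VyOS project code: treat the hypothetical `dh-params` leaf as
# optional, and when it is set, refuse files whose prime is shorter than MIN_DH_BITS.
MIN_DH_BITS = 2048
PEM_RE = re.compile(rb"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def dh_prime_bits(pem: bytes) -> int:
    """Bit length of p in a PEM 'DH PARAMETERS' file (PKCS#3 DER: SEQUENCE { INTEGER p, INTEGER g })."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM DH PARAMETERS block")
    der = base64.b64decode(b"".join(m.group(1).split()))
    if der[:1] != b"\x30":
        raise ValueError("DER does not start with SEQUENCE")
    i = 2 + ((der[1] & 0x7F) if der[1] & 0x80 else 0)  # skip SEQUENCE tag + length
    if der[i] != 0x02:
        raise ValueError("expected INTEGER p")
    if der[i + 1] & 0x80:  # long-form length: next n bytes hold the length
        n = der[i + 1] & 0x7F
        plen, i = int.from_bytes(der[i + 2:i + 2 + n], "big"), i + 2 + n
    else:
        plen, i = der[i + 1], i + 2
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def dh_directive(tls: dict, read_file=lambda p: Path(p).read_bytes()) -> str:
    """Return the OpenVPN `dh` line for the tls subtree: `dh none` (ECDH) when unset."""
    path = tls.get("dh-params")
    if path is None:
        return "dh none"
    bits = dh_prime_bits(read_file(path))
    if bits < MIN_DH_BITS:
        raise ValueError(f"{path}: DH prime is only {bits} bits, need >= {MIN_DH_BITS}")
    return f"dh {path}"

def _der_len(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([0x80 | len(b)]) + b if b else bytes([n])

def _der_int(v: int) -> bytes:  # a leading 0x00 is added when the top bit is set
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(b)) + b

def make_test_dh_pem(bits: int) -> bytes:
    """Constructed fixture only: p is an odd number of the requested size, not a real safe prime."""
    der = _der_int((1 << (bits - 1)) | 1) + _der_int(2)
    body = b"\x30" + _der_len(len(der)) + der
    return b"-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(body) + b"-----END DH PARAMETERS-----\n"
```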

Details

Difficulty level: Unknown (requires assessment)
Version: -
Why the issue appeared? Will be filled on close
Is it a breaking change? Perfectly compatible
Issue type: Improvement (missing useful functionality)