Page MenuHomeVyOS Platform

Add support for peer-fingerprint to OpenVPN
Closed, ResolvedPublic


OpenVPN 2.6 includes support for validating self-signed certificates using fingerprints. That allows the user to get all the security benefits of TLS without setting up a full-blown PKI. Combined with support for ECDH, that makes the minimal setup require only a pair of self-signed certs instead of a full set of a CA/DH/server cert/client cert.

Here are the docs:

It seems impossible to pass peer fingerprints from the command line. They can be only in the config, and there are two syntax variants: peer-fingerprint option and pseudo-XML tag <peer-fingerprint>.

There can be multiple fingerprints inside the tag:


My proposed syntax is set interfaces openvpn vtunX tls peer-fingerprint .... We can always use the pseudo-XML syntax variant and make it a multi node.


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)