OpenVPN 2.6 includes support for validating self-signed certificates using fingerprints. That allows the user to get all the security benefits of TLS without setting up a full-blown PKI. Combined with support for ECDH, that makes the minimal setup require only a pair of self-signed certs instead of a full set of a CA/DH/server cert/client cert.
Here are the docs: https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/example-fingerprint.rst
It seems impossible to pass peer fingerprints from the command line. They can be only in the config, and there are two syntax variants: peer-fingerprint option and pseudo-XML tag <peer-fingerprint>.
There can be multiple fingerprints inside the tag:
<peer-fingerprint> ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00 99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:88:77:66:55:44:33 </peer-fingperint>
My proposed syntax is set interfaces openvpn vtunX tls peer-fingerprint .... We can always use the pseudo-XML syntax variant and make it a multi node.