
Add support for peer-fingerprint to OpenVPN
Closed, Resolved (Public)

Description

OpenVPN 2.6 includes support for validating self-signed certificates using fingerprints. That allows the user to get all the security benefits of TLS without setting up a full-blown PKI. Combined with support for ECDH, that makes the minimal setup require only a pair of self-signed certs instead of a full set of a CA/DH/server cert/client cert.

Here are the docs: https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/example-fingerprint.rst

It seems impossible to pass peer fingerprints from the command line. They can only be in the config, and there are two syntax variants: the peer-fingerprint option and the pseudo-XML tag <peer-fingerprint>.

There can be multiple fingerprints inside the tag:

<peer-fingerprint>
ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00
99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:88:77:66:55:44:33
</peer-fingerprint>

My proposed syntax is set interfaces openvpn vtunX tls peer-fingerprint .... We can always use the pseudo-XML syntax variant and make it a multi node.
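As an added example, not code from this task or from the VyOS or OpenVPN projects: a small Python module (all names hypothetical) that computes a certificate's SHA-256 fingerprint the way `openssl x509 -fingerprint -sha256` and OpenVPN's peer-fingerprint check do (SHA-256 over the DER encoding, written as 32 colon-separated hex octets), validates that form before a CLI node such as `tls peer-fingerprint` accepts it, renders the `<peer-fingerprint>` block for the generated openvpn.conf with the multi-node values, and parses such a block back. The embedded PEM body is a constructed placeholder, not a real certificate; only the digest path is exercised.

```python
import base64
import hashlib
import re

# Added example, not VyOS or OpenVPN code. Helper names are hypothetical.

# An OpenVPN peer fingerprint is the SHA-256 digest of the certificate's DER
# encoding, written as 32 colon-separated hex octets (95 characters), which is
# exactly what `openssl x509 -fingerprint -sha256 -noout -in cert.pem` prints.
FINGERPRINT_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$")

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

BLOCK_RE = re.compile(r"<peer-fingerprint>(.*?)</peer-fingerprint>", re.S)

# Constructed placeholder: base64 of arbitrary bytes wrapped in PEM markers.
# It is NOT a real certificate; it only stands in for the DER payload.
_PLACEHOLDER_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(_PLACEHOLDER_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

# The two fingerprints shown in the task description above (values taken from
# the page, not computed from any certificate).
PAGE_FINGERPRINTS = [
    "ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:"
    "ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00",
    "99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:"
    "99:88:77:66:55:44:33:22:11:00:88:77:66:55:44:33",
]


def cert_fingerprint_sha256(pem: str) -> str:
    """SHA-256 fingerprint of the first PEM certificate in `pem`, colon-hex."""
    m = PEM_CERT_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    # PEM is base64 of the DER bytes; the digest is over DER, not over the PEM text.
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    digest = hashlib.sha256(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def validate_fingerprint(fp: str) -> bool:
    """Strict syntax check for a value arriving from the CLI."""
    return FINGERPRINT_RE.match(fp) is not None


def render_peer_fingerprint_block(fingerprints) -> str:
    """Render the pseudo-XML block for openvpn.conf, one fingerprint per line.

    Rejects an empty list (a block with no entries would pin nothing) and any
    malformed entry, so a typo cannot silently disable the check.
    """
    fps = list(fingerprints)
    if not fps:
        raise ValueError("at least one peer fingerprint is required")
    bad = [fp for fp in fps if not validate_fingerprint(fp)]
    if bad:
        raise ValueError(f"malformed fingerprint(s): {bad}")
    body = "\n".join(fp.upper() for fp in fps)
    return f"<peer-fingerprint>\n{body}\n</peer-fingerprint>\n"


def parse_peer_fingerprint_block(config: str) -> list:
    """Return the normalised (upper-case) fingerprints found in a config block."""
    m = BLOCK_RE.search(config)
    if not m:
        return []
    return [line.strip().upper()
            for line in m.group(1).splitlines() if line.strip()]


def peer_allowed(presented_fp: str, allowed) -> bool:
    """Case-insensitive membership test of a peer's fingerprint in the list."""
    return presented_fp.upper() in {fp.upper() for fp in allowed}


if __name__ == "__main__":
    print(cert_fingerprint_sha256(SAMPLE_PEM))
    print(render_peer_fingerprint_block(PAGE_FINGERPRINTS), end="")
```

Two practical points follow from the digest path above: the fingerprint pins one exact certificate, so every peer's list has to be updated whenever a certificate is renewed (there is no CA to vouch for a successor), and the value must be the SHA-256 fingerprint, since a SHA-1 fingerprint (40 hex digits) fails the syntax check and would never match.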

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)