diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index 9e4cc6813..6aedc3786 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -1,231 +1,233 @@
### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
# {{ description if description is defined and description is not none }}
#
verb 3
dev-type {{ device_type }}
dev {{ ifname }}
persist-key
{% if protocol == 'tcp-active' %}
proto tcp-client
{% elif protocol == 'tcp-passive' %}
proto tcp-server
{% else %}
proto udp
{% endif %}
{% if local_host is defined and local_host is not none %}
local {{ local_host }}
{% endif %}
{% if mode is defined and mode == 'server' and protocol == 'udp' and local_host is not defined %}
multihome
{% endif %}
{% if local_port is defined and local_port is not none %}
lport {{ local_port }}
{% endif %}
{% if remote_port is defined and remote_port is not none %}
rport {{ remote_port }}
{% endif %}
{% if remote_host is defined and remote_host is not none %}
{% for remote in remote_host %}
remote {{ remote }}
{% endfor %}
{% endif %}
{% if shared_secret_key is defined and shared_secret_key is not none %}
secret /run/openvpn/{{ ifname }}_shared.key
{% endif %}
{% if persistent_tunnel is defined %}
persist-tun
{% endif %}
{% if replace_default_route is defined and replace_default_route.local is defined %}
push "redirect-gateway local def1"
{% elif replace_default_route is defined %}
push "redirect-gateway def1"
{% endif %}
{% if use_lzo_compression is defined %}
compress lzo
{% endif %}
{% if mode == 'client' %}
#
# OpenVPN Client mode
#
client
nobind
{% elif mode == 'server' %}
#
# OpenVPN Server mode
#
mode server
tls-server
{% if server is defined and server is not none %}
{% if server.subnet is defined and server.subnet is not none %}
{% if server.topology is defined and server.topology == 'point-to-point' %}
topology p2p
{% elif server.topology is defined and server.topology is not none %}
topology {{ server.topology }}
{% endif %}
{% for subnet in server.subnet %}
{% if subnet | is_ipv4 %}
server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
{# First ip address is used as gateway. It's allows to use metrics #}
{% if server.push_route is defined and server.push_route is not none %}
{% for route, route_config in server.push_route.items() %}
{% if route | is_ipv4 %}
push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ subnet | first_host_address }} {{ route_config.metric if route_config.metric is defined else "0" }}"
{% elif route | is_ipv6 %}
push "route-ipv6 {{ route }}"
{% endif %}
{% endfor %}
{% endif %}
{# OpenVPN assigns the first IP address to its local interface so the pool used #}
{# in net30 topology - where each client receives a /30 must start from the second subnet #}
{% if server.topology is defined and server.topology == 'net30' %}
ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
{% else %}
{# OpenVPN assigns the first IP address to its local interface so the pool must #}
{# start from the second address and end on the last address #}
ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
{% endif %}
{% elif subnet | is_ipv6 %}
server-ipv6 {{ subnet }}
{% endif %}
{% endfor %}
{% endif %}
{% if server.client_ip_pool is defined and server.client_ip_pool is not none and server.client_ip_pool.disable is not defined %}
ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none }}
{% endif %}
{% if server.max_connections is defined and server.max_connections is not none %}
max-clients {{ server.max_connections }}
{% endif %}
{% if server.client is defined and server.client is not none %}
client-config-dir /run/openvpn/ccd/{{ ifname }}
{% endif %}
{% endif %}
keepalive {{ keep_alive.interval }} {{ keep_alive.interval|int * keep_alive.failure_count|int }}
management /run/openvpn/openvpn-mgmt-intf unix
{% if server is defined and server is not none %}
{% if server.reject_unconfigured_clients is defined %}
ccd-exclusive
{% endif %}
{% if server.name_server is defined and server.name_server is not none %}
{% for nameserver in server.name_server %}
{% if nameserver | is_ipv4 %}
push "dhcp-option DNS {{ nameserver }}"
{% elif nameserver | is_ipv6 %}
push "dhcp-option DNS6 {{ nameserver }}"
{% endif %}
{% endfor %}
{% endif %}
{% if server.domain_name is defined and server.domain_name is not none %}
push "dhcp-option DOMAIN {{ server.domain_name }}"
{% endif %}
{% endif %}
{% else %}
#
# OpenVPN site-2-site mode
#
ping {{ keep_alive.interval }}
ping-restart {{ keep_alive.failure_count }}
{% if device_type == 'tap' %}
{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
{% if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %}
ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }}
{% endif %}
{% endfor %}
{% else %}
{% for laddr in local_address if laddr | is_ipv4 %}
{% for raddr in remote_address if raddr | is_ipv4 %}
ifconfig {{ laddr }} {{ raddr }}
{% endfor %}
{% endfor %}
{% for laddr in local_address if laddr | is_ipv6 %}
{% for raddr in remote_address if raddr | is_ipv6 %}
ifconfig-ipv6 {{ laddr }} {{ raddr }}
{% endfor %}
{% endfor %}
{% endif %}
{% endif %}
{% if tls is defined and tls is not none %}
# TLS options
{% if tls.ca_certificate is defined and tls.ca_certificate is not none %}
ca /run/openvpn/{{ ifname }}_ca.pem
{% endif %}
{% if tls.certificate is defined and tls.certificate is not none %}
cert /run/openvpn/{{ ifname }}_cert.pem
{% endif %}
{% if tls.private_key is defined %}
key /run/openvpn/{{ ifname }}_cert.key
{% endif %}
{% if tls.crypt_key is defined and tls.crypt_key is not none %}
tls-crypt /run/openvpn/{{ ifname }}_crypt.key
{% endif %}
{% if tls.crl is defined %}
crl-verify /run/openvpn/{{ ifname }}_crl.pem
{% endif %}
{% if tls.tls_version_min is defined and tls.tls_version_min is not none %}
tls-version-min {{ tls.tls_version_min }}
{% endif %}
{% if tls.dh_params is defined and tls.dh_params is not none %}
dh /run/openvpn/{{ ifname }}_dh.pem
+{% elif mode == 'server' and tls.private_key is defined %}
+dh none
{% endif %}
{% if tls.auth_key is defined and tls.auth_key is not none %}
{% if mode == 'client' %}
tls-auth /run/openvpn/{{ ifname }}_auth.key 1
{% elif mode == 'server' %}
tls-auth /run/openvpn/{{ ifname }}_auth.key 0
{% endif %}
{% endif %}
{% if tls.role is defined and tls.role is not none %}
{% if tls.role == 'active' %}
tls-client
{% elif tls.role == 'passive' %}
tls-server
{% endif %}
{% endif %}
{% endif %}
# Encryption options
{% if encryption is defined and encryption is not none %}
{% if encryption.cipher is defined and encryption.cipher is not none %}
cipher {{ encryption.cipher | openvpn_cipher }}
{% if encryption.cipher == 'bf128' %}
keysize 128
{% elif encryption.cipher == 'bf256' %}
keysize 256
{% endif %}
{% endif %}
{% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %}
data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
{% endif %}
{% endif %}
{% if hash is defined and hash is not none %}
auth {{ hash }}
{% endif %}
{% if authentication is defined and authentication is not none %}
auth-user-pass {{ auth_user_pass_file }}
auth-retry nointeract
{% endif %}
{% if openvpn_option is defined and openvpn_option is not none %}
#
# Custom options added by user (not validated)
#
{% for option in openvpn_option %}
{% for argument in option.split('--') %}
{% if argument is defined and argument != '' %}
--{{ argument }}
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}