This version of OpenVPN has mbed TLS support. To enable, follow the instructions below: To build and install, ./configure --with-crypto-library=mbedtls make make install This version requires mbed TLS version >= 2.0.0 or >= 3.2.1. ************************************************************************* Warning: As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license. That license is incompatible with OpenVPN's GPLv2. We are currently in the process of resolving this problem, but for now, if you wish to distribute OpenVPN linked with mbed TLS, there are two options: * Ensure that your case falls under the system library exception in GPLv2, or * Use an earlier version of mbed TLS. Version 2.16.12 is the last release that may be licensed under GPLv2. Unfortunately, this version is unsupported and won't receive any more updates. ************************************************************************* Due to limitations in the mbed TLS library, the following features are missing in the mbed TLS version of OpenVPN: * PKCS#12 file support * --capath support - Loading certificate authorities from a directory * Windows CryptoAPI support * X.509 alternative username fields (must be "CN") Plugin/Script features: * X.509 subject line has a different format than the OpenSSL subject line * X.509 certificate export does not work * X.509 certificate tracking ************************************************************************* Mbed TLS 3 supports the TLS 1.3 protocol, but the implementation is not yet complete. Therefore, using TLS 1.3 in the mbed TLS build of OpenVPN is not yet supported. Nevertheless, here are some pointers to make it work with mbed TLS 3.5.0: * The stock configuration of mbed TLS does not support TLS 1.3. To enable it, uncomment `#define MBEDTLS_SSL_PROTO_TLS1_3` in your mbedtls_config.h before compiling the library. * An OpenVPN client with mbed TLS cannot connect to a server with OpenSSL using TLS 1.3. * An OpenVPN client with OpenSSL *can* connect to a server using mbed TLS with TLS 1.3, but *only* if `#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE` has been uncommented in mbedtls_config.h. Note that none of these limitations apply to TLS 1.2.