OpenVPN 2.6 includes support for validating self-signed certificates using fingerprints. That allows the user to get all the security benefits of TLS without setting up a full-blown PKI. Combined with support for ECDH, that makes the minimal setup require //only// a pair of self-signed certs instead of a full set of a CA/DH/server cert/client cert.
Here are the docs: https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/example-fingerprint.rst
It seems impossible to pass peer fingerprints from the command line. They can be only in the config, and there are two syntax variants: `peer-fingerprint` option and pseudo-XML tag `<peer-fingerprint>`.
There can be multiple fingerprints inside the tag:
```
```