Since 2.4.0, OpenVPN has official support for elliptic curve crypto. Elliptic curves are an alternative to RSA for asymmetric encryption. Elliptic curve crypto ('ECC') can be used for the ('TLS') control channel only in OpenVPN; the data channel (encrypting the actual network traffic) uses symmetric encryption. ECC can be used in TLS for authentication (ECDSA) and key exchange (ECDH). Key exchange (ECDH) ------------------- OpenVPN 2.4.0 and newer automatically initialize ECDH parameters. When ECDSA is used for authentication, the curve used for the server certificate will be used for ECDH too. When autodetection fails (e.g. when using RSA certificates) OpenVPN lets the crypto library decide if possible, or falls back to the secp384r1 curve. An administrator can force an OpenVPN/OpenSSL server to use a specific curve using the --ecdh-curve option with one of the curves listed as available by the --show-curves option. Clients will use the same curve as selected by the server. Note that not all curves listed by --show-curves are available for use with TLS; in that case connecting will fail with a 'no shared cipher' TLS error. Authentication (ECDSA) ---------------------- Since OpenVPN 2.4.0, using ECDSA certificates works 'out of the box'. Which specific curves and cipher suites are available depends on your version and configuration of the crypto library. The crypto library will automatically select a cipher suite for the TLS control channel. Support for generating an ECDSA certificate chain is available in EasyRSA (in spite of it's name) since EasyRSA 3.0. The parameters you're looking for are '--use-algo=ec' and '--curve='. See the EasyRSA documentation for more details on generating ECDSA certificates.