openvpn: enable --x509-username-field
Very useful if you need to distinguish usernames for clients with multiple
certificates and/or want to verify more than just CN without having to call
a --tls-verify script or full-fledged module for that:
--x509-username-field args
Fields in the X.509 certificate subject to be used as the username
(default CN). If multiple fields are specified their values will
be concatenated into the one username using _ symbol as a
separator.
[...]
When this option is used, the --verify-x509-name option will match
against the chosen fieldname instead of the Common Name.
Works great in my setup; I have not tested mbedtls.
OK?
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/openvpn/Makefile,v
diff -u -p -r1.133 Makefile
--- Makefile 3 Apr 2025 11:49:31 -0000 1.133
+++ Makefile 17 Apr 2025 11:14:18 -0000
@@ -1,6 +1,7 @@
COMMENT= easy-to-use, robust, and highly configurable VPN
DISTNAME= openvpn-2.6.14
+REVISION= 0
CATEGORIES= net security
@@ -24,7 +25,8 @@ CONFIGURE_STYLE= gnu
CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \
LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}"
-CONFIGURE_ARGS+=--with-openssl-engine=no
+CONFIGURE_ARGS= --enable-x509-alt-username \
+ --with-openssl-engine=no
DEBUG_PACKAGES= ${BUILD_PACKAGES}
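Review bot: The CONFIGURE_ARGS line switches from `+=` to `=`, so anything appended to CONFIGURE_ARGS earlier in the Makefile (not visible in this hunk) would be silently dropped. Unless that is intended, keep `CONFIGURE_ARGS+=` and add `--enable-x509-alt-username` to it. The flag is also enabled unconditionally while the message says mbedtls is untested, so a build and a short --x509-username-field check against that backend would be worth doing before this goes in.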