diff --git a/openvpn-config/client.conf b/openvpn-config/client.conf
index 7fe63a3..0828569 100644
--- a/openvpn-config/client.conf
+++ b/openvpn-config/client.conf
@@ -31,13 +31,28 @@ tls-client
 # This way people with proper client certificates are unable to impersonate the server
 remote-cert-tls server
+### START BLOCK CRYPTOGRAPHY
 # Specific settings regarding TLS, chiphers and hash algorithms
 # DO NOT CHANGE THIS unless you receive explicit instructions to do so
+# These settings need to be identical in client and server configuration!
+
+# Protect data channel with this cipher
 cipher AES-256-GCM
+
+# Authenticate packets in data and control channel using HMAC with this
+# message digest algorithm
 auth SHA256
+
+# Use this specific cipher to secure the control channel
 tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
+
+# Only allow TLS version 1.2 and higher
 tls-version-min "1.2"
+# Use this elliptic curve for ECDHE within chosen tls-cipher
+ecdh-curve brainpoolP512r1
+### END BLOCK CRYPTOGRAPHY
+
 # Reduce connection timeout so connection problems are visible sooner
 connect-timeout 20
diff --git a/openvpn-config/server.conf b/openvpn-config/server.conf
index 521bde9..224ec06 100644
--- a/openvpn-config/server.conf
+++ b/openvpn-config/server.conf
@@ -19,7 +19,8 @@ key inform/aither.inform.hs-hannover.de.key
 tls-server
 # Diffie-Hellman parameter file
-dh inform/dh.pem
+# (not needed for TLS cipher with ECDHE instead of DHE)
+dh none
 # Certificate revocation list location
 # Make sure this file is always valid, otherwise OpenVPN refuses to (re)start!
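Review bot: `ecdh-curve brainpoolP512r1` in the client block is, as far as I can tell, only acted on by the TLS-server side in OpenVPN 2.x (it is a no-op for tls-client and is ignored entirely on mbed TLS builds), so the client will keep advertising its OpenSSL default supported-groups list. On OpenSSL 1.1.x that default list is X25519/P-256/P-384/P-521 and does not contain brainpoolP512r1, so a server pinned to that single curve would have no group in common with a stock client and the TLS handshake would fail; please verify against an unmodified client build before rollout, or pick a curve from the default set such as `ecdh-curve secp521r1` (or secp384r1). The new comment `# These settings need to be identical in client and server configuration!` also overstates things for the curve line, since only the server-side setting has an effect. Separately, the comment on `auth SHA256` claiming it authenticates data-channel packets is inaccurate with `cipher AES-256-GCM`: OpenVPN documents that with an AEAD cipher `--auth` is ignored for the data channel (the GCM tag authenticates it) and only affects control-channel/tls-auth packets and key derivation, so the comment should say so.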
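Review bot: The retained comment `# Diffie-Hellman parameter file` above `dh none` is now stale, and the new parenthetical hides why dropping the parameters is safe: it is only safe because `tls-cipher` further down in server.conf (outside this hunk) restricts the control channel to an ECDHE suite, so no finite-field DHE suite can ever be negotiated. I would replace the two comment lines with `# No finite-field DH parameters: the tls-cipher setting below only permits ECDHE` / `# key exchange, so OpenSSL never needs them. Restore "dh <file>" if a DHE suite is re-enabled.` so the coupling between the two settings is visible to whoever edits either one. The old inform/dh.pem should then be removed from the deployment so nobody assumes it is still in use.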
@@ -85,15 +86,28 @@ push "route-ipv6 2001:638:614:1743::/64 2001:638:614:1750::1"
 # experimental ipv6 network
 push "route-ipv6 2001:638:614:1744::/64 2001:638:614:1750::1"
-# Global settings regarding TLS, chiphers and hash algorithms
-# These settings MUST BE CONGRUENT with client configurations.
-# If you change these, make sure you update the provided client config file
-# and you NOTIFY ALL USERS to update their configuration!
+### START BLOCK CRYPTOGRAPHY
+# Specific settings regarding TLS, chiphers and hash algorithms
+# DO NOT CHANGE THIS unless you receive explicit instructions to do so
+# These settings need to be identical in client and server configuration!
+
+# Protect data channel with this cipher
 cipher AES-256-GCM
+
+# Authenticate packets in data and control channel using HMAC with this
+# message digest algorithm
 auth SHA256
+
+# Use this specific cipher to secure the control channel
 tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
+
+# Only allow TLS version 1.2 and higher
 tls-version-min "1.2"
+# Use this elliptic curve for ECDHE within chosen tls-cipher
+ecdh-curve brainpoolP512r1
+### END BLOCK CRYPTOGRAPHY
+
 # Disable cipher negotiation on server side
 ncp-disable
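Review bot: The comment `# Use this specific cipher to secure the control channel` on `tls-cipher` promises more than the directive delivers: `tls-cipher` only governs TLS 1.2 suite negotiation, and `tls-version-min "1.2"` sets a floor rather than a cap, so on an OpenVPN build linked against OpenSSL 1.1.1 or later the control channel can negotiate TLS 1.3, where that suite list is not consulted and TLS 1.3 suites are selected via the separate `tls-ciphersuites` option (present in recent 2.4.x and 2.5 releases). Whether this applies depends on the OpenVPN/OpenSSL versions deployed, which are not visible here; if TLS 1.3 can be negotiated, either add an explicit `tls-ciphersuites TLS_AES_256_GCM_SHA384` line next to `tls-cipher` or change the comment to state that the pin is a TLS-1.2-only setting. The `auth SHA256` comment should likewise say that with the AEAD cipher `AES-256-GCM` this digest applies only to the control channel (and tls-auth/tls-crypt if used), since OpenVPN ignores `--auth` for AEAD data channels. Minor: `chiphers` in the header comment is a typo carried over from the removed lines into the new block (and duplicated in client.conf).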