diff --git a/configure.ac b/configure.ac index 93c1dbb97..109ca488f 100644 --- a/configure.ac +++ b/configure.ac @@ -3531,7 +3531,7 @@ fi if test "$ENABLED_OPENVPN" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB -DHAVE_EX_DATA" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB -DHAVE_EX_DATA -DWOLFSSL_KEY_GEN" fi diff --git a/src/internal.c b/src/internal.c index f207d4d4f..0fb9a36e7 100644 --- a/src/internal.c +++ b/src/internal.c @@ -39,6 +39,12 @@ * and ignoring no signer failures for CA's up the chain to root. */ + +#ifdef EXTERNAL_OPTS_OPENVPN +#error EXTERNAL_OPTS_OPENVPN should not be defined\ + when building wolfSSL +#endif + #ifndef WOLFCRYPT_ONLY #include @@ -6286,6 +6292,8 @@ void SSL_ResourceFree(WOLFSSL* ssl) if (ssl->biord != ssl->biowr) /* only free write if different */ wolfSSL_BIO_free(ssl->biowr); wolfSSL_BIO_free(ssl->biord); /* always free read bio */ + ssl->biowr = NULL; + ssl->biord = NULL; #endif #ifdef HAVE_LIBZ FreeStreams(ssl); diff --git a/src/ssl.c b/src/ssl.c index bf62c383e..1a5b0086c 100755 --- a/src/ssl.c +++ b/src/ssl.c @@ -14766,6 +14766,16 @@ int wolfSSL_set_compression(WOLFSSL* ssl) (wr != NULL && wr->type != WOLFSSL_BIO_SOCKET)) { ssl->CBIOSend = BioSend; } + + /* User programs should always retry reading from these BIOs */ + if (rd) { + /* User writes to rd */ + BIO_set_retry_write(rd); + } + if (wr) { + /* User reads from wr */ + BIO_set_retry_read(wr); + } } #endif @@ -39970,6 +39980,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) if ((l = wolfSSL_BIO_get_len(bp)) <= 0) { #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) + /* No certificate in buffer */ WOLFSSL_ERROR(ASN_NO_PEM_HEADER); #endif return NULL; 
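Review bot: The `#error` guard for `EXTERNAL_OPTS_OPENVPN` sits only in src/internal.c, so it fires only when that one file is compiled. A library build that compiles other sources without internal.c would pull in options.h through settings.h with no diagnostic. If the build defines a macro that marks a library build, testing it next to the new include in settings.h would cover every translation unit, for example `#if defined(EXTERNAL_OPTS_OPENVPN) && defined(BUILDING_WOLFSSL)` followed by the `#error`. I have assumed such a macro is set by every supported build path, so confirm that first. The message is also split with a backslash continuation, which carries the source indentation into the diagnostic; a single line would read cleaner.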
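Review bot: The two assignments added after the `wolfSSL_BIO_free` calls in `SSL_ResourceFree` carry no comment saying why the pointers are cleared. From the visible lines the purpose appears to be stopping a later pass through this cleanup, or other code still holding the `WOLFSSL` object, from freeing or dereferencing the released BIOs. A line such as `/* clear stale pointers so a later free or reuse of ssl cannot touch freed BIOs */` would record that. The function starts and ends outside the hunk, so I cannot check from here whether other members released in it get the same treatment.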
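Review bot: The retry flags added in the ssl.c hunk at -14766 are set once, when the BIOs are attached, and nothing visible clears them. A caller that uses `BIO_should_retry()` to tell a transient empty or full BIO from a fatal error would then always see "retry", which can turn a dead connection into a busy loop on the application side. The lead comment also says "retry reading" while the first branch sets the write-retry flag on `rd`. A wording such as `/* The application writes into rd and reads from wr; mark both retryable so an empty or full BIO is not treated as fatal */` would match both branches. The enclosing block opens outside the hunk, so it is not clear from here whether socket BIOs reach this code as well; if they do, restricting the flags to non-socket BIOs, as the `CBIOSend` check just above does, would be safer.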
@@ -46226,7 +46237,7 @@ unsigned long wolfSSL_ERR_peek_error_line_data(const char **file, int *line, ret = -ret; } - if (ret == ASN_NO_PEM_HEADER) + if (ret == -ASN_NO_PEM_HEADER) return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE; if (ret != WANT_READ && ret != WANT_WRITE && ret != ZERO_RETURN && ret != WOLFSSL_ERROR_ZERO_RETURN && diff --git a/wolfssl/openssl/err.h b/wolfssl/openssl/err.h index ae50458d5..cb1acc094 100644 --- a/wolfssl/openssl/err.h +++ b/wolfssl/openssl/err.h @@ -22,7 +22,7 @@ #ifndef WOLFSSL_OPENSSL_ERR_ #define WOLFSSL_OPENSSL_ERR_ -#include +#include /* err.h for openssl */ #define ERR_load_crypto_strings wolfSSL_ERR_load_crypto_strings diff --git a/wolfssl/openssl/rsa.h b/wolfssl/openssl/rsa.h index 658dc7b46..6db3173b2 100644 --- a/wolfssl/openssl/rsa.h +++ b/wolfssl/openssl/rsa.h @@ -26,6 +26,7 @@ #define WOLFSSL_RSA_H_ #include +#include #include #ifdef __cplusplus diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 060d8a185..e0620a9f9 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -31,6 +31,13 @@ extern "C" { #endif +/* This flag allows wolfSSL to include options.h instead of having client + * projects do it themselves. This should *NEVER* be defined when building + * wolfSSL as it can cause hard to debug problems. */ +#ifdef EXTERNAL_OPTS_OPENVPN +#include +#endif + /* Uncomment next line if using IPHONE */ /* #define IPHONE */
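Review bot: Only the `ASN_NO_PEM_HEADER` comparison is adjusted for the `ret = -ret;` just above it; the condition that follows still compares the sign-flipped `ret` with `WANT_READ`, `WANT_WRITE` and `ZERO_RETURN` as written. If those are negative wolfSSL error codes like `ASN_NO_PEM_HEADER`, they can no longer match and need the same treatment, e.g. `if (ret != -WANT_READ && ret != -WANT_WRITE && ret != -ZERO_RETURN && ...`. Their definitions are not on this page and the condition runs past the end of the hunk, so check each constant's sign before changing it, `WOLFSSL_ERROR_ZERO_RETURN` in particular. A short comment stating that `ret` is positive from this point on would help keep a later edit from reintroducing the mismatch.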