Hello!
As the person who added that warning in OpenVPN, I can talk a bit about the second half of your e-mail.
=== Note that MbedTLS cannot be updated beyond 2.16 due to this https://github.com/OpenVPN/openvpn/commit/110eee0288cff0720952a2cf16c4fb191d0bd616 although there is a disagreement on this: Why would the Apache2.0 license be a problem? It is more permissive than GPLv2 and does not have a copyleft requirement as the GPL licenses do. It does not require that you redistribute the source code and any modifications that you have made to it, only that you include a description of those changes in any copies of the code that you do distribute. It may be used commercially without any requirement that the rest of the project in which it is used is covered by the same license. ===
My very layman understanding, which is absolutely not legal advice: The problem is that if you link a GPLv2-licensed program with a library, you would have to distribute the whole thing under the GPLv2 license. But the Apache2.0 license is not compatible with GPLv2 due to the patent clause. OpenVPN has a special exemption that allows linking with OpenSSL, but not for mbed TLS.
However, starting from OpenVPN v2.6.4, an exemption has been added so that under certain conditions, you may link OpenVPN with Apache2.0 libraries. See https://github.com/OpenVPN/openvpn/blob/v2.6.4/COPYING (and as of 2.6.10 I remembered to remove the warning from README.mbedtls)
Of course, now that newer versions of mbed TLS can be licensed under GPLv2 again, you could also just do that.
If you have further questions, you should probably address them to the OpenVPN project.
Best regards, Max Fillinger