diff --git a/.github/workflows/hitch.yml b/.github/workflows/disabled/hitch.yml
similarity index 100%
rename from .github/workflows/hitch.yml
rename to .github/workflows/disabled/hitch.yml
diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index e691433d8f..8d1f4a9951 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -599,6 +599,7 @@ WOLFSSL_CLANG_TIDY
 WOLFSSL_COMMERCIAL_LICENSE
 WOLFSSL_CONTIKI
 WOLFSSL_CRL_ALLOW_MISSING_CDP
+WOLFSSL_CUSTOM_CONFIG
 WOLFSSL_DILITHIUM_ASSIGN_KEY
 WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM
 WOLFSSL_DILITHIUM_NO_ASN1
diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c
index a7dd0ad2f9..7173963cf8 100644
--- a/examples/echoclient/echoclient.c
+++ b/examples/echoclient/echoclient.c
@@ -24,10 +24,10 @@
     #include <config.h>
 #endif
 
-#include <wolfssl/wolfcrypt/settings.h>
 #ifndef WOLFSSL_USER_SETTINGS
     #include <wolfssl/options.h>
 #endif
+#include <wolfssl/wolfcrypt/settings.h>
 
 /* Force enable the compatibility macros for this example */
 #undef TEST_OPENSSL_COEXIST
diff --git a/mcapi/crypto.c b/mcapi/crypto.c
index aa5e430199..0a5dc85017 100644
--- a/mcapi/crypto.c
+++ b/mcapi/crypto.c
@@ -24,6 +24,9 @@
 #ifdef HAVE_CONFIG_H
     #include "config.h"
 #endif
+#ifndef WOLFSSL_USER_SETTINGS
+    #include <wolfssl/options.h>
+#endif
 #include <wolfssl/wolfcrypt/settings.h>
 
 #ifdef MICROCHIP_MPLAB_HARMONY
diff --git a/mcapi/mcapi_test.c b/mcapi/mcapi_test.c
index 16d929749b..d92640fbbd 100644
--- a/mcapi/mcapi_test.c
+++ b/mcapi/mcapi_test.c
@@ -27,9 +27,12 @@
     #include <config.h>
 #endif
 
-/* mc api header */
+#ifndef WOLFSSL_USER_SETTINGS
+    #include <wolfssl/options.h>
+#endif
 #include <wolfssl/wolfcrypt/settings.h>
 
+/* mc api header */
 #include "crypto.h"
 
 /* sanity test against our default implementation, wolfssl headers  */
diff --git a/src/internal.c b/src/internal.c
index f8d014b30d..8f5babacfb 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -92,12 +92,6 @@
  *      pair
  */
 
-
-#ifdef EXTERNAL_OPTS_OPENVPN
-#error EXTERNAL_OPTS_OPENVPN should not be defined\
-    when building wolfSSL
-#endif
-
 #ifndef WOLFCRYPT_ONLY
 
 #include <wolfssl/internal.h>
diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c
index de586f9595..f8f8cb6c54 100644
--- a/sslSniffer/sslSnifferTest/snifftest.c
+++ b/sslSniffer/sslSnifferTest/snifftest.c
@@ -24,6 +24,9 @@
     #include <config.h>
 #endif
 
+#ifndef WOLFSSL_USER_SETTINGS
+    #include <wolfssl/options.h>
+#endif
 #include <wolfssl/wolfcrypt/settings.h>
 #include <wolfssl/wolfcrypt/types.h>
 #include <wolfssl/wolfcrypt/logging.h>
diff --git a/tests/srp.c b/tests/srp.c
index 649a86efca..36fe93e80f 100644
--- a/tests/srp.c
+++ b/tests/srp.c
@@ -24,6 +24,9 @@
     #include <config.h>
 #endif
 
+#ifndef WOLFSSL_USER_SETTINGS
+    #include <wolfssl/options.h>
+#endif
 #include <wolfssl/wolfcrypt/settings.h>
 
 #include <tests/unit.h>
diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c
index 186a4f9e50..b85ddf66d7 100644
--- a/testsuite/testsuite.c
+++ b/testsuite/testsuite.c
@@ -24,10 +24,10 @@
     #include <config.h>
 #endif
 
-#include <wolfssl/wolfcrypt/settings.h>
 #ifndef WOLFSSL_USER_SETTINGS
     #include <wolfssl/options.h>
 #endif
+#include <wolfssl/wolfcrypt/settings.h>
 
 #undef TEST_OPENSSL_COEXIST /* can't use this option with this example */
 #undef OPENSSL_COEXIST /* can't use this option with this example */
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index d5459ae3b9..4879680436 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -28,6 +28,8 @@
  *
  *   ./configure CFLAGS="-DFEATURE_FLAG_TO_DEFINE -UFEATURE_FLAG_TO_CLEAR [...]"
  *
+ *   To build using a custom configuration method, define WOLFSSL_CUSTOM_CONFIG
+ *
  *   For more information see:
  *
  *   https://www.wolfssl.com/how-do-i-manage-the-build-configuration-of-wolfssl/
@@ -317,6 +319,12 @@
     #endif
 #endif
 
+#if (defined(BUILDING_WOLFSSL) && defined(WOLFSSL_USE_OPTIONS_H)) || \
+    (defined(BUILDING_WOLFSSL) && defined(WOLFSSL_OPTIONS_H) &&      \
+     !defined(EXTERNAL_OPTS_OPENVPN))
+    #error wolfssl/options.h included in compiled wolfssl library object.
+#endif
+
 #ifdef WOLFSSL_USER_SETTINGS
     #include "user_settings.h"
 #elif defined(USE_HAL_DRIVER) && !defined(HAVE_CONFIG_H)
@@ -326,6 +334,12 @@
     /* NOTE: cyassl_nucleus_defs.h is akin to user_settings.h */
     #include "nucleus.h"
     #include "os/networking/ssl/lite/cyassl_nucleus_defs.h"
+#elif !defined(BUILDING_WOLFSSL) && !defined(WOLFSSL_OPTIONS_H) && \
+      !defined(WOLFSSL_CUSTOM_CONFIG)
+    /* This warning indicates that the settings header may not be included before
+     * other wolfSSL headers. If you are using a custom configuration method,
+     * define WOLFSSL_CUSTOM_CONFIG to override this error. */
+    #warning "No configuration for wolfSSL detected, check header order"
 #endif
 
 #include <wolfssl/wolfcrypt/visibility.h>
diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
index 5fb14b88a3..4b6dbfd744 100644
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@@ -34,6 +34,10 @@ decouple library dependencies with standard string, memory and so on.
     #include <wolfssl/wolfcrypt/settings.h>
     #include <wolfssl/wolfcrypt/wc_port.h>
 
+    #if defined(EXTERNAL_OPTS_OPENVPN) && defined(BUILDING_WOLFSSL)
+    #error EXTERNAL_OPTS_OPENVPN should not be defined in compiled wolfssl library files.
+    #endif
+
     #ifdef __APPLE__
         #include <AvailabilityMacros.h>
     #endif