Installation

  • Put the client configuration into /etc/openvpn/client.conf
  • Enable autostart of ALL or of specified configs in /etc/default/openvpn
  • Generate systemd services from the openvpn configs
    systemctl daemon-reload
  • Start the openvpn services
    systemctl start openvpn

Configuration

Username support

Used to easily distinguish clients that share the same certificate.
Server configuration

/etc/openvpn/auth-accept.sh
#!/bin/sh
exit 0
/etc/openvpn/server.conf
duplicate-cn
auth-user-pass-verify /etc/openvpn/auth-accept.sh via-env
auth-user-pass-optional
#username-as-common-name

Client configuration
Create a file with the username on the first line and the password on the second:

/etc/openvpn/devicename
client_A
fakepassword
/etc/openvpn/client.conf
auth-user-pass /etc/openvpn/devicename
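The auth-accept.sh above accepts every username and password, so the username is purely a label. As an added example (not from the original page), this variant of the via-env script only accepts device names listed in an allowlist file; the path /etc/openvpn/allowed-devices and the OVPN_ALLOWLIST override are assumptions. OpenVPN only exports $username and $password to a via-env script when script-security is set to 3.

```shell
#!/bin/sh
# auth-user-pass-verify script for "via-env" mode.
# OpenVPN sets $username, $password and $script_type in the environment.
# The client certificate is still checked by OpenVPN itself; this script
# only restricts which device names (usernames) may be presented.
# Assumption (constructed): one allowed device name per line in this file.
ALLOWLIST="${OVPN_ALLOWLIST:-/etc/openvpn/allowed-devices}"

# check_username NAME LISTFILE
# Returns 0 when NAME is a well-formed device name that appears as an
# exact line in LISTFILE, 1 otherwise.
check_username() {
    name="$1"
    list="$2"
    # Reject empty names and names containing anything outside [A-Za-z0-9_.-]
    case "$name" in
        '' | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ -r "$list" ] || return 1
    # -x: whole-line match, -F: literal string, --: name never parsed as option
    grep -qxF -- "$name" "$list"
}

# Only act as an OpenVPN hook when invoked by OpenVPN (script_type is set),
# so the file can also be sourced for testing without exiting.
if [ -n "${script_type:-}" ]; then
    if check_username "${username:-}" "$ALLOWLIST"; then
        logger -t ovpn-auth "accepted device ${username}"
        exit 0
    fi
    logger -t ovpn-auth "rejected device '${username:-}'"
    exit 1
fi
```

The password is still ignored, as on the page; the script adds only the allowlist check on the username.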

Troubleshooting

Error: “write to TUN/TAP : Invalid argument (code=22)”.
Cause: one side uses LZO compression and the other side does not.
Solution: “comp-lzo no” on both sides.
Note:
this is a bug: the server pushes 'comp-lzo' to the client, but this is not picked up because the client does not have 'comp-lzo' configured in its client config (all according to the man page). The bug is that when the client reconnects, it then does honor the 'comp-lzo' pushed by the server. The client should either consistently refuse 'comp-lzo' or consistently accept this option as pushed by the server.

Error: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13).
Exiting due to fatal error
Solution: use persist-key and persist-tun.

Cause: on VPS platforms /dev/net/tun is accessible only by root, so openvpn should be started as the root user.

rsyslog

/etc/rsyslog.d/20-ovpn.conf
if $programname startswith 'ovpn-' then /var/log/openvpn/ovpn.log
& ~

mkdir /var/log/openvpn
chown syslog /var/log/openvpn
/etc/logrotate.d/openvpn
/var/log/openvpn/*.log {
        weekly
        size 100M
        rotate 4
        compress
        delaycompress
        missingok
        notifempty
        create 640 syslog adm
}

Create a p12 package for Android

openssl pkcs12 -export -in user.crt -inkey user.key -certfile ca.crt -name user -out user.p12