
OpenVPN client setup

TL;DR

Here's how to do it:
  • Locate your easy-rsa directory. In my case, it was located inside /etc/openvpn. Now cd /etc/openvpn/easy-rsa
  • Run the following command: sudo ./easyrsa build-client-full client1_device nopass. This will create a client1_device.crt file inside /etc/openvpn/easy-rsa/pki/issued and a client1_device.key file inside /etc/openvpn/easy-rsa/pki/private
  • Create a .ovpn file as explained in this answer.
  • Import the .ovpn into your VPN client. I use TunnelBlick on my Mac.
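
The .ovpn step above can be scripted. This is an added example, not code from the original post or from the linked answer: it assembles a per-device profile with the CA certificate, client certificate and key inlined, and creates the file with mode 0600 because nopass leaves the key unencrypted. The function names, the vpn.example.com hostname, port 1194 and the directive list (dev tun, proto udp, remote-cert-tls server) are assumptions that must match your server.conf.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build a per-device .ovpn
# with the CA cert, client cert and client key inlined.

# easy-rsa writes a human-readable dump above the PEM block in issued/*.crt;
# keep only the PEM part.
pem_block() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# make_ovpn PKI_DIR CLIENT_NAME SERVER_HOST SERVER_PORT OUT_FILE
make_ovpn() {
    local pki="$1" name="$2" host="$3" port="$4" out="$5" f
    local ca="$pki/ca.crt"
    local crt="$pki/issued/$name.crt" key="$pki/private/$name.key"

    # Refuse to write a half-built profile if any input is missing.
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # nopass means the key is unencrypted: create the file owner-only
    # before any secret is written to it.
    ( umask 077; : > "$out" ) || return 1
    chmod 600 "$out"

    {
        # Assumed settings; each must match the server's server.conf.
        printf '%s\n' client 'dev tun' 'proto udp' "remote $host $port" \
            'resolv-retry infinite' nobind persist-key persist-tun \
            'remote-cert-tls server' 'verb 3'
        echo '<ca>';   pem_block "$ca";  echo '</ca>'
        echo '<cert>'; pem_block "$crt"; echo '</cert>'
        echo '<key>';  cat "$key";       echo '</key>'
    } >> "$out"
}

# Example call (hostname is a placeholder):
# sudo bash make_ovpn.sh /etc/openvpn/easy-rsa/pki client1_device vpn.example.com 1194 client1_device.ovpn
if [ "$#" -eq 5 ]; then make_ovpn "$@"; fi
```

If server.conf uses tls-auth or tls-crypt, the profile also needs that shared key, which this sketch does not add.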

Details

A few days ago, I set up Pi-hole on my Linode (Ubuntu 16.04) instance. I also installed OpenVPN as my VPN server to route all my home network's Internet traffic through the Pi-hole. This meant that both my Mac and iPhone were safe from ads and possible malware.

This all worked smoothly until I started noticing that my VPN connection would drop quite regularly after a few seconds of inactivity.

A few rounds of googling indicated that this could be because I was using the same VPN client config file (.ovpn file) for both my laptop and iPhone. I believe this was because both devices were using the same canonical name (CN) which the VPN server didn't like.

I could remedy this in two ways:

  1. Include a new flag duplicate-cn in /etc/openvpn/server.conf. This has the advantage of letting me hand out a single VPN client file to others. For example, I could install this VPN on my mom's iPad and safeguard her internet surfing. OpenVPN itself says that duplicate-cn is better suited for test environments. Also, if I had to revoke a single device's client config, I'd have to revoke everyone's client config.

  2. Create a new client config for each new device. I ended up doing this because I wanted to learn how to roll my own .ovpn files.
