
Configuration

Username support

Lets clients that share one certificate be told apart by a username. The accept script below returns success for any username/password, so the username only labels the connection; authentication still rests on the client certificate.
Server configuration

/etc/openvpn/auth-accept.sh
#!/bin/sh
# accept every username/password; the name is only used to tell clients apart
exit 0
/etc/openvpn/server.conf
duplicate-cn
auth-user-pass-verify /etc/openvpn/auth-accept.sh via-env
auth-user-pass-optional
#username-as-common-name

Client configuration
Create a file with the username on the first line and the password on the second:

/etc/openvpn/devicename
client_A
fakepassword
/etc/openvpn/client.conf
auth-user-pass /etc/openvpn/devicename
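A stricter variant of the server-side script, added here as an example and not part of the original page: with via-env OpenVPN exports username, password and common_name, and this script accepts only usernames listed in an allowlist (the path /etc/openvpn/allowed-users is an assumption; one name per line), so a client that shares the certificate cannot claim an arbitrary name.

```sh
#!/bin/sh
# Added example, not the page's auth-accept.sh: an auth-user-pass-verify
# script for "via-env" that only accepts usernames found in an allowlist,
# so a client holding the shared certificate cannot claim any name it likes.
# OpenVPN (via-env) exports $username, $password and $common_name.
# /etc/openvpn/allowed-users is an assumed path: one username per line.
ALLOWLIST="${ALLOWLIST:-/etc/openvpn/allowed-users}"

# check_user LISTFILE NAME: return 0 if NAME is exactly one line of LISTFILE.
check_user() {
    list="$1"
    name="$2"
    # Reject empty names and anything outside [A-Za-z0-9_.-] before the
    # value reaches grep or the log.
    case "$name" in
        "" | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ -r "$list" ] || return 1
    # -x whole line, -F fixed string, -- so a leading "-" is not an option
    grep -qxF -- "$name" "$list"
}

# Only act when OpenVPN has called us (the variable exists, even if empty:
# with auth-user-pass-optional a client that sent no name gets username="").
if [ "${username+set}" = set ]; then
    if check_user "$ALLOWLIST" "$username"; then
        # tag starts with "ovpn-" so the rsyslog rule on this page files it
        # in ovpn.log; the password is never logged
        logger -t ovpn-auth "accepted user=$username cn=${common_name:-none}"
        exit 0
    fi
    logger -t ovpn-auth "rejected user=${username:-<empty>} cn=${common_name:-none}"
    exit 1
fi
```

Point auth-user-pass-verify at this script instead of auth-accept.sh; a client that omits the username file is then rejected rather than silently accepted.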

Troubleshooting

Error: “write to TUN/TAP : Invalid argument (code=22)”.
Cause: one side uses LZO compression and the other does not.
Solution: “comp-lzo no” on both sides.
Note:
This is a bug: the server pushes 'comp-lzo' to the client, but it is not picked up because the client does not have 'comp-lzo' configured in its client config (all according to the man page). The bug is that when the client reconnects, it then does honor the 'comp-lzo' pushed by the server. The client should either consistently refuse 'comp-lzo' or consistently accept the option as pushed by the server.

rsyslog

/etc/rsyslog.d/20-ovpn.conf
if $programname startswith 'ovpn-' then /var/log/openvpn/ovpn.log
& ~
mkdir /var/log/openvpn
chown syslog /var/log/openvpn
/etc/logrotate.d/openvpn
/var/log/openvpn/*.log {
        weekly
        size 100M
        rotate 4
        compress
        delaycompress
        missingok
        notifempty
        create 640 syslog adm
}

Create a PKCS#12 (p12) package for Android

openssl pkcs12 -export -in user.crt -inkey user.key -certfile ca.crt -name user -out user.p12