My functioning config. has been done as follows, I create the dir. ccd in /Database/etc ,
mkdir /Database/etc/ccdthen for each user has been created a file , eg. foo
vi /Database/etc/ccd/foothat contains
ifconfig-push 192.168.250.10 255.255.255.224Int this sample, foo is the username , if you use only x509, specify the CN of the client certificate. In command line parameters
--client-config-dir /Database/etc/ccdyou could also add
--ccd-exclusive --remote-cert-eku 'TLS Web Client Authentication'the first parameter tells to the server accept connections only from clients for which has been created a configuration file in the ccd directory , while the second one accepts connections only clients with certificate with TLS Web Client Authentication as extended key usage , in the client config (the file on the client) also add
remote-cert-eku 'TLS Web Server Authentication'to avoid the “MITM” warning
greetings