My working config was done as follows: I created the directory ccd in /Database/etc,
then created a file for each user, e.g. foo:
ifconfig-push 192.168.250.10 255.255.255.224
In this sample, foo is the username; if you use only X.509, specify the CN of the client certificate. In the command-line parameters
you could also add
--ccd-exclusive --remote-cert-eku 'TLS Web Client Authentication'
The first parameter tells the server to accept connections only from clients for which a configuration file has been created in the ccd directory, while the second one accepts connections only from clients whose certificate has TLS Web Client Authentication as extended key usage. In the client config (the file on the client) also add
remote-cert-eku 'TLS Web Server Authentication'
to avoid the “MITM” warning.
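
A check for the per-client files described above, added here as an example and not part of the original post: it audits a ccd directory for files with no ifconfig-push line, addresses outside the expected subnet, and addresses pushed to more than one client. The function names, the sample files bar, baz and qux, and the 192.168.250.0/27 network (derived from the address and netmask shown above) are assumptions.

```python
import ipaddress
import pathlib
import tempfile

def parse_push(path):
    """Return (ip, netmask) from the ifconfig-push line of a ccd file, or None."""
    for raw in path.read_text(encoding="utf-8").splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "ifconfig-push":
            return parts[1], parts[2]
    return None

def audit_ccd(ccd_dir, expected_net):
    """Check each per-client file in ccd_dir; return findings in file-name order."""
    net = ipaddress.ip_network(expected_net)
    seen, findings = {}, []
    for path in sorted(p for p in pathlib.Path(ccd_dir).iterdir() if p.is_file()):
        name, push = path.name, parse_push(path)
        if push is None:
            findings.append(f"{name}: no ifconfig-push line")
            continue
        try:
            iface = ipaddress.ip_interface(f"{push[0]}/{push[1]}")
        except ValueError:
            findings.append(f"{name}: invalid address or netmask {push}")
            continue
        if iface.network != net:
            findings.append(f"{name}: {iface} is outside {net}")
        elif iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {iface.ip} is the network or broadcast address")
        if iface.ip in seen:
            findings.append(f"{name}: {iface.ip} already assigned to {seen[iface.ip]}")
        seen.setdefault(iface.ip, name)
    return findings

def demo():
    """Audit a constructed ccd directory (file names stand for usernames or CNs)."""
    samples = {
        "foo": "ifconfig-push 192.168.250.10 255.255.255.224\n",
        "bar": "ifconfig-push 192.168.250.10 255.255.255.224\n",  # duplicate of foo
        "baz": "ifconfig-push 192.168.250.40 255.255.255.224\n",  # outside the /27
        "qux": "# constructed file with no directive\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            pathlib.Path(d, name).write_text(body, encoding="utf-8")
        return audit_ccd(d, "192.168.250.0/27")

if __name__ == "__main__":
    print("\n".join(demo()))
```

With --ccd-exclusive a client whose file is missing is refused, but a file that exists with a wrong or duplicated address is still accepted, which is the case this audit catches.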