The initial set of configuration files is a good starting point for a client/server deployment. However, for a production-level system, we want to add more security. Security can be enhanced in two ways:
By checking the extended key usage attributes of the certificates used
In the client/server mode, OpenVPN will attempt to establish a TLS control channel for each client that tries to connect. Setting up a TLS control channel is resource consuming, which makes OpenVPN susceptible to denial-of-service attacks: an attacker could launch a multitude of misconfigured clients that all try to connect to the OpenVPN server. For each of these, the OpenVPN server would attempt to set up a TLS connection, which will effectively lead to a denial of service for well-configured clients. This is especially true when OpenVPN is running using
proto udp (the recommended default). UDP traffic is connectionless, which means that for each new UDP...