OpenVPN Server. Multiple users/devices set up. Assistance Required

Good Evening All,

Firstly, great software, it's resurrected my old router and allowed me to condense down my network appliances. Money and power saving for the win!

I've configured my TP-Link TL-WDR3600 v1 with LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch and it's all gone well. Got my security and firewall up and running. Access through port forwards to my web servers, DDNS, HTTPS web GUI and locked down my access rules, so all happy there.

I have an internal LAN, which includes the WiFi and Ethernet port 1.
I have a DMZ, which is on Ethernet port 2.
And my external connection is on the WAN port.
Each interface is, of course, separated from the others, and firewall rules allow the LAN to contact the DMZ and get external access, but the DMZ can only get external access.

My next goal, which I am struggling with, is setting up an OpenVPN server on the system.

I've gone over the Wiki document a number of times:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup

Makes sense, I can follow that through, but I don't think it's providing the entire functionality I want.

I'm aiming to (and humour me here!):

  • Create an OpenVPN tunnel which I can use on my:
    • Personal iPad (using OpenVPN app from App store)
    • Personal iPhone (using OpenVPN app from App store)
    • Personal Laptop (Using OpenVPN software download)
    • Devices *
    • Devices +
    • Devices -
    • Potentially other devices if needed (* or + or -)

The goal is that each device can connect in (and eventually get a static IP address, once I have configured that setting), and what they can get to depends on what IP address they have. (On previous firewalls, I could make my rules based on username and group membership using a local user directory on the firewall.)

So my iOS devices and my laptop, each would connect in and have access to all devices on my LAN and DMZ.

Devices of a certain IP address(es), which I class as "Devices *" above, will have access to one internal server on the LAN only (Media Server).
Devices of a certain IP address(es), which I class as "Devices +" above, will have access to one internal server on the DMZ only (Game Server).
Devices of a certain IP address(es), which I class as "Devices -" above, will have access to potentially one internal server on the LAN and one internal server on the DMZ (Media Server + Game Server).

The instructions in the Wiki I linked earlier appear to let me create one client set of certificate and key, which I would hand out with the .ovpn file etc. I am of the assumption that the Wiki is for a single user to make a connection back to the OpenVPN server, so there is no need for multiple client certs.

Is it possible to make more than one client set of certificates/keys, for example so that each client gets a cert with its own common name, so that I can work on the extra settings to make them have static IP addresses when they connect to the VPN? If so, how would I go about this based on the guide in the Wiki?

I look forward to your help and once again, great software.

With Kindest Regards,
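The static-address half of the question above, as an added example that is not part of the original post or of the OpenWrt wiki guide: once each device has its own certificate (one per common name, e.g. with easy-rsa 3's `build-client-full <name> nopass`), OpenVPN can pin an address per common name through `client-config-dir`, and the firewall rules can then match on those addresses. The script assumes the server runs with `topology subnet`, `server 10.8.0.0 255.255.255.0` and `client-config-dir /etc/openvpn/ccd`; the client list and the 10.8.0.x addresses are constructed sample data.

```shell
#!/bin/sh
# Assumed server.conf settings: "topology subnet", "server 10.8.0.0 255.255.255.0",
# "client-config-dir /etc/openvpn/ccd". OpenVPN opens ccd/<common name> for each
# connecting client and applies the directives in it, so one file per device.
VPN_NET="10.8.0"
VPN_MASK="255.255.255.0"

# Constructed sample list: <certificate common name> <host octet on the VPN subnet>
CLIENTS="ipad 10
iphone 11
laptop 12
device-star 20
device-plus 30
device-minus 40"

# write_ccd <dir>: writes one "ifconfig-push" file per client into <dir>.
# Refuses unsafe common names, out-of-range octets and duplicate addresses,
# because two clients with the same pushed address would break the per-address
# firewall rules the post relies on. Returns 0 on success, 1 on any error.
write_ccd() {
    ccd_dir="$1"
    mkdir -p "$ccd_dir" || return 1
    seen=" "
    while read -r cn octet; do
        [ -z "$cn" ] && continue
        # The CN becomes a file name, so only allow plain characters (no "/" or "..").
        case "$cn" in *[!A-Za-z0-9._-]*) echo "bad common name: $cn" >&2; return 1 ;; esac
        case "$octet" in ''|*[!0-9]*) echo "bad octet for $cn" >&2; return 1 ;; esac
        # .1 is the server's own address in this layout; .0 and .255 are not hosts.
        if [ "$octet" -lt 2 ] || [ "$octet" -gt 254 ]; then
            echo "octet out of range for $cn" >&2; return 1
        fi
        case "$seen" in *" $octet "*) echo "duplicate address for $cn" >&2; return 1 ;; esac
        seen="$seen$octet "
        printf 'ifconfig-push %s.%s %s\n' "$VPN_NET" "$octet" "$VPN_MASK" > "$ccd_dir/$cn"
    done <<EOF
$CLIENTS
EOF
    return 0
}

# pushed_addr <dir> <cn>: prints the address a client will be given, for checking.
pushed_addr() {
    sed -n 's/^ifconfig-push \([^ ]*\) .*/\1/p' "$1/$2"
}
```

The addresses written here are what the firewall zone or traffic rules on the router should match on (e.g. 10.8.0.20 may reach only the media server), so keep the list and the rules in step.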