The following two instructions in section "2. PKI" failed for me every time.
Generate a keypair and sign locally for vpnserver
easyrsa --batch build-server-full vpnserver nopass
Generate a keypair and sign locally for vpnclient
easyrsa --batch build-client-full vpnclient nopass
With the errors:
Easy-RSA error:
Unknown cert type 'server'
and
Easy-RSA error:
Unknown cert type 'client'
An April 8, 2016 comment on this page, by user RobertLarsen, says he found a solution: "The x509-types directory needed to be located in the same directory as the 'easyrsa' script."
I found that I could only successfully run those two commands after changing directories into /etc/easy-rsa/x509-types, making a symbolic link to the easyrsa script from that directory, and then running the linked copy (that was thus in the same directory as the x509-types files 'server' and 'client').
So these steps were required before invoking 'easyrsa':
# cd /etc/easy-rsa/x509-types
# ln -s /usr/sbin/easyrsa .
And then I'd run the easyrsa script from within that directory, like so:
./easyrsa --batch build-client-full vpnclient nopass
etc.
After that, the rest of the OpenVPN basic instructions worked well. One unrelated addition to the documentation might be a note for those who are not using ddns or have a static IP that they can skip the whole "# Fetch FQDN from DDNS client" section and just set the variable directly, e.g.:
VPN_SERV="domain_name.com"
Regression:
OpenWrt 18.06.1 insomnia r7258-5eb055306f
Linksys WRT3200ACM
# opkg list-installed | grep easy
openvpn-easy-rsa - 3.0.1-1