OK I figured out what I needed to do for the VPN system to start generating VPN clients properly:
- Disable VPN permission for all groups
- Disable the VPN service under System Admin
- Remove all VPN clients
Run the following commands from the CLI:
rm -rf /etc/openvpn/clients/*
rm -rf /etc/openvpn/client/*
rm -rf /etc/openvpn/ccd/*
rm -rf /etc/openvpn/sysadmin_*
rm -rf /etc/openvpn/ipp.txt
/etc/openvpn/easyrsa3/easyrsa init-pki
At this point you can reenable the VPN and it will recreate the CA and certificates. You can then reset your group permission to auto-assign VPN clients and then you can assign them to phones.
The original bug of creating VPN clients for every single user in the system when dealing with a single user is still a problem though.