container-openvpn/bin/start_openvpn

#!/usr/bin/env bash
if [ -z "$( ls -A '/opt/data/openvpn' )" ] || [ "${EASY_RSA_REGEN}" == "true" ]; then
    rm -rf /opt/data/openvpn/*
    # -- It should prepare certs with easy-rsa
    /usr/share/easy-rsa/easyrsa init-pki
    # -- Currently only no password
    /usr/share/easy-rsa/easyrsa build-ca nopass
    /usr/share/easy-rsa/easyrsa gen-dh
    `unset EASYRSA_REQ_CN && /usr/share/easy-rsa/easyrsa build-server-full server nopass`
    # -- Generate the CRL for client/server certificates revocation.
    /usr/share/easy-rsa/easyrsa gen-crl
    openvpn --genkey tls-crypt-v2-server "pki/private/${EASYRSA_REQ_CN}.pem"
    openvpn --genkey secret > "ta.key"

else
   echo "Easy RSA config is already prepared, skipping"
fi

cp /opt/data/openvpn/ta.key /etc/openvpn/server
openvpn --config /opt/config/server.conf