How I generated the pki stuff:

$ nix-shell -p easyrsa
$ easyrsa init-pki # creates ./pki, which following commands use
$ easyrsa build-ca
$ easyrsa gen-dh
$ easyrsa build-server-full <name> nopass
$ easyrsa build-client-full <name> nopass

Invoke the last command to add new clients

Lastly, the openvpn.key file was generated with

$ openvpn --genkey --secret openvpn.key