Revoke openvpn certificates
To block a specific user from connecting to the VPN, revoke that user's certificate.
This assumes easy-rsa is installed and that the server's CA lives in its pki/ directory. The procedure is: revoke each certificate by the name it was issued under (the file name base in pki/issued/, which easy-rsa also uses as the certificate's CN), then regenerate crl.pem so the server learns about the revocation.
First make sure your OpenVPN server.conf contains the line
crl-verify /etc/openvpn/EasyRSA-3.1.7/pki/crl.pem
and restart the server after adding it. Without crl-verify the server never consults the CRL and revoked clients keep connecting. If the server drops privileges (user/group directives) or runs in a chroot, crl.pem must remain readable by the unprivileged user at that path, because OpenVPN re-reads the file when it changes.
Now revoke the certificate, giving the name it was issued under (user1 in the server log below):
/etc/openvpn/EasyRSA-3.1.7# ./easyrsa revoke user1
and regenerate the CRL file (written to pki/crl.pem):
/etc/openvpn/EasyRSA-3.1.7# ./easyrsa gen-crl
OpenVPN 2.4 and later notice the changed file and reload it on the next client connection, so no restart is needed at this point.
You can check the revoked certs via:
/etc/openvpn/EasyRSA-3.1.7# ./easyrsa show-revoke
A client presenting the revoked certificate now fails the TLS handshake. On the client side (here NetworkManager's nm-openvpn) the log only shows a generic handshake failure:
unknown[736292]: Connect timer expired, disconnecting.
nm-openvpn[736296]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
nm-openvpn[736296]: TLS Error: TLS handshake failed
nm-openvpn[736296]: SIGTERM received, sending exit notification to peer
while the server log names the actual reason (certificate revoked) and confirms that the CRL was loaded:
... VERIFY ERROR: depth=0, error=certificate revoked: CN=user1, serial=xxxxxxxxxxxxxxxxxxxxxxx
... OpenSSL: error:0A000086:SSL routines::certificate verify failed
... TLS_ERROR: BIO read tls_read_plaintext error
... TLS Error: TLS object -> incoming plaintext read error
... TLS Error: TLS handshake failed
... SIGUSR1[soft,tls-error] received, client-instance restarting
... CRL: loaded 1 CRLs from file /etc/openvpn/EasyRSA-3.1.7/pki/crl.pem
... TLS Error: Unroutable control packet received from [AF_INET]xxxxxxxxxxxx:41071 (si=3 op=P_CONTROL_V1)
Repeat the revoke and gen-crl steps for every certificate you revoke later. Also regenerate the CRL before it expires: easy-rsa signs it with a validity of EASYRSA_CRL_DAYS (180 days by default), and once the CRL has expired OpenVPN rejects every client, not only the revoked ones. Check the CRL's Next Update date and re-run gen-crl in time, even if nothing new was revoked.
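The whole procedure as an added shell example (not the wiki's own script): it wraps revoke and gen-crl in one function and verifies the outcome against easy-rsa's pki/index.txt (the OpenSSL CA database) instead of assuming the commands succeeded. EASYRSA_DIR, the function names and the sample index.txt entries are assumptions of this example; a real run needs easy-rsa and openssl on the server, while the self-check at the bottom works offline on the constructed sample.

```shell
#!/bin/sh
# Added example, not the wiki's own script. Revokes an OpenVPN client with
# easy-rsa, regenerates pki/crl.pem, and checks the result by parsing
# easy-rsa's pki/index.txt (the OpenSSL CA database) instead of trusting
# that the commands succeeded. EASYRSA_DIR matches the path used on this
# page (an assumption); override it in the environment for other layouts.
set -eu

EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/EasyRSA-3.1.7}"

# index.txt is tab separated:
#   1 status (V=valid, R=revoked, E=expired)
#   2 expiry date            (YYMMDDHHMMSSZ)
#   3 revocation date        (empty unless status is R)
#   4 serial number          (hex)
#   5 certificate file name  ("unknown" as written by OpenSSL)
#   6 subject DN, e.g. /CN=user1

# Print the CN of every revoked certificate listed in an index file.
revoked_cns() {  # revoked_cns <index.txt>
    awk -F'\t' '$1 == "R" {
        cn = $6
        sub(/^.*\/CN=/, "", cn)   # drop everything up to CN=
        sub(/\/.*$/, "", cn)      # drop any later DN components
        print cn
    }' "$1"
}

# Exit 0 if <name> appears as a revoked (status R) entry, 1 otherwise.
is_revoked() {  # is_revoked <index.txt> <name>
    awk -F'\t' -v cn="$2" \
        '$1 == "R" && $6 ~ ("/CN=" cn "(/|$)") { found = 1 } END { exit !found }' "$1"
}

# Revoke a client and regenerate the CRL, then confirm index.txt records it.
# Needs easy-rsa; the offline self-check below does not call this.
revoke_client() {  # revoke_client <name>
    ( cd "$EASYRSA_DIR" \
        && ./easyrsa --batch revoke "$1" \
        && ./easyrsa gen-crl )
    if ! is_revoked "$EASYRSA_DIR/pki/index.txt" "$1"; then
        echo "revocation of $1 is not recorded in pki/index.txt" >&2
        return 1
    fi
    echo "revoked $1; CRL regenerated at $EASYRSA_DIR/pki/crl.pem"
}

# Print the CRL's Next Update date. An expired CRL makes the server reject
# every client, so this is worth checking from cron. Needs openssl.
crl_next_update() {  # crl_next_update [crl.pem]
    openssl crl -in "${1:-$EASYRSA_DIR/pki/crl.pem}" -noout -nextupdate
}

# Constructed sample index.txt (not from a real CA) so the parsers can be
# exercised without easy-rsa installed. user1 is revoked, the rest are valid.
sample_index() {
    f=$(mktemp)
    printf 'V\t270301120000Z\t\t01\tunknown\t/CN=server\n'             >  "$f"
    printf 'R\t270301120000Z\t250304132800Z\t02\tunknown\t/CN=user1\n' >> "$f"
    printf 'V\t270301120000Z\t\t03\tunknown\t/CN=user2\n'              >> "$f"
    echo "$f"
}

# Usage on a real server: revoke_client user1
# Offline self-check on the constructed sample:
idx=$(sample_index)
revoked_cns "$idx"            # prints: user1
is_revoked "$idx" user1 && echo "user1 is revoked"
is_revoked "$idx" user2 || echo "user2 is still valid"
rm -f "$idx"
```

The index check matters because `easyrsa revoke` and `gen-crl` are two separate steps: a revoke without a subsequent gen-crl is recorded in index.txt but never reaches the server, and the CN match is anchored so that revoking `user1` is not mistaken for `user10`.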
Tested on
- EasyRSA-3.1.7
wiki/revoke_openvpn_certificates.txt · Last modified: 2025/03/04 13:28 by antisa