Install and configure ocserv with a script to configure nftables on (dis)connection.

Create a self‐signed CA authority for issuing user certificates. User and group are read from the CN and OU certificate subject fields, respectively. To configure VPN groups, define the variable `vpn` as follows:

    "vpn": {
        "network": "<VPN network>"
        "routes": {
            "<group>": [ "<route>", … ]
            …
        }
    }