To finalise this issue, in my opinion this is a bug, as Zentyal does not act as advertised on the web-interface.
To solve the problem I had to make an adjustment to the stub/mason file:
sudo mkdir /etc/zentyal/stubs
sudo mkdir /etc/zentyal/stubs/openvpn
sudo cp /usr/share/zentyal/stubs/openvpn/openvpn.conf.mas /etc/zentyal/stubs/openvpn/
sudo nano /etc/zentyal/stubs/openvpn/openvpn.conf.mas
then change the line
verify-x509-name <% $tlsRemote %> name
into:
verify-x509-name <% $tlsRemote %> name-prefix
After this restart the VPN service from the dashboard, and things are good to go.
[The reason why behind this]
This way I can make seperate certificates for different users, preventing them from connecting to other OpenVPN server instances that are running on my server.
So I have two OpenVPN servers:
Then I create certificates for the users:
vpn-client.user1
vpn-client.user2
vpn-client.user3
and
vpn-lan2lan.remotelan1
vpn-lan2lan.remotelan2
Now I can enforce that vpn-client users cannot connect to the vpn-lan2lan service, and still revoke individual certificates.