Install the OpenVPN server.

# pkg install openvpn

Create a directory for the server configuration.

# mkdir /usr/local/etc/openvpn

Copy the sample config for the OpenVPN server.

# cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/openvpn.conf

Copy the easy-rsa directory, which is used to build and generate keys and certificates.

# cp -r /usr/local/share/easy-rsa/ /usr/local/etc/openvpn/easy-rsa
# cd /usr/local/etc/openvpn/easy-rsa

Edit the vars file used to build the server certificate.

# vi vars

Find and uncomment the following parameters:

set_var EASYRSA_REQ_COUNTRY        "US"
set_var EASYRSA_REQ_PROVINCE       "California"
set_var EASYRSA_REQ_CITY           "San Francisco"
set_var EASYRSA_REQ_ORG            "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL          "me@example.net"
set_var EASYRSA_REQ_OU             "My organizational Unit"

set_var EASYRSA_KEY_SIZE           2048

set_var EASYRSA_CA_EXPIRE          3650

set_var EASYRSA_CERT_EXPIRE        3650

Switch to the sh shell.

# sh

Initialize the pki directory used to build certificates and keys.

# ./easyrsa.real init-pki

Build the certificate authority (CA); set a password for its key and specify the hostname when prompted.

# ./easyrsa.real build-ca

Build the server certificate without a password (nopass).

# ./easyrsa.real build-server-full openvpn-server nopass

Create the client certificate and set the client password.

# ./easyrsa.real build-client-full f2oclient

Generate the Diffie-Hellman parameters. It may take a long time.

# ./easyrsa.real gen-dh

Create the keys folder for keys and certificates.

# mkdir /usr/local/etc/openvpn/keys

Copy certificates and keys.

# cp pki/dh.pem ../keys
# cp pki/ca.crt ../keys
# cp pki/issued/openvpn-server.crt ../keys
# cp pki/private/openvpn-server.key ../keys

Go to the OpenVPN directory.

# cd ..

Edit openvpn.conf.

# vi openvpn.conf

Find and change the following parameters:

ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key
dh /usr/local/etc/openvpn/keys/dh.pem

Add the following lines:

push "route-gateway"      # Specify your gateway IP address here.
remote-cert-tls client

Set up logging.

# vi /etc/syslog.conf

Go to the end of the file and add, before the string:


the following strings:

*.* /var/log/openvpn.log

Set up log rotation. Add the following line to the end of /etc/newsyslog.conf:

/var/log/openvpn.log                                                   600    30        *        @T00    ZC

Enable and start the OpenVPN server.

# echo 'openvpn_enable="YES"' >> /etc/rc.conf
# echo 'openvpn_if="tun"' >> /etc/rc.conf
# service openvpn start
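
The openvpn.conf settings made above can be checked with a small sh function. This is an added example, not part of the original instructions; the function names conf_value and audit_openvpn_conf are hypothetical, and it assumes absolute, unquoted paths in openvpn.conf as used in this guide.

```shell
# Added example (not from the original page). Function names are hypothetical.
# Usage: audit_openvpn_conf /usr/local/etc/openvpn/openvpn.conf

# Print the first argument of an active directive; commented lines are skipped
# because their first field starts with '#' or ';'.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

audit_openvpn_conf() {
    conf=$1
    findings=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 99; }

    # Every file referenced by ca/cert/key/dh must exist.
    for d in ca cert key dh; do
        path=$(conf_value "$conf" "$d")
        if [ -z "$path" ]; then
            echo "FAIL: directive '$d' is not set"; findings=$((findings + 1))
        elif [ ! -f "$path" ]; then
            echo "FAIL: $d file is missing: $path"; findings=$((findings + 1))
        fi
    done

    # The server private key must carry no group or other permission bits.
    key=$(conf_value "$conf" key)
    if [ -n "$key" ] && [ -f "$key" ]; then
        loose=$(find "$key" \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
        if [ -n "$loose" ]; then
            echo "FAIL: $key is accessible to group/other; chmod 600 it"
            findings=$((findings + 1))
        fi
    fi

    # remote-cert-tls client: peers must present a certificate with client key usage.
    if [ "$(conf_value "$conf" remote-cert-tls)" != "client" ]; then
        echo "FAIL: 'remote-cert-tls client' is not set"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "OK: $conf"
    return "$findings"
}
```

The return value is the number of findings, so 0 means every check passed.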

Copy the following certificates to the client machine: