[Note: This post is a work in progress.]
pkg_add -r openvpn
mkdir -p /usr/local/etc/openvpn
cp -R /usr/local/share/doc/openvpn/easy-rsa .
[Edit the vars file to reflect your details. This will save you the trouble of having to type your organisation's details every time you generate a certificate. You may also need to change your shell to sh to execute the scripts. I also had to do a chmod +x * in that directory.]
[Generate Server Key named server1]
[Generate Keys for clients]
[Generate Diffie-Hellman keys]
#The following keys have been copied from /usr/local/etc/openvpn/easy-rsa/2.0/keys
Now, edit openvpn.conf (on the server-end) as follows. Substitute IP addresses as required.
[OpenVPN Server Config]
#Configuration of OpenVPN Server
server 10.0.0.0 255.255.255.0
client-config-dir ccd #Client specific settings, e.g. Fixed IP Addresses
client-to-client #Allow clients to communicate with each other
push "route 192.168.0.0 255.255.0.0"
keepalive 60 120
Copy the generated client keys to /etc/openvpn/. You will need to copy, for example, acerlaptop.crt, acerlaptop.key and ca.crt and mentioned them in openvpn.conf on the client as follows.
[OpenVPN Client Config]
#Configuration of OpenVPN Client
remote openvpn.dyndns.org 1194 #public ip address and port of vpn server
Add the following in /etc/rc.conf on the server.
If not already present, also add the following knob in /etc/rc.conf to allow the server to route between your LAN and VPN subnets.
Note: Some documentation propose adding if_tun_load="YES" to /boot/loader.conf. I found that is not necessary. Openvpn will start the required device drivers automatically. You can try adding it, if openvpn fails to start or dynamically start it at a prompt by issuing kldload if_tun.
The OpenVPN documentation provides more in depth explanation. It can be viewed at : http://openvpn.net/index.php/open-source/documentation/howto.html.