Navigate to VPN → OpenVPN → Servers.

Click on Wizard.

• Select Local User Access.

Now create the CA, as a necessary parameter we must enter a Descriptive name that will allow us to identify it, while all the other parameters can be left by default.

• Key length: 2048 bit.
• Lifetime: 3650. (10 years).

Create the Server Certificate to be associated with our VPN server, as per the CA will require a Descriptive name and leave the other default parameters.

• Key length: 2048 bit.
• Lifetime: 3650. (10 years).

• Click Next.

Now Create the actual VPN server configuration.

General OpenVPN Server Information:

• Interface: WAN. Or select the interface on which we want our service to listen. If we have more than one WAN interface choose the one you want to dedicate to the service. Later we can select multiple interfaces for greater redundancy.
• Protocol: UDP on IPv4 only.
• Local Port: 1194. Remember the port that is used for the VPN must be open on the listening interface. Therefore it will be necessary to configure the Firewall to open this port.
• Description: Choose the name to identify the server.

Cryptographic Settings:

• TLS Authentication: Checked.
• Generate TLS Key: Checked,
• DH Parameters Length: 2048.
• Encryption Algorithm: AES-128-CBC (128 bit key, 128 bit block).
• Auth Digest Algorithm: SHA256 (256-bit).
• Hardware Crypto: Intel RDRAND engine - RAND.

Tunnel Settings:

• Tunnel Network: 10.20.30.0/24.
• Redirect Gateway: Not Checked.
• Local Network: 192.168.1.0/24. If there are multiple LAN networks to which we want to give access, you can enter them by separating them with a comma.
• Concurrent Connections: <blank>. Can set this to the maximum number of client to allow access in.
• Compression: Omit Preferences (Use OpenVPN Default).
• Type-of-Service: Not Checked.
• Inter-Client-Communication: Not Checked.
• Duplicate Connections: Not Checked.

Client Settings:

• Dynamic IP: Checked.
• Topology: Subnet - One IP address per client in a common subnet.
• Netbios Node Type: None.
• Click Next.

Wizard Firewall Rule Setup

• Firewall Rule: Checked.
• OpenVPN Rule: Checked.
• Click Next.

Create the users we want to connect to in VPN.

Navigate to System → User Manager → Users.

• Username: Peter.
• Password: Password.
• Certificate: Checked. Click to create a user certificate.
• Descriptive name: Peter-cert.
• Certificate authority: Internal_CA.
• Key length: 2048 bits.
• Lifetime: 3650.

In this way we will have created both the user and the associated certificate in a single operation

Navigate to System → Package Manager → Available Packages.

Search for openvpn-client-export.

Install the Package.

Under Remote Access Server we select our created VPN server.

In the Client Connection Behavior section we will enter the parameters with which the .ovpn configuration file will be generated for the user, in particular we recommend configuring as follows:

• Host Name Resolution: Other.
• Host Name: Enter the Public IP address of the network.
• Verify Server CN: Automatic - Use verify-x509-name (OpenVPN 2.3+) where possible. If there are problems set it to Do not verify the CN server.

Once the parameters are configured, we can export our users configuration file to be installed on the clients.

To do this we have various choices, the most recommended below:

• Most Clients: Generates an .ovpn file containing both the configuration and the certificates and the easily imported keys, compatible with clients: OpenVPN for Windows, Tunnelblick for OS X.
• OpenVPN Connect: Generates an .ovpn file compatible with OpenVPN Connect Apps for Android and iOS.
• Archive: Compatible with Windows, generates an archive containing, in 3 separate files, the configuration (.ovpn), certificates (.p12) and the key (.key).
• Under the Current Windows Installer section we can generate self-installing and pre-configured files for Windows clients.

https://www.firewallhardware.it/en/pfsense-and-openvpn-guide-to-creating-and-configuring-a-road-warrior-vpn-server/