OpenVPN server configuration

To begin server configuration, click on the Server tab, and from there, click on the Add button below the table (listing already configured servers). The first option on the configuration page, the Disable checkbox, allows you to disable the server entry without removing it if checked. The Server mode drop-down box allows you to choose between several modes:

  • Peer-to-Peer (SSL/TLS): Either side can initiate the connection. A certificate will be used for authentication.
  • Peer-to-Peer (Shared Key): Either side can initiate the connection. A shared key is used for authentication.
  • Remote Access (SSL/TLS): The remote client initiates the connection. A certificate is used for authentication.
  • Remote Access (User Auth): The remote client initiates the connection. User authentication is through a username/password combination.
  • Remote Access (SSL/TLS + User Auth): The remote client initiates the connection. User authentication involves both a certificate and username/password.

Adding an OpenVPN server

In the Protocol drop-down box, you can choose the protocol for this connection; both UDP and TCP are supported, as well as UDP6 and TCP6 for IPv6 connections. The Device mode drop-down box allows you to choose between Tun and Tap. A TAP device is a virtual Ethernet adapter; a TUN device is a virtual point-to-point IP link. This setting must match on both sides of the connection.

The Local port edit box lets you set the port for this OpenVPN connection. The default port for OpenVPN is 1194. You may also enter a brief non-parsed description in the Description edit box.

Under Cryptographic Settings, you can configure a number of options for certificates. There are two checkboxes: Use a TLS key and Automatically generate a TLS key. If the latter is unchecked, a textbox will appear in which you can enter a TLS key. Peer Certificate Authority will allow you to choose from any defined certificate authorities. Similarly, if any certificate revocation lists have been created, you can choose one at the Peer Certificate Revocation list. The DH Parameter Length drop-down list allows you to set the size of the Diffie-Hellman parameters (or to use ECDH instead). You can also select the Encryption Algorithm and the Auth (authentication) digest algorithm (although you should leave the latter set to SHA1, since SHA1 is the default for OpenVPN). You can enable hardware crypto acceleration in the Hardware Crypto drop-down box (the only option currently supported seems to be the BSD cryptodev engine).

pfSense 2.4 has seen the addition of several new options for OpenVPN server configuration. One of these options is ECDH Curve. To enable use of ECDH, select ECDH only in the DH Parameter Length drop-down box. ECDH stands for Elliptic-curve Diffie-Hellman. Whereas standard Diffie-Hellman computes the shared secret by modular exponentiation in the multiplicative group of integers modulo a large prime, ECDH performs the equivalent computation in the group of points on an elliptic curve. The Default option uses the curve either from the server certificate or secp384r1, but you can choose from a variety of different curves in the drop-down box.

Another new option is the Enable NCP checkbox. NCP stands for Negotiable Cryptographic Parameters; when both peers support NCP and have it enabled, NCP overrides the algorithm set in Encryption Algorithm, and the algorithm is instead chosen from the list of Allowed NCP Algorithms, which in turn is a subset of the Available NCP Algorithms. The Available NCP Algorithms and Allowed NCP Algorithms textboxes are adjacent to each other, below the Enable NCP checkbox. If one peer supports NCP and the other peer does not, pfSense will attempt to establish a connection using the algorithm requested by the non-NCP peer, so long as it is on the list of Available NCP Algorithms.

You can select the Certificate Depth as well; pfSense will not accept certificate-based logins from clients whose certificate chains are deeper than the set depth. The certificate depth is the maximum number of intermediate certificate issuers that are allowed to be followed when verifying the client certificate. If the depth is set to 0, then only self-signed certificates will be allowed. If the depth is set to 1, the certificate may be self-signed or signed by a CA known to the system. Setting the certificate depth to a number higher than 1 allows for more intermediate certificate issuers.

Tunnel Settings determines what happens to the OpenVPN clients once they are authenticated. The IPv4 Tunnel Network and IPv6 Tunnel Network allow you to set the IPv4 and IPv6 virtual networks that will provide the address pools for the clients. For example, an IPv4 Tunnel Network setting of 192.168.3.0/24 will result in clients being assigned addresses of 192.168.3.1, 192.168.3.2, and so on. Redirect Gateway, if checked, will force all client-generated traffic through the VPN tunnel. The IPv4 Local network(s) and IPv6 Local networks allow you to set what local networks will be accessible from the remote end. These should be expressed as comma-separated lists of one or more CIDR ranges. IPv4 Remote network(s) and IPv6 Remote network(s) allow you to set what remote networks will be accessible from the remote end of the VPN.

The Concurrent connections edit box allows you to specify the maximum number of clients allowed to connect to the server concurrently. The Compression drop-down box allows you to set the compression option for this channel; the choices are: No Preference, Disabled (no compression), Enabled with Adaptive Compression (dynamically disable compression for a time if OpenVPN determines compression is not being done efficiently), or Enabled without Adaptive Compression (compression always on). Disable IPv6 will result in IPv6 traffic not being forwarded.

The Advanced Configuration section has two options. In the Custom options listbox, you can enter any additional options to add to the OpenVPN server. The Verbosity level drop-down box allows you to select the logging level (2 through 11, with 5 outputting R and W characters to the console for each read and write, and 6 through 11 providing debugging info) for OpenVPN. When you are done making changes, click on the Save button at the bottom of the page and the Apply Changes button on the main OpenVPN page.
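As an added illustration (not the file pfSense generates), the settings described above written out as a hand-made OpenVPN 2.4 server configuration, so each GUI field can be matched to its directive; the file paths, network ranges and cipher lists are assumed example values:

```conf
# Added example mapping the pfSense OpenVPN server fields to OpenVPN 2.4
# directives. Not pfSense's generated config; paths, ranges and cipher
# lists below are assumed values chosen for illustration.

# Server mode: Remote Access (SSL/TLS). The "server" directive further
# down implies mode server and tls-server.
# Protocol and Device mode (must match the client side)
proto udp
dev tun
port 1194                                   # Local port

# Cryptographic Settings (assumed file paths)
ca   /usr/local/etc/openvpn/ca.crt          # Peer Certificate Authority
cert /usr/local/etc/openvpn/server.crt
key  /usr/local/etc/openvpn/server.key
crl-verify /usr/local/etc/openvpn/crl.pem   # Peer Certificate Revocation list
tls-auth /usr/local/etc/openvpn/ta.key 0    # Use a TLS key (direction 0 on the server)
dh none                                     # DH Parameter Length: ECDH only
ecdh-curve secp384r1                        # ECDH Curve (the page's default curve)
cipher AES-256-CBC                          # Encryption Algorithm (used when NCP is off)
ncp-ciphers AES-256-GCM:AES-128-GCM         # Enable NCP + Allowed NCP Algorithms
auth SHA256                                 # Auth digest (the page keeps OpenVPN's SHA1 default)
remote-cert-tls client                      # only accept certificates issued for client use

# Tunnel Settings
server 192.168.3.0 255.255.255.0            # IPv4 Tunnel Network: clients get .1, .2, ...
push "redirect-gateway def1"                # Redirect Gateway
push "route 10.10.0.0 255.255.0.0"          # IPv4 Local network(s): one push per CIDR
route 172.16.5.0 255.255.255.0              # IPv4 Remote network(s); needs a matching
                                            # iroute in that client's ccd file

# Client Settings
max-clients 10                              # Concurrent connections
comp-lzo adaptive                           # Compression: Enabled with Adaptive Compression

# Advanced Configuration
verb 3                                      # Verbosity level
```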
