OpenVPN Client Export Utility

One of the advantages of using OpenVPN is that it has become popular enough that third-party packages are available to make the process of using OpenVPN easier. One of these packages is the OpenVPN Client Export Utility, which allows a pre-configured OpenVPN Windows client or a Viscosity configuration bundle for macOS to be exported directly from pfSense.

To install the OpenVPN Client Export Utility, navigate to Packages | OpenVPN and click on the Available Packages tab. Scroll down to openvpn-client-export and click on the Install button. The next page will prompt you to confirm installation; click on the Confirm button to complete the process. This will install openvpn-client-export and all its dependencies. The process should take less than a minute.

Installation of the OpenVPN Client Export Utility will result in two additional tabs becoming available when you navigate back to Protocols | OpenVPN: Client Export and Shared Key Export. The Client Export tab allows you to generate configuration files for clients that can be used on various platforms, whereas Shared Key Export is geared towards peer-to-peer connections (for example, connecting two networks with an OpenVPN tunnel). The Client Export tab has a number of options. The Remote Access Server drop-down allows you to choose the OpenVPN server the client will connect to. Typically, the only available option will be the OpenVPN server on port 1194 using UDP, but if you have other OpenVPN servers configured on other ports (and possibly using TCP instead of UDP), these servers should appear in the drop-down box as well.

The Verify Server CN drop-down allows you to select how the server certificate's Common Name (CN) is verified; checking the CN ensures that the client only connects to the intended server and not to any other host that holds a certificate issued by the same CA. The default selection of Automatic should work in most cases (it is compatible with OpenVPN 2.3 and most modern clients), but other options are available for backward compatibility. The Use Random Local Port checkbox makes the client use a random local source port, which you will usually want, since the client end can send and receive on any port (only the server must send and receive on the same pre-defined port), and this option allows more than one client to run on the same system. There are two options under Certificate Export Options: Microsoft Certificate Storage (instead of local storage) and Password Protect Certificate (for password-protecting the certificate when using Viscosity on macOS).

The Use A Proxy checkbox, if checked, will allow the client to use a proxy to communicate with the OpenVPN server. If this option is enabled, you must select Proxy Type (HTTP or SOCKS), Proxy IP Address, and Proxy Port. You can optionally choose a Proxy Authentication method. The options are None, Basic, and NTLM (NT LAN Manager).

The Use the OpenVPN Manager Management Interface option, if selected, will result in the management interface being activated in the generated configuration, allowing OpenVPN to be used by non-administrator users on Windows systems. Finally, the Advanced configuration options edit box allows you to add any additional options you require, separated by a line break or semicolon.
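The options described above (server CN verification, a random local port, a proxy with authentication, and the management interface) all end up as directives in the exported client profile, and a quick lint of that profile is a useful check before handing it to users. The following is an added example and not part of the export utility or pfSense: it parses a profile in OpenVPN's text format and flags the settings discussed here. The sample profile is constructed for illustration (hostname, proxy address, CN and port are made up), and the assumption that the Use Random Local Port option maps to the `nobind` directive is mine.

```python
# Constructed sample of an exported client profile (illustrative, not the
# utility's literal output); every directive name is a real OpenVPN option.
SAMPLE_PROFILE = """\
client
remote vpn.example.org 1194
nobind
remote-cert-tls server
verify-x509-name "pfsense-vpn-server" name
http-proxy 192.0.2.10 3128 proxy-auth.txt basic
management 127.0.0.1 7505
<ca>
(constructed placeholder for the inline CA certificate)
</ca>
"""

def parse_profile(text):
    """Map directive -> args, skipping comments and inline <tag>...</tag> blocks."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if block:                              # inside <ca>...</ca>: skip to the closing tag
            block = None if line == "</%s>" % block else block
            continue
        if line.startswith("<"):
            block = line.strip("<>")
            directives[block] = ["<inline>"]   # record that the block is present inline
            continue
        name, *args = line.split()
        directives[name] = args
    return directives

def lint_profile(text):
    """Return a list of findings; an empty list means every check passed."""
    d, findings = parse_profile(text), []
    if "remote-cert-tls" not in d and "verify-x509-name" not in d:
        findings.append("no server certificate check (remote-cert-tls / verify-x509-name)")
    if "tls-remote" in d:
        findings.append("tls-remote was removed in OpenVPN 2.4; use verify-x509-name instead")
    if "nobind" not in d:
        findings.append("nobind missing: a fixed local port allows only one client per host")
    for proxy in ("http-proxy", "socks-proxy"):
        if proxy in d and len(d[proxy]) > 2:   # 3rd arg is the proxy credentials file
            findings.append("%s needs the credentials file %s shipped with it" % (proxy, d[proxy][2]))
    if "management" in d and d["management"][:1] not in (["127.0.0.1"], ["localhost"]):
        findings.append("management interface is not bound to loopback")
    return findings
```

Running `lint_profile(SAMPLE_PROFILE)` reports only that the proxy credentials file must accompany the profile; a profile that still uses `tls-remote` or binds the management interface to all addresses produces additional findings.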

In the OpenVPN Clients section, there will be download links for different client configurations, assuming that you have added at least one client that uses the same CA as the OpenVPN server. There are configuration files available for Android, iOS, Windows XP and Vista, and Viscosity (both macOS X and Windows).

If you click on the Shared Key Export tab, you can export a shared key configuration. These are generally for site-to-site tunnels with other routers. To generate a shared key configuration, you must select a server in the Shared Key Server drop-down box. You must also select a resolution method in the Host Name Resolution drop-down box, and a hostname/address in the Host Name edit box.

In the Proxy Options section, you can opt to use a proxy to connect to the OpenVPN server and enter the proxy information. If so, check the Use a Proxy checkbox and select a Proxy Type (HTTP or SOCKS), Proxy IP Address, Proxy Port, Authentication Method (again, the choices are None, Basic, and NTLM), and a username/password combination.

