OpenVPN server configuration

To begin server configuration, click on the Server tab, and click on the Add button. The first option on the server configuration page is the Disable checkbox; if checked, it disables a server entry without removing it. The Server Mode drop-down box lets you choose between several modes. The two Peer to Peer options allow either side of the connection to initiate it and are intended for site-to-site links; if one of the Remote Access options is selected, only the remote client can initiate the connection. SSL/TLS, Shared Key, and User Auth are the authentication options: SSL/TLS authenticates the peer with a certificate, Shared Key uses a single pre-shared static key, and User Auth uses a username/password combination (the Remote Access modes also offer SSL/TLS + User Auth, which requires both a valid client certificate and credentials). A static shared key provides no forward secrecy and has to be copied to every peer, so it is only appropriate for a single site-to-site tunnel; remote access deployments should use SSL/TLS, ideally with User Auth as a second factor.

In the Protocol drop-down box, you set the transport protocol. Both UDP and TCP are supported, as well as UDP6 and TCP6 for IPv6 connections. UDP is the normal choice; TCP only makes sense where UDP is blocked, since carrying TCP sessions inside a TCP tunnel performs badly under packet loss. The Device mode option lets you choose between tun (a virtual point-to-point layer 3 link) and tap (a virtual Ethernet adapter). Use tun unless you genuinely need layer 2 traffic such as broadcasts across the tunnel; tap extends your broadcast domain to every connected client.

The Local port field lets you choose the port for the connection (the default is 1194). You may also enter a description in the Description field.

If you need to configure options for certificates, you can do this under Cryptographic Settings. You can enable Use a TLS key and paste in your own key, or enable that option together with Automatically generate a TLS key and let pfSense generate one. This key is OpenVPN's tls-auth key: every control-channel packet carries an HMAC computed with it, and packets that fail the check are dropped before any TLS handshake takes place, which keeps port scanners and unauthenticated clients from ever reaching the TLS stack. Peer Certificate Authority is where you choose from the defined certificate authorities; only client certificates issued under that CA will be accepted. You can choose a revocation list under Peer Certificate Revocation list, if one has been created; without a CRL, a lost or stolen client certificate stays valid until it expires. DH Parameter Length sets the size of the Diffie-Hellman parameters (or selects ECDH); 2048 bits is the minimum worth using. You can also select the Encryption Algorithm and the Auth digest algorithm. The Auth digest is the HMAC used to authenticate data-channel packets (and the tls-auth control channel). The OpenVPN daemon's own built-in default is SHA1, but pfSense 2.4 preselects SHA256 for new servers, and there is no reason to go back to SHA1, since every OpenVPN 2.x client supports SHA256. Likewise, set Encryption Algorithm to an AES cipher rather than the old BF-CBC default: Blowfish has a 64-bit block, which is the weakness the SWEET32 attack exploits on long-lived tunnels. The Hardware Crypto setting lets you select a cryptographic accelerator if the system has one.

pfSense 2.4 has seen the addition of several new OpenVPN options, especially under server configuration. One of these is ECDH Curve; to enable the use of this curve, select ECDH only in the DH Parameter Length drop-down box. ECDH, or Elliptic-curve Diffie-Hellman, uses a different algorithm than standard Diffie-Hellman when calculating the secret key.

Standard Diffie-Hellman works in the multiplicative group of integers modulo a large prime: each side raises a public generator to its own secret exponent, exchanges the result, and raises the peer's value to its exponent again, so both arrive at the generator raised to the product of the two secrets. ECDH does the same thing in the additive group of points on an elliptic curve, where the operation is point addition and each side's secret is a scalar multiplier applied to a public base point; a 256-bit curve gives security comparable to a 3072-bit DH modulus with a far cheaper handshake. The Default option for ECDH uses the curve from the server certificate if that certificate has an EC key, or secp384r1 otherwise. You can, however, choose from a variety of different curves in the drop-down box.
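The two groups described above, side by side, as an added example that is not part of the original text or of pfSense. The parameters (a 23-element field for DH, and the curve y^2 = x^3 + 2x + 2 over GF(17) with base point (5, 1) of order 19 for ECDH) are assumed toy values chosen so the arithmetic can be followed by hand; they are not secure, and real tunnels use the 2048-bit and larger groups or the curves pfSense offers.

```python
"""Toy finite-field Diffie-Hellman next to toy elliptic-curve Diffie-Hellman.

Added example, not from the page or from pfSense. Parameters are deliberately
tiny (assumption) so the group operations are readable; they offer no security.
"""

# --- Classic DH: multiplicative group of integers modulo a prime -------------
P = 23   # toy prime modulus (assumption)
G = 5    # generator of the multiplicative group mod P


def dh_public(private: int) -> int:
    """Public value = G^private mod P (modular exponentiation)."""
    return pow(G, private, P)


def dh_shared(private: int, peer_public: int) -> int:
    """Shared secret = peer_public^private mod P = G^(a*b) mod P."""
    return pow(peer_public, private, P)


# --- ECDH: additive group of points on y^2 = x^3 + a*x + b over GF(p) --------
EC_P, EC_A, EC_B = 17, 2, 2   # toy curve y^2 = x^3 + 2x + 2 over GF(17) (assumption)
EC_G = (5, 1)                 # base point; it generates all 19 points
EC_N = 19                     # order of the base point
INF = None                    # point at infinity, the group identity


def ec_add(p1, p2):
    """Add two points with the chord-and-tangent rule (the group operation)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % EC_P == 0:
        return INF                                  # p1 == -p2
    if p1 == p2:                                    # doubling: tangent slope
        lam = (3 * x1 * x1 + EC_A) * pow(2 * y1, -1, EC_P) % EC_P
    else:                                           # addition: chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, EC_P) % EC_P
    x3 = (lam * lam - x1 - x2) % EC_P
    y3 = (lam * (x1 - x3) - y1) % EC_P
    return (x3, y3)


def ec_mul(k: int, point):
    """Scalar multiplication k*point by double-and-add (the ECDH analogue of pow)."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def ecdh_public(private: int):
    """Public point = private * G."""
    return ec_mul(private, EC_G)


def ecdh_shared(private: int, peer_public):
    """Shared point = private * peer_public = (a*b) * G."""
    return ec_mul(private, peer_public)


if __name__ == "__main__":
    a, b = 6, 15
    print("DH  :", dh_shared(a, dh_public(b)), dh_shared(b, dh_public(a)))
    a, b = 3, 7
    print("ECDH:", ecdh_shared(a, ecdh_public(b)), ecdh_shared(b, ecdh_public(a)))
```

The two halves have the same shape: a public "generator" (G or the base point), a one-way operation (modular exponentiation or scalar multiplication), and a shared result both sides compute without ever sending their secret. The security of the first rests on the discrete logarithm problem modulo P, that of the second on the discrete logarithm problem in the curve group, which is why the curve can be so much smaller for equivalent strength.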

Enable NCP is also a new option. NCP, or Negotiable Cryptographic Parameters, lets the server and client agree on the data-channel cipher at connection time instead of both having to be hard-coded to the same Encryption Algorithm. When it is enabled, the cipher is chosen from the list of Allowed NCP Algorithms, which you build from the Available NCP Algorithms list; the two boxes sit side by side below the Enable NCP checkbox. The server takes the first cipher on its allowed list that the client also supports, so put AES-256-GCM first. NCP negotiates only the cipher; the Auth digest is still fixed (and is not used on the data channel at all with an AEAD cipher such as AES-GCM). If one peer supports NCP and the other does not, pfSense will attempt to establish the connection using the cipher requested by the non-NCP peer, provided that cipher is on the Allowed NCP Algorithms list; otherwise the connection falls back to the configured Encryption Algorithm, which then has to match on both ends.
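A small model of the negotiation rule just described, as an added example (not pfSense or OpenVPN code), so the fallback cases can be tested: an NCP-capable side advertises a list of ciphers, a legacy side reports only the single cipher it was configured with, and the function returns the cipher the session will use or `None` when the peers cannot agree. The argument names and the `None`-for-legacy convention are assumptions made for this example.

```python
"""Model of how an OpenVPN 2.4 peer settles the data-channel cipher under NCP.

Added example, not pfSense or OpenVPN code. It encodes the rule from the text:
both sides negotiate when both support NCP; a lone NCP side adopts the legacy
side's fixed cipher if that cipher is on its allowed list; otherwise the fixed
Encryption Algorithm must match on both ends.
"""
from typing import List, Optional


def pick_cipher(server_cipher: str, server_ncp: Optional[List[str]],
                client_cipher: str, client_ncp: Optional[List[str]]) -> Optional[str]:
    """Return the cipher the session will use, or None if the peers cannot agree.

    server_ncp: the server's Allowed NCP Algorithms, or None when Enable NCP is off.
    client_ncp: the ciphers an NCP-capable client advertises, or None for a legacy client.
    server_cipher / client_cipher: each side's fixed Encryption Algorithm.
    """
    if server_ncp is not None and client_ncp is not None:
        # Both negotiate: first server preference that the client also supports.
        for c in server_ncp:
            if c in client_ncp:
                return c
        return None
    if server_ncp is not None and client_cipher in server_ncp:
        return client_cipher          # NCP server adopts the legacy client's cipher
    if client_ncp is not None and server_cipher in client_ncp:
        return server_cipher          # NCP client adopts the legacy server's cipher
    # Neither side can adapt: the fixed ciphers must already match.
    return server_cipher if server_cipher == client_cipher else None


if __name__ == "__main__":
    print(pick_cipher("AES-256-CBC", ["AES-256-GCM", "AES-128-GCM"],
                      "BF-CBC", None))   # legacy Blowfish client: no agreement
```

The last case is the one that bites in practice: a pfSense 2.4 server left on AES-256-CBC with GCM-only NCP ciphers will refuse an old client still pinned to BF-CBC, and the fix is to update the client rather than to add BF-CBC to the allowed list.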

You can use the Certificate Depth drop-down box to limit how long a client's certificate chain may be. Certificate depth is the number of issuers followed from the client certificate up to the trusted CA during verification, and pfSense rejects any certificate-based login whose chain is longer than the depth set here. One (Client+Server) means the client certificate must be signed directly by the chosen Peer Certificate Authority; Two (Client+Intermediate+Server) allows one intermediate CA between them, and the higher settings allow more; Do Not Check accepts any chain length that validates to the CA. The practical reason to keep this at One is that anyone holding a subordinate CA certificate issued by your CA for some other purpose could otherwise mint client certificates the VPN would accept.

The next section is Tunnel Settings. The IPv4 Tunnel Network and IPv6 Tunnel Network fields set the virtual networks from which clients are assigned addresses; choose ranges that will not collide with any client's own LAN (so avoid 192.168.0.0/24 and 192.168.1.0/24 for a remote access server). The Redirect Gateway option forces all client-generated traffic through the VPN tunnel, which also means the firewall rules on the OpenVPN interface then govern all of the client's Internet access. The IPv4 Remote network(s) and IPv6 Remote network(s) fields are where you enter the networks that sit behind the far end of the tunnel, so that pfSense adds routes to them through the VPN; they are used for site-to-site links and can be left blank for a pure remote access server.

Concurrent connections is where you specify the maximum number of clients allowed to connect to the server at once. The Compression option sets compression for the tunnel; the options are No Preference, Disabled (no compression), Enabled with Adaptive Compression, or Enabled without Adaptive Compression. Leave it disabled: compressing plaintext before encryption lets an attacker who can inject content into the tunnel and observe packet sizes recover secrets (the VORACLE attack against OpenVPN compression), and modern links gain little from it. The Disable IPv6 option prevents IPv6 traffic from being forwarded over the tunnel.

The next section is Advanced Configuration. This section has two options. The Custom options box lets you enter additional OpenVPN directives, separated by semicolons or newlines, which are appended verbatim to the generated server configuration; nothing typed here is validated, so a typo can stop the server from starting, but it is the place for any directive the GUI has no field for. The Verbosity level drop-down box sets the OpenVPN log level (from none up to 11, with higher numbers more verbose); 3 is the recommended setting and is enough to troubleshoot connections, while levels above 4 log per-packet detail and will flood the log. When you are done making changes, click on the Save button, and then click on Apply Changes.
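Pulling the sections above together: an added example (not pfSense's own configuration generator) that maps the GUI settings discussed on this page onto the OpenVPN directives they become and then audits the result for the weak choices called out above. The `Settings` field names, the file paths, and the exact directive set are assumptions; pfSense's real output contains more lines, and it enforces the certificate depth through its own tls-verify script rather than a directive, which is why that setting is rendered as a comment.

```python
"""Render pfSense-style OpenVPN server settings to directives and audit them.

Added example, not pfSense code. Settings mirrors the GUI options discussed on
this page; render() emits an approximation of the server config (assumed
paths, fewer lines than pfSense writes); audit() returns the findings a
security reviewer would raise against the chosen values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List

WEAK_DIGESTS = {"MD5", "SHA1"}
WEAK_CIPHERS = {"NONE", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}


@dataclass
class Settings:
    proto: str = "udp"              # udp | tcp | udp6 | tcp6
    dev: str = "tun"                # tun | tap
    port: int = 1194
    dh_length: str = "2048"         # bits, or "ECDH only"
    ecdh_curve: str = "secp384r1"
    cipher: str = "AES-256-CBC"     # Encryption Algorithm
    auth: str = "SHA256"            # Auth digest algorithm
    tls_key: bool = True            # Use a TLS key (tls-auth)
    ncp_enabled: bool = True        # Enable NCP
    ncp_ciphers: List[str] = field(default_factory=lambda: ["AES-256-GCM", "AES-128-GCM"])
    cert_depth: int = 1             # 0 = Do Not Check
    tunnel4: str = "10.8.0.0/24"    # IPv4 Tunnel Network
    redirect_gateway: bool = False
    remote_nets: List[str] = field(default_factory=list)   # IPv4 Remote network(s)
    max_clients: int = 0            # Concurrent connections, 0 = unlimited
    compression: str = "disabled"   # none | disabled | adaptive | non-adaptive
    verb: int = 3                   # Verbosity level


def render(s: Settings) -> List[str]:
    """Approximate the server config lines these settings produce."""
    net = ipaddress.ip_network(s.tunnel4)
    lines = [f"dev {s.dev}", f"proto {s.proto}", f"port {s.port}",
             f"server {net.network_address} {net.netmask}",
             "ca /var/etc/openvpn/server1.ca",        # assumed paths
             "cert /var/etc/openvpn/server1.cert",
             "key /var/etc/openvpn/server1.key"]
    if s.dh_length == "ECDH only":
        lines.append(f"ecdh-curve {s.ecdh_curve}")   # no dh parameter file needed
    else:
        lines.append(f"dh /etc/dh-parameters.{s.dh_length}")
    lines += [f"cipher {s.cipher}", f"auth {s.auth}"]
    if s.ncp_enabled:
        lines.append("ncp-ciphers " + ":".join(s.ncp_ciphers))
    else:
        lines.append("ncp-disable")
    if s.tls_key:
        lines.append("tls-auth /var/etc/openvpn/server1.tls-auth 0")
    lines.append("remote-cert-tls client")           # clients must present a client cert
    if s.cert_depth:
        lines.append(f"# chain depth <= {s.cert_depth} enforced by pfSense's tls-verify script")
    if s.redirect_gateway:
        lines.append('push "redirect-gateway def1"')
    for n in s.remote_nets:
        r = ipaddress.ip_network(n)
        lines.append(f"route {r.network_address} {r.netmask}")
    if s.max_clients:
        lines.append(f"max-clients {s.max_clients}")
    comp = {"disabled": "comp-lzo no", "adaptive": "comp-lzo adaptive",
            "non-adaptive": "comp-lzo yes"}.get(s.compression)
    if comp:
        lines.append(comp)
    lines.append(f"verb {s.verb}")
    return lines


def audit(s: Settings) -> List[str]:
    """Return short finding codes, in field order, for settings worth pushing back on."""
    findings = []
    if s.auth.upper() in WEAK_DIGESTS:
        findings.append(f"weak-auth:{s.auth}")          # HMAC for data channel and tls-auth
    if s.cipher.upper() in WEAK_CIPHERS:
        findings.append(f"weak-cipher:{s.cipher}")      # 64-bit block ciphers: SWEET32
    if not s.ncp_enabled:
        findings.append("ncp-disabled")                 # clients cannot move to AES-GCM
    elif any(c.upper() in WEAK_CIPHERS for c in s.ncp_ciphers):
        findings.append("weak-ncp-cipher")
    if not s.tls_key:
        findings.append("no-tls-auth")                  # TLS stack reachable by anyone
    if s.cert_depth == 0:
        findings.append("cert-depth-unchecked")         # any sub-CA chain accepted
    if s.compression in ("adaptive", "non-adaptive"):
        findings.append("compression-enabled")          # compression oracle (VORACLE)
    if s.dh_length != "ECDH only" and int(s.dh_length) < 2048:
        findings.append(f"short-dh:{s.dh_length}")
    return findings


if __name__ == "__main__":
    print("\n".join(render(Settings())))
    print(audit(Settings(cipher="BF-CBC", auth="SHA1", tls_key=False)))
```

Run it with the defaults to see a clean configuration, then flip individual fields to watch the audit report grow; the same checks are worth running by hand against the generated config file on a box you inherit, since the weak values on the left of each finding are exactly what older pfSense versions used to preselect.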
