Install OpenVPN on FreeBSD system

Last modified by Yu Pang Law on 2022/12/14 10:19

  1. Update the Ports Collection
    portsnap fetch update
    If this is the first time portsnap is used on the system, run instead:
    portsnap fetch extract
    (portsnap was removed in FreeBSD 14; on 14 and later fetch the tree with git clone https://git.FreeBSD.org/ports.git /usr/ports instead.)
  2. Install OpenSSL
    cd /usr/ports/security/openssl
    make install clean
  3. Edit /etc/make.conf, and add
    DEFAULT_VERSIONS+=ssl=openssl
  4. Install easy-rsa and OpenVPN
    cd /usr/ports/security/easy-rsa
    make install clean
    cd /usr/ports/security/openvpn
    make install clean
  5. Create the configuration directories and copy the sample configuration files
    mkdir -p /usr/local/etc/openvpn/easy-rsa
    mkdir /usr/local/etc/openvpn/server
    cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server/
    cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/
  6. Edit /usr/local/etc/openvpn/easy-rsa/vars and set the certificate subject fields, key size and lifetimes for your PKI
    set_var EASYRSA_REQ_COUNTRY     "HK"
    set_var EASYRSA_REQ_PROVINCE    "Kowloon"
    set_var EASYRSA_REQ_CITY        "San Po Kong"
    set_var EASYRSA_REQ_ORG         "Laws Cloud Infrastructure Limited"
    set_var EASYRSA_REQ_EMAIL       "demo@example.com"
    set_var EASYRSA_REQ_OU          "VPN Department"
    set_var EASYRSA_KEY_SIZE 2048
    set_var EASYRSA_CA_EXPIRE 3650
    set_var EASYRSA_CERT_EXPIRE 3650
  7. Initialize PKI
    cd /usr/local/etc/openvpn/easy-rsa
    sh ./easyrsa.real init-pki
  8. Build the CA, the server and client certificates and keys, the DH parameters and the TLS auth key
    sh ./easyrsa.real build-ca
    sh ./easyrsa.real build-server-full server nopass
    sh ./easyrsa.real build-client-full client nopass
    sh ./easyrsa.real gen-dh
    openvpn --genkey --secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key
    cp -r /usr/local/etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /usr/local/etc/openvpn/server/
    (The {...} brace expansion works in csh/tcsh and bash; in plain /bin/sh copy the five items with separate cp commands. The private directory and ta.key must stay readable by root only.)
  9. Edit /usr/local/etc/openvpn/server/server.conf
    port 1194
    proto udp
    dev tun
    ca /usr/local/etc/openvpn/server/ca.crt
    cert /usr/local/etc/openvpn/server/issued/server.crt
    key /usr/local/etc/openvpn/server/private/server.key  # This file should be kept secret
    dh /usr/local/etc/openvpn/server/dh.pem
    topology subnet
    server 192.168.101.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
    duplicate-cn
    keepalive 10 120
    tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
    cipher AES-256-CBC
    compress lz4-v2
    push "compress lz4-v2"
    ;comp-lzo
    max-clients 100
    user nobody
    group nobody
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log
    log-append  /var/log/openvpn/openvpn.log
    verb 3
    explicit-exit-notify 1
    auth sha512
    remote-cert-tls client
  10. Create the log directory
    mkdir /var/log/openvpn/
  11. Edit /etc/rc.conf and enable OpenVPN
    firewall_enable="YES"
    firewall_type="open"
    gateway_enable="YES"
    natd_enable="YES"
    natd_interface="em1"
    natd_flags="-dynamic -m"
    openvpn_enable="YES"
    openvpn_configfile="/usr/local/etc/openvpn/server/server.conf"

      ** em1 is the outgoing network adapter. If you are not sure, check the line in /etc/rc.conf that binds your IP address, for example
    ifconfig_em1="inet 10.10.10.10 netmask 255.255.255.0"
    The network adapter name is the string after ifconfig_ (and before =). Note that firewall_type="open" loads an IPFW rule set that passes all traffic; replace it with your own rule set once the VPN is working.
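
The server.conf above works, but a few of its settings deserve a second look before the server faces the internet. The following Python script is an added example, not part of this guide or of OpenVPN: it parses a server.conf in OpenVPN's directive format (one directive per line, # and ; comments, quoted push arguments) and reports the settings a reviewer would flag in this configuration, namely duplicate-cn, the absent crl-verify (the guide never sets up revocation), tunnel compression, a CBC-only cipher, plus the generic checks for a missing tls-auth/tls-crypt, privilege drop and remote-cert-tls. A copy of the guide's server.conf and a hardened variant are embedded as constructed samples; the crl.pem path in the hardened sample is an assumption (easyrsa gen-crl writes pki/crl.pem, which you would copy next to ca.crt).

```python
"""Lint an OpenVPN server.conf for the settings touched in this guide.

Added example (not part of the guide or of OpenVPN). parse_conf() reads
OpenVPN's directive format; lint() returns (directive, advice) pairs.
"""
import shlex

# Constructed sample: the guide's server.conf, minus the log and DNS push
# lines, which do not affect the checks below.
GUIDE_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/issued/server.crt
key /usr/local/etc/openvpn/server/private/server.key  # This file should be kept secret
dh /usr/local/etc/openvpn/server/dh.pem
topology subnet
server 192.168.101.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
duplicate-cn
keepalive 10 120
tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
;comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 3
auth sha512
remote-cert-tls client
"""

# Constructed hardened variant. crl.pem is an assumed location for the CRL
# that `easyrsa gen-crl` writes to pki/crl.pem; ta.key is reused for tls-crypt.
HARDENED_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/issued/server.crt
key /usr/local/etc/openvpn/server/private/server.key
dh /usr/local/etc/openvpn/server/dh.pem
crl-verify /usr/local/etc/openvpn/server/crl.pem
topology subnet
server 192.168.101.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-crypt /usr/local/etc/openvpn/server/ta.key
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
user nobody
group nobody
persist-key
persist-tun
verb 3
auth SHA512
remote-cert-tls client
"""


def parse_conf(text):
    """Map each directive to the list of argument lists it appears with."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                  # blank or comment-only line
        parts = shlex.split(line, comments=True)      # drops a trailing # comment
        if parts:
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def lint(conf):
    """Return (directive, advice) findings for the risks a reviewer would flag."""
    findings = []
    if "duplicate-cn" in conf:
        findings.append(("duplicate-cn", "one client certificate can be shared by many devices; "
                         "issue one cert per client so a lost device can be revoked on its own"))
    if "crl-verify" not in conf:
        findings.append(("crl-verify", "no CRL is checked, so revoked client certificates still "
                         "connect; run `easyrsa gen-crl` and point crl-verify at the result"))
    compression = [d for d in ("compress", "comp-lzo") if d in conf]
    compression += [a[0] for a in conf.get("push", [])
                    if a and a[0].split()[0] in ("compress", "comp-lzo")]
    if compression:
        findings.append(("compress", "tunnel compression exposes tunnelled plaintext to "
                         "compression-oracle attacks (VORACLE) and is deprecated; drop it and the push"))
    ciphers = [a[0].upper() for a in conf.get("cipher", []) if a]
    if any("CBC" in c for c in ciphers) and not ({"data-ciphers", "ncp-ciphers"} & conf.keys()):
        findings.append(("cipher", "AES-*-CBC is not an AEAD cipher; use AES-256-GCM and "
                         "data-ciphers (ncp-ciphers on 2.4) to negotiate it"))
    if not ({"tls-auth", "tls-crypt"} & conf.keys()):
        findings.append(("tls-auth", "control channel is not HMAC-protected; add tls-auth or tls-crypt"))
    for d in ("user", "group"):
        if d not in conf:
            findings.append((d, f"{d} is not set; the daemon keeps root privileges after start-up"))
    if ["client"] not in conf.get("remote-cert-tls", []):
        findings.append(("remote-cert-tls", "client certificates are not required to carry the "
                         "client EKU, so any certificate from the CA could connect"))
    return findings


def lint_text(text):
    """Convenience wrapper: sorted directive names flagged in a server.conf string."""
    return sorted(d for d, _ in lint(parse_conf(text)))


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/openvpn/server/server.conf"
    with open(path) as f:
        for directive, advice in lint(parse_conf(f.read())):
            print(f"{directive}: {advice}")
```

Run it as `python3 lint_server_conf.py /usr/local/etc/openvpn/server/server.conf`; with no argument it reads the path used in this guide. The guide's configuration yields four findings, the hardened variant none. Because the checks key off the parsed directive map rather than raw line matching, the commented-out `;comp-lzo` is correctly ignored while the `push "compress lz4-v2"` is still caught.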
  12. Set up the client .ovpn profile
    client
    tls-client
    pull
    dev tun
    proto udp
    remote IP-address-of-your-VPN 1194
    resolv-retry infinite
    nobind
    dhcp-option DNS 1.1.1.1
    user nobody
    group nogroup
    persist-key
    persist-tun
    key-direction 1
    tls-auth ta.key 1
    compress
    verb 3
    auth SHA512
    remote-cert-tls server
    <ca>
    content of /usr/local/etc/openvpn/server/ca.crt
    </ca>
    <cert>
    content of /usr/local/etc/openvpn/server/issued/client.crt
    </cert>
    <key>
    content of /usr/local/etc/openvpn/server/private/client.key
    </key>
    <tls-auth>
    content of /usr/local/etc/openvpn/server/ta.key
    </tls-auth>
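
Pasting the four files into the profile by hand is error-prone: easy-rsa's issued/*.crt files carry a human-readable dump before the PEM block, ta.key starts with # comment lines, and a profile that also keeps the `tls-auth ta.key 1` file reference fails on a client that has no ta.key beside it. The following Python script is an added example, not part of this guide or of OpenVPN: it reads the files from the layout this guide uses, reduces each to its -----BEGIN/-----END block, embeds them as <ca>, <cert>, <key> and <tls-auth> blocks, keeps a single key-direction 1 and refuses private key files that other users can read. The remote host name and the embedded sample file contents are constructed placeholders.

```python
"""Build a single-file client .ovpn with the certificates and keys embedded.

Added example, not part of the guide or of OpenVPN. Reads ca.crt,
issued/<client>.crt, private/<client>.key and ta.key from the server
directory used in this guide and renders one self-contained profile.
"""
import os
import stat
import sys

SERVER_DIR = "/usr/local/etc/openvpn/server"   # layout used in this guide

# Profile body. The `tls-auth ta.key 1` file reference is omitted because the
# key is embedded; key-direction 1 remains so the client uses the opposite
# half of the static key from the server's `tls-auth ta.key 0`.
CLIENT_TEMPLATE = """\
client
dev tun
proto udp
remote {remote} {port}
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
key-direction 1
verb 3
"""


def extract_pem(text, label):
    """Keep only the -----BEGIN ... -----END block of a file's contents."""
    lines = text.splitlines()
    begin = [i for i, l in enumerate(lines) if l.startswith("-----BEGIN ")]
    end = [i for i, l in enumerate(lines) if l.startswith("-----END ")]
    if not begin or not end or end[0] < begin[0]:
        raise ValueError(f"{label}: no PEM block found")
    return "\n".join(lines[begin[0]:end[0] + 1])


def build_profile(remote, pems, port=1194):
    """Render the profile; pems maps ca/cert/key/ta to raw file contents."""
    out = CLIENT_TEMPLATE.format(remote=remote, port=port)
    for tag, name in (("ca", "ca"), ("cert", "cert"), ("key", "key"), ("tls-auth", "ta")):
        out += f"<{tag}>\n{extract_pem(pems[name], name)}\n</{tag}>\n"
    return out


def check_private(path):
    """Reject a key file that is group- or world-accessible."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:o}; chmod 600 it first")


def load_pems(server_dir=SERVER_DIR, client="client"):
    """Read the four files for one client from the guide's directory layout."""
    paths = {
        "ca": f"{server_dir}/ca.crt",
        "cert": f"{server_dir}/issued/{client}.crt",
        "key": f"{server_dir}/private/{client}.key",
        "ta": f"{server_dir}/ta.key",
    }
    for name in ("key", "ta"):
        check_private(paths[name])
    pems = {}
    for name, path in paths.items():
        with open(path) as f:
            pems[name] = f.read()
    return pems


# Constructed stand-ins shaped like easy-rsa and `openvpn --genkey` output
# (text dump before the client cert, '#' comment lines before the static key).
SAMPLE_PEMS = {
    "ca": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0E=\n-----END CERTIFICATE-----\n",
    "cert": "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
            "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0xJRU5U\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQgS0VZ\n-----END PRIVATE KEY-----\n",
    "ta": "#\n# 2048 bit OpenVPN static key\n#\n"
          "-----BEGIN OpenVPN Static key V1-----\n0123456789abcdef\n-----END OpenVPN Static key V1-----\n",
}

if __name__ == "__main__":
    # usage: build_ovpn.py <vpn-host> [--sample]   (--sample uses the constructed files)
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    remote = args[0] if args else "vpn.example.com"
    pems = SAMPLE_PEMS if "--sample" in sys.argv else load_pems()
    sys.stdout.write(build_profile(remote, pems))
```

Run `python3 build_ovpn.py vpn.example.com > client.ovpn` on the server as root and copy the resulting file to the client over a trusted channel; it contains the client's private key, so treat it like the key itself. The `--sample` flag renders the constructed placeholders so the output format can be inspected without a real PKI.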

Optional: Enable RADIUS authentication

  1. Install OpenVPN Radius Plugin
    cd /usr/ports/security/openvpn-auth-radius
    make install clean
  2. Copy the sample plugin configuration to the OpenVPN configuration directory
    cp /usr/local/share/examples/openvpn-auth-radius/radiusplugin.cnf /usr/local/etc/openvpn/server
  3. Edit /usr/local/etc/openvpn/server/radiusplugin.cnf. Find OpenVPNConfig and set it to
    OpenVPNConfig=/usr/local/etc/openvpn/server/server.conf
    Then, at the bottom of the file, find server { and change the ports, the IP address and the shared secret phrase to
    server
    {
     # The UDP port for radius accounting.
    acctport=1813
     # The UDP port for radius authentication.
    authport=1812
     # The name or ip address of the radius server.
    name=IP-or-hostname.of.your.radius
     # How many times should the plugin resend the request if there is no response?
    retry=1
     # How long should the plugin wait for a response?
    wait=1
     # The shared secret.
    sharedsecret=secret-phrase-configured-on-your-radius-server
    }
  4. Edit the OpenVPN config file (server.conf) and add the following line at the end of the file
    plugin /usr/local/lib/radiusplugin.so /usr/local/etc/openvpn/server/radiusplugin.cnf
  5. Edit the client ovpn file and add the following line, so the client prompts for the RADIUS username and password
    auth-user-pass
Copyrighted by Pangnet.net