OpenVPN was choosen to facilitate road-warrior login over secure channels. Therefor a CA is created which can issue and sign certificates for clients. Ofcause commercial certificates can be used too.
To install the server follow ref. 1. This also covers the use of easy-rsa. Easy-rsa used to be installed together with OpenVPN up to version 2.2 but it seems to be automaticcally installed nowadays. If not installed together with OpenVPN in /etc/openvpn, look for the scripts in /usr/share/easy-rsa. Later on the directory structure was modelled after ref. 2. The server configuration file in both references is nearly the same. Only neccessary changes in the example config were made. It was decided to use a routed setup using tun0 and TCP, not UDP. Road-warrior clients will be given an address in a private subnet: 10.8.0.0/24. The local lan is 192.168.10.0/24.Behind one client is another subnet: 192.168.0.0/24