Mikrotik is one of my favorite routing and MPLS platforms for doing lab and small ISP work. This one is pretty darned easy if you’re willing to use self-signed certificates, and pretty trivial to add legitimate certificates if you are so inclined.

/certificate add name=ca common-name=ca key-usage=key-cert-sign,crl-sign
/certificate sign ca ca-crl-host=10.255.255.4 name=ca
/certificate export-certificate ca
/certificate add name=gw-dsl common-name=gw.yourcompany.com
/certificate add name=vpnclient1 common-name=client1
/certificate sign gw-dsl ca=ca name=gw.yourcompany.com
/certificate sign vpnclient1 ca=ca name=client1
/ip pool add name=ovpn-pool range=10.2.98.2-10.2.98.19
/ppp profile add name=ovpn local-address=10.2.98.1 remote-address=ovpn-pool
/ppp secret add name=buraglio profile=ovpn password=ExamplePasswordDude
/interface ovpn-server server set enabled=yes certificate=server auth=sha1 cipher=aes256 port=1194 netmask=24 require-client-certificate=yes mode=ip
/certificate export-certificate client1  export-passphrase=ExamplePasswordDude

Largely based on this example