Ok, as an FYI I got this setup, it's quite nice. I had to add a few parameters to openvpn, although for testing I just overrode everything.

1) Create ccd directory

    mkdir /var/db/ccd

2) Create iroutes for each "common name", as defined in TLS client

    echo "iroute 10.2.0.0 255.255.255.0" > /var/db/ccd/China

3) Copy openvpn binary

    cp /usr/local/sbin/openvpn /usr/local/sbin/openvpn_real

4) Upload wrapper script:

    #!/bin/sh
    /usr/local/sbin/openvpn_real \
      --daemon \
      --user nobody \
      --group nobody \
      --verb 1 \
      --writepid /var/run/ovpn_srv.pid \
      --dev tun0 \
      --port 5000 \
      --local vpn.yorkion.com.hk \
      --client-to-client \
      --max-clients 25 \
      --server 172.16.2.0 255.255.255.128 \
      --ca /var/db/ovpn_ca_cert.pem \
      --cert /var/db/ovpn_srv_cert.pem \
      --key /var/db/ovpn_srv_key.pem \
      --dh /var/db/ovpn_dh.pem \
      --cipher BF-CBC \
      --ping 15 \
      --push "ping 15" \
      --ping-restart 240 \
      --push "ping-restart 120" \
      --ping-exit 600 \
      --push "ping-exit 600" \
      --client-config-dir /var/db/ccd \
      --route 10.2.0.0 255.255.255.0 \
      --route 192.168.1.0 255.255.255.0 \
      --persist-tun

The client is on DSL in China, so have to up the ping parameters a bit.

Any suggestions?

I might work on updating the m0n0wall php if no one else is, it's been a while since the last beta.

-- Steve-o
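The steps above (ccd directory, one iroute file per client common name, matching --route lines in the server command) are easy to get subtly wrong by hand: the ccd file name is taken from the client's certificate CN, so anything generating those files must refuse path-like names, and an iroute that has no matching --route on the server leaves the kernel with no route into tun0 for that subnet. The script below is an added example, not code from the post or from the m0n0wall/OpenVPN projects. The function names (valid_cn, write_iroute, route_announced, build_ccd) are hypothetical, and CLIENTS and SERVER_ROUTES are constructed sample data that mirror the networks in the post plus one deliberately unannounced subnet (Lab) to show the mismatch check. It writes into a temporary directory rather than /var/db/ccd.

```shell
#!/bin/sh
# Added example (not from the original post): generate OpenVPN
# client-config-dir (ccd) files from a list of "CN network netmask"
# entries and check each iroute against the server-side --route list.

# Constructed sample input: one client per line, "CN network netmask".
# "Lab" intentionally has no matching --route below.
CLIENTS='China 10.2.0.0 255.255.255.0
Office 192.168.1.0 255.255.255.0
Lab 10.3.0.0 255.255.255.0'

# Constructed: the "--route NET MASK" pairs the wrapper script passes
# to openvpn (the kernel-side routes into tun0).
SERVER_ROUTES='10.2.0.0 255.255.255.0
192.168.1.0 255.255.255.0'

# valid_cn CN: succeed only for names safe to use as a file name inside
# the ccd directory (no slashes, no "." / "..", restricted charset).
valid_cn() {
    case "$1" in
        ""|*/*|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# write_iroute DIR CN NET MASK: create DIR/CN containing an iroute line,
# refusing CNs that could escape DIR.
write_iroute() {
    dir=$1 cn=$2 net=$3 mask=$4
    valid_cn "$cn" || { echo "refusing unsafe CN '$cn'" >&2; return 1; }
    mkdir -p "$dir" || return 1
    printf 'iroute %s %s\n' "$net" "$mask" > "$dir/$cn"
}

# route_announced NET MASK: succeed if the server command line carries a
# --route for exactly this subnet (fixed-string, whole-line match).
route_announced() {
    printf '%s\n' "$SERVER_ROUTES" | grep -qxF -- "$1 $2"
}

# build_ccd DIR: write one ccd file per client. Returns the number of
# clients that were rejected or whose iroute has no matching --route.
build_ccd() {
    dir=$1
    missing=0
    # here-document instead of a pipe so $missing survives the loop
    while read -r cn net mask; do
        [ -n "$cn" ] || continue
        if ! write_iroute "$dir" "$cn" "$net" "$mask"; then
            missing=$((missing + 1))
            continue
        fi
        if ! route_announced "$net" "$mask"; then
            echo "WARN: $cn: iroute $net $mask has no matching --route" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$CLIENTS
EOF
    return "$missing"
}

# Stand-alone run: build into a scratch directory and report.
demo_dir=$(mktemp -d)
build_ccd "$demo_dir"
n=$?
echo "ccd entries written to $demo_dir; clients needing attention: $n"
```

With the constructed data this writes China, Office and Lab files and warns once, because 10.3.0.0/24 is only in an iroute and never in a --route; on a real server that client would connect but its LAN would be unreachable from the firewall side. Point CLIENTS at the real CN list and SERVER_ROUTES at the wrapper's --route lines to check an existing setup.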