To set up a site-to-site (aka net-to-net or lan-to-lan) OpenVPN connection, you have several things you must consider.
Skip this if you just want to get it set up.
Basically, the client is very similar to a Road Warrior client, except that all authentication is done automatically, without human intervention. The set up is a little more complex, since we use two certificates to verify we are talking to the right machines, and a shared key to ensure initial secure communication.
To initiate the conversation, the client contacts the server on a specific (generally UDP) port. The router then knows which OpenVPN server to point to based on that. OpenVPN can have several virtual servers running on one router, similar to having multiple web sites on one web server.
The client has a certificate (which was generated by the server) by which it identifies itself (user certificate). The server identifies itself via a server certificate, which is signed by the CA (Certificate of Authority) on the server. Thus, you must copy the the CA's certificate to the client so it knows how to verify that. So, the initial conversation is the client saying “hey, I'm joe, and here is my certificate” and the server replying with “oh, I'm mary, and here is my certificate.” Thus, they begin to establish trust in each other.
Once trust is established, the server and client agree on secure communication based on TLS shared keys, an encryption algorithm and an authentication digest algorithm. Both sides must be set up the same on these.
This all happens very fast, at the beginning of the session, then traffic begins to flow. The client and server will renegotiate the secure communication regularly so traffic is less likely to be decrypted (decryption is much easier with a larger set of messages with the same keys).
So, when we create this linkage, we must create a certificate for both the client and the server, and a way of verifying it. Then, we need to agree on a shared key for encryption, and the algorithms used to secure future communications.
When you press save, it should immediately try to connect to the server. If you do not get a connection, check the logs on both client and server.
I had an issue where my tunnel network was using a /24 network and OpenVPN on opnSense was assigning one pair of IP's to the master router and a different set to the client router. It was causing weird behavior where I could ping the LAN behind the master router from the client router, but not from the LAN behind the client router. There were also log entries stating that the BSD route command was failing.
In my case, I simply went into the configuration on both master and client and changed the tunnel network to /30 (just changed /24 to /30, saved and restarted). It gave both routers the same pair, and everything worked from there.