;D
OK, got no responses or help but I found a way to make it work.
I didn't get any direction from those in the know; I'm surprised that I didn't even get a single response to this thread… oh well. - PLEASE let me know if there is any problem anyone can see with going about this in the way that I have.
What I wanted was to get the newer 2.1 RC version of the OpenVPN daemon on a pfSense 1.2.3 RC2 nano embedded installation.
First off - I started with a fresh install of pfSense 1.2.3 RC2 nano (August 31st snapshot) and installed the OpenVPN Enhancements 1.0 package to get additional options in the web config that I wanted. I then completed the OpenVPN configuration and verified that I had a working tunnel with certificate authentication.
Then I completed the following:
1. SSH to firewall
a. access shell
b. exec /etc/rc.conf_mount_rw to remount the root filesystem in read-write mode.
c. exec pkg_add -r openvpn-devel (this took a while)
d. exec /etc/rc.conf_mount_ro to remount the root filesystem back in read-only mode.
2. Reboot firewall (don't know if this should be needed, but my web console stopped responding until I did this)
3. SSH to firewall
a. access shell
b. exec openvpn --version to verify that I now have OpenVPN 2.1 RC15 installed.
4. From pfSense webConfig
a. Now OpenVPN service fails to start - checked logs and found that an additional security option was needed for custom scripting.
i. Added --script-security 2; to the custom options text-box in OpenVPN config page.
b. Verified that daemon starts and tunnel again works.
-- Now - finally for the option I wanted to use.
5. Again from pfSense webConfig OpenVPN config page.
a. Add the additional custom configuration to the text-box.
i. Added --port-share 10.255.255.10 443;
(Line now reads: --script-security 2; --port-share 10.255.255.10 443;)
b. Saved configuration. (this should cause the OpenVPN process to reload its config)
6. Testing:
a. Pointed web browser to https://my-external-ip and was successfully passed to my web server content
b. Used my external test client and connected to my-external-ip port 443 with no changes to my configuration except the port number.
Success! I now have an embedded pfSense firewall with a single external IP and am sharing TCP:443 between OpenVPN and my web service without having to use an additional system as I was previously.
Granted, to all that noticed - the 2.1 RC15 version of OpenVPN is pre-release code and they say not to use it for production environments. That said, I have used the 2.1 RC train for quite some time on my home network without any issues whatsoever - including this port-share option.
Again - if you know of ANY reason why what I did was against best practices please let me know!
One caveat I can see is that I'm now using the openvpn-devel package - if I use a pfSense package in the future that re-installs or updates the 'openvpn' package, it may overwrite my daemon binaries, in which case I'd have to reinstall the openvpn-devel package. Other than that, I'm using the standard pfSense / OpenVPN Enhancements 1.0 configuration methods, so I think I'll be safe.
I hope my spending time on this helps someone else down the line. I'm sure this method could be used for other services as well.
As I understand it, in fact, one could install any FreeBSD package they wanted as long as they configure that package to not need read-write access to the root filesystem and understand that /var will be cleaned when the system reboots. To get around this, one might be able to use cheap USB storage or network storage as stateful storage for non-critical services... I digress - I'm sure someone has a thread on that elsewhere on this site.
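As an added example (not the original poster's commands), here is a small POSIX sh wrapper for steps 1b-1d and 3b above: it runs one command between the two remount helpers and always remounts the root filesystem read-only afterwards, so a failed pkg_add cannot leave the nano install writable. The helper paths are the ones named in the post; the MOUNT_RW/MOUNT_RO overrides and the sample `openvpn --version` line are assumptions added for testing on a non-pfSense host.

```shell
#!/bin/sh
# Added example, not from the original post: run one command between the
# rc.conf_mount_rw / rc.conf_mount_ro steps so the nano root filesystem is
# returned to read-only even when the command fails (a failed pkg_add would
# otherwise leave it writable). The helper paths are the ones the post uses;
# they may be overridden (e.g. MOUNT_RW=true) to exercise the logic elsewhere.
MOUNT_RW="${MOUNT_RW:-/etc/rc.conf_mount_rw}"
MOUNT_RO="${MOUNT_RO:-/etc/rc.conf_mount_ro}"

# with_rw_root CMD [ARG...]: remount rw, run CMD, always remount ro again,
# and return CMD's exit status (2 if the rw remount itself failed).
with_rw_root() {
    "$MOUNT_RW" || { echo "remount rw failed, nothing changed" >&2; return 2; }
    "$@"
    rc=$?
    "$MOUNT_RO" || echo "warning: remount ro failed, root left writable" >&2
    return "$rc"
}

# openvpn_version_of LINE: pull the version field out of the first line
# printed by `openvpn --version`, e.g. "OpenVPN 2.1_rc15 ..." -> "2.1_rc15".
# (The exact wording of that line is assumed, not taken from the post.)
openvpn_version_of() {
    printf '%s\n' "$1" | awk '$1 == "OpenVPN" { print $2; exit }'
}

# is_openvpn_21 LINE: true when the installed daemon is a 2.1.x build,
# which is what step 3b of the post is checking for.
is_openvpn_21() {
    case "$(openvpn_version_of "$1")" in
        2.1*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Steps 1b-1d and 3b as one guarded unit; run as `sh thisfile install`.
if [ "${1:-}" = "install" ]; then
    with_rw_root pkg_add -r openvpn-devel || exit 1
    if is_openvpn_21 "$(openvpn --version 2>/dev/null | head -n 1)"; then
        echo "OpenVPN 2.1 installed"
    else
        echo "unexpected OpenVPN version" >&2
    fi
fi
```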