OpenVPN with dynamic pkcs#11 ID.
You might have read my two posts on Belgian eID authentication with OpenVPN ([1] and [2]).
One thing bothered me: the pkcs11-id (e.g. "Axalto/Belgium eID/6CFF2491AB111E14/BELPIC (Basic PIN)/02") is hardcoded in the configuration file. To solve this I wrote a patch for OpenVPN (v2.1_rc7).
In short, this is what I do:
- New pkcs11-match variable in the openvpn.conf. This is the substring of the key-id you want to match. It works on a 'first match wins' principle.
- options.c => I add the variable and the checks, as it's either pkcs11-id or pkcs11-match.
- ssl.c => if pkcs11_match is set, do the checks and give an error if necessary. Store the key-id in options->pkcs11_id.
- pkcs11.c => I copy-pasted some code from find-pkcs11-ids(), refactored it and added a check for the substring.
This enables people to:
- deploy the same configuration on different computers
- log in to the tunnel with different cards on the same machine (different users that share the same computer)
With eIDs the key-id contains similar characteristics, where 'BELPIC\x20\x28Basic\x20PIN\x29/02' is the end of the authentication key.
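To make the selection logic concrete, here is an added example that is not part of the patch or of OpenVPN itself. It models the three pieces described above in plain C: the options.c check that pkcs11-id and pkcs11-match are mutually exclusive, the 'first match wins' substring search over the serialized key ids, and the ssl.c-style step that stores the chosen id where a fixed pkcs11-id would otherwise go. The key-id list is constructed for the example (the second entry mirrors the escaped BELPIC id quoted in the post, the others are hypothetical); the function names are the example's own, not OpenVPN's.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Serialized PKCS#11 key ids as a token enumeration might list them.
 * Constructed for this example: entry [1] follows the escaped form quoted
 * in the post ('BELPIC\x20\x28Basic\x20PIN\x29/02'); the rest are made up. */
static const char *const SAMPLE_IDS[] = {
    "Axalto/Belgium\\x20eID/6CFF2491AB111E14/BELPIC\\x20\\x28Basic\\x20PIN\\x29/01",
    "Axalto/Belgium\\x20eID/6CFF2491AB111E14/BELPIC\\x20\\x28Basic\\x20PIN\\x29/02",
    "ExampleVendor/Other\\x20Token/0000DEADBEEF/Signature\\x20Key/02",
};
#define SAMPLE_ID_COUNT (sizeof SAMPLE_IDS / sizeof SAMPLE_IDS[0])

/* options.c-style check: pkcs11-id and pkcs11-match are mutually exclusive.
 * Returns 0 when at most one is set, -1 when both are. */
int pkcs11_options_check(const char *pkcs11_id, const char *pkcs11_match)
{
    if (pkcs11_id && pkcs11_match) {
        fprintf(stderr, "Options error: use either --pkcs11-id or --pkcs11-match, not both\n");
        return -1;
    }
    return 0;
}

/* 'First match wins': return the first id containing needle, NULL if none.
 * An empty needle would match every id, so it is treated as no match. */
const char *pkcs11_match_first(const char *const *ids, size_t count, const char *needle)
{
    size_t i;
    if (!needle || needle[0] == '\0')
        return NULL;
    for (i = 0; i < count; i++) {
        if (strstr(ids[i], needle) != NULL)
            return ids[i];
    }
    return NULL;
}

/* ssl.c-style resolution: a fixed pkcs11-id is used as-is; otherwise the
 * match substring selects one id from the enumerated list. The chosen id
 * is copied to out (the patch stores it in options->pkcs11_id).
 * Returns 0 on success, -1 on a configuration error or when nothing matched. */
int pkcs11_resolve_id(const char *pkcs11_id, const char *pkcs11_match,
                      const char *const *ids, size_t count,
                      char *out, size_t outlen)
{
    const char *chosen;

    if (pkcs11_options_check(pkcs11_id, pkcs11_match) != 0)
        return -1;

    if (pkcs11_id) {
        chosen = pkcs11_id;
    } else if (pkcs11_match) {
        chosen = pkcs11_match_first(ids, count, pkcs11_match);
        if (!chosen) {
            fprintf(stderr, "No PKCS#11 key id matches '%s'\n", pkcs11_match);
            return -1;
        }
    } else {
        return -1; /* neither option given: nothing to resolve */
    }

    if (snprintf(out, outlen, "%s", chosen) >= (int)outlen)
        return -1; /* output buffer too small */
    return 0;
}

int main(void)
{
    char resolved[256];
    /* The substring from the post selects the authentication key (/02). */
    const char *needle = "BELPIC\\x20\\x28Basic\\x20PIN\\x29/02";

    if (pkcs11_resolve_id(NULL, needle, SAMPLE_IDS, SAMPLE_ID_COUNT,
                          resolved, sizeof resolved) == 0)
        printf("pkcs11-match '%s' -> %s\n", needle, resolved);

    /* Dropping the '/02' suffix is too loose: first match wins, so the /01
     * key is picked instead. Keep the substring specific enough. */
    printf("loose match -> %s\n",
           pkcs11_match_first(SAMPLE_IDS, SAMPLE_ID_COUNT,
                              "BELPIC\\x20\\x28Basic\\x20PIN\\x29"));
    return 0;
}
```

The second call in main shows the one caveat worth checking before deploying such a configuration: because the first matching id wins, a substring that is too short silently selects a different key than intended, so include the trailing key index (here '/02') in the match string.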
Unfortunately some don't see the advantage of including this in the tree, as the CVS/SVN already contains code for certificate selection. But that certificate selection needs an extra UI (graphical or otherwise).