I'd say the pfsense box is more secure than a consumer router. There's not much to worry about because until you set up port forwards then all traffic coming in to your WAN interface is blocked. Anyway, a hacker can't exploit a system just because it has an open port, the port has to be connected to something and that something has to be exploitable. If you're running a web server then you're going to get constant attacks from script kiddies and bots but as long as you keep everything up to date it's not really anything to worry about.
So I don't think there's much risk setting up your pfsense box as the DMZ. Things like games and bittorrent and stuff like that which needs an open port can't really be hacked, it's really only things like web servers and mail servers, stuff like that. If you do want to run a web server then do what I do and put it in a separate VLAN with strict rules. The ideal way to set it up would be to forward the ports to the computer (so for a web server this is TCP 80 and 443), this will also create an allow rule on the WAN interface. Then on the web server's VLAN you'd make a rule allowing it to access the internet with your allow to not local rule, if your dad's network is a part of the local alias then this rule will allow the web server to access the internet but not your local network or your dad's network, this way if it were to get hacked then they wouldn't be able to attack other computers on either your network or your dad's. Then you'd make a rule on your local networks allowing them to access the webserver on TCP port 80 and 443. The idea behind this kind of set up is that you open a port from the internet to a separate network, and then you access this network from your trusted network. So you have Trusted network - firewall - DMZ - firewall - Internet.
Do you want to set up pfsense as a VPN server or VPN client? Setting it up as a server is pretty straight forward, as a client is a little tricky. I'll run through the set up for using it as a server, or atleast i'll try to remember.
First thing you need to do is set up certificates. Go to system > cert manager. You should be on the CA tab, create a new CA, change the method to 'create an internal certificate authority' and fill out the details, you can just make stuff up for this but the descriptive name and common name should be the same.
Once you've made the CA go to the certificates tab, you'll need to make a certificate for the openvpn server. Create a new certificate and choose 'create an internal certificate' for the method. For the certificate authority choose the one you just created. for the certificate type choose server certificate. Fill out all the other details like you did for the CA.
Okay, so lets assume you have a CA called VPN-CA, and server certificate called VPN-cert.
Go to system > user manager. You'll need to create users for each vpn client. Create a new users, put in the name and password, you don't need to give them any permissions, check the box that says 'click to create a user certificate'. It'll ask you for a name, put in something like user-cert and choose the CA you created (VPN-CA for example) as the certificate authority then click save. Do this for each user you want to add.
Now go to VPN > OpenVPN and it should open on the server tab. Create a new Server.
Use these settings:
Server Mode: Remote access (SSL/TLS +User auth)
Backend for authentication: Local database
Protocol: UDP
Device Mode: Tun
Interface: WAN
Local port: 1194 (Use whatever you like here, 1194 is the default. If you want to get past a firewall that won't let you connect to a VPN server you can use 443 here, but you won't be able to use this port for a webserver as well as for the VPN server).
Description: Whatever you like
TLS Authentication: Check both boxes
Peer certificate authority: VPN-CA (or whatever you named the CA you created)
Peer ceretificate revocation list: None (unless you create a revocation list, then put that in here)
Server certificate: VPN-Cert (or whatever you named the server certificate you created)
DH parameter length: 1024
Encryption algorithm: AES-128-CBC (you can use a higher bit encryption if you like but it will be slower)
Hardware crypto: No hardware crypto acceleration (unless you have it)
Certificate depth: One (client+server)
Strict user/CN matching: Unchecked
IPv4 tunnel network: Put the subnet for the VPN network here in CIDR format for example: 10.1.4.0/24
IPv6 tunnel network: Leave blank unless you need it.
Redirect gateway: I have this unchecked and it works fine, so leave it as unchecked.
IPv4 local networks: Put in the subnets of the local networks you want to be able to access from the VPN, for example 10.1.1.0/24,10.1.2.0/24 etc. This isn't the firewall rule, this just creates the routes, you can put in all your networks here and then use the firewall to control access of you want.
IPv6 local networks: same as above, only use if you need it
Concurrent connections: put in whatever limit you want on the number of concurrent connections.
Compression: Checked
Type-of-service: Up to you, pretty sure this allows QoS to work on the encrypted traffic.
Inter-client communication: Enable if you want clients to be able to access each other, you'll want this for games.
Duplicate connections: enable if you want to be able to connect using the same username from different devices at the same time.
Dynamic IP: checked
Address pool: checked
Topology: I have this unchecked and it works, but I only have one client.
DNS Default Domain: Enable if you want to use a domain name, use your DDNS address if you want or leave it disabled.
DNS servers: put in the first address of the subnet you chose for the VPN network, so if you have 10.1.4.0/24 as the subnet then put 10.1.4.1 for the DNS server, this will use pfsense's DNS server, you could also use the google DNS servers if you wanted but your local DNS server will work fine.
NTP servers: Enable if you want to set a NTP server.
now click save and it should work. Check that it has made the allow rule on the wan connection, it should do it automatically but if it hasn't then create a rule on the WAN interface to allow UDP any to WAN address port 1194 (or whatever port you decided to use).
If you have the openvpn client export utility package installed then you can go to the client export tab and export a preconfigured config file for each user, or you can just connect manually using the same settings.