Also, would chacha20 with poly1305 be better to use on a pi? And if so, what is the best ec curve to use when creating the certificates using easy-rsa? They don't seem to be options when I list available ec curves using [...]
I believe there are two questions here intertwined.
The easy-rsa (please ensure you use easy-rsa 3 for the latest EC stuff to function, or another CA tool like XCA) is one thing and the certificate requirements are mostly "whatever your OpenSSL can deal with". These things relates to what is handled by the OpenVPN control channel traffic. To control the ciphers there is the --tls-cipher and --show-tls options. But you very seldom need to tweak this setting, as both the local and remote OpenVPN instance will negotiate the best cipher both sides supports. Pretty much a standard TLS handshake, so the control channel utilizes asymmetric encryption (pirvate/public keys) to establish a communication channel for the control messages.
The tunnelled network traffic is a different side of things. If both sides runs OpenVPN 2.4, there is a limited type of negotiation of the --cipher option. To enlist all supported ciphers, you can use --show-ciphers. By default, if both sides run v2.4, the server expects the client to support and switch to AES-256-GCM. There is no EC cipher support on the data channel, and the data channel is symmetric (using a shared secret between the local and remote instance).
So to bind these two things together. The control channel is used to derive a shared secret, where this happens over a TLS enabled communication channel. For v2.4, this is also where the server tells the client which cipher it wants the client to use. Once that is done, the shared secret and cipher parameters is activated and network traffic will now be passed over the data channel using these options - where the encryption is symmetric. And at regular intervals (unless disabled, default is 1 hour) this symmetric encryption key is rotated and replaced with a new one.
And a final word about easy-rsa and the CA side of this. You don't need to use easy-rsa, but it is one of more tools which works fine. But DO NOT
save the CA private key on any Internet connected device or host. If someone manages to grab that file, it is fairly trivial to issue new certificates without your knowledge. And this can be used to both act as a server or connecting to your own server as a valid client (couple these two together, and you have a "perfect" setup for a MITM attack, where the attacker can access the tunnelled traffic in clear text). So put your CA on a device not directly connected on the Internet, preferably on an offline device only to be activated when you need to do CA operations.
If a kitten would be killed each time any one reads the various blog posts on the Internet where the CA is configured and installed on the OpenVPN server ... there would not be any kittens left in this world. Seriously. This is the most common error and misguided advices on OpenVPN on the interwebs, because those who wrote it obviously have not understood the full security impact of their "nice howto". So, if you do put your CA on the OpenVPN server ... think about those cute kittens.