• How to create OpenVPN client for Hide My Ass ! VPN

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • OpenVPN won't accept connections after WAN disconnects

    0 Votes
    6 Posts
    3k Views

    This is some really strange behavior, but you can try to somewhat mitigate it:
    move your VPN server to Localhost interface (bind to localhost) and NAT needed port from WAN interface.

  • Grant access to only one server in OpenVPN

    0 Votes
    3 Posts
    1k Views

    Same as you grant any other access in pfSense.

    Go to Firewall > rules > OpenVPN and modify the allow-any-to-any rule. As source enter the VPN tunnel subnet and at destination the host address you want to allow the access.
    If you provide DNS to the VPN clients, you also have to add a rule for DNS access.

  • Monit to Control VPN Down

    0 Votes
    2 Posts
    693 Views

    You can use Services Watchdog for pfSense services monitoring. If you are having OpenVPN hang problems, where the process is still there but unresponsive like a zombie and service checkers do not work, try removing the OpenVPN plugin from the main dashboard.
    https://forum.pfsense.org/index.php?topic=116670.0

  • Cannot reach clients in the lan network, only the internal LAN IP

    0 Votes
    20 Posts
    5k Views

    @Derelict:

    Internal LAN is a /16, so something like 10.123.0.0/16, default (LAN) DHCP pool is 10.123.100.0/24 (which can talk to everything else, say, 10.123.1.x just fine), and the OpenVPN pool is 10.123.200.0/24. Once I'm properly off-site where I can test I'll re-check the VPN clients are getting the default gateway.

    Yeah you need to set your OpenVPN pool/tunnel network to something OUTSIDE your LAN subnet to have any prayer of being able to route to it. Or, more accurately, to have a prayer of anything on LAN being able to route back.

    (Sorry for the delay in replying.) That was the key, once I changed the OpenVPN pool to not be a sub-set of the LAN, all is well. There was a bit of a red herring in testing as the main target I was using is an L3 switch that (understandably) doesn't allow management traffic from a different subnet.

    Thanks again, and next time I have a question I'll try and get second set of eyes sanity check first.

  • [SOLVED] OpenVPN as failover for dedicated MetroE WAN fails

    0 Votes
    2 Posts
    538 Views

    Disabling negate rules on both sides of the VPN in System>Advanced>Firewall & NAT fixed the issue as policy routing was not being applied properly.

    Thanks to PiBa-NL in ##pfsense on freenode!

  • Many different clients to different networks.

    0 Votes
    2 Posts
    568 Views

    You may set up 2 separate OpenVPN servers for your user groups which use different tunnel subnets, or you may also do this with only 1 server and configure "client specific overrides" to allocate certain virtual IPs to specific users.

  • OpenVPN to DMZ

    0 Votes
    5 Posts
    3k Views

    Hero Member you are! Thank you very much!

  • TLS (Pros and Cons)

    0 Votes
    2 Posts
    878 Views
    Pippin

    Stuff to read:
    https://community.openvpn.net/openvpn/wiki/Hardening

    And here under > Hardening OpenVPN Security <
    https://openvpn.net/index.php/open-source/documentation/howto.html

  • Combine site-to-site and local user access servers

    0 Votes
    3 Posts
    679 Views
    Derelict

    As stated, yes. On a different UDP port. Most would use 1195.

  • Problems with openVPN, I can't do pings with computers in the LAN

    0 Votes
    5 Posts
    1k Views
    Derelict

    Use something outside that subnet for the tunnel network and put 10.10.0.0/16 in the Local Networks on the server.

  • Allow access to specified ip

    0 Votes
    3 Posts
    594 Views

    THX!!

  • OpenVPN: 2.3.2-RELEASE as Client to EC2 Ubuntu Server Config

    0 Votes
    3 Posts
    926 Views
    johnpoz

    Well, to me it's pretty easy ;) If you have any questions just ask. Connecting to an openvpn as is pretty easy. Is that what you're running on your ec2?

  • [SOLVED] No access to network from VPN with only one WAN

    0 Votes
    6 Posts
    2k Views

    Thank you!

    Maybe this will help:

    NAT
    Hybrid Outbound NAT rule generation.

    Firewall
    Be sure to enable TCP/UDP (ICMP or whatever you need) traffic on OpenVPN interface.
    Allow same outgoing traffic from VPN subnet.

    So much fun!

  • Routing specific remote IPs through Site-To-Site

    0 Votes
    2 Posts
    565 Views
    KOM

    This is old but the concepts should still apply.

    https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1

  • OpenVPN not allowing some users to connect

    0 Votes
    2 Posts
    619 Views
    KOM

    What's different about these specific users? Are they going through a proxy? What's in your OpenVPN log at the time that these folks get disconnected? If nothing relevant, edit your OpenVPN config to increase the verbosity from the default (1) to something larger and then test again.

  • OpenVPN and CARP just doesn't work

    0 Votes
    9 Posts
    8k Views

    Figured it out.  After drawing out the path and dumping down the troubleshooting, my mistake became pretty clear.

    Between my desk and the remote site sit 3 firewalls. The one closest to me was preventing the outbound port. I thought that I put in a rule to allow that, but in checking it realized that I had it turned around.

    The posts DID help because you made it very clear this was pretty straightforward.  Thanks again!

  • 0 Votes
    6 Posts
    1k Views
    johnpoz

    Dude can not figure out what?? How to create a nat?  I gave you pictures showing the nat..

    What is the network you are using as your openvpn tunnel? What network are you using on your lan? You create an outbound nat using your LAN interface where the source is your tunnel network and your dest is your LAN network.. And your nat interface would be your LAN interface..

    It is actually like 10 seconds to set up.. Switch to hybrid mode and then create your nat.. If you give me remote access to your system I could set it up sure.. If I break something it's on you.. I gave you a picture and instructions now. Here is another picture of the actual nat page

    My networks are most likely different than yours - you have to put in the networks you're using for your vpn tunnel network and what you're using on your lan network..

    natfromvpntolan.jpg

  • Fresh build 2.3.3-Dev - Solved

    0 Votes
    2 Posts
    787 Views

    This is solved

    as I noted above, I was missing the firewall rule that the wizard was to create.  I suspect that I didn't check the two boxes to make my rules, bonehead move!

    Since I was not sure what to do to manually create the rules, I reran the wizard, exactly as I wanted, except on another port. I then edited the rule created to reflect the port I wanted.

    That's all it took!

  • Pia openvpn with pfsense when conected dont ping anything

    0 Votes
    2 Posts
    605 Views

    You watched the wrong Youtube manuals!
    You're missing an outbound NAT rule for the VPN.

    First go to Interfaces > (assign), go down to "Available network ports" and select your OpenVPN client from the dropdown (e.g. ovpnc1) and hit Add at the right. Then click on the new interface to open the settings and check Enable, enter a description and save it.

    Then go to Firewall > NAT > Outbound, select "Hybrid Outbound NAT" and hit Save.
    Add a new rule, select the VPN interface which you have added above, at source enter your LAN network, leave the other options at their defaults, enter a description if you want and save it.

    Now the internet access should work.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.