I have a IPSEC connexion beetwen two pfsense as below.

LAN1 (192.168.17.0/24)–---pFsense1 ----ipsec------ pFsense2--------LAN2 (10.3.4.0/20).

I added a OpenVPN connexion to my first LAN1, in the network (192.168.18.0/24).
My topology works well, with my mobile I can reach the 10.3.4.X devices through the OpenVPN and IPSEC tunnel.

My question is about to isolate the OpenVPN client.
For exemple, toto1 get a Ip adress on the OpenVPN and can reach only the 10.3.4.Y devices...
At long term, I will have more than 300 users, and I cannot juste use firewall rules...I need a scalable solution to do that.
Moreover, the users cannot ping others users even in the same subnet

So my questions :

How to isolate OpenVPN networks ? Iptables ?
How can I log the users ? LDAP ? VLAN ?

Thanks you for your time, your reflexion and your proposition.

Sorry for my english.

A+