OpenVPN traffic from behind Server to one of two remote endpoints doesn't route

overand

All firewall/gateway systems are using pfSense 1.2.3-RELEASE.

OpenVPN server at "home office" - 172.16.0.0/24 (In a CARP setup, incidentally, but running on master)

OpenVPN client at "remote office 1" - 10.2.105.0/24

OpenVPN client at "remote office 2" - 172.31.2.0/24 (also in a CARP setup, running on master)

Setup is PKI, all tunnels establish properly.  OpenVPN server itself can ping / connect to everything as-expected, but clients at "home office" behind the pfSense box can't communicate with clients at "remote office 2"

Routes appear to be built correctly.  Each "client-specific configuration" is set as I believe is correct - 'remotesite1' ID on server with "iroute 10.2.105.0 255.255.255.0" and "remotesite2" with "iroute 172.31.2.0 255.255.255.0"

Routes, visible with netstat -rn - direct attached devices and unrelated routes / interfaces removed.

Home Office (server)

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            X.X.X.1        UGS        0    66465  fxp0
10.2.105.0/24      10.222.58.2        UGS        0    10554  tun0
10.222.58.0/24    10.222.58.2        UGS        0        0  tun0
10.222.58.2        10.222.58.1        UH          3        0  tun0
127.0.0.1          127.0.0.1          UH          0        0    lo0
172.16.0.0/24      link#9            UC          0        0  vlan1
172.31.2.0/24      10.222.58.2        UGS        0        0  tun0

Remote 1

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            y.y.y.193      UGS        0 321579527  vlan0
10.2.105.0/24      link#4            UC          0        0  fxp3
10.2.105.1        10.2.105.1        UH          0        0  carp1
10.222.58.1/32    10.222.58.9        UGS        0        0  tun0
10.222.58.9        10.222.58.10      UH          2        0  tun0
127.0.0.1          127.0.0.1          UH          0        0    lo0
172.16.0.0/24      10.222.58.9        UGS        0    9976  tun0

Remote 2

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            z.z.z.49      UGS        0    56180    em1
10.222.58.1/32    10.222.58.5        UGS        0        0  tun0
10.222.58.5        10.222.58.6        UH          2        0  tun0
127.0.0.1          127.0.0.1          UH          0        0    lo0
172.16.0.0/24      10.222.58.5        UGS        0        0  tun0
172.31.2.0/24      link#1            UC          0        0    em0

–--

Behavior when  pinging from workstations to remote-2 sites from behind the home-office is to get NATed out rather than routed.

i.e. if I traceroute -n, I get my first hop as my WAN-side (public IP) Gateway.

I do have 'auto-generated VPN rules' disabled on the server, but the tun0 firewall rules are 'allow all out' - i even set it to 'allow all' to test.

I can provide openVPN configs if it's helpful, but I've compared remote 1 and remote 2- the config files are identical.

Server is dual-WAN, though I have 'local wan2 ip' in my custom options on the server.