I think you can, on the server side, by using their certificate common name (CN) and the CCD configuration files.
Excerpt From: Keijser, Jan Just. “OpenVPN Cookbook - Second Edition”
When a client connects to the server with its certificate and with the certificate’s common name client1, the OpenVPN server checks whether there is a corresponding client configuration file (also known as a CCD file) in the client-config-dir directory. If it exists, it is read in as an extra set of options for that particular client.
The client configuration file contains a single line, ifconfig-push 10.200.0.7 10.200.0.7, which instructs the OpenVPN server to push the client IP address 10.200.0.7 to this particular client.
Therefore, you can do what is described here, meaning setting different policies for different clients. You could create CCDs for each IoT machine based on the common name in their certificate and give each of them a specific IP address. Then, you just write firewall rules specific to those IP addresses.
For example, if my client certificate is iOS.p12, with this command I can find the common name (CN) field:
openssl x509 -subject -noout -in iOS.p12
Enter pass phrase for PKCS12 import pass phrase:
CN = iOS
then, I can create a file ccd/iOS which contains the following line:
ifconfig-push 10.1.4.37 10.1.4.37
and the iOS appliance will get 10.1.4.37 as an IP address. You do that for all of your IoT machines. Then, as suggested by @disturbeddragon, you enter all those addresses in a group. That group becomes the Source field of a rule, or set of rules, in your IPFire web user interface firewall.
Assigning a specific IP address to a client can also be done simply by using the IPFire Web User Interface when creating a client certificate, by taking advantage of a pool of static IPs.
The use of CCDs is also documented in the wiki.
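Putting the steps above together, as an added example that is not code from this post, the book or IPFire: a small POSIX shell helper that writes one CCD file per common name in the single-line form shown above, refuses malformed addresses, names that are not safe as file names, and addresses already handed to another client, and lists the pushed addresses so they can be pasted into the firewall group used as the Source. CCD_DIR, make_ccd, ccd_owner, ccd_addresses and is_ipv4 are assumed names.

```shell
#!/bin/sh
# Added example (not from the post, the book or IPFire): manage OpenVPN CCD
# files keyed by certificate CN. Assumes the CCD files live in $CCD_DIR
# (client-config-dir on the server) and contain one ifconfig-push line.
set -eu

CCD_DIR="${CCD_DIR:-./ccd}"

# is_ipv4 ADDR : succeed only for a dotted quad with every octet in 0..255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# ccd_owner ADDR : print the CN whose CCD file already pushes ADDR, if any
ccd_owner() {
    for f in "$CCD_DIR"/*; do
        [ -f "$f" ] || continue
        if grep -q "^ifconfig-push $1 " "$f"; then basename "$f"; return 0; fi
    done
    return 0
}

# make_ccd CN ADDR : write $CCD_DIR/CN containing "ifconfig-push ADDR ADDR"
make_ccd() {
    cn=$1; addr=$2
    # the CN becomes a file name: reject empty, hidden or path-like names
    case $cn in ''|.*|*/*) echo "make_ccd: unsafe CN '$cn'" >&2; return 1;; esac
    is_ipv4 "$addr" || { echo "make_ccd: bad address '$addr'" >&2; return 1; }
    owner=$(ccd_owner "$addr")
    if [ -n "$owner" ] && [ "$owner" != "$cn" ]; then
        echo "make_ccd: $addr already assigned to $owner" >&2; return 1
    fi
    mkdir -p "$CCD_DIR"
    # same single-line form the post uses (ifconfig-push <ip> <ip>)
    printf 'ifconfig-push %s %s\n' "$addr" "$addr" > "$CCD_DIR/$cn"
}

# ccd_addresses : print every pushed address once, one per line, sorted;
# this is the list to put in the firewall group used as the rule's Source
ccd_addresses() {
    [ -d "$CCD_DIR" ] || return 0
    sed -n 's/^ifconfig-push \([0-9.]*\) .*/\1/p' "$CCD_DIR"/* | sort -u
}
```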