Hi Michael,
If you did generate the client on the server, it should appear in the WUI of the FW rules on the server. If you added some “Static IP address pools” it should appear as “OpenVPN clients:”; if you use the “Dynamic OpenVPN IP address pool” it should appear as “OpenVPN networks:” <-- in that case all clients will have the same rule. If you don't want it that way, use the first option.
In both cases the “Source” is then the client whereby you would only need to give him the destination in your green LAN.
Some FW hints: If you use a “Blocked” “Default firewall behaviour” you need to set one ACCEPT rule. If you have an “Allowed” “Default firewall behaviour” you would need one ACCEPT rule and after that a DROP or even REJECT rule for the OpenVPN network/clients to prevent other traffic.
Maybe I was not clear in my explanation: I want to create the rule on the client and not on the server (e.g. the users on the server should connect to the service that resides behind on the client).
If you have IPFire on both sides, a quick explanation of how your firewall works should help. N2N can be NATed like RWs within the same rule for the preceding router. Dynamic IPs (DDNS?) can also be used for both, so I am currently not sure where your problem is. An advantage might be to firewall both sides via WUI on a N2N connection, in my opinion…