pfSense

this is bug

from https://openvpn.net/community-resources/controlling-a-running-openvpn-process/:
client-config-dir — This directive sets a client configuration directory, which the OpenVPN server will scan on every incoming connection, searching for a client-specific configuration file (see the the manual page for more information). Files in this directory can be updated on-the-fly, without restarting the server. Note that changes in this directory will only take effect for new connections, not existing connections. If you would like a client-specific configuration file change to take immediate effect on a currently connected client (or one which has disconnected, but where the server has not timed-out its instance object), kill the client instance object by using the management interface (described below). This will cause the client to reconnect and use the new client-config-dir file.

I see that after clicking “save” the files in the csc directory have changed,
But clients get outdated CSO values before restarting OpenVPN server

tested on pfSense 2.4.4-p3 and 2.5.0.a.20200310.1958

If we are rewriting the files and OpenVPN isn't re-reading them when the client connects, there isn't much else we can do here. Assuming the client is actually reconnecting and not picking up the settings (try kicking them off manually instead of initiating a client reconnection)

If it's a bug in OpenVPN, it needs replicated in OpenVPN directly (outside of pfSense) and reported upstream.

no such issue on 2.4.5-p1 and the latest 2.5

this seems to be fixed in OpenVPN 2.4.9