pfSense

I think you should consider separating different OpenVPN tunnels as different interfaces in firewall_rules.php.

Right now, as a workaround to assign rules to a specific OpenVPN tunnel, proper source or destination have to be defined in the rules. However it would be much more clear to consider each OpenVPN tunnel as a separate interface (like it already happens on the OS side) because often each VPN tunnel requires its own policy.
I understand this would be more difficult for IPsec Phase 2s as encryption is handled in the kernel and all the packets pop out from enc0, but it would be nice if the same was done for IPsec as well.