OpenVPN: which template to use for server

Hello, thanks. I want to run an OpenVPN server on my OpenWrt router.

There are a few templates for the server, but I am not sure which to use for my needs:

  1. multiple client users
  2. each user should be default deny, no access to internal machines.
  3. use firewall, to allow a specific user to access a specific machine at a specific port.


That is correct, but I would use WireGuard; it is much easier to set up, especially for what you want (client access by their IP address):
https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior

general server:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/server


Thanks much for the suggestion, but I am asking only about OpenVPN.

I am switching away from OPNsense; they have a great OpenVPN road warrior setup,
including "Multi Factor Authentication ( Client Certificate + Password + OTP )"
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

That is what I am trying to replicate in OpenWrt.

So, I wanted to know which OpenVPN server configuration template is the closest to my use case?
I think, but am not sure, to choose "Server configuration for a routed multi-client VPN"?


Yes that is the one, good luck with it.
But it sure is a lot of work, you need ccd files per client and the password plugin.

Yes the "routed multi client" is this use case.

I don't know if OpenVPN has strict enforcement of users' IPs like WireGuard's allowed_ips mechanism does. If you're going to use a source IP based firewall to separate different classes of users on the same interface, you have to be sure that a malicious user can't elevate their privilege by changing the IP on their end.
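
An added example, not code from any poster in this thread: a shell script that turns a per-user policy into the ccd files mentioned above plus matching OpenWrt firewall rules for the three requirements in the first post. The policy values, the tunnel network 10.8.0.0/24, the zone names 'vpn' and 'lan', and the function names are assumptions; the 'vpn' zone is assumed to have no forwarding to 'lan', so anything not listed stays denied.

```shell
#!/bin/sh
# Added example. Assumptions: "topology subnet", tunnel net 10.8.0.0/24,
# firewall zones named 'vpn' and 'lan'. The server config also needs
# client-config-dir and ccd-exclusive, and must not enable client-to-client
# (that forwards between clients inside OpenVPN, bypassing the firewall).
NETMASK=255.255.255.0
# Constructed sample policy, one line per user: CN tunnel_ip lan_host tcp_port
POLICY='alice 10.8.0.10 192.168.1.20 22
bob 10.8.0.11 192.168.1.30 443'

is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

# ccd/<CN> content: pins that certificate to one fixed tunnel address.
ccd_entry() { printf 'ifconfig-push %s %s\n' "$1" "$NETMASK"; }

# One /etc/config/firewall rule: this user's address -> one host, one port.
fw_rule() {
    printf "config rule\n\toption name 'vpn-%s'\n\toption src 'vpn'\n" "$1"
    printf "\toption src_ip '%s'\n\toption dest 'lan'\n" "$2"
    printf "\toption dest_ip '%s'\n\toption dest_port '%s'\n" "$3" "$4"
    printf "\toption proto 'tcp'\n\toption target 'ACCEPT'\n\n"
}

# generate OUTDIR [POLICY]: writes OUTDIR/ccd/<user> and OUTDIR/firewall.rules.
# Returns 1 on the first malformed or conflicting line.
generate() {
    out=$1; policy=${2:-$POLICY}; seen=' '
    mkdir -p "$out/ccd" && : > "$out/firewall.rules" || return 1
    while read -r user ip host port; do
        [ -n "$user" ] || continue
        # The CN becomes a file name: refuse anything that could leave ccd/.
        case "$user" in *[!A-Za-z0-9_-]*) return 1 ;; esac
        is_ipv4 "$ip" && is_ipv4 "$host" || return 1
        case "$port" in ''|*[!0-9]*) return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
        # Two users sharing a tunnel address would share firewall rules.
        case "$seen" in *" $ip "*) return 1 ;; esac
        seen="$seen$ip "
        ccd_entry "$ip" > "$out/ccd/$user"
        fw_rule "$user" "$ip" "$host" "$port" >> "$out/firewall.rules"
    done <<EOF
$policy
EOF
}

if [ $# -ge 1 ]; then generate "$1"; fi
```

In routed (tun) server mode OpenVPN drops tunnel packets whose source address is not associated with the sending client and logs "MULTI: bad source address from client", so with ccd-exclusive and a fixed ifconfig-push per certificate the src_ip match identifies the user.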