My Community Dashboard

  • Sruli Saurymper
    Sruli Saurymper replied to a discussion, NAT with VPN

    If you don't have multiple IPs then that rules out 1-to-1 NAT.

    I do have multiple IPs, but I wanted to start on a less complex one. However, it seems like I bit off more than I can chew on this one, so I am just going to remove the port forwarding and use the local IP over VPN.

    What I do want to do is allow different VPN users access to different machines. The way I want to achieve it is by creating multiple VPN instances, each with a different IP range, and sorting out the access in custom iptables rules.

    It's pretty straightforward to set this up, but there is nothing to stop the VPN user from changing the port they connect to and being on a different IP range. The only way around this I can see is to create a different cert and key for each VPN instance. The question is: would the ClearOS web portal be able to manage this (add a user to a specific VPN instance and generate user certs for that instance)? If not, how would I create them manually (the VPN cert/key for the VPN instance and the user certs)?
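
The per-instance certificate idea from the post above, as an added example that is not part of the original post and not ClearOS's own tooling: each VPN instance gets its own CA, so a user certificate issued for one instance fails verification against the other. It assumes the VPN authenticates clients by X.509 certificates checked against the instance's CA file; the instance names `vpn-a`/`vpn-b` and the user `alice` are constructed.

```shell
#!/bin/sh
# Added example: one CA per VPN instance (names are constructed, not from the post).

make_ca() {        # $1 = instance directory, $2 = CA common name
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client() {   # $1 = instance directory, $2 = user name
    # Key and CSR for the user, then sign the CSR with this instance's CA only.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/$2.crt" 2>/dev/null
}

accepts() {        # $1 = instance directory, $2 = client cert; status 0 if the chain verifies
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

cross_instance_check() {
    work=$(mktemp -d) || return 2
    make_ca "$work/vpn-a" "vpn-a CA"
    make_ca "$work/vpn-b" "vpn-b CA"
    issue_client "$work/vpn-a" alice
    result=fail
    # alice must be accepted by her own instance and rejected by the other one,
    # whatever port she connects to.
    if accepts "$work/vpn-a" "$work/vpn-a/alice.crt" &&
       ! accepts "$work/vpn-b" "$work/vpn-a/alice.crt"; then
        result=ok
    fi
    rm -rf "$work"
    echo "$result"
}

echo "cross-instance isolation: $(cross_instance_check)"
```

Each instance would then be configured with its own `ca.crt` and a server certificate signed by that CA, and the iptables rules keyed on that instance's IP range.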