Post your server1.conf and client1.conf.

Several things going on:

1.  200+ machines, with 12 - 10/100 switches (they still make these?), your network was saturated before you even began ....  Gigabit layer 3 switches with separate vlans would've helped, but would've been a lot of work and expensive.

2.  200.200.200.x is publicly rotatable... should have used a reserved range

3.  With that many guests, should have run PFsense on bare metal.

Post a network map, your server.conf's, your routing table and firewall rules and lets take a look.

You shouldn't of had to create any rules... especially on the WAN side... the wizard should've taken care of that.  Do this on both sides:

On the wan tab, pick a protocol, don't add both (unless you have a specific need for TCP, use UDP)... and the destination should be "WAN address":

UDP|*| *| WAN address | 1194 (OpenVPN)| *

On the OpenVPN tab, change your protocol to any:

*| *| *| *| *| *   

Just out of curiosity, what's with the funky port?

[LAN 10.0.0.0/8]

pfSense box: WAN 172.16.63.120/16   (static address from our internal office LAN), Gateway 172.16.63.1 (a Fortinet Firewall)
                   LAN  10.0.0.0/8  (the LAN for all the datacenter servers), Gateway 10.0.0.1

Is this a typo?  I thought this was changed to 10.0.0.0/9?

So, I'm not sure if you're specifically not answering the question or if I'm not being direct enough when I ask for the subnet mask.  For instance, when you say:

10.1.0.5     ns1   DNS server running on CentOS 6.4
10.1.0.6     ns2   DNS server running on CentOS 6.4
10.2.1.193 - 199  several servers all running CentOS 6.4 working as web-, database- and application servers
10.2.1.129 - 135  several servers all running Windows 2012 woring as AD, RDS and other Windows servers

You still have not given us the masks for the servers you are trying to reach.   You've given us the mask for the host machine, but not each guest.  Double check the mask on each guest and report back.

It would also be helpful if you provided a network map, so we can see how things are physically connected.  Also, where are you testing from?

Your firewall log is interesting.  You shouldn't be getting blocks between 10.1.0.5 and 10.0.2.128 because they are on the same LAN... that traffic should not be hitting the firewall.  Just another reason to double check connections and masks.

Don't know if you can list them per se, but you will see messages like this in the system logs:

May 20 16:43:56   php: /index.php: Successful webConfigurator login for user 'admin' from 10.0.50.6
May 20 16:43:56   php: /index.php: Successful webConfigurator login for user 'admin' from 10.0.50.6

Actually no.  but we seem to get more new information with every post

You said you couldn't ping a device with an IP of 10.2.1.199....  I am asking what that is and where that device is located... (physical machine, vm, router, etc?) ... and what is the subnet mask configured on that device?

What is the subnet mask of 10.2.1.199?  And where is it located on the network?

[Tunnel Settings]

Yes, this is not making sense.

You said your network is now 10.0.0.0/9, so why are you pushing routes to 10.2.1.0/24, 10.0.0.0/24 and 10.1.0.0/24?  Those are all inside of 10.0.0.0/9... you've got something mixed up.  Give us a network map, so we can see how you're connected and what you're trying to accomplish.

If your LAN is truly 10.0.0.0/9 then in your VPN config, under Tunnel Settings, your Local Network should only read 10.0.0.0/9.... does it?

If so, we should see this in your server1.conf -> push "route 10.0.0.0 255.128.0.0" but we don't.

Also, you are using split tunnel, so why are you pushing google's DNS to your clients?  And your DNS servers are also inside your LAN, so I'm not sure why you're pushing those out either.

It sounds like it's telling you everything you need to know.

Do you have UPNP enabled?

Services -> UPnP & NAT-PMP:

Enable UPnP & NAT-PMP
Allow UPnP Port Mapping

Care to share?

server1.conf is located in /var/etc/openvpn

post your server1.conf and firewall rules from openvpn tab.

A network map will also be helpful.

Is the VM bridged or NAT'd?