For running a 3rd-party VPN client solution, there are 2 ways to accomplish this: by using NAT, or by using a routed IP pool.
You can refer to this blog about 3rd-party remote access VPN solutions for the logic and design reference: https://aws.amazon.com/blogs/networking-and-content-delivery/scale-remote-access-vpn-on-aws/
For your case it seems you want to use a routed IP pool, but there is no way to steer traffic to your VPN instance; you need a Transit Gateway to help. Check out the details in the above blog.
If you only need to allow VPN clients to initiate traffic to the internet and access AWS internal resources, you can simply try to use the source-NAT method on your VPN instance: all client traffic is source-NATed to the pfSense ENI in the public subnet. From the VPC traffic routing point of view, it only sees traffic from the pfSense ENI (including the source-NATed client traffic).
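As an added illustration (not part of the answer above or of any AWS or pfSense code), the following Python model shows what the VPC route table and the ENI's source/destination check do with the two designs: in NAT mode the reply packet is addressed to the ENI and matches the `local` route, while a routed pool keeps the client's pool address as source, which the ENI drops unless source/dest check is disabled and which the VPC can only return if a route for the pool exists (or a Transit Gateway carries it). All addresses, the `nat-gw` and `eni-pfsense` route targets, and the route tables are assumptions chosen for the example.

```python
"""Model of how a VPC sees traffic from a remote-access VPN instance in
source-NAT mode versus routed-IP-pool mode.

Added example, not from the original answer. All addresses, route targets
and interface names below are assumptions chosen for illustration.
"""
import ipaddress

# Assumed topology: VPC 10.0.0.0/16, pfSense ENI 10.0.1.10 in a public subnet,
# VPN client pool 10.8.0.0/24 (deliberately outside the VPC CIDR).
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
VPN_ENI_IP = ipaddress.ip_address("10.0.1.10")
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
CLIENT_IP = ipaddress.ip_address("10.8.0.5")
WORKLOAD_IP = ipaddress.ip_address("10.0.2.20")  # instance in a private subnet

# Constructed private-subnet route table: local route plus a default route to a
# NAT gateway ("nat-gw" is a placeholder target name).
PRIVATE_RT = [
    (VPC_CIDR, "local"),
    (ipaddress.ip_network("0.0.0.0/0"), "nat-gw"),
]


def lookup(route_table, dst):
    """Longest-prefix match over (prefix, target) pairs, as a VPC route table does."""
    best = None
    for prefix, target in route_table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, target)
    return best[1] if best else None


def eni_accepts(packet_src, packet_dst, eni_ip, source_dest_check=True):
    """With source/destination check enabled (the EC2 default), an ENI only
    passes packets for which it is itself the source or the destination."""
    return (not source_dest_check) or packet_src == eni_ip or packet_dst == eni_ip


def forward_leg_ok(mode, source_dest_check=True):
    """Can the pfSense ENI emit the client's packet into the VPC?

    nat:    the packet was source-NATed, so its source is the ENI address.
    routed: the packet still carries the client's pool address as source.
    """
    src = VPN_ENI_IP if mode == "nat" else CLIENT_IP
    return eni_accepts(src, WORKLOAD_IP, VPN_ENI_IP, source_dest_check)


def reply_target(mode, route_table, client_ip=CLIENT_IP, eni_ip=VPN_ENI_IP):
    """Route-table target the VPC picks for the workload's reply packet.

    nat:    reply goes to the ENI address and matches the VPC's local route.
    routed: reply goes to the pool address, which needs its own route entry
            (to the pfSense ENI, or via a Transit Gateway) or it is misrouted.
    """
    reply_dst = eni_ip if mode == "nat" else client_ip
    return lookup(route_table, reply_dst)


def assess(mode, route_table=PRIVATE_RT, source_dest_check=True):
    """Summarise both legs: outbound from the VPN instance and the reply path."""
    return {
        "forward_ok": forward_leg_ok(mode, source_dest_check),
        "reply_target": reply_target(mode, route_table),
    }


if __name__ == "__main__":
    print("NAT mode:", assess("nat"))
    print("Routed pool, unchanged route table:", assess("routed"))
    # Routed pool done properly: route for the pool pointing at the VPN ENI
    # ("eni-pfsense" is a placeholder) and source/dest check disabled on it.
    with_pool_route = PRIVATE_RT + [(VPN_POOL, "eni-pfsense")]
    print("Routed pool, pool route added, src/dst check off:",
          assess("routed", with_pool_route, source_dest_check=False))
```

Running it shows the three outcomes side by side: NAT mode works with the default route table and the default source/dest check; a routed pool on an untouched VPC fails on both legs (the ENI rejects the packet and the reply falls through to the default route); and it only works once the pool route and the source/dest check change are both in place.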