Of the new features in TomatoVPN 1.23vpn3.0000, the new client-specific options feature may be overshadowed by the more visible GUI overhaul and server status AJAX display. However, it is the feature I'm personally most excited about, so I thought I'd post to shed some light on it.
Using this option, you can have full bidirectional site-to-site TLS VPNs with no Custom Configuration or init scripts.
Selecting this option displays a table where you fill in the Common Name (from when you generated the TLS certificates), subnet (optional), and netmask (optional). If you fill in the subnet and netmask of the client, your server LAN will be able to communicate with your client LAN whenever it's connected (be sure not to choose the NAT option on the client router). Without this, you're stuck with just client->server communication.
If you also select the "Allow Client<->Client" option, another checkbox appears in the table that, when selected, allows other clients (or client LANs) to communicate with this client LAN. So, now you can have multiple sites all connected together with communication between any of them as desired.
An "allow only these clients" option is also present. With this selected, clients that aren't in the table are not allowed to connect. If you want to allow a client that doesn't have a LAN behind it (or you don't want to allow access to it), just put it in the table and leave the subnet/netmask blank.
With these options, this release removed the biggest limitation that's been present since the first release: having the VPN limited to client-initiated connections.
Feedback on this new feature is, of course, welcome and appreciated.