Ok... after many coffees and a lot of tcpdump I rewrote the pf.conf. Everything works fine.
# Set the limit on the total number of table entries to 300000.
set limit table-entries 300000
# <bruteforce>: declared empty; populated by the "overload" option on the
# SSH rule further down and used by "block quick from <bruteforce>".
table <bruteforce> persist
# <rompi>: blocklist loaded from a file when the ruleset is loaded.
# NOTE(review): the file sits under a user's home directory; anyone able to
# write it can change what is blocked -- confirm ownership and permissions.
table <rompi> persist \
file "/home/luca/zone/xxx.zone"
# Address ranges of LAN clients and of VPN clients.
table <lan_cli> persist { 192.168.10.0/24 }
table <vpn_cli> persist { 10.8.0.0/24 }
# Port macros. *_in: services accepted inbound; *_out: destinations allowed
# outbound. 22 = SSH, 80/443 = HTTP/HTTPS, 1194 = OpenVPN, 123 = NTP, 53 = DNS.
tcp_srv_in = "{ 22 }"
tcp_srv_out = "{ 22, 80, 443 }"
udp_srv_in = "{ 1194 }"
udp_srv_out = "{ 123, 53 }"
# ICMP types referenced by the icmp-type rules below.
icmp_types = "{ echoreq, unreach, echorep, trace, timex }"
# Do not filter traffic on loopback (lo).
set skip on lo
# "block" rules drop silently instead of answering with RST / ICMP unreachable.
set block-policy drop
# No IPv6 is allowed in either direction.
block quick inet6
# Drop packets whose source is in the blocklist or in the SSH overload table.
# These rules match on source address only; packets sent *to* those
# addresses are not matched by them.
block quick from <rompi>
block quick from <bruteforce>
# Normalise inbound packets: clear the DF bit and clamp the TCP MSS to 1440.
match in all scrub (no-df max-mss 1440)
# Force logging of every packet on each subsequent rule it matches.
# NOTE(review): handy while debugging, but verbose for permanent use --
# confirm these two lines are meant to stay.
match in log (matches)
match out log (matches)
# LAN clients: inbound SSH and outbound SSH/HTTP/HTTPS/NTP/DNS.
# No "on <interface>" is given, so these three rules apply on every
# filtered interface and are not subject to the SSH rate limits below.
pass in quick proto tcp from <lan_cli> to port $tcp_srv_in keep state
pass out quick proto tcp from <lan_cli> to port $tcp_srv_out keep state
pass out quick proto udp from <lan_cli> to port $udp_srv_out keep state
# ICMP on re0, restricted to $icmp_types: LAN<->LAN and VPN->LAN inbound,
# anything sourced from the LAN outbound.
pass in quick on re0 inet proto icmp from <lan_cli> to <lan_cli> icmp-type $icmp_types keep state
pass in quick on re0 inet proto icmp from <vpn_cli> to <lan_cli> icmp-type $icmp_types keep state
pass out quick on re0 inet proto icmp from <lan_cli> icmp-type $icmp_types keep state
#SSH
#----------
# SSH from any source outside <lan_cli>, with per-source limits:
#   max-src-conn 15       at most 15 simultaneous connections
#   max-src-conn-rate 3/1 at most 3 new connections per 1 second
# A source exceeding either limit is added to <bruteforce> and all of its
# existing states are flushed ("flush global").
# NOTE(review): nothing in this file expires <bruteforce> entries, so a
# source stays blocked until removed out of band -- confirm that is handled.
pass in quick on re0 proto tcp from ! <lan_cli> to port $tcp_srv_in keep state \
(max-src-conn 15, max-src-conn-rate 3/1, overload <bruteforce> flush global)
#OpenVPN
#----------
# OpenVPN (UDP 1194) from any source outside <lan_cli>. Unlike the SSH rule,
# this one carries no connection or rate limits.
pass in quick on re0 proto udp from ! <lan_cli> to port $udp_srv_in keep state
#----------------------
# From tun0 -> <lan_cli>
# NOTE(review): the original heading said 192.168.0.0/16, but the rules use
# <lan_cli>, which this file defines as 192.168.10.0/24.
# VPN clients may reach the LAN with any protocol; on the way out of re0
# their source address is translated to re0's address (nat-to).
pass in quick on tun0 from <vpn_cli> to <lan_cli> keep state
pass out quick on re0 from <vpn_cli> to <lan_cli> nat-to (re0) keep state
# NOTE(review): the first rule in this section is "quick" and matches every
# protocol, so VPN->LAN ICMP on tun0 is passed there and never reaches the
# next rule; its $icmp_types restriction therefore has no effect inbound.
pass in quick on tun0 inet proto icmp from <vpn_cli> to <lan_cli> icmp-type $icmp_types keep state
# LAN -> VPN ICMP leaving via tun0, restricted to $icmp_types.
pass out quick on tun0 inet proto icmp from <lan_cli> to <vpn_cli> icmp-type $icmp_types keep state
# NOTE(review): neither rule below is "quick", so the last matching rule
# wins. "block drop all" also matches outbound packets and comes last, so it
# overrides this "pass out"; outbound traffic is only allowed where a quick
# rule above passes it. The usual layout puts the default block before the
# pass rules -- confirm which outbound policy is intended before reordering.
pass out keep state
# Default deny: drops everything not already passed by a quick rule above.
block drop all