Access Server has two frontends that run atop of what is essentially the OSS version.
One FE is for users. They can login, setup MFA, download the bundled OVPN Access Server client for every desktop and mobile OS under the sun, as well as different ovpn profiles with certs, auto login, etc from a browser. Basically, it’s an easy way to get users up and running, self provisioning, etc.
CE leaves all this config to you, the admin, as well as distributing an OVPN client to machines, configuring auth, distributing user-specific certs if you go that route. Same for MFA. You willuse MFA and certs. Unless you want the potential of experience ala Colonial Pipeline. Both OSS and AS versions support TOTP-based MFA and cert-based auth. Can do RADIUS easily in AS. Forgot how to co dig it in OSS/CE version.
All the aforementioned user FE is configured in the second, admin FE. You can do all of the same config you have available in community, as well as some addition stuff specific to the Access Server. CA signed certs, etc.
I do not like the new subscription model for AS, but if it keeps the two free users, it’s an easy to setup and use OVPN server and client. Scaling to medium-sized business user numbers, it gets stupid expensive.
For a similar and more reasonably priced OVPN-based, user-friendly VPN, checkout Pritunl. Better feature set than OVPN, but max $70/mo for the full enterprise version, including OAuth2, Yubikey support, the works.