The fact of the matter is that there are no typos anywhere. The problem is in the RRAS service on Server 2. It is not clear why he does not want to natit traffic.

tracert where shuts up? Are there pings before 172.16.11.11?

And how is NAT configured on Server 2. If you send traffic from User 2 using RRAS to Server 2, you actually hide the 172.17.0.0/16 network from the 172.16.12.0/24 and 172.16.11.0/24 networks. Those. if you and User 1 will be sent to IP from 172.17.0.0, then the packet will arrive there 172.16.12.2 <-> 172.17.0.2, because routing between servers, and Server 2 knows its network, therefore it will push the packet according to the on-link route. But back, when User 2 answers, Server 2 will intercept his packet and NAT will replace the source address with the server address. And now look at the request 172.16.12.2 <-> 172.17.0.2, and the response 172.16.11.11 <-> 172.16.12.2. Of course, the response request will not be processed, because. User 1 will not understand what it is the answer to.
Total: Neither RRAS nor VPN has anything to do with it. The problem is in the concept. Either you need to do Network<->Network routing, or configure NAT on Server 2 to forward ports, and push them to the client's IP (User 2), well, address accordingly to IP Server 2 (which is the end of the OpenVPN tunnel), but I would do The first option is simpler, more flexible and more logical. The OpenVPN settings here, in general, do not matter, it would be better if they brought the RRAS settings.

why do you need NAT?
1. configure for user2 issuance of a subnet from user1, it is better to do this through ccd.