Bug #3528
Internally generated automatic outbound NAT rules not the same as those generated when Manual is clicked
Status: closed (100% done)
Description
Ref forum: https://forum.pfsense.org/index.php?topic=73727.0
The 2.1.1 code in /etc/inc/filter.inc filter_nat_rules_generate has code to not generate NAT rules to any "ovpn" interface:
Line 1679 (as at time of posting):
foreach ($FilterIflist as $if => $ifcfg) {
    if (substr($ifcfg['if'], 0, 4) == "ovpn")
        continue;
    ...
But /usr/local/www/firewall_nat_out.php at line 83 'case "advancedoutboundnat":' does its own code to generate a first set of manual rules when the user changes from Automatic to Manual and presses Save. This code has nothing special to exclude "ovpn" and so it generates NAT rules to NAT out of any interface that has a gateway.
See Bug #1216 for where this exclusion of NAT out on OpenVPN was introduced.
The master (2.2) code has re-engineered this stuff. It looks like it excludes "ovpn" when generating the first set of manual rules, and also when making automatic NAT rules at run-time in filter.inc - at least the behavior is consistent.
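To make the divergence described above concrete, here is an added illustration (not pfSense code, and not taken from filter.inc or firewall_nat_out.php): two simplified rule-target generators run over a constructed interface list. automatic_outbound_targets() mirrors the quoted 2.1.1 filter_nat_rules_generate loop, which skips any interface whose real name starts with "ovpn" before considering gateways; manual_conversion_targets() models the 2.1.1 Automatic-to-Manual conversion, which selects every interface with a gateway and has no such exclusion. The interface names, gateway names and the "has a gateway" test are assumptions made for the example.

```php
<?php
// Added example: shows why the 2.1.1 automatic outbound NAT rules and the
// first set of manual rules differ for OpenVPN-assigned interfaces.
// Interface records are constructed sample data, shaped loosely like
// $FilterIflist: 'if' is the real interface name, 'gateway' the gateway name.

// Simplified stand-in for interface_has_gateway(): an interface is a
// candidate for outbound NAT when a gateway is configured on it.
function has_gateway(array $ifcfg): bool {
    return !empty($ifcfg['gateway']);
}

// Models filter_nat_rules_generate in 2.1.1 (automatic outbound NAT):
// OpenVPN interfaces are skipped before the gateway test.
function automatic_outbound_targets(array $iflist): array {
    $targets = [];
    foreach ($iflist as $if => $ifcfg) {
        if (substr($ifcfg['if'], 0, 4) == "ovpn") {
            continue;
        }
        if (has_gateway($ifcfg)) {
            $targets[] = $if;
        }
    }
    return $targets;
}

// Models the 2.1.1 firewall_nat_out.php conversion to Manual:
// every interface with a gateway gets a rule, OpenVPN included.
function manual_conversion_targets(array $iflist): array {
    $targets = [];
    foreach ($iflist as $if => $ifcfg) {
        if (has_gateway($ifcfg)) {
            $targets[] = $if;
        }
    }
    return $targets;
}

// Constructed sample: WAN, LAN, an OpenVPN client assigned as OPT1 with a
// gateway, and a second uplink on OPT2.
$iflist = [
    'wan'  => ['if' => 'em0',    'gateway' => 'WAN_DHCP'],
    'lan'  => ['if' => 'em1',    'gateway' => ''],
    'opt1' => ['if' => 'ovpnc1', 'gateway' => 'OPT1_VPNV4'],
    'opt2' => ['if' => 'em2',    'gateway' => 'OPT2_GW'],
];

$automatic = automatic_outbound_targets($iflist);   // ['wan', 'opt2']
$manual    = manual_conversion_targets($iflist);    // ['wan', 'opt1', 'opt2']

// The interfaces that appear only in the converted manual rule set are
// exactly the OpenVPN ones: this is the inconsistency the bug reports.
$only_in_manual = array_values(array_diff($manual, $automatic));
print_r($only_in_manual);   // Array ( [0] => opt1 )
```

Whichever design decision is taken (exclude "ovpn" in both places, or NAT out of it in both), the practical fix is for both code paths to call one shared predicate rather than each carrying its own interface filter, so the rule set a user gets after clicking Manual is the same one the automatic mode was applying.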
The behavior should be made consistent in 2.1.1 - but actually it seems reasonable to me that an OpenVPN that has been assigned to its own interface and has a gateway set should have automatic NAT done on the way out, it is likely to be a genuine way out to the internet?
Anyway, I think I have given enough info here. It needs a design decision as to which way to go to make it consistent.