Bug #3684
Status: closed
OpenVPN not routing incoming traffic correctly when using tap device
Description
Will try this again, and it is NOT a config issue.
I have 2 OpenVPN clients on my server: 1 running with tun as device and 1 running with tap as device.
Traffic coming from the outside to, for example, port 53 using tun is routed correctly back over the OpenVPN client;
traffic coming from the outside to, for example, port 53 using tap is routed over the default route and not the interface it came in on. The only way I have found is to use redirect-gateway def1.
This will create a route at the top of the routing table with 0.0.0.0/1 (tap gateway), but that should not be needed, as traffic should be routed back over the same interface it came in on.
And before you close it and say it will follow the route or reply-to rule, I can say it does not.
From rules.debug:
pass out route-to ( ovpnc2 88.80.28.129 ) from 88.80.yyy.xxx to !88.80.28.128/25 keep state allow-opts label "let out anything from firewall host itself"
PRQTUNNEL = "{ ovpnc2 }"
pass in quick on $PRQTUNNEL reply-to ( ovpnc2 88.80.28.129 ) inet proto icmp from any to any keep state label "USER_RULE"
pass in quick on $PRQTUNNEL reply-to ( ovpnc2 88.80.28.129 ) inet proto tcp from any to $mail port $mail_server flags S/SA keep state label "USER_RULE: NAT ACCESS TO MAIL SERVER"
pass in quick on $PRQTUNNEL reply-to ( ovpnc2 88.80.28.129 ) proto { tcp udp } from any to 10.19.2.10 port 53 keep state label "USER_RULE: NAT DNS in PRQTUNNEL"
According to the first rule, all traffic from 88.80.yyy.xxx should go to 88.80.28.129; that does work for outgoing traffic.
According to the 3 pass in rules with reply-to ovpnc2 88.80.28.129, traffic coming in on those rules should go out over 88.80.28.129; that does not happen, it goes out over the default gateway, and that will never be a config issue.
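As an added diagnostic (not from the report and not pfSense code), the script below parses pf rules in the rules.debug form quoted above and flags every "pass in" rule whose reply-to is missing, names an interface the rule is not bound to, or uses a different gateway than the interface's route-to rule, which is the first thing to verify before treating this as a routing bug. The sample input is the report's own lines plus one constructed rule lacking reply-to; the regexes assume the `route-to ( iface gw )` / `reply-to ( iface gw )` and `NAME = "{ iface }"` syntax shown on the page.

```python
import re
from typing import Dict, List
# Constructed sample in rules.debug format: the lines quoted in the report
# plus one hypothetical "pass in" rule without reply-to, added so the check fires.
SAMPLE_RULES = '''
pass out route-to ( ovpnc2 88.80.28.129 ) from 88.80.yyy.xxx to !88.80.28.128/25 keep state allow-opts label "let out anything from firewall host itself"
PRQTUNNEL = "{ ovpnc2 }"
pass in quick on $PRQTUNNEL reply-to ( ovpnc2 88.80.28.129 ) inet proto icmp from any to any keep state label "USER_RULE"
pass in quick on $PRQTUNNEL reply-to ( ovpnc2 88.80.28.129 ) proto { tcp udp } from any to 10.19.2.10 port 53 keep state label "USER_RULE: NAT DNS in PRQTUNNEL"
pass in quick on $PRQTUNNEL proto { tcp udp } from any to 10.19.2.10 port 123 keep state label "CONSTRUCTED: missing reply-to"
'''
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"\{?\s*([^}"]*?)\s*\}?"\s*$')   # NAME = "{ a b }"
GW_RE = re.compile(r'\b(route-to|reply-to)\s*\(\s*(\S+)\s+(\S+)\s*\)')  # policy ( iface gw )
ON_RE = re.compile(r'\bon\s+(\$?\w+)')                                  # on $MACRO or on iface
PASS_RE = re.compile(r'^pass\s+(in|out)\b')

def parse_macros(text: str) -> Dict[str, List[str]]:
    """Collect interface macros such as PRQTUNNEL = "{ ovpnc2 }"."""
    macros: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line.strip())
        if m:
            macros[m.group(1)] = m.group(2).split()
    return macros

def audit_reply_to(text: str) -> List[str]:
    """Flag pass-in rules whose reply-to is absent, names an interface the rule
    is not bound to, or uses a gateway different from the interface's route-to."""
    macros = parse_macros(text)
    # Gateway each interface's route-to rule uses, e.g. {'ovpnc2': '88.80.28.129'}
    route_gw = {m.group(2): m.group(3) for m in GW_RE.finditer(text) if m.group(1) == 'route-to'}
    findings: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        d = PASS_RE.match(line)
        if not d or d.group(1) != 'in':
            continue
        on = ON_RE.search(line)
        name = on.group(1) if on else ''
        ifaces = macros.get(name[1:], []) if name.startswith('$') else ([name] if name else [])
        gw = GW_RE.search(line)
        label = line.split('label')[-1].strip()
        if not gw or gw.group(1) != 'reply-to':
            findings.append(f'{label}: pass in on {ifaces} has no reply-to')
        elif gw.group(2) not in ifaces:
            findings.append(f'{label}: reply-to interface {gw.group(2)} not in {ifaces}')
        elif route_gw.get(gw.group(2), gw.group(3)) != gw.group(3):
            findings.append(f'{label}: reply-to gateway {gw.group(3)} differs from route-to {route_gw[gw.group(2)]}')
    return findings
```

Run it against a full rules.debug after the two rules quoted in the report pass clean; a rule that pf has no reply-to on will leave the state to follow the default route, exactly the symptom described.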