
Gateway groups are ignored if you use policy based routing in combination with an OpenVPN connection

Open RichardEb opened this issue 8 months ago • 0 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

Gateway groups are ignored if you use policy based routing (firewall rule) in combination with an OpenVPN connection. I want to route all of my internet traffic via a VPN provider (e.g. Surfshark, ProtonVpn, ...): I have two VPN connections (legacy client) with the "Don't pull routes" option checked. If I use them individually in a firewall rule the traffic is sent via the VPN, but if I group them together in a gateway group and use that group in the firewall rule, the traffic seems to be routed via the WAN interface and not via any of the OpenVPN connections. I found several reports of this issue on the internet, but unfortunately no explanation or solution.

To Reproduce

Steps to reproduce the behavior:

  1. Create a legacy OpenVPN client connection to a VPN provider (e.g. Surfshark)
  2. Check the "Don't pull routes" option
  3. Manually create the Outbound NAT rules for this OpenVPN connection
  4. Create a Gateway group with the VPN connection as Tier 1 and WAN as Never
  5. Create a firewall rule that should route the traffic via the GW-Group
  6. Check your public IP address. It's the WAN IP instead of the VPN-IP

Expected behavior

Data is routed via the GW-Group via the VPN.

Environment

OPNsense 24.1.8-amd64 FreeBSD 13.2-RELEASE-p11 OpenSSL 3.0.13

RichardEb, Jun 18 '24 06:06