While running 25.1, I had a 'legacy' OpenVPN server setup. When I set this up, the firewall automagically had the 'OpenVPN' rule set, which worked well for creating rules to grant access from VPN Users to stuff on the LAN.
I disabled the 'legacy' server, then set up a new server in the 'Instances' part of OpenVPN setup. I was able to connect to it just fine, but was not able to access anything. The firewall 'Live view' log didn't show any evidence of the packets I was sending over the OpenVPN tunnel. It's almost as if they didn't exist, or were on some unassigned interface.
So - I completely deleted the 'legacy' OpenVPN server, but had the same issue.
I then upgraded to 25.7. No change, I still have this issue. I noticed that the OpenVPN server interface was ovpns2 (probably because it existed at the same time the legacy server did), so I deleted the OpenVPN server instance, and then re-created it. It is now using ovpns1, but the firewall OpenVPN rule set still isn't 'in effect' on packets sent over the VPN tunnel.
What must I do to make this work? Do I need to assign the ovpns1 to an 'interface' under System? If so, why does the firewall automatically have the OpenVPN rule set? Does the firewall need some 'trigger' to re-scan the interfaces and associate ovpns1 with the OpenVPN rule set?
I figured this out.
Upon examining the log on my VPN client, I noticed that VPN keepalives were failing, and the client was reconnecting over and over (with some time in between each attempt). So - turns out I was using a connection profile from my previous OpenVPN configuration, and not the 'new' one I had just set up. Something about the configuration was slightly different, requiring me to import a new connection profile using the Client Export function in OPNsense. Once I did that, packets show up in the firewall log and the OpenVPN rule set is working.