So I have several openvpn interfaces on the firewall in question, let's say
ovpnc1 10.172.192.3/24 (the address being pushed by the server)
ovpns2 172.28.1.1/30 (being chosen by me)
So now I have the necessity to do SNAT on ovpnc1, because there is not necessarily a return route on the other side, but the only interface I can choose is "openvpn" and the only mode it goes to is:
nat on openvpn inet from any to <SOME NETWORK> -> (openvpn:0) port 1024:65535 round-robin
That means it chooses the 172.28.1.1 address in 50% of cases, so it works half of the time. I can statically SNAT this, but there is no guarantee the address I'm being pushed is static.
Surely there's some way to do this I haven't found?
For nat and routing purposes you need to assign an interface to the respective OpenVPN instance.
To do so, go to Interfaces: Assignments. At "Assign a new interface" select ovpnc1 and state a description like remoteX.
Open the interface settings and enable it.
Then you can specify the interface in an SNAT rule and it gives you a specific alias for the interface address for the translation.
Thanks, that worked.
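An added example, not part of the posts above: a small Python check that reads pf NAT rules and flags any whose translation address is taken from an interface group holding more than one address, which is the round-robin behaviour described in the question. The table name `<remote_net>`, the group-to-address map and the per-interface rule form shown for the assigned interface are assumptions constructed for illustration.

```python
import re

# "nat on <iface> ... -> (<target>[:modifier]) ..." : a dynamic translation
# address taken from whatever <target> (an interface or interface group) holds.
NAT_RE = re.compile(r"^nat on (?P<iface>\S+) .*-> \((?P<target>[^):]+)(?::\w+)?\)")

# Constructed sample: the rule from the question, and the assumed form of the
# rule once ovpnc1 has been assigned as its own interface.
SAMPLE_RULES = """\
nat on openvpn inet from any to <remote_net> -> (openvpn:0) port 1024:65535 round-robin
nat on ovpnc1 inet from any to <remote_net> -> (ovpnc1:0) port 1024:65535
"""

# Constructed map of interface groups to member interfaces and their addresses,
# using the addresses given in the question.
GROUPS = {"openvpn": {"ovpnc1": "10.172.192.3", "ovpns2": "172.28.1.1"}}


def ambiguous_snat(rules_text, groups):
    """Return (rule, candidate_source_addresses) for every nat rule whose
    translation target is a group with more than one address, so the
    source address of a translated connection is not deterministic."""
    findings = []
    for line in rules_text.splitlines():
        rule = line.strip()
        match = NAT_RE.match(rule)
        if not match:
            continue
        members = groups.get(match.group("target"))
        if members and len(members) > 1:
            findings.append((rule, sorted(members.values())))
    return findings


if __name__ == "__main__":
    for rule, addresses in ambiguous_snat(SAMPLE_RULES, GROUPS):
        print("ambiguous SNAT source:", ", ".join(addresses))
        print("  rule:", rule)
```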