OpenVPN client (instances): VIP as source address - how to S-NAT OpenVPN client

Started by viragomann, May 13, 2025, 12:32:15 PM

I'm running a 25.4 installation in the cloud. The VM has a dedicated public WAN interface IPv4, but I want to use an "elastic IP" (x.y.z.125) for the outbound traffic.
So the outbound NAT is in hybrid mode and I've created rules for all internal networks and the loopback subnet to translate the source address to x.y.z.125.

This works well for all outbound traffic, even IPsec on OPNsense itself, but the rule is completely ignored by OpenVPN client instances (legacy and new).

In the legacy client settings there is an option to state a certain interface IP though, which would work, but in new instances this option is sadly missing.

As I want to migrate a client to the new instance type, I'm wondering if there is any way to use a certain VIP as source address instead of the primary interface address.
The outbound NAT rule doesn't work. I also tried to add a rule for 127.0.0.0/8, to no avail. Even if I switch the outbound NAT into manual mode and there is no rule with the primary interface IP as NAT address, OpenVPN uses it.

I even did some testing on this and I came up with the idea to use the WAN interface address as source in outbound NAT rule. With this the rule is applied as expected then. So obviously the OpenVPN client instance basically uses the (WAN) interface address as source.

That doesn't seem clear to me, however, and should be mentioned in the docs, but I found nothing there. I'd expected that services running on OPNsense itself would use the loopback address, and I already had an outbound NAT rule for it in place.
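The two outbound NAT variants the post compares, written out in pf.conf syntax as an added illustration (these are not rules from the post or from OPNsense's generated config). It assumes a hypothetical WAN interface `vtnet0` with primary address `x.y.z.17`, the elastic IP `x.y.z.125` from the post, and OpenVPN's default port 1194. OPNsense turns outbound NAT entries into `nat on` rules of this shape; the loopback rule never fires for the OpenVPN client because the kernel gives locally originated packets the outgoing interface's address as source, not a loopback address, so only a rule matching the WAN address (or the primary address itself) can rewrite it.

```pf
# Added example in pf.conf style; interface name, WAN address and port are assumptions.
wan_if  = "vtnet0"
wan_ip  = "x.y.z.17"     # primary WAN interface address (assumed)
elastic = "x.y.z.125"    # elastic IP / VIP that should appear on the wire

# Does NOT catch the OpenVPN client instance: traffic originated by the
# firewall itself is sourced from the outgoing interface's address, so
# nothing leaving via $wan_if ever carries a 127.0.0.0/8 source.
nat on $wan_if inet from 127.0.0.0/8 to any -> $elastic

# Does catch it: the client leaves with the primary WAN address as source,
# so match that address explicitly. This also covers IPsec and any other
# daemon on the box that talks out of $wan_if.
nat on $wan_if inet from $wan_ip to any -> $elastic

# Narrower alternative if only the OpenVPN client should be translated:
# match the server's port instead of everything from the WAN address.
nat on $wan_if inet proto udp from $wan_ip to any port 1194 -> $elastic
```

In the GUI this corresponds to an outbound NAT rule whose source is the WAN interface address, which is the rule the post found to be honoured. To confirm which rules are actually loaded, run `pfctl -sn` on the firewall; to confirm the address on the wire, run `tcpdump -ni vtnet0 udp port 1194` while the client reconnects and check that packets leave with x.y.z.125 as source. The port-specific rule only applies if the server really listens on UDP 1194; adjust it to the instance's configured protocol and port.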