Clustered openVPN with DCO fails

[rac-HH]

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

I configured a new openVPN instance with DCO on a 24.7.9_1 single node test system. After all tests I configured the same vpn instance on our productive 24.10.1 cluster. Client can connect, but there is no data traffic and the client reconnect after ping-restart timeout.

Further tests:

• Switching to TUN on client/server works
• changeing the server IP in the client config to the WAN IP of the active node works (with DCO)
• changeing the server IP in the client config to the Cluster IP of the active node fails as described above (with DCO)

I see ACK network pakets in the opnSense firewall from the servers the client tries to connect, but it seems they don't leave the server through the vpn data tunnel.

To Reproduce

Steps to reproduce the behavior:

1. Setup opnSense cluster with two network ports each and CARP IP for WAN/LAN
2. Create opnVPN instance with DCO
3. Make client export
4. connect from a client

Expected behavior

• Access from client to LAN.
• Stable client connection without VPN restart after every ping-restart timeout.

Describe alternatives you considered

Workarounds (with loss of throughput or functional degration):

• Switching the client configuration to the WAN IP of the active node.
• Switching the server to non-DCO.

Environment

OPNsense 24.10.1 (amd64).