172.17.1.27 is a Server on the IPsec-Side, not an OVPN-client.
Why did this appear as src on the ovpns1 Interface...

Sorry, this was indeed maybe a bit too precautious.
I just dislike showing IP patterns, sorry about that.

The ports are actually all over the place and quite interesting.
Some of the dst ports in those logs are dynamic ports from ongoing connections.
Hence my idea about it being about asymetrical routing and splitted sessions.

As a test, I created a floating any-rule and set the state type to "none".
After that, all those deny-entries changed to accept, but the issue still persists for the clients.

About your other questions:

All 172.19.X.X Clients are OVPN-Users connecting to the pfSense to access any other part of the network (Those other parts are the networks 172.17.X.X/172.18.X.X)
There is no server or anything else in the cloud for the user to access, just this pfSense.

Which services do the VPN clients access?

• Everything from HTTPS, SMB to RDP or DNS. UDP does currently work, TCP does not.

Is the access routed to the site?

• All internal traffic is routed to the site and from there to its destination.
• External Web-traffic is not handled by the OVPN.

Are the connections natted?

• There is no NAT used internally. But the IPsec is built on the Port forwarding of the Cloud-Hoster.

If there is anything else I should paste in here, please tell me.
Do you need a copy of "Diagnostics/Routes" for further understanding?

Thank you for your help!

Without any clue of your network, IPSec and OpenVPN setup and the routing table of pfSense it's hard to say, what's going wrong.

Which services do the VPN clients access?
Is the access routed to the site? Are the connections natted?

I think this might have something to do with asymetric routing, because a lot of posts with similar errors go in the same direction. But I am wondering how, as this setup shouldn't be able to loop in any way.