4 SSID just 2 VPN

Hello, I know it will be a bit complicated and my English is not the best, but I will try to describe what I want to achieve. My plan is to have 4 SSIDs, 2 at 2.4 GHz and 2 at 5 GHz.

  • HomeFi
  • HomeFiVPN
  • HomeFi5
  • HomeFi5VPN

So the goal is that when they connect to the HomeFi and HomeFi5 SSIDs, there should be no VPN, just the traditional network. However, on the HomeFiVPN and HomeFi5VPN networks, whatever device I connect with should connect to the VPN network.

I am very much a beginner, please keep this in mind. What I have done so far:

  • I have the 4 SSIDs
  • I installed OpenVPN and the connection is set up.
  • My VPN provider is ProtonVPN

I know this is not much, but I have been trying for more than a week, tried many things and I simply can’t do it, is it even possible to do this?

Thank you for any help.

Model Xiaomi Redmi Router AX6000 (stock layout)
Architecture ARMv8 Processor rev 4
Firmware Version
OpenWrt SNAPSHOT r24198-1998027d7c / LuCI Master git-23.292.78363-ee6a4da
Kernel Version 5.15.135


Thanks for the suggestion.
I have installed this before but could not use it.
As I said before, I recently started using OpenWrt and I am a very beginner, an amateur.
If you could provide a step-by-step description, that would be great.

You would not need PBR, as long as every device in a given local zone should be forwarded to a given WAN zone.

To do that, create an additional VPNLAN zone and VPNLAN interface for this VPN use case. My guess is you already have an OpenVPN interface and an OpenVPN WAN zone in place.
E.g. use the existing LAN interface and LAN zone as a template and then add forwards to the zones such that:

  • HomeFi(5)-Wifis ----(linked to)-----> LAN-interface (which is in LAN zone) -----(which has zone forward link to)---->WAN-zone
  • HomeFi(5)VPN-Wifis ----(linked to)-----> new VPNLAN interface (which gets put in a new VPNLAN zone) ----(which has zone forward link to)---> OpenVPN-WAN-zone

The outcome is kind of like 2 logically separated router instances on the same physical hardware.

(remember, to have duplicates of the needed firewall rules as well, where needed)

PSA: the pbr README now has a section for Instructional Videos.


I followed your description (I think correctly),
but I found that if I turn on the VPN
on the 192.168.10.1 (VPNLAN) interface,
it also becomes active on the traditional 192.168.1.1 interface,
so it isn't the same as having two different networks on one device.

What could I have messed up?

Thanks.

Did you disable gateway redirection?

https://docs.openwrt.melmac.net/pbr/#OpenVPNtunnelconfiguredwith.ovpnfile


Maybe you have unwanted redundant config mappings.

It might be easier to check this in the config files, to get a better overview.

  • ensure non-overlapping subnets
  • check that each interface is assigned to a single zone
  • check that the port-to-VLAN mappings don't overlap with other interfaces
  • check the VLAN-to-interface mappings
  • check that there are no unwanted forwards or firewall rules between zones

I used the option you suggested, trying several methods,
but both "lan" and "VPNLAN" have VPN.

# ==============================================================================
# Copyright (c) 2023 Proton AG (Switzerland)
# Email: contact@protonvpn.com
#
# The MIT License (MIT)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
# ==============================================================================

# If you are a paying user you can also enable the ProtonVPN ad blocker (NetShield) or Moderate NAT:
# Use: "dCDexj3jhrkj3rfgGDyc+f1" as username to enable anti-malware filtering
# Use: "dCDexj3jhrkj3rfgGDyc+f2" as username to additionally enable ad-blocking filtering
# Use: "dCDexj3jhrkj3rfgGDyc+nr" as username to enable Moderate NAT
# Note that you can combine the "+nr" suffix with other suffixes.

client
dev tun
proto udp

remote 146.70.185.820 80
remote 37.221.172.200 5060
remote 146.70.252.28 5060
...
remote 37.19.100.16 5060
server-poll-timeout 20

remote-random
resolv-retry infinite
nobind

cipher AES-256-GCM

setenv CLIENT_CERT 0
tun-mtu 1500
mssfix 0
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
auth-user-pass /etc/openvpn/proton.auth
pull-filter ignore "redirect-gateway"
fast-io

script-security 2
up /etc/openvpn/client.sh
down /etc/openvpn/client.sh

<ca>
-----BEGIN CERTIFICATE-----
MIIFnTCCA4WgAwIBAgIUCI574SM3Lyh47GyNl0WAOYrqb5QwDQYJKoZIhvcNAQEL
BQAwXjELMAkGA1UEBhMCQ0gxHzAdBgNVBAoMFlByb3RvbiBUZWNobm9sb2dpZXMg
QUcxEjAQBgNVBAsMCVByb3RvblZQTjEaMBgGA1UEAwwRUHJvdG9uVlBOIFJvb3Qg
Q0EwHhcNMTkxMDE3MDgwNjQxWhcNMzkxMDEyMDgwNjQxWjBeMQswCQYDVQQGEwJD
SDEfMB0GA1UECgwWUHJvdG9uIFRlY2hub2xvZ2llcyBBRzESMBAGA1UECwwJUHJv
dG9uVlBOMRowGAYDVQQDDBFQcm90b25WUE4gUm9vdCBDQTCCAiIwDQYJKoZIhvcN
QxnPPRgyTi0zVOAj1ImsRilauY8Ddm5dQtd8qcApoz6oCx5cFiiSQG2uyhS/59Zl
z8eSPr50u+l9vEKsKiNGkJTdlWjoDKZM2C15i/h8Smi+PdJlx7WMTtYoVC1Fzq0r
aCPDQl18kspu11b6d8ECPWghKcDIIKuA0r0nGqF1GvH1AmbC/xUaNrKgz9AfioZL
MP/l22tVG3KKM1ku0eYHX7NzNHgkM2JKnBBannImQQBGTAcvvUlnfF3AHx4vzx7H
ahpBz8ebThx2uv+vzu8lCVEcKjQObGwLbAONJN2enug8hwSSZQv7tz7onDQWlYh0
El5fnkrEQGbukNnSyOqTwfobvBllIPzBqdO38eZFA0YTlH9plYjIjPjGl931lFAA
IRC8u5O672r7cHS+Dtx87LjxypqNhmbf1TWyLJSoh0qYhMr+BbO7+N6zKRIZPI5b
MXc8Be2pQwbSA4ZrDvSjFC9yDXmSuZTyVo6Bqi/KCUZeaXKof68oNxVYeGowNeQd
g/znAgMBAAGjUzBRMB0GA1UdDgQWBBR44WtTuEKCaPPUltYEHZoyhJo+4TAfBgNV
HSMEGDAWgBR44WtTuEKCaPPUltYEHZoyhJo+4TAPBgNVHRMBAf8EBTADAQH/MA0G
CSqGSIb3DQEBCwUAA4ICAQBBmzCQlHxOJ6izys3TVpaze+rUkA9GejgsB2DZXIcm
4Lj/SNzQsPlZRu4S0IZV253dbE1DoWlHanw5lnXwx8iU82X7jdm/5uZOwj2NqSqT
bTn0WLAC6khEKKe5bPTf18UOcwN82Le3AnkwcNAaBO5/TzFQVgnVedXr2g6rmpp9
gdedeEl9acB7xqfYfkrmijqYMm+xeG2rXaanch3HjweMDuZdT/Ub5G6oir0Kowft
lA1ytjXRg+X+yWymTpF/zGLYfSodWWjMKhpzZtRJZ+9B0pWXUyY7SuCj5T5SMIAu
VTWz/QQTU8oJewGFipw94Bi61zuaPvF1qZCHgYhVojRy6KcqncX2Hx9hjfVxspBZ
DrVH6uofCmd99GmVu+qizybWQTrPaubfc/a2jJIbXc2bRQjYj/qmjE3hTlmO3k7V
EP6i8CLhEl+dX75aZw9StkqjdpIApYwX6XNDqVuGzfeTXXclk4N4aDPwPFM/Yo/e
KnvlNlKbljWdMYkfx8r37aOHpchH34cv0Jb5Im+1H07ywnshXNfUhRazOpubJRHn
bjDuBwWS1/Vwp5AJ+QHsPXhJdl3qHc1szJZVJb3VyAWvG/bWApKfFuZX18tiI4N0
EA==
-----END CERTIFICATE-----
</ca>

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
6acef03f62675b4b1bbd03e53b187727
423cea742242106cb2916a8a4c829756
3d22c7e5cef430b1103c6f66eb1fc5b3
e17beaac23b5f03b10b868d53d03521d
8ba115059da777a60cbfd7b2c9c57472
78a15b8f6e68a3ef7fd583ec9f398c8b
d4735dab40cbd1e3c62a822e97489186
c30a0b48c7c38ea32ceb056d3fa5a710
0c0b6080f56309192ab5aacd4b45f55d
a61fc77af39bd81a19218a79762c3386
2df55785075f37d8c71dc8a42097ee43
344739a0dd48d03025b0450cf1fb5e8c
16672ea16c012664f8a9f11255518deb
-----END OpenVPN Static key V1-----
</tls-crypt>

Your screenshots give some clues:

  • in the WAN zone, remove the interface OpenVPN from its covered networks; only have WAN and WAN6 there
  • in the OpenVPN zone, make sure that the interface OpenVPN is listed in its covered networks (and no other interfaces)
  • in the VPNLAN zone, under "allow forward to destination zones", make sure to have the zone OpenVPN (and no other zone)

Your zone forwards look rather untouched; you might want to read some zone and forward docs to get an understanding of what they are used for. It helps a lot if you understand what that is doing.

If it still does not work after these changes, rather post the content of the network and firewall config files instead of screenshots.

Thank you for all the help and sorry for being such an amateur, I am clueless.

login as: root
root@192.168.1.1's password:


BusyBox v1.36.1 (2023-10-09 21:45:35 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.0, r23497-6637af95aa
 -----------------------------------------------------
root@OpenWrt:~# vi /etc/config/firewall
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'VPNLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'br-VPNLAN'
        list network 'VPNLAN'

config zone
        option name 'OpenVPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'OpenVPN'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'emby'
        option family 'ipv4'
        option src 'wan'
        option src_dport '8096'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'emby'
        option src 'wan'
        option src_dport '8920'
        option family 'ipv4'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'VPNLAN'
        option dest 'wan'

config rule
        option name 'test'
        option src 'lan'
        option dest 'wan'
        option target 'ACCEPT'
        list src_mac 'D4:DA:21:0B:5B:3F'
        option src_port '1194'
        option dest_port '1194'
        option enabled '0'

root@OpenWrt:~# vi /etc/config/network
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdef:0789:857d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'br-VPNLAN'
        option type 'bridge'
        list ports 'lan1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'VPNLAN'
        option proto 'static'
        option device 'br-VPNLAN'
        option ipaddr '192.168.15.1'
        option netmask '255.255.255.0'
        option ip4table 'pbr_OpenVPN'
        option ip6table 'pbr_OpenVPN'

config device
        option name 'wan'
        option macaddr '24:cf:24:1d:6f:82'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username 'XYZ'
        option password 'XYZ'
        option ipv6 'auto'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'OpenVPN'
        option proto 'none'
        option device 'tun0'
        option auto '0'

config route
        option interface 'VPNLAN'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway '192.168.1.1'
        option table '100'


OK, trying my best for the next round:

1. Change 'wan' to 'OpenVPN' in:

config forwarding
        option src 'VPNLAN'
        option dest 'wan'

such that it becomes:

config forwarding
        option src 'VPNLAN'
        option dest 'OpenVPN'


2. In the VPNLAN zone, remove the "list device 'br-VPNLAN'" line (linking the zone to the interface via the already present "list network ..." is sufficient):

config zone
        option name 'VPNLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'br-VPNLAN'
        list network 'VPNLAN'

such that it becomes:

config zone
        option name 'VPNLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'VPNLAN'


3. Remove that route; the previously mentioned forwarding should be enough (192.168.1.1 would also not be what you want):

config route
        option interface 'VPNLAN'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway '192.168.1.1'
        option table '100'

4. Keep a copy, but for now just remove the two ip4table/ip6table lines with the pbr tables. If everything works out, you do not need policy based routing to statically forward a complete zone to another zone. And let's avoid for now any negative side effects this might have, so remove it for now:

config interface 'VPNLAN'
        option proto 'static'
        option device 'br-VPNLAN'
        option ipaddr '192.168.15.1'
        option netmask '255.255.255.0'
        option ip4table 'pbr_OpenVPN'
        option ip6table 'pbr_OpenVPN'

I made the suggested changes and then restarted the router.
I noticed two things:

  • If the VPN is turned on, none of the SSIDs provide internet.
  • If the VPN is switched off, the traditional SSID provides internet,
    but there is no internet under the HomeFiVPN SSIDs either.

However, I think we are on the right track;
there is probably always a VPN connection on the VPN SSID,
it just doesn't allow data traffic for some reason.

EDIT:
There was a mistake.
After I added "tun0" under
Network > Firewall > Zones > wan > Advanced settings > Covered devices,
there was internet even with the VPN connection.

Unfortunately, however, with both the traditional and the VPN SSID
the VPN network was active.

My guess would be that your WAN zone currently has both the OpenVPN interface and the WAN interface in it (if so, remove the OpenVPN interface from the WAN zone).

Rather use cat network and cat firewall to display them, then repost both (the previous posts seem incomplete).


cat firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list device 'tun0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'VPNLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'VPNLAN'

config zone
        option name 'OpenVPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'OpenVPN'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'emby'
        option family 'ipv4'
        option src 'wan'
        option src_dport '8096'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'emby'
        option src 'wan'
        option src_dport '8920'
        option family 'ipv4'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'VPNLAN'
        option dest 'OpenVPN'

config rule
        option name 'test'
        option src 'lan'
        option dest 'wan'
        option target 'ACCEPT'
        list src_mac 'D4:DA:21:0B:5B:3F'
        option src_port '1194'
        option dest_port '1194'
        option enabled '0'

root@OpenWrt:~#

cat network

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdef:0789:857d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'br-VPNLAN'
        option type 'bridge'
        list ports 'lan1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'VPNLAN'
        option proto 'static'
        option device 'br-VPNLAN'
        option ipaddr '192.168.15.1'
        option netmask '255.255.255.0'

config device
        option name 'wan'
        option macaddr '24:cf:24:1d:6f:82'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username 'XYZ'
        option password 'XYZ'
        option ipv6 'auto'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'OpenVPN'
        option proto 'none'
        option device 'tun0'
        option auto '0'
root@OpenWrt:~#

firewall: the "list device 'tun0'" line needs to be removed:

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list device 'tun0'


firewall: to add (the masq and mtu_fix lines):

config zone
        option name 'OpenVPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'OpenVPN'
        option masq '1'
        option mtu_fix '1'


I never used OpenVPN on OpenWrt. My guess was you used this as reference:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci
Not sure if I missed something in that doc.

If the VPN chain does not work, you could try this variant (at least it is shown in that doc):
firewall:

config zone
        option name 'VPNLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun0'

instead of:

config zone
        option name 'VPNLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'VPNLAN'
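Added example, not part of this thread and not code from OpenWrt, pbr or ProtonVPN: a small POSIX sh + awk audit that encodes the checks the replies above converge on (the zone layout described in the first answer, the "did you disable gateway redirection?" question, the covered-networks checklist, and the final "remove tun0 from wan, add masq to OpenVPN" edits). It flattens /etc/config/firewall the way uci show would, reports leaks and breakage, and grep-checks the .ovpn for a pull-filter that ignores a pushed redirect-gateway. The zone and interface names are the poster's; the function names and the two sample configs are constructed for illustration, so it runs offline with no router. One caveat it cannot check: zone forwarding only decides whether a packet may pass between two zones, while the interface a packet is sent to is a routing decision. With the default route on pppoe-wan and a client that ignores redirect-gateway, VPNLAN traffic still has to be steered into tun0 by a policy route (the pbr package linked above, or a dedicated routing table like the earlier ip4table attempt), otherwise the firewall rejects it on its way to wan and the VPN SSIDs have no internet; if the client instead accepts the push, the default route moves into the tunnel for every zone, which is the "both SSIDs have VPN" symptom.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenWrt or ProtonVPN: offline audit
# of the fw4 zone layout behind a "VPN-only" SSID. Flattens /etc/config/firewall
# with awk (BusyBox awk on the router is enough) and reports the mistakes the
# thread ran into. Names default to the poster's: VPNLAN, OpenVPN, wan, tun0.

# Flatten a UCI file (or stdin) to "<type> <section> <key> <value>" lines;
# anonymous sections get uci's own @<type>[<n>] names.
uci_flatten() {
    awk -v q="'" '
        /^config[ \t]/ {
            type = $2; name = $3; gsub(q, "", name); gsub(/"/, "", name)
            if (name == "") { name = "@" type "[" cnt[type] "]"; cnt[type]++ }
            next
        }
        /^[ \t]*(option|list)[ \t]/ {
            val = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val)
            gsub(q, "", val); gsub(/"/, "", val)
            print type, name, $2, val
        }' ${1:+"$1"}
}

# audit_firewall [FILE] [VPNLAN_ZONE] [VPN_ZONE] [WAN_ZONE] [TUN_NETWORK] [TUN_DEVICE]
# Prints one finding per line; exit status = number of findings (0 = clean).
# covers(z, x): zone z (by name) lists network or device x.
# forwards(s, d): an explicit "config forwarding" from zone s to zone d exists.
audit_firewall() {
    uci_flatten ${1:+"$1"} | awk -v vlan="${2:-VPNLAN}" -v vzone="${3:-OpenVPN}" \
        -v wzone="${4:-wan}" -v tnet="${5:-OpenVPN}" -v tdev="${6:-tun0}" '
        $1 == "defaults" && $3 == "forward"                 { def_fwd = $4 }
        $1 == "zone" && $3 == "name"                        { id[$4] = $2 }
        $1 == "zone" && ($3 == "network" || $3 == "device") { cover[$2] = cover[$2] " " $4 " " }
        $1 == "zone" && $3 == "masq"                        { masq[$2] = $4 }
        $1 == "forwarding" && $3 == "src"                   { fsrc[$2] = $4 }
        $1 == "forwarding" && $3 == "dest"                  { fdst[$2] = $4 }
        function covers(z, x) { return (z in id) && index(cover[id[z]], " " x " ") > 0 }
        function forwards(s, d,  f) { for (f in fsrc) if (fsrc[f] == s && fdst[f] == d) return 1; return 0 }
        END {
            n = 0
            if (def_fwd == "ACCEPT")
                { print "LEAK: defaults forward=ACCEPT, every zone may forward into every other zone"; n++ }
            if (covers(wzone, tnet) || covers(wzone, tdev))
                { print "LEAK: zone " wzone " covers the tunnel, so lan->" wzone " forwarding also pushes plain-LAN traffic into the VPN"; n++ }
            if (!(covers(vzone, tnet) || covers(vzone, tdev)))
                { print "BROKEN: zone " vzone " covers neither " tnet " nor " tdev; n++ }
            if (forwards(vlan, wzone))
                { print "LEAK: forwarding " vlan "->" wzone " lets VPN-SSID clients bypass the tunnel"; n++ }
            if (!forwards(vlan, vzone))
                { print "BROKEN: no forwarding " vlan "->" vzone ", VPN-SSID clients have no way out"; n++ }
            if (masq[id[vzone]] != "1")
                { print "BROKEN: zone " vzone " has no masq, replies to the " vlan " subnet cannot return through the tunnel"; n++ }
            exit n
        }'
}

# True if the .ovpn (file or stdin) ignores a server-pushed redirect-gateway.
# Without that the push replaces the default route for every zone, which is
# the "both SSIDs end up in the VPN" symptom from the thread.
ovpn_keeps_default_route() {
    grep -Eq '^[[:space:]]*(pull-filter[[:space:]]+ignore[[:space:]]+"?redirect-gateway|route-nopull)' ${1:+"$1"}
}

# Constructed samples: "before" is the poster's intermediate layout (tun0 in the
# wan zone, VPNLAN forwarded to wan, no masq), "after" is the thread's final one.
sample_firewall() {
    cat <<EOF
config defaults
        option forward 'REJECT'
config zone
        option name 'lan'
        list network 'lan'
config zone
        option name 'wan'
        option masq '1'
        list network 'wan'
$([ "$1" = before ] && echo "        list device 'tun0'")
config zone
        option name 'VPNLAN'
        list network 'VPNLAN'
config zone
        option name 'OpenVPN'
        list network 'OpenVPN'
$([ "$1" = after ] && echo "        option masq '1'")
config forwarding
        option src 'lan'
        option dest 'wan'
config forwarding
        option src 'VPNLAN'
        option dest '$([ "$1" = before ] && echo wan || echo OpenVPN)'
EOF
}
sample_ovpn() {  # "ignore" keeps the pull-filter line, "accept" drops it
    printf '%s\n' client 'dev tun' 'proto udp' 'remote-cert-tls server'
    [ "$1" = ignore ] && printf '%s\n' 'pull-filter ignore "redirect-gateway"'
    return 0
}

# Stand-alone run: report on both constructed layouts and on the client config.
for layout in before after; do
    echo "== firewall ($layout) =="
    sample_firewall "$layout" | audit_firewall || echo "-> $? finding(s)"
done
sample_ovpn accept | ovpn_keeps_default_route || echo "ovpn: a pushed redirect-gateway would be accepted"
```

On the router the same functions run against the real files: audit_firewall /etc/config/firewall and ovpn_keeps_default_route /etc/openvpn/proton.ovpn (path assumed). The "before" sample yields four findings (tun0 in wan, VPNLAN->wan, no VPNLAN->OpenVPN, no masq), the "after" sample none; a clean audit plus a working policy route is what the HomeFiVPN SSIDs need.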