ExpressVPN, Firewall routing configuration

Installing and Using OpenWrt Network and Wireless Configuration
1

I need some assist in routing the firewall from the 'wan' which acts as an Access-Point via the 'VPN' to the 'lan', which connects to the Ethernet port endpoints (currently one, but plan to add more in future).

The routing of ExpressVPN via OpenVPN has been configured correctly (verified via traceroute), so, the 'wan' to 'VPN' works. Now, need to bridge the 'VPN' to 'lan' part.

Tried some forward routing rules but, they do not work, for the endpoint access on the browser or ping.

The current configuration as it stands from the network and firewall files.

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc7:38b8:8234::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ip6assign '60'
	option netmask '255.0.0.0'
	option ipaddr '10.1.1.1'

config device 'lan_eth0_dev'
	option name 'eth0'
	option macaddr '88:d7:f6:a8:0f:e8'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config device 'wan_eth1_dev'
	option name 'eth1'
	option macaddr '88:d7:f6:a8:0f:ec'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config interface 'wwan'
	option proto 'dhcp'

config interface 'VPN'
	option proto 'none'
	option ifname 'tun0'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'VPN'
	option mtu_fix '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option output 'ACCEPT'
	option network 'VPN'

config forwarding
	option dest 'VPN'
	option src 'wan'

zones
zones1137×262 28.5 KB

interfaces_masked
interfaces_masked1147×707 103 KB

Credits to Unable to run OpenVPN on a TP-LINK Archer C7 v2 Router for help.

2

@mozhaaak Helpful suggestion, but it doen't seem to work.

3

This should be LAN to VPN:

uci set firewall.@forwarding[-1].src="lan"
uci commit firewall
/etc/init.d/firewall restart