Firewall bug OR (more likely) what haven't I ticked

I have installed OpenVPN which is working if I only want to talk to the router. To talk to the LAN devices I need to set up zone forwarding, so I added the following to /etc/config/firewall

config forwarding
        option dest 'lan'
        option src 'vpnserver'

config forwarding
        option dest 'vpnserver'
        option src 'lan'

I thought that this should allow the vpnserver to forward to the lan and the opposite. It didn't work, and looking at the iptables rules, although it has added some new chains for forwarding, they are never referenced. So the forwarding from the vpnserver zone to the lan zone is not happening.

Is there something else I need to do to enable this, or am I missing the points of zones?

Cheers Mat.

How is your vpnserver zone defined?

The zones in question are below:

config zone
        option name 'vpnserver'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpnserver'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

How is the vpnserver network (config interface vpnserver in /etc/config/network) defined?

For the networks I'm trying to forward across:

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ipv6 '0'

config interface 'vpnserver'
        option proto 'none'
        option ifname 'ovpns0'
        option auto '1'

Do you see any references to ovpns0 in iptables-save | grep ovpns0 ? What is reported by ifstatus vpnserver ?

ifstatus vpnserver, fails:

Interface vpnserver not found

iptables-save | grep ovpns0, fails, there are no results.

Maybe try an ifup -a to apply your network config and check for syntax errors with uci show network >/dev/null

Some files for investigations:

iptables-save

# Generated by iptables-save v1.4.21 on Thu Apr 26 15:03:47 2018
*nat
:PREROUTING ACCEPT [748:236397]
:INPUT ACCEPT [569:223246]
:OUTPUT ACCEPT [155:11237]
:POSTROUTING ACCEPT [6:578]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpnserver_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpnserver_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpnserver_postrouting - [0:0]
:zone_vpnserver_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -p tcp -m mac --mac-source 78:E4:00:B6:9D:DF -m recent --rcheck --hitcount 1 --name lexie_counter --mask 255.255.255.255 --rsource -m tcp --dport 80 -j DNAT --to-destination 192.168.1.50
-A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A MINIUPNPD -p tcp -m tcp --dport 27587 -j DNAT --to-destination 192.168.1.50:32400
-A MINIUPNPD-POSTROUTING -s 192.168.1.50/32 -p tcp -m tcp --sport 32400 -j MASQUERADE --to-ports 27587
-A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.50/32 -p tcp -m tcp --dport 7890 -m comment --comment "!fw3: Soccer-Red (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.188.75/32 -p tcp -m tcp --dport 1022 -m comment --comment "!fw3: SSH (reflection)" -j DNAT --to-destination 192.168.1.1:22
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.188.75/32 -p tcp -m tcp --dport 7890 -m comment --comment "!fw3: Soccer-Red (reflection)" -j DNAT --to-destination 192.168.1.50:7890
-A zone_vpnserver_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpnserver_rule
-A zone_vpnserver_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpnserver_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 1022 -m comment --comment "!fw3: SSH" -j DNAT --to-destination 192.168.1.1:22
-A zone_wan_prerouting -p tcp -m tcp --dport 7890 -m comment --comment "!fw3: Soccer-Red" -j DNAT --to-destination 192.168.1.50:7890
COMMIT
# Completed on Thu Apr 26 15:03:47 2018
# Generated by iptables-save v1.4.21 on Thu Apr 26 15:03:47 2018
*mangle
:PREROUTING ACCEPT [14069:5784402]
:INPUT ACCEPT [3626:1345264]
:FORWARD ACCEPT [10420:4436608]
:OUTPUT ACCEPT [2625:734828]
:POSTROUTING ACCEPT [13037:5171020]
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Apr 26 15:03:47 2018
# Generated by iptables-save v1.4.21 on Thu Apr 26 15:03:47 2018
*filter
:INPUT ACCEPT [1:52]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpnserver_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpnserver_rule - [0:0]
:input_wan_rule - [0:0]
:lexie - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpnserver_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpnserver_dest_ACCEPT - [0:0]
:zone_vpnserver_forward - [0:0]
:zone_vpnserver_input - [0:0]
:zone_vpnserver_output - [0:0]
:zone_vpnserver_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m mac --mac-source 78:E4:00:B6:9D:DF -j lexie
-A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A MINIUPNPD -d 192.168.1.50/32 -p tcp -m tcp --dport 32400 -j ACCEPT
-A lexie -m limit --limit 1/min --limit-burst 1 -m recent --set --name lexie_counter --mask 255.255.255.255 --rsource
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> vpnserver" -j zone_vpnserver_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpnserver_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpnserver_rule
-A zone_vpnserver_forward -m comment --comment "!fw3: forwarding vpnserver -> lan" -j zone_lan_dest_ACCEPT
-A zone_vpnserver_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpnserver_forward -m comment --comment "!fw3" -j zone_vpnserver_dest_ACCEPT
-A zone_vpnserver_input -m comment --comment "!fw3: user chain for input" -j input_vpnserver_rule
-A zone_vpnserver_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpnserver_input -m comment --comment "!fw3" -j zone_vpnserver_src_ACCEPT
-A zone_vpnserver_output -m comment --comment "!fw3: user chain for output" -j output_vpnserver_rule
-A zone_vpnserver_output -m comment --comment "!fw3" -j zone_vpnserver_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
-A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_DROP -i eth1 -m comment --comment "!fw3" -j DROP
COMMIT
# Completed on Thu Apr 26 15:03:47 2018

/etc/config/firewall


config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '1022'
	option dest_ip '192.168.1.1'
	option dest_port '22'
	option name 'SSH'

config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'tcpudp'
	option dest_port '1194'

config zone
	option name 'vpnserver'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'vpnserver'
	option forward 'ACCEPT'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '7890'
	option dest_port '7890'
	option name 'Soccer-Red'
	option dest_ip '192.168.1.50'

config forwarding
	option dest 'lan'
	option src 'vpnserver'

config forwarding
	option dest 'vpnserver'
	option src 'lan'

/etc/config/network


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'auto'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

ifconfig

br-lan    Link encap:Ethernet  HWaddr 5A:EF:68:A5:FB:BA  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::58ef:68ff:fea5:fbba/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8522 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8064 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4957073 (4.7 MiB)  TX bytes:1993587 (1.9 MiB)

eth0      Link encap:Ethernet  HWaddr 5A:EF:68:A5:FB:BA  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11253 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12661 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532 
          RX bytes:5285859 (5.0 MiB)  TX bytes:2853266 (2.7 MiB)
          Interrupt:35 

eth1      Link encap:Ethernet  HWaddr 58:EF:68:A5:FB:BA  
          inet addr:192.168.188.75  Bcast:192.168.188.255  Mask:255.255.255.0
          inet6 addr: fe80::5aef:68ff:fea5:fbba/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8301 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7325 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532 
          RX bytes:2270377 (2.1 MiB)  TX bytes:4679826 (4.4 MiB)
          Interrupt:37 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:2883 (2.8 KiB)  TX bytes:2883 (2.8 KiB)

ovpns0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.200.1  P-t-P:192.168.200.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:832 errors:0 dropped:0 overruns:0 frame:0
          TX packets:518 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:62181 (60.7 KiB)  TX bytes:87482 (85.4 KiB)

wlan0     Link encap:Ethernet  HWaddr 5A:EF:68:A5:FB:BC  
          inet6 addr: fe80::58ef:68ff:fea5:fbbc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2083 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:713119 (696.4 KiB)

wlan1     Link encap:Ethernet  HWaddr 5A:EF:68:A5:FB:BB  
          inet6 addr: fe80::58ef:68ff:fea5:fbbb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5765 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5953 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1234289 (1.1 MiB)  TX bytes:1502227 (1.4 MiB)

No errors from either ifup -a or uci show network. Although there is nothing in uci show network about the vpn interface?

uci show network

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='auto'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth1'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth1'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6'

Your /etc/config/network indeed contains no trace of the vpnserver interface. You can bypass /etc/config/network entirely though and change your firewall zone declaration from option network vpnserver to option device ovpns0 - this way it will bypass netifd and use the interface directly.
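
The mismatch diagnosed in this thread can be checked mechanically. The following is an added example, not code from any poster or from OpenWrt: it lists firewall zones whose network has no interface section in `uci show network`, and zone entry chains in an `iptables-save` dump that nothing jumps to (as with zone_vpnserver_forward above). The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is constructed from the
# configs and dumps posted above, trimmed to the relevant lines.

# Print "zone: network" for each firewall zone naming a network that has no
# interface section. $1 = `uci show firewall`, $2 = `uci show network`.
zones_without_interface() {
    { printf '%s\n' "$2"; echo '--'; printf '%s\n' "$1"; } | awk -v q="'" '
        function val(s) { sub(/^[^=]*=/, "", s); gsub(q, "", s); return s }
        function sec(s) { sub(/\.[a-z_]+=.*$/, "", s); return s }
        $0 == "--"           { fw = 1; next }
        !fw && /=interface$/ { split($0, p, /[.=]/); defined[p[2]] = 1; next }
        fw && /=zone$/       { s = $0; sub(/=zone$/, "", s); zone[s] = 1; next }
        fw && /\.name=/      { name[sec($0)] = val($0); next }
        fw && /\.network=/   { net[sec($0)] = val($0); next }
        END {
            for (s in zone) {
                n = split(net[s], want, " ")
                for (i = 1; i <= n; i++)
                    if (!(want[i] in defined)) print name[s] ": " want[i]
            }
        }' | sort
}

# Read an `iptables-save` dump on stdin and print "table chain" for each fw3
# zone entry chain that is declared but never the target of a jump.
unreferenced_zone_chains() {
    awk '
        /^\*/  { table = substr($0, 2); next }
        /^:zone_.*_(input|output|forward|prerouting|postrouting) / {
            decl[table " " substr($1, 2)] = 1; next }
        /^-A / { for (i = 3; i < NF; i++) if ($i == "-j") ref[table " " $(i + 1)] = 1 }
        END    { for (k in decl) if (!(k in ref)) print k }
    ' | sort
}

SAMPLE_FIREWALL="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnserver'
firewall.@zone[2].network='vpnserver'"
SAMPLE_NETWORK="network.loopback=interface
network.lan=interface
network.wan=interface
network.wan6=interface"
sample_rules() { cat <<'EOF'
*filter
:zone_lan_forward - [0:0]
:zone_vpnserver_forward - [0:0]
:zone_vpnserver_dest_ACCEPT - [0:0]
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> vpnserver" -j zone_vpnserver_dest_ACCEPT
-A zone_vpnserver_forward -m comment --comment "!fw3: forwarding vpnserver -> lan" -j zone_lan_dest_ACCEPT
COMMIT
EOF
}

# On a router: pass "$(uci show firewall)" "$(uci show network)", and pipe iptables-save.
zones_without_interface "$SAMPLE_FIREWALL" "$SAMPLE_NETWORK"
sample_rules | unreferenced_zone_chains
```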

I have this working now. In the end I purged from the config files anything to do with OpenVPN and started again. In my first run through I must have missed something or made a typo...

Anyway thanks for the help.