Nested VPN Tunnel / How to Strictly Lockdown the Firewall?

Hey masters and novices.

I need advice to add these firewall rules.
Please give instructions on how to add them with LUCI interface for ease of use because I will probably enable/disable or tweak the rules later on.


  1. PC (IP: can only connect to PC'S VPN SERVER (IP: UDP
  2. ROUTER (IP: can only connect to ROUTER'S VPN SERVER (IP: UDP
  3. ROUTER can also connect to ISP to get it's IP as usual. (default port 68 allow rule enough?)

EVERYTHING ELSE including NTP, ping, trace etc will be blocked.
Unless you think there's something absolutely required that I'm missing.

Bump. Please help!

Bumptyy :frowning: !!!

VPN typically depends on NTP which expects working DNS.
So, we do not restrict the router's own traffic, but only its clients.
You can create a separate firewall zone for the VPN interface.
Replace the LAN to WAN forwarding with LAN to VPN.
Also implement split-DNS to avoid DNS leak.

Do you mean it shouldn't work without NTP client? Because it has been working for me. I don't know if it can cause any harm to use it without ntp. But I can still enable it and open port 123 for NTP on WAN if that's necessary.

I already have a seperate firewall zone for VPN and already replaced LAN-WAN with LAN-VPN forwarding.
But I still need a way to configure the firewall for them.

Without NTP, the time sooner or later becomes out of sync leading to a deadlock.
This often happens at startup on embedded systems which have no RTC.

OpenWrt has an NTP server built in (but disabled by default). You could allow the PC to the local router NTP but not general NTP on the Internet.