Yep, the zones are configured correctly.
I see this on the WAN interface:
root@LEDE:~# tcpdump -n -i eth0 port 1195
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:39:47.385896 IP 192.168.0.6.33398 > 169.50.128.202.1195: UDP, length 177
21:39:48.385995 IP 192.168.0.6.33398 > 169.50.128.202.1195: UDP, length 177
21:39:49.386074 IP 192.168.0.6.33398 > 169.50.128.202.1195: UDP, length 177
21:39:50.386167 IP 192.168.0.6.33398 > 169.50.128.202.1195: UDP, length 177
21:39:51.386310 IP 192.168.0.6.33398 > 169.50.128.202.1195: UDP, length 177
21:39:52.386367 IP 192.168.0.6.33398 > 169.50.128.202.1195: UDP, length 177
21:39:53.737018 IP 169.50.128.202.1195 > 192.168.0.6.33398: UDP, length 113
21:39:58.390217 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 86
21:39:58.690783 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 98
21:39:58.691565 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 94
21:39:58.692124 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 250
21:39:58.998419 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 1128
21:39:58.998589 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 1116
21:39:58.998592 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 346
21:39:58.999042 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 94
21:39:59.007241 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 94
21:39:59.303278 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 1128
21:39:59.303919 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 511
21:39:59.604711 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 94
21:39:59.608992 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 149
21:39:59.609825 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 581
21:39:59.916449 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 365
21:39:59.919780 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 94
21:40:00.387422 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 128
21:40:00.687775 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 94
21:40:00.687778 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 262
21:40:00.691599 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 94
21:40:01.387392 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:02.387413 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:03.387504 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:04.387586 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:05.387672 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:06.387777 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:07.387852 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:08.387991 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:09.388078 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:10.388177 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:10.689114 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 113
21:40:11.388276 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:12.388379 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:13.388479 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
But there is no response to the pings inside tun0; only the echo requests are seen:
21:23:04.937377 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id 37392, seq 819, length 64
21:23:05.938077 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id 37392, seq 820, length 64
21:23:06.938428 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id 37392, seq 821, length 64
21:23:07.939179 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id 37392, seq 822, length 64
full report
root@LEDE:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.81.1.241 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.0.254 0.0.0.0 UG 0 0 0 eth0
10.81.0.1 10.81.1.241 255.255.255.255 UGH 0 0 0 tun0
10.81.1.241 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.81.1.241 128.0.0.0 UG 0 0 0 tun0
169.50.128.202 192.168.0.254 255.255.255.255 UGH 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.38.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
.
root@LEDE:~# ifconfig
eth0 Link encap:Ethernet HWaddr B8:27:EB:29:03:0C
inet addr:192.168.0.6 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::ba27:ebff:fe29:30c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10372 errors:0 dropped:0 overruns:0 frame:0
TX packets:10814 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1222814 (1.1 MiB) TX bytes:3159396 (3.0 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:256 errors:0 dropped:0 overruns:0 frame:0
TX packets:256 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:49111 (47.9 KiB) TX bytes:49111 (47.9 KiB)
tun0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.81.1.242 P-t-P:10.81.1.241 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1804 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:151089 (147.5 KiB)
wlan0 Link encap:Ethernet HWaddr B8:27:EB:7C:56:59
inet addr:192.168.38.1 Bcast:192.168.38.255 Mask:255.255.255.0
inet6 addr: fe80::ba27:ebff:fe7c:5659/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:1352 (1.3 KiB)
.
root@LEDE:~# tcpdump -n -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
21:39:16.382038 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id
37392, seq 1790, length 64
21:39:17.382379 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id
37392, seq 1791, length 64
21:39:18.382715 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id
37392, seq 1792, length 64
.
root@LEDE:~# tcpdump -n -i eth0 port 1195
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:39:47.385896 IP 192.168.0.6.33398 > 169.50.128.202.1195: UDP, length 177
21:39:48.385995 IP 192.168.0.6.33398 > 169.50.128.202.1195: UDP, length 177
21:39:49.386074 IP 192.168.0.6.33398 > 169.50.128.202.1195: UDP, length 177
21:39:50.386167 IP 192.168.0.6.33398 > 169.50.128.202.1195: UDP, length 177
21:39:51.386310 IP 192.168.0.6.33398 > 169.50.128.202.1195: UDP, length 177
21:39:52.386367 IP 192.168.0.6.33398 > 169.50.128.202.1195: UDP, length 177
21:39:53.737018 IP 169.50.128.202.1195 > 192.168.0.6.33398: UDP, length 113
21:39:58.390217 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 86
21:39:58.690783 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 98
21:39:58.691565 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 94
21:39:58.692124 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 250
21:39:58.998419 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 1128
21:39:58.998589 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 1116
21:39:58.998592 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 346
21:39:58.999042 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 94
21:39:59.007241 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 94
21:39:59.303278 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 1128
21:39:59.303919 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 511
21:39:59.604711 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 94
21:39:59.608992 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 149
21:39:59.609825 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 581
21:39:59.916449 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 365
21:39:59.919780 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 94
21:40:00.387422 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 128
21:40:00.687775 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 94
21:40:00.687778 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 262
21:40:00.691599 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 94
21:40:01.387392 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:02.387413 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:03.387504 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:04.387586 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:05.387672 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:06.387777 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:07.387852 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:08.387991 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:09.388078 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:10.388177 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:10.689114 IP 169.50.128.202.1195 > 192.168.0.6.41596: UDP, length 113
21:40:11.388276 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:12.388379 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:13.388479 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:14.388561 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:15.388643 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
21:40:16.389079 IP 192.168.0.6.41596 > 169.50.128.202.1195: UDP, length 177
root@LEDE:~# openvpn --version
OpenVPN 2.4.4 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
[MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc.
root@LEDE:~# cat /var/etc/openvpn-expressvpn.conf
# Reviewer annotations: the `#` lines are not part of the file as posted.
# OpenVPN client profile for the "expressvpn" instance; the log further down
# this page shows it being loaded by OpenVPN 2.4.4.

# Do not keep the username/password cached in memory after authentication.
auth-nocache
# Client-mode shorthand; it implies `pull` and `tls-client`, both repeated below.
client
# UDP write-path optimisation (documented by OpenVPN as experimental).
fast-io
# Do not bind a fixed local port; the captures show the source port changing
# between sessions (33398, then 41596).
nobind
# SECURITY: turns off replay protection on the data channel. The log warns that
# this "may make OpenVPN less secure", marks the option as deprecated (removal
# in OpenVPN 2.5), and reports it as present locally but missing on the remote.
# NOTE(review): together with the 'mtu-dynamic' and 'link-mtu' (1598 vs 1606)
# warnings this suggests the local and remote data-channel framing differ, which
# would fit tun0 showing RX packets:0 - compare with the provider's current
# profile to confirm.
no-replay
# Keep key material and the tun device across restarts (e.g. ping-restart).
persist-key
persist-tun
# Accept options pushed by the server; the log shows redirect-gateway def1,
# DNS 10.81.0.1, routes and ifconfig arriving in PUSH_REPLY.
pull
tls-client
# HMAC digest; the log shows SHA512 used for both control- and data-channel
# authentication.
auth SHA512
# SECURITY: VPN credentials are read from a plaintext file on the router.
# Keep it readable by root only and out of backups or posted diagnostics.
auth-user-pass /etc/openvpn/userpass.txt
# CA used to verify the server chain (log: VERIFY OK depth=1 and depth=0).
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
# Data-channel cipher; the log confirms AES-256-CBC with a 256 bit key.
cipher AES-256-CBC
# Legacy LZO compression switch; it has to agree with the server side.
# SECURITY: compressing before encrypting can leak information about the
# plaintext through packet sizes; prefer running without compression where the
# provider allows it.
comp-lzo yes
dev tun
# No effect here: the log reports 'dh' is ignored in tls-client mode and belongs
# in server configurations only.
dh dh1024.pem
# SECURITY: client private key; same file-permission care as the credentials.
key /etc/openvpn/client.key
# Direction of the shared tls-auth key; must be the opposite of the server's.
key-direction 1
# Deprecated according to the log (to be removed in OpenVPN 2.6).
keysize 256
# Matches the UDP port 1195 traffic seen in the eth0 captures.
port 1195
proto udp
# Requested socket buffer sizes; the log shows the kernel granting 327680.
rcvbuf 524288
# The log shows the session using [AF_INET]169.50.128.202:1195 for this remote.
remote netherlands-amsterdam-2-ca-version-2.expressnetw.com
# Require a server-type certificate from the peer; the log shows the KU and EKU
# checks passing.
remote-cert-tls server
# SECURITY: 0 disables time-based renegotiation, so data-channel keys are not
# rotated on a timer for the lifetime of the session.
reneg-sec 0
sndbuf 524288
# Pre-shared HMAC key authenticating control-channel packets (see the
# "Control Channel Authentication" log lines).
tls-auth /etc/openvpn/tlsauth.key
# Matches "mtu 1500" in the ifconfig command the log shows for tun0.
tun-mtu 1500
# Log verbosity used for the log excerpt on this page.
verb 3
LOGS
Sun Jan 14 20:48:00 2018 daemon.warn openvpn(expressvpn)[3953]: WARNING:
Ignoring option 'dh' in tls-client mode, please only include this in your
server configuration
Sun Jan 14 20:48:00 2018 daemon.warn openvpn(expressvpn)[3953]: WARNING:
--keysize is DEPRECATED and will be removed in OpenVPN 2.6
Sun Jan 14 20:48:00 2018 daemon.warn openvpn(expressvpn)[3953]: WARNING:
--no-replay is DEPRECATED and will be removed in OpenVPN 2.5
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]: OpenVPN
2.4.4 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
[MH/PKTINFO] [AEAD]
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]: library
versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Sun Jan 14 20:48:00 2018 daemon.warn openvpn(expressvpn)[3953]: WARNING:
You have disabled Replay Protection (--no-replay) which may make OpenVPN
less secure
Sun Jan 14 20:48:00 2018 daemon.inf logread[238]: failed to send log data
to 192.168.0.11:514 via udp
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]: Outgoing
Control Channel Authentication: Using 512 bit message hash 'SHA512' for
HMAC authentication
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]: Incoming
Control Channel Authentication: Using 512 bit message hash 'SHA512' for
HMAC authentication
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]: TCP/UDP:
Preserving recently used remote address: [AF_INET]169.50.128.202:1195
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]: Socket
Buffers: R=[163840->327680] S=[163840->327680]
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]: UDP link
local: (not bound)
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]: UDP link
remote: [AF_INET]169.50.128.202:1195
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]: TLS:
Initial packet from [AF_INET]169.50.128.202:1195, sid=b5efa1ec fd95292c
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]: VERIFY
OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]: VERIFY
KU OK
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]:
Validating certificate extended key usage
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]: ++
Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web
Server Authentication
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]: VERIFY
EKU OK
Sun Jan 14 20:48:00 2018 daemon.notice openvpn(expressvpn)[3953]: VERIFY
OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1562-1a,
Sun Jan 14 20:48:01 2018 daemon.info logread[238]: Logread connected to
192.168.0.11:514
Sun Jan 14 20:48:01 2018 daemon.warn openvpn(expressvpn)[3953]: WARNING:
'link-mtu' is used inconsistently, local='link-mtu 1598', remote='link-mtu
1606'
Sun Jan 14 20:48:01 2018 daemon.inf logread[238]: failed to send log data
to 192.168.0.11:514 via udp
Sun Jan 14 20:48:01 2018 daemon.warn openvpn(expressvpn)[3953]: WARNING:
'no-replay' is present in local config but missing in remote config,
local='no-replay'
Sun Jan 14 20:48:01 2018 daemon.warn openvpn(expressvpn)[3953]: WARNING:
'mtu-dynamic' is present in remote config but missing in local config,
remote='mtu-dynamic'
Sun Jan 14 20:48:01 2018 daemon.notice openvpn(expressvpn)[3953]: Control
Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit
RSA
Sun Jan 14 20:48:01 2018 daemon.notice openvpn(expressvpn)[3953]:
[Server-1562-1a] Peer Connection Initiated with
[AF_INET]169.50.128.202:1195
Sun Jan 14 20:48:02 2018 daemon.inf logread[238]: Logread connected to
192.168.0.11:514
Sun Jan 14 20:48:02 2018 daemon.notice openvpn(expressvpn)[3953]: SENT
CONTROL [Server-1562-1a]: 'PUSH_REQUEST' (status=1)
Sun Jan 14 20:48:02 2018 daemon.inf logread[238]: failed to send log data
to 192.168.0.11:514 via udp
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]: PUSH:
Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option
DNS 10.81.0.1,route 10.81.0.1,topology net30,ping 10,ping-restart
60,ifconfig 10.81.1.242 10.81.1.241'
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]: OPTIONS
IMPORT: timers and/or timeouts modified
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]: OPTIONS
IMPORT: --ifconfig/up options modified
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]: OPTIONS
IMPORT: route options modified
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]: OPTIONS
IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]: Outgoing
Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]: Outgoing
Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]: Incoming
Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]: Incoming
Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]: TUN/TAP
device tun0 opened
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]: TUN/TAP
TX queue length set to 100
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]:
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]:
/sbin/ifconfig tun0 10.81.1.242 pointopoint 10.81.1.241 mtu 1500
Sun Jan 14 20:48:03 2018 daemon.notice netifd: Interface 'expressvpn' is
enabled
Sun Jan 14 20:48:03 2018 daemon.notice netifd: Network device 'tun0' link
is up
Sun Jan 14 20:48:03 2018 daemon.notice netifd: Interface 'expressvpn' has
link connectivity
Sun Jan 14 20:48:03 2018 daemon.notice netifd: Interface 'expressvpn' is
setting up now
Sun Jan 14 20:48:03 2018 daemon.notice netifd: Interface 'expressvpn' is
now up
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]:
/sbin/route add -net 169.50.128.202 netmask 255.255.255.255 gw
192.168.0.254
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]:
/sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.81.1.241
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]:
/sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.81.1.241
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]:
/sbin/route add -net 10.81.0.1 netmask 255.255.255.255 gw 10.81.1.241
Sun Jan 14 20:48:03 2018 daemon.notice openvpn(expressvpn)[3953]:
Initialization Sequence Completed
Sun Jan 14 20:48:03 2018 user.notice firewall: Reloading firewall due to
ifup of expressvpn (tun0)