OpenVPN: how is it tunneled?

I installed OpenVPN (OpenSLL+LuCI interface). Uploaded the OVPN file and put the username and password.
I was able to Start it and it connected.
However clients were not able to access anything online.

I noticed in some instructions that I need to create a new interface with Protocol unmanaged assigned to a new physical interface. It was also required to create a new firewall zone, and forward LAN to this new firewall zone.

Now it works.

The sentence above is where I'm having difficulty understanding.

I kind of understand that we need to forward LAN to a separate interface instead of WAN, since it is a VPN. However, nowhere I informed that this separate interface is bound to OpenVPN. It's a dummy, unmanaged, interface. Shouldn't OpenVPN provide an interface where I forward LAN requests to?
Also, why a new firewall zone is necessary? Is it because for each interface I need an assigned firewall?

I appreciate some explanation about the need to create interface and firewall for OpenVPN, and how traffic goes through VPN even though I never marked anything labeled as VPN/OpenVPN.

Thank you!

What new physical interface, it doesn't happen to be the openvpn tunnel interface?

BTW you don't need a new zone. Why can use the wan zone if you don't want to trust any hosts on the VPN network.

How do I know what is the OpenVPN tunnel interface? In the list it never showed it.
I had to create a new interface called vpntunnel, select protocol unmanaged, type interface "tun0" (had to type, to add it to the list).

EDIT: I just happened to notice that "tun0" is the name of the VPN interface. However, it is strange that I had to manually type it - shouldn't it be listed as an interface since installation of OpenVPN? I thought tun0 was just a random/custom name.

OpenVPN creates the tun0 interface after it starts. Basically a tun interface is a way for a userspace program like OpenVPN to send packets in/out of the kernel's networking infrastructure on an Ethernet-like interface.

OpenVPN controls the name since it is the program that tells the kernel to create a tunnel interface. tun0 is its default name but you can change it in OpenVPN configuration.

1 Like

It's the "dev" line that specifies the name. If you use the standard "tun" value, it will try tun0 and if that's busy, it will keep generating names until one is free to be used.

You can force the name in that same line for example to get tun5, you can do something like:

dev tun5
proto ...