OpenWrt remote access with VPN

Hello,

I've recently installed OpenWrt on my TP-Link (Archer C7) router, and I have internet access through a USB dongle connected to this router. On my private LAN are connected some PCs, my phone, a YunoHost server, and I'm trying to manage a Domoticz server.
My problem is that all these devices are reachable from my private LAN but not from remote access outside my LAN.
I tried to set up port forwarding to solve this problem, but without success for now. I use LuCI, which is, for me, simpler than UCI commands.
I've read a lot of topics on the forum and the internet, but I don't understand all the explanations. Is there anybody who can help me, please?

My first question is: with my VPN installed (OpenVPN client), and assuming all the traffic goes through the VPN, when I set up port forwarding, must the source be the openvpn zone or the wan zone?
Second question: what is the difference between port forwarding and traffic rules? They seem to be equivalent for managing the traffic.

Here is my /etc/config/firewall:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'openvpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list device 'tun0'
	option masq '1'
	option mtu_fix '1'
	list network 'openvpn'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'openvpn'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'openvpn'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-IGMP'
	option src 'openvpn'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'openvpn'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'openvpn'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'
	list src_ip 'fe80::/10'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'openvpn'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'openvpn'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'openvpn'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'openvpn'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Liaison_ippi'
	option src 'wan'
	option src_dport '5061'
	option dest_ip '192.168.1.176'
	option dest_port '5061'

config rule
	option name 'Liaison_ippi'
	option dest 'lan'
	list dest_ip '192.168.1.176'
	option target 'ACCEPT'
	option src 'wan'
	option src_port '5061'
	option dest_port '5061'

config forwarding
	option src 'lan'
	option dest 'openvpn'

config redirect
	option target 'DNAT'
	option name 'DNS'
	option src 'openvpn'
	option src_dport '53'
	list proto 'tcp'
	list proto 'udp'
	option dest 'lan'
	option dest_port '53'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'SSH_ynh'
	option src 'openvpn'
	option src_dport '18'
	list proto 'tcp'
	option dest_ip '192.168.1.122'
	option dest_port '18'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTP_ynh'
	option src 'openvpn'
	option src_dport '8080'
	option dest_ip '192.168.1.122'
	option dest_port '80'

config redirect
	option target 'DNAT'
	option name 'HTTPS_ynh'
	option src 'openvpn'
	option dest 'lan'
	option dest_ip '192.168.1.122'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '8443'
	option dest_port '443'

config redirect
	option target 'DNAT'
	option name 'SSH_wrt'
	list proto 'tcp'
	option src 'openvpn'
	option src_dport '22'
	option dest_ip '192.168.1.1'
	option dest 'lan'
	option dest_port '22'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTP_wrt'
	option src 'openvpn'
	option src_dport '80'
	option dest_ip '192.168.1.1'
	option dest_port '80'

config redirect
	option target 'DNAT'
	option name 'HTTPS_wrt'
	option src 'openvpn'
	option src_dport '443'
	option dest_ip '192.168.1.1'
	option dest 'lan'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '443'

config redirect
	option target 'DNAT'
	option name 'openvpn'
	option src 'openvpn'
	option src_dport '1194'
	option dest_ip '192.168.1.1'
	option dest 'lan'
	option dest_port '1194'

Regards

Usually, your port forwards are coming in from the wan zone. This of course requires that you have a public IP on your wan.

Most VPNs do not have inbound port forwarding. Some VPNs do have these services, but unless you've specifically picked a service provider for this reason (and subscribed to that option accordingly), you probably don't have this feature.

Meanwhile, if you're running an OpenVPN client to connect to (and send your traffic through) another VPN endpoint (such as a commercial VPN provider), you will need to use Policy Based Routing to ensure that the responses from the port forwards are routed appropriately back out to the interface that was used for the inbound connection (i.e. usually the wan).

Port forwarding is a specific type of traffic rule. It generally applies to masqueraded zones/interfaces where you have a single IP address on the upstream network (i.e. wan) and a private network behind the router. This allows you to forward traffic that is initiated from a remote machine on the upstream (i.e. internet) to your public IP such that it reaches a specific host on the private network behind your router. This is necessary because the RFC1918 addresses that will be assigned to hosts on your private network are not routable on the internet, so there is no other way for a remote host to specify which host they are trying to reach behind your router.

Port forwards can actually be created by "traffic rules," but the port forwarding configuration option greatly simplifies it.

Traffic rules, beyond the port forwards, can be used in a number of ways including for inbound connections to the router itself or for inter-network allow/deny at any level of granularity as required by a specific set of goals.
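Since the reply above says inbound port forwards come in from the wan zone, here is an added example (not from the thread, not OpenWrt's own tooling) that lints a /etc/config/firewall for DNAT redirects sourced from any other zone, such as the openvpn zone in the posted config. It is a POSIX sh script using awk, so it runs under BusyBox on the router; it assumes the internet-facing zone is named 'wan', and the sample config it writes is a constructed, trimmed copy of the thread's own redirects.

```shell
#!/bin/sh
# Added example, not from the thread: lint an OpenWrt /etc/config/firewall for
# DNAT port forwards whose source zone is not 'wan'. Connections from the
# internet arrive in the wan zone, so a redirect sourced from the VPN zone only
# matches traffic the VPN provider delivers down the tunnel, which a commercial
# provider normally never does. Assumes the internet-facing zone is named 'wan'.

# Print one line per DNAT redirect that is not sourced from 'wan':
#   <name> src=<zone> dport=<src_dport>
vpn_sourced_forwards() {
    awk -v q="'" '
        function flush() {
            # a redirect that omits target defaults to DNAT
            if (sect == "redirect" && (target == "" || target == "DNAT") && src != "wan") {
                printf "%s src=%s dport=%s\n", name, src, dport
            }
        }
        /^config[ \t]/ { flush(); sect = $2; name = ""; src = ""; target = ""; dport = "" }
        /^[ \t]*option[ \t]/ {
            val = $3; gsub(q, "", val)          # strip the UCI single quotes
            if ($2 == "name") name = val
            else if ($2 == "src") src = val
            else if ($2 == "target") target = val
            else if ($2 == "src_dport") dport = val
        }
        END { flush() }
    ' "$1"
}

# Number of such redirects, handy for a pass/fail check in a script.
count_vpn_sourced_forwards() {
    vpn_sourced_forwards "$1" | wc -l | tr -d ' '
}

# Constructed sample: a trimmed copy of the thread's config with one wan-sourced
# forward and two VPN-sourced forwards.
write_sample_firewall() {
    cat > "$1" <<'EOF'
config zone
    option name 'wan'
    option input 'REJECT'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'Liaison_ippi'
    option src 'wan'
    option src_dport '5061'
    option dest_ip '192.168.1.176'
    option dest_port '5061'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'SSH_ynh'
    option src 'openvpn'
    option src_dport '18'
    list proto 'tcp'
    option dest_ip '192.168.1.122'
    option dest_port '18'

config redirect
    option target 'DNAT'
    option name 'HTTPS_wrt'
    option src 'openvpn'
    option src_dport '443'
    option dest_ip '192.168.1.1'
    option dest 'lan'
    option dest_port '443'
EOF
}

# On the router itself:
#   vpn_sourced_forwards /etc/config/firewall
```

Every line the script prints is a forward that will never see a connection from the internet; in LuCI the fix is to change that forward's Source zone to wan (Network > Firewall > Port Forwards), which is the same as setting `option src 'wan'` in the file.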

I am running an OpenVPN client with a config file (.ovpn) from a commercial VPN provider. So I have installed Policy Based Routing. I don't understand exactly all the config, but I did it. The service says it is running, but now... How can I manage routing policies: from the PBR service or through the firewall (traffic rules and port forwarding)?
I just want remote SSH/HTTP access to my OpenWrt router and the devices behind the router (a YunoHost server, a SIP phone through a Grandstream ATA, maybe later a Domoticz server).
I can reach these devices locally but not from the internet (from my Android phone (4G), for example).

I'm sorry for these stupid questions, but I'm not an expert and I really need help to configure OpenWrt/OpenVPN.

Regards,
Georges

You start by disabling the default route via the VPN by adding this to the VPN config:
pull-filter ignore "redirect-gateway"
This frees up the WAN so that you can port forward into your router from outside.

Next you use a PBR rule to direct whatever clients or interface you want to use the VPN tunnel as described in the guide:
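As an added example (not from the thread or from the PBR guide), this POSIX sh script does the first step above in a repeatable way: it appends `pull-filter ignore "redirect-gateway"` to the client config only if it is missing, and it checks the output of `ip -4 route` to confirm the tunnel no longer owns the default route. It assumes the tunnel interface is tun0 and that the client config is a plain .ovpn file; the two routing tables it embeds are constructed samples, with the WAN device name and addresses invented for the example.

```shell
#!/bin/sh
# Added example, not from the thread: stop the OpenVPN client from taking over the
# default route, then verify from the routing table that the tunnel no longer does.
# Assumes the tunnel interface is tun0 and the client config is a plain .ovpn file.

# Append 'pull-filter ignore "redirect-gateway"' to a client config unless it is
# already there. Returns 0 when the line was added, 1 when it was already present.
ensure_pull_filter() {
    if grep -q '^pull-filter[[:space:]]*ignore[[:space:]]*"redirect-gateway"' "$1"; then
        return 1
    fi
    printf '%s\n' 'pull-filter ignore "redirect-gateway"' >> "$1"
}

# Read 'ip -4 route' output on stdin and succeed if the given interface carries the
# default route, either as a plain 'default' entry or as the 0.0.0.0/1 + 128.0.0.0/1
# pair that 'redirect-gateway def1' installs to override the default without
# replacing it. Fail otherwise.
tunnel_owns_default_route() {
    awk -v dev="$1" '
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed routing table before the pull-filter: the provider pushed
# 'redirect-gateway def1', so the two /1 routes via tun0 hide the real default.
sample_routes_before() {
    cat <<'EOF'
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.0.2.1 dev eth0.2 proto static src 192.0.2.10
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
EOF
}

# Constructed routing table after the pull-filter: the default stays on the WAN and
# the tunnel only reaches its own subnet; PBR then decides who uses it.
sample_routes_after() {
    cat <<'EOF'
default via 192.0.2.1 dev eth0.2 proto static src 192.0.2.10
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
EOF
}

# On the router (path of the .ovpn file is an assumption):
#   ensure_pull_filter /etc/openvpn/provider.ovpn && /etc/init.d/openvpn restart
#   ip -4 route | tunnel_owns_default_route tun0 && echo "VPN still owns the default route"
```

Run the check after restarting the client: if it still reports that tun0 owns the default route, the provider's pushed routes are still being applied and the port forwards on wan will keep answering through the tunnel.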