Restricting LAN devices access to (local) WAN for openVPN/TOR setup

Hi all! I have been trying to get the following setup to work but think I am stuck and would be thankful for some help:

router (untrusted, isp)
-openWRT_0 (provides internet access only through vpn0 via wan facing untrusted router, provides lan access)
--A (lan0)
--hypervisor (lan0, proxmox hosting {B,openWRT_1,openWRT_2,C,D})
---B (lan0)
---openWRT_1 (tor)
----C (owrt_1-lan, only inet access through tor)
---openWRT_2, (vpn1)
----D (owrt_2-lan, only inet access through vpn1)

C and D are the only devices that do not have an IP in a physical network as they are behind openWRT_1/2 on their respective LAN side. (sorry if the formatting turned out confusing)


  • A and B are only able to access the public internet through vpn0
  • C is only able to access the public internet through tor
  • D is only able to access the public internet through vpn1


  • C and D are able to ping A and B (via their IPv4 addresses in lan0, i.e. WAN net of openWRT_1,2), but they should only be allowed to reach the internet through tor or vpn1 respectively.

My guess is that there are easy ways to do this by routing and/or firewall configuration, but I have failed to find or rather understand what the correct settings are.
(Tried it in Network>Firewall>Traffic Rules and Network>Firewall>General Settings>Zones, as well as by trying to adapt from forum posts like Help creating a firewall to block traffic to IP range. Guides I used to set up the openWRT routers:
openvpn: )

Any help or direction you can point me to would be very appreciated. Thank you, and openWRT has been a joy so far.
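One way to express the intended policy for D on openWRT_2 in its /etc/config/firewall, written here as an added example (not taken from the original post or from the guides it links to). It assumes vpn1's tunnel interface is named tun0 and that the router uses the default zone names lan and wan; the same zone layout applies to openWRT_1 with its own egress interface.

```uci
# Zone for D's network. Clients may talk to the router itself (DHCP, DNS).
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Zone for the upstream side, i.e. lan0 where A, B and openWRT_0 live.
# Nothing from lan is forwarded here: there is deliberately NO
# "config forwarding" section with src 'lan' and dest 'wan'.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Zone for the VPN tunnel (assumed device name tun0). This is the only
# zone lan traffic may be forwarded into.
config zone
	option name 'vpn'
	list device 'tun0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'vpn'

# Defence in depth: even if a lan->wan forwarding were added later,
# private upstream ranges stay unreachable from D.
config rule
	option name 'Reject-lan-to-upstream-private-ranges'
	option src 'lan'
	option dest 'wan'
	option proto 'all'
	list dest_ip '10.0.0.0/8'
	list dest_ip '172.16.0.0/12'
	list dest_ip '192.168.0.0/16'
	option target 'REJECT'
```

Because lan has no forwarding into wan, openWRT_2 also refuses to pass D's traffic to lan0 when vpn1 is down, so a tunnel outage does not fall back to plaintext through the untrusted router.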

Want to create shoddy diagrams in a hurry, just like I do?

What are the contents of /etc/config/network and /etc/config/firewall?