Setting up a dedicated VPN VLAN

Through help on here I have now got my OpenVPN configured and running. I also used the following link (although I don't use Nord) to create my LAN interfaces and firewall zones.

But what I really want to do is leave my default WAN traffic alone but be able to specify which devices on my network I want to pass through a specific VPN and then the WAN connection. I have googled and read a lot on here and there is a lot of information to take in (and indeed different ways it appears).

Can anyone give me some very high level noob pointers on this please? It would be appreciated.


Here you are!


So go easy on me I am trying to understand some of the terminology here.

I've created an OpenVPN instance called VPN_General and it connects fine, i.e. it starts.
I've created a network interface called VPNGEN interfaced to tun0.
I've created a firewall zone called VPNgen and allowed forward from source zone lan.

The VPNGEN interface comes back with an 'Error: Network device is not present'.

Is this correct, and what are my next stages please?

Let's see what might be the problem.
Please post here the output of the following command, copy and paste the whole block:

uci show network;uci show wireless; \
uci show firewall; uci show dhcp; \
ip -4 addr ; ip -4 ro ; ip -4 ru; \
iptables-save; \
head -n -0 /etc/firewall.user; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

Please use "Preformatted text </>" for logs, scripts, configs and general console output.

There doesn't seem to be any tunnel interface. Are you certain that the OpenVPN starts without errors?
Can you check the logs for any referral to OpenVPN?
Post also the VPN configuration.
You may want to edit your previous post and cover the wifi keys, public IP addresses and MAC addresses.

Oops, I see what you mean!!! Resubmitted...

BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 19.07-SNAPSHOT, r10591-2155e94d4b
 -----------------------------------------------------
root@xxxx:~# uci show network;uci show wireless; \
> uci show firewall; uci show dhcp; \
> ip -4 addr ; ip -4 ro ; ip -4 ru; \
> iptables-save; \
> head -n -0 /etc/firewall.user; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='xxxx'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.0.1'
network.lan.dns='8.8.8.8 8.8.4.4'
network.wan=interface
network.wan.ifname='eth1.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth1.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5t'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
network.@switch_vlan[1].vid='2'
network.@route[0]=route
network.VPNgen=interface
network.VPNgen.proto='none'
network.VPNgen.ifname='tun0'
network.VPNgen.delegate='0'
network.VPNgen.auto='1'
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.channel='36'
wireless.radio0.hwmode='11a'
wireless.radio0.path='soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
wireless.radio0.htmode='VHT80'
wireless.radio0.country='DE'
wireless.radio0.legacy_rates='1'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.network='lan'
wireless.default_radio0.mode='ap'
wireless.default_radio0.macaddr='xxx'
wireless.default_radio0.ssid='xxx'
wireless.default_radio0.encryption='psk-mixed'
wireless.default_radio0.key=''
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.hwmode='11g'
wireless.radio1.path='soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
wireless.radio1.htmode='HT20'
wireless.radio1.country='DE'
wireless.radio1.legacy_rates='1'
wireless.radio1.channel='9'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.network='lan'
wireless.default_radio1.mode='ap'
wireless.default_radio1.macaddr='xxx'
wireless.default_radio1.ssid='xxx'
wireless.default_radio1.encryption='psk-mixed'
wireless.default_radio1.key=''
wireless.radio2=wifi-device
wireless.radio2.type='mac80211'
wireless.radio2.channel='36'
wireless.radio2.hwmode='11a'
wireless.radio2.path='platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
wireless.radio2.htmode='VHT80'
wireless.radio2.disabled='1'
wireless.default_radio2=wifi-iface
wireless.default_radio2.device='radio2'
wireless.default_radio2.network='lan'
wireless.default_radio2.mode='ap'
wireless.default_radio2.ssid='OpenWrt'
wireless.default_radio2.encryption='none'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].src_dport='xxx'
firewall.@redirect[0].dest_ip='xxx'
firewall.@redirect[0].dest_port='xxx'
firewall.@redirect[0].name='xxx'
firewall.@zone[2]=zone
firewall.@zone[2].name='VPNgen'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='VPNgen'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='VPNgen'
firewall.@forwarding[1].src='lan'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 82.3.237.117/24 brd 82.3.237.255 scope global eth1.2
       valid_lft forever preferred_lft forever
default via 82.3.237.1 dev eth1.2 proto static src xxx
xxx/24 dev eth1.2 proto kernel scope link src xxx
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.8.3 on Wed Oct 16 11:21:59 2019
*raw
:PREROUTING ACCEPT [129473:114112214]
:OUTPUT ACCEPT [37170:3669901]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Wed Oct 16 11:21:59 2019
# Generated by iptables-save v1.8.3 on Wed Oct 16 11:21:59 2019
*nat
:PREROUTING ACCEPT [26110:4084943]
:INPUT ACCEPT [14227:868595]
:OUTPUT ACCEPT [1210:83522]
:POSTROUTING ACCEPT [40:2399]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_VPNgen_postrouting - [0:0]
:zone_VPNgen_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_VPNgen_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_VPNgen_postrouting
-A zone_VPNgen_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.3/32 -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: TheArchers (reflection)" -j SNAT --to-source 192.168.0.1
-A zone_lan_postrouting -s 192.168.0.0/24 -d 192.168.0.3/32 -p udp -m udp --dport 8080 -m comment --comment "!fw3: TheArchers (reflection)" -j SNAT --to-source 192.168.0.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.0.0/24 -d xxx/32 -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: xxx (reflection)" -j DNAT --to-destination xxx
-A zone_lan_prerouting -s 192.168.0.0/24 -d xxx/32 -p udp -m udp --dport 8080 -m comment --comment "!fw3: xxx (reflection)" -j DNAT --to-destination xxx
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: TheArchers" -j DNAT --to-destination 192.168.0.3:8080
-A zone_wan_prerouting -p udp -m udp --dport 8080 -m comment --comment "!fw3: TheArchers" -j DNAT --to-destination 192.168.0.3:8080
COMMIT
# Completed on Wed Oct 16 11:21:59 2019
# Generated by iptables-save v1.8.3 on Wed Oct 16 11:21:59 2019
*mangle
:PREROUTING ACCEPT [129476:114112334]
:INPUT ACCEPT [24416:1676088]
:FORWARD ACCEPT [97795:109425518]
:OUTPUT ACCEPT [37189:3674805]
:POSTROUTING ACCEPT [134160:113061855]
-A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone VPNgen MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Oct 16 11:21:59 2019
# Generated by iptables-save v1.8.3 on Wed Oct 16 11:21:59 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_FWVPNgen_forward - [0:0]
:zone_FWVPNgen_input - [0:0]
:zone_FWVPNgen_output - [0:0]
:zone_VPNgen_dest_ACCEPT - [0:0]
:zone_VPNgen_dest_REJECT - [0:0]
:zone_VPNgen_forward - [0:0]
:zone_VPNgen_input - [0:0]
:zone_VPNgen_output - [0:0]
:zone_VPNgen_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_VPNgen_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_VPNgen_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_VPNgen_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_VPNgen_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_VPNgen_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_VPNgen_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_VPNgen_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_VPNgen_forward -m comment --comment "!fw3" -j zone_VPNgen_dest_REJECT
-A zone_VPNgen_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_VPNgen_input -m comment --comment "!fw3" -j zone_VPNgen_src_REJECT
-A zone_VPNgen_output -m comment --comment "!fw3" -j zone_VPNgen_dest_ACCEPT
-A zone_VPNgen_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to VPNgen forwarding policy" -j zone_VPNgen_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Oct 16 11:21:59 2019
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
lrwxrwxrwx    1 root     root            16 Oct 11 15:31 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Oct 16 11:20 /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Oct 16 11:20 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==

==> /tmp/resolv.conf <==

==> /tmp/resolv.conf.auto <==

OVPN config

remote xxxxx 1194 udp
nobind
dev tun

# Options
remote-cert-tls server
client
comp-lzo
persist-key
persist-tun
verb 3

# Crypto
cipher AES-128-GCM
auth SHA256
auth-user-pass VPN_General.auth

# Cert
<ca>
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
xxxxx
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

Log file shows:

Wed Oct 16 12:19:17 2019 daemon.notice openvpn(VPN_General)[10789]: OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Oct 16 12:19:17 2019 daemon.notice openvpn(VPN_General)[10789]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Wed Oct 16 12:19:17 2019 daemon.notice openvpn(VPN_General)[10789]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Oct 16 12:19:17 2019 daemon.notice openvpn(VPN_General)[10789]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Oct 16 12:19:22 2019 daemon.err openvpn(VPN_General)[10789]: RESOLVE: Cannot resolve host address: xxxx:1194 (Try again)

I tried pinging the original host address after noticing this error and it wouldn't ping, so I changed it to one that does, but I still get the error. Tried it a few times and seem to get some success:

Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: UDP link local: (not bound)
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: UDP link remote: [AF_INET]xxx
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: TLS: Initial packet from [AF_INET]xxx, sid=29ded650 87e5281c
Wed Oct 16 12:24:05 2019 daemon.warn openvpn(VPN_General)[11570]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: VERIFY OK: depth=1, C=SE, ST=CA, L=Stockholm, O=PrivateVPN, CN=PrivateVPN CA, name=PrivateVPN, emailAddress=support@privatvpn.se
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: VERIFY KU OK
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: Validating certificate extended key usage
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: VERIFY EKU OK
Wed Oct 16 12:24:05 2019 daemon.notice openvpn(VPN_General)[11570]: VERIFY OK: depth=0, C=SE, ST=CA, L=Stockholm, O=PrivateVPN, CN=PrivateVPN, name=PrivateVPN, emailAddress=support@privatvpn.se
Wed Oct 16 12:24:07 2019 daemon.warn openvpn(VPN_General)[11570]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1550', remote='link-mtu 1570'
Wed Oct 16 12:24:07 2019 daemon.warn openvpn(VPN_General)[11570]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-GCM', remote='cipher AES-256-CBC'
Wed Oct 16 12:24:07 2019 daemon.warn openvpn(VPN_General)[11570]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
Wed Oct 16 12:24:07 2019 daemon.warn openvpn(VPN_General)[11570]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Wed Oct 16 12:24:07 2019 daemon.notice openvpn(VPN_General)[11570]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Oct 16 12:24:07 2019 daemon.notice openvpn(VPN_General)[11570]: [PrivateVPN] Peer Connection Initiated with [AF_INET]185.41.242.67:1194
Wed Oct 16 12:24:08 2019 daemon.notice openvpn(VPN_General)[11570]: SENT CONTROL [PrivateVPN]: 'PUSH_REQUEST' (status=1)
Wed Oct 16 12:24:08 2019 daemon.notice openvpn(VPN_General)[11570]: AUTH: Received control message: AUTH_FAILED
Wed Oct 16 12:24:08 2019 daemon.notice openvpn(VPN_General)[11570]: SIGTERM[soft,auth-failure] received, process exiting

I 'may' have resolved the OpenVPN connection at least. Like a true numpty I have been using the syntax:

username xxxxxxxxx
password xxxxxxxxx

in the auth file referred to above. When I edited out "username" and "password" I appear to have lost the connection (I am remoting in) and now can't reconnect, which sort of says the VPN is working (I also use a dynamic DNS).

Now on to the next stage when I get home!

Nope, it doesn't conclude the session establishment process. You'll see the message "Initialization Sequence Completed" when everything works fine.
Check that the .auth file has the correct user-pass inside. Also use the full path for the filename, in case it is not in the working directory of the OpenVPN process.


Our posts must have overlapped, trendy. I was using the incorrect syntax in the AUTH file, I think.

Alright, let us know how it looks when you get home.

OpenWrt works and the tun0 interface shows activity.

Now I need to allow dynamic DNS to function (i.e. remote connection) AND only allow the devices I specify to go through the VPN. I'm assuming that, as it stands at the moment, when enabled all traffic will be using the VPN. Is that correct?

Before anything else post again the following:

ip -4 addr ; ip -4 ro ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet xx.xx.xx.xx/24 brd xx.xx.xx.xx scope global eth1.2
       valid_lft forever preferred_lft forever
25: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet xx.xx.xx.xx/26 brd xx.xx.xx.xx scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via xx.xx.xx.xx dev tun0
default via xx.xx.xx.xx dev eth1.2 proto static src xx.xx.xx.xx
xx.xx.xx.xx/24 dev eth1.2 proto kernel scope link src xx.xx.xx.xx
128.0.0.0/1 via xx.xx.xx.xx dev tun0
xx.xx.xx.xx via xx.xx.xx.xx dev eth1.2
xx.xx.xx.xx/26 dev tun0 proto kernel scope link src xx.xx.xx.xx
xx.xx.xx.xx/24 dev br-lan proto kernel scope link src xx.xx.xx.xx
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Oct 11 15:31 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root             0 Oct 16 11:20 /tmp/resolv.conf
-rw-r--r--    1 root     root           149 Oct 16 12:23 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==

==> /tmp/resolv.conf <==

==> /tmp/resolv.conf.auto <==
# Interface lan
nameserver 8.8.8.8
nameserver 8.8.4.4
# Interface wan
nameserver xx.xx.xx.xx
nameserver xx.xx.xx.xx
search cable.virginmedia.net

As it stands now, all your traffic goes through the VPN tunnel. Therefore you can use the rules I posted earlier to classify the traffic that should go via the regular ISP.
Regarding DynDNS, is the IP you got on the tun0 interface public or private?

So I could make the following change:

config rule
        option in 'lan'
        option src '192.168.0.3'
        option lookup '100'

config route
        option interface 'vpngen'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

Would that just route any traffic from a device that I have set up with a static IP of 192.168.0.3 through the VPN, or am I missing something?

And if I invoke OpenVPN and the VPN interface how do I get round my dynamic dns issue?

And as for being public or private, the IP is from a subscribed service (no-ip), so I have Dynamic DNS running to track any IP changes that may occur, and I access a PC on my home LAN via a port forwarding rule.

When the OpenVPN tunnel is up, all traffic goes through the tunnel by default. The rule above is correct, but pointless.
You need to change the route command to use the wan interface, rather than the vpngen, for the devices you want to use the regular internet connection.

You didn't answer whether the IP you have on the VPN tunnel interface is public or private (10.x.y.z, 172.16-31.x.y, 192.168.x.y).

no-ip gives you a name that is bound to the dynamic public IP that your interface has. If you have a private IP then it cannot work that simply.

I assume it is public as it currently is 82.x.y.z which will be the one set by the ISP

I have a hostname that I access remotely from which is xxxxx.noip.me and the service does the rest i.e. changes the ip when needed.

So are you saying that you have to live with all traffic going through the OpenVPN tunnel and you have to exclude devices from going through OpenVPN? I only want a couple of devices to go through the VPN and the rest (30+) through the normal gateway (non VPN).

Would I set up a new network range on top of my current 192.168.0.x, say 192.168.1.x, and set up a rule that excludes everything in the 192.168.0.x/24 range from passing through the VPN, but anything I set to a 192.168.1.x address would then go through the VPN? Is my logic right?

This is for the WAN interface and it works fine from what I understand. If your question is whether you can do the same on the OpenVPN tun interface, it depends on the IP that your tun has, private or public. Usually they give private IPs, hence there is no point in a dyndns service there and no possibility of port forwarding.

No, you can manipulate that. There is an option in Luci, or edit directly the config file:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extra#disable_gateway_redirect

That won't be necessary in your case.

Just to note for syntax purposes: I'm using 19.07, and OpenWrt is configurable in LuCI by editing the ovpn contents within the GUI, and the syntax is route-nopull (and not route_nopull). Just for reference.

So I added it and OpenVPN is alive, so is the interface (no RX traffic of course), and I can still remote connect. Many, many thanks for your patience, trendy. It is appreciated.

And one last question. Now I am all up and running, what is the syntax of the rule I would set up to say: if I am a specific IP address then pass all my traffic through my VPN interface (VPNGEN)?
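The per-host policy the last question asks about, as an added example (not trendy's or the thread's own code, and not part of OpenWrt): it assumes route-nopull is set in the OpenVPN config as described above, reuses the VPNgen interface name and the 192.168.0.3 host from the thread, and assumes routing table 100 is free. It prints the uci commands instead of running them, and adds a second rule per host so a VPN-bound host does not silently fall back to the ISP route when tun0 is down.

```shell
#!/bin/sh
# Added example, not from the thread: policy-based routing on OpenWrt 19.07 so
# that only chosen LAN hosts leave via the OpenVPN tunnel (tun0 = interface
# VPNgen) while every other host keeps the ISP default route.
# Assumptions: the OpenVPN instance has 'route-nopull' set, so it no longer
# installs the 0.0.0.0/1 and 128.0.0.0/1 routes via tun0; routing table 100
# is unused; the tunnel interface is named VPNgen in /etc/config/network.

VPN_IFACE="VPNgen"   # UCI interface bound to tun0 (name taken from the thread)
VPN_TABLE="100"      # routing table used for VPN-bound hosts (assumption)

# Print (do not run) the uci commands for one default route in table 100 plus,
# per host, a lookup rule and a fallback 'unreachable' rule. The fallback is
# the kill switch: when tun0 is down table 100 is empty, the lookup finds no
# route, and the next rule stops the host from quietly using the WAN instead.
gen_vpn_policy() {
    cat <<EOF
uci -q delete network.vpn_default
uci set network.vpn_default=route
uci set network.vpn_default.interface='${VPN_IFACE}'
uci set network.vpn_default.target='0.0.0.0'
uci set network.vpn_default.netmask='0.0.0.0'
uci set network.vpn_default.table='${VPN_TABLE}'
EOF
    n=0
    for host in "$@"; do
        cat <<EOF
uci -q delete network.vpn_rule_${n}
uci set network.vpn_rule_${n}=rule
uci set network.vpn_rule_${n}.in='lan'
uci set network.vpn_rule_${n}.src='${host}/32'
uci set network.vpn_rule_${n}.lookup='${VPN_TABLE}'
uci set network.vpn_rule_${n}.priority='100'
uci -q delete network.vpn_block_${n}
uci set network.vpn_block_${n}=rule
uci set network.vpn_block_${n}.in='lan'
uci set network.vpn_block_${n}.src='${host}/32'
uci set network.vpn_block_${n}.action='unreachable'
uci set network.vpn_block_${n}.priority='101'
EOF
        n=$((n + 1))
    done
    echo "uci commit network && /etc/init.d/network reload"
}

# Check 'ip -4 rule' output (read from stdin) for one host: succeed only when
# both its lookup rule for VPN_TABLE and its 'unreachable' fallback are present.
check_host_rules() {
    awk -v h="$1" -v t="$VPN_TABLE" '
        $0 !~ ("[ \t]from " h "[ \t]") { next }
        / lookup / && $NF == t         { lookup = 1 }
        / unreachable/                 { fallback = 1 }
        END { exit !(lookup && fallback) }'
}

# Constructed sample of 'ip -4 rule' after the policy is applied for
# 192.168.0.3 (the host used in the thread); all other hosts keep table main.
SAMPLE_RULES='0:      from all lookup local
100:    from 192.168.0.3 iif br-lan lookup 100
101:    from 192.168.0.3 iif br-lan unreachable
32766:  from all lookup main
32767:  from all lookup default'

# Stand-alone demo: show the commands, then verify the sample rule set.
gen_vpn_policy 192.168.0.3
printf '%s\n' "$SAMPLE_RULES" | check_host_rules 192.168.0.3 \
    && echo "192.168.0.3: VPN policy and kill switch present"
```

DNS from the pinned host is still answered by the router's dnsmasq, which forwards to the 8.8.8.8/8.8.4.4 servers shown in the thread over the WAN; that is a separate leak this example does not cover.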