Most of the documentation for setting up OpenVPN suggests adding the TUN device to either the LAN or WAN firewall zone. Wouldn't it be better to set up the VPN as its own firewall zone and then configure forwarding as needed?
I'm trying to set up a site-to-site VPN allowing all the clients to communicate with each other. Most of the documentation seems geared towards running all traffic through the VPN.
It depends on the use case. If the vpn server is supposed to extend the lan, it makes sense to add it in the lan zone. If the vpn client provides internet, it makes sense to add it in the wan zone. If, however, the vpn provides internet and you also need a killswitch, then adding it in a different zone is a good idea.
Adding the vpn in the lan interface is a good idea here. However not all traffic needs to go through the vpn, only the interesting traffic.
I understand that the VPN server can be treated as being "secure" (assuming you trust everyone you give login details to) and therefore part of LAN, and a client could be LAN or WAN depending on how it's used.
The Firewall documentation seems to suggest a device shouldn't be added to a zone:
"Avoid using device if you have already defined network. Using network is preferable in general unless the interface is undeclared."
I did see something about that in the documentation (see link at bottom). I'm still not 100% sure what netifd is...
I'm going to go read the documentation of netifd again, but anything you can do to expand your answer would be appreciated.
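As an added illustration of the separate-zone approach asked about at the top of the thread, and of the device-versus-network distinction quoted from the firewall documentation: the script below (example code, not from any poster or from the OpenWrt project) emits `/etc/config/firewall` stanzas that put the tunnel in its own zone and forward only between that zone and `lan`, so nothing reaches `wan` through the tunnel unless a `vpn`-to-`wan` forwarding is added deliberately. The zone name `vpn`, the device name `tun0` and the logical interface name `vpn` are assumptions; the function takes either a `device` or a `network` reference so you can follow the documentation's advice and use `list network` once the interface is declared in `/etc/config/network`.

```shell
#!/bin/sh
# Added example (not from the thread): generate OpenWrt firewall stanzas for a
# dedicated VPN zone. Run it and redirect the output into /etc/config/firewall,
# or paste the stanzas in by hand. Names below ("vpn", "tun0") are assumptions.

# Emit the zone stanza. $1 is "device" or "network", $2 is the value.
# Per the firewall docs quoted above, prefer "network" once the interface is
# declared in /etc/config/network; "device" is for an undeclared interface.
vpn_zone() {
  kind="$1"
  ref="$2"
  case "$kind" in
    device|network) ;;
    *) echo "vpn_zone: kind must be device or network" >&2; return 1 ;;
  esac
  cat <<EOF
config zone
    option name 'vpn'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list $kind '$ref'

EOF
}

# Emit forwardings in both directions between two zones, which is what a
# site-to-site setup needs so that clients on either side can reach the other.
forward_pair() {
  cat <<EOF
config forwarding
    option src '$1'
    option dest '$2'

config forwarding
    option src '$2'
    option dest '$1'

EOF
}

# Full config for "VPN extends the LAN, but is its own zone": the tunnel talks to
# lan only. No vpn->wan forwarding is emitted, so the kill-switch-style property
# from the reply above (tunnel traffic can never leak out via wan) holds by default.
site_to_site_config() {
  vpn_zone "$1" "$2" || return 1
  forward_pair vpn lan
}

# Count how many forwardings a generated config grants to a source zone.
# Useful as a quick sanity check before copying the stanzas onto the router.
count_forwardings_from() {
  printf '%s\n' "$2" | grep -c "option src '$1'"
}

# Stand-alone usage: declared interface named "vpn" in /etc/config/network.
site_to_site_config network vpn
```

Run it as `sh gen-vpn-zone.sh > /tmp/vpn-fw.conf` and append the result to the firewall config, then `/etc/init.d/firewall restart`. If the interface is not declared in `/etc/config/network`, call `site_to_site_config device tun0` instead; either way, check with `count_forwardings_from vpn "$cfg"` that the `vpn` zone is only ever the source of a forwarding to `lan`.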