I think in addition to the above policy you need a second one to accept
all traffic destined to tun+. Put tun+ in a zone, then add that zone to the
egress-zones set. Make sure this new policy has a higher precedence
(lower priority value) than the one above.
Thanks for the insights, I'll try that. Nice that you're bringing in the fix to
v0.9.5 :)
I'm not familiar with setting the zone for a tun0 device. Currently the tun0 interface
has no zone assigned to it (not even the default). I currently run openvpn directly as
part of a script so that I can easily change the destination IP address (along with
changing the firewall just beforehand to allow only that address). I'm not that
familiar with using NetworkManager (either the GUI or the CLI client) for openvpn connections. Doing
some brief digging I've found that I can set the zone using
    nmcli connection modify tun0 connection.zone myzone
but this probably isn't the preferred approach since the tun0 device only lasts within
the openvpn session.
Should I just delve into using NetworkManager proper for the openvpn client connections,
saving the configuration (and zone setting)? Does anyone have any useful links to give an
introduction to using it (for use in scripting with changing destination IP addresses)?
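As an added example (not code from either poster), the following script puts the first reply's suggestion (a tun+ zone plus a higher-precedence accept policy) and the scripting question together. Because the zone binds the wildcard interface name tun+, every tun0/tun1 that openvpn creates later lands in it automatically, so nothing has to be done with nmcli for a device that only exists for the length of the session. The zone name vpn, the policy name vpn-out, the priority -20 and the name vpn-egress for the existing restrictive policy (the one the first reply calls "the above policy", not shown in the thread) are assumptions; the server address is a constructed documentation address.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumed names: zone "vpn",
# policy "vpn-out" (priority -20, assumed lower than your restrictive policy's
# value), and an existing restrictive policy "vpn-egress" (ingress HOST,
# egress ANY) to which the per-session server rule is added.

FWCMD="${FWCMD:-firewall-cmd}"     # set FWCMD=echo to dry-run the commands
OPENVPN="${OPENVPN:-openvpn}"

# One-time, permanent configuration: wildcard interface binding and the
# accept policy. "|| true" keeps reruns idempotent when zone/policy exist.
setup_vpn_zone_and_policy() {
    zone="$1"; policy="$2"; prio="$3"   # lower prio value = higher precedence
    "$FWCMD" --permanent --new-zone="$zone" || true
    "$FWCMD" --permanent --zone="$zone" --add-interface=tun+
    "$FWCMD" --permanent --new-policy="$policy" || true
    "$FWCMD" --permanent --policy="$policy" --add-ingress-zone=HOST
    "$FWCMD" --permanent --policy="$policy" --add-egress-zone="$zone"
    "$FWCMD" --permanent --policy="$policy" --set-target=ACCEPT
    "$FWCMD" --permanent --policy="$policy" --set-priority="$prio"
    "$FWCMD" --reload
}

# Rich rule allowing egress to exactly one server:port/proto (IPv4 only).
vpn_rich_rule() {
    printf 'rule family="ipv4" destination address="%s" port port="%s" protocol="%s" accept' \
        "$1" "$2" "$3"
}

# Per session, runtime only (no --permanent, so it never survives a reload):
# open egress to the chosen server, run openvpn, then remove the rule again.
run_openvpn_locked() {
    policy="$1"; server="$2"; port="$3"; proto="$4"; config="$5"
    rule=$(vpn_rich_rule "$server" "$port" "$proto")
    "$FWCMD" --policy="$policy" --add-rich-rule="$rule"
    rc=0
    "$OPENVPN" --config "$config" --remote "$server" "$port" "$proto" || rc=$?
    "$FWCMD" --policy="$policy" --remove-rich-rule="$rule"
    return "$rc"
}

case "${1:-}" in
    setup)   setup_vpn_zone_and_policy vpn vpn-out -20 ;;
    connect) run_openvpn_locked vpn-egress "$2" "${3:-1194}" "${4:-udp}" \
                 "${5:-/etc/openvpn/client.conf}" ;;   # 203.0.113.10 is a constructed address
esac
```

Run it once as `sh script setup` to create the permanent zone and policy, then `sh script connect 203.0.113.10 1194 udp /path/to/client.conf` per session. The per-session rule is deliberately runtime-only so that a crash or reboot leaves no stale allow entry, and it is keyed to the same address, port and protocol that are handed to openvpn with --remote. For an IPv6 server the rich rule would need family="ipv6".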