Your guest network -> VPN_FW needs forward set to accept.
The second part will be policy-based routing. According to a quick search luci-app-mwan3 should provide a GUI for this. Your guest traffic has to use VPN_FW as default route but everything else needs to use wan. luci-app-mwan3 (the LuCI part for mwan3) should be able to do this. I can try this in a few hours.
mwan3 is basically right for the job but will not work with OpenVPN because it is not handled by netifd. So you are out of luck for this part.
OpenVPN and OpenWRT/LEDE have never been good friends and in my opinion it will never change.
After re-reading the documentation I should have found a far simpler version for your requirements. It basically means creating the routes for the VPN using a script instead of letting OpenVPN do it.
Found a solution:
Remove mwan3 as it may interfere with this.
opkg remove luci-app-mwan3 mwan3
add to /etc/config/network
config route 'vpn_unreachable'
    option interface 'wan'
    option target '0.0.0.0'
    option netmask '0.0.0.0'
    option metric '20'
    option table '103'
    option type 'unreachable'

config rule
    option priority '1030'
    option in 'guest_turris'
    option dest '0.0.0.0/0'
    option lookup '103'

config rule
    option priority '1035'
    option in 'guest_turris'
    option dest '0.0.0.0/0'
    option action 'unreachable'
add to your openvpn-config
# inside the "config openvpn '<name>'" section of /etc/config/openvpn
# (in a plain .ovpn file the same options are spelled route-noexec,
#  route-up, down and script-security)
    option route_noexec '1'
    option route_up '/root/openvpn-setup-script'
    option down '/root/openvpn-setup-script'
    option script_security '2'
# script_security 2 may already be there
# up and down may also be there, but if it is update-resolv-conf then remove it.
# Setting your nameserver to the VPN one is a bad idea: inverse leak of information.
# Better set the DNS of the provider or some generic one like the Google ones on the guest interface as a custom DHCP setting.
/root/openvpn-setup-script
#!/bin/sh
# Called by OpenVPN as --route-up (script_type=route-up) and as --down.
# Needs the full iproute2 (package ip-full): the BusyBox ip applet does not
# understand route types such as "unreachable".
table="table 103"
unreachable="unreachable"
metric="metric 10"

case "$script_type" in
    route-up)
        # link is up: a real default route via the VPN gateway in table 103
        unreachable=""
        via="via $route_vpn_gateway"
        #via="via $route_vpn_gateway dev $dev"
        src="src $ifconfig_local"
        ;;
    *)
        # link is down: replace it with an unreachable default route
        via=""
        src=""
        ;;
esac

# Variables are deliberately unquoted so empty ones vanish and "table 103"
# splits into two words. The result is
#   route-up: ip route replace default via <gw> table 103 src <local> metric 10
#   down:     ip route replace unreachable default table 103 metric 10
ip route replace $unreachable default $via $table $src $metric
What it does
The rules say everything from interface guest_turris should use routing table 103 and if there is no match then the destination is unreachable. The static route does the same.
route_noexec in the openvpn-config makes OpenVPN not set up the routes for the VPN but only give them to the script. The script simply takes the default gateway and adds it to table 103. When the link goes down the script replaces this route with an unreachable one. Deleting it would also work but keeping the unreachable one around feels safer.
I made the changes but I still can't access the internet over the guest. Possibly I have a wrong config. Now the VPN also doesn't work when I do the normal LAN through VPN.
Does the /root/openvpn-setup-script need other read/write/execute rights?
root@turris:~# ls -l /root/openvpn-setup-script
-rw-r--r-- 1 root root 326 Oct 15 08:22 /root/openvpn-setup-script
warning openvpn(protonvpn)[1879]: WARNING: Failed running command (--route-up): could not execute external program
chmod a+x /root/openvpn-setup-script should help with this
If it still does not work afterwards please post the output of ip rule show
The rest seems okay.
This is expected as the script did not run and route_noexec disables automatically adding routes.
Side note for everyone using this on other OpenWRT/LEDE devices: if you do not want to lose your settings then move the script to /etc/openvpn/ and add /etc/openvpn/ to the file list in /etc/sysupgrade.conf.
I changed the permissions and rebooted. I still can't access the Internet through the guest / VPN network.
root@turris:~# ip rule show
0: from all lookup local
1030: from all iif br-guest_turris lookup 103
1035: from all iif br-guest_turris unreachable
32766: from all lookup main
32767: from all lookup default
root@turris:~# ls -l
-rwxr-xr-x 1 root root 326 Oct 15 08:22 openvpn-setup-script
It should be in the OpenWRT and LEDE wiki but it is not. It is also not fully featured. It will only work with all-or-nothing default routing to one gateway ip. If OpenVPN pushes multiple routes to different gateways it will break.
And there is some doc missing on how to set up dnsmasq to hand out a different nameserver to the guest network.
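As an added example (not code from the thread, the Turris project or OpenWrt): a route-up/down script that removes the all-or-nothing limitation just mentioned and can stand in for the single-default-route script from the solution post. It keeps the thread's table 103 and metric 10 and only uses the environment OpenVPN exports to --route-up and --down scripts (script_type, dev, ifconfig_local, route_vpn_gateway, and route_network_N / route_netmask_N / route_gateway_N for each pushed route). Every pushed route is mirrored into table 103 and turned into an unreachable route on down, so guest traffic is dropped rather than falling through to the wan default in table main. Pushed routes whose gateway is not the VPN gateway (for example net_gateway routes meant for the wan side) are skipped with a warning instead of being put into the guest table; that is a design choice of this example. The DRY_RUN=1 switch prints the ip commands instead of running them, which is also how the logic can be checked without root; like the original script it needs ip-full, because the BusyBox ip applet has no route types.

```shell
#!/bin/sh
# Added example, not from the thread: OpenVPN --route-up/--down helper that
# mirrors every pushed route into policy table 103 (the table the guest_turris
# rules look up), not only the default route.
# Environment used (exported by OpenVPN to route-up/down scripts):
#   script_type, dev, ifconfig_local, route_vpn_gateway,
#   route_network_N / route_netmask_N / route_gateway_N   (N = 1, 2, ...)
# Needs the full iproute2 (package ip-full); BusyBox ip has no route types.

TABLE="${TABLE:-103}"     # same table as the thread's /etc/config/network rules
METRIC="${METRIC:-10}"    # beats the metric-20 unreachable fallback route
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1: only print the ip commands, do not run them

# Dotted netmask -> prefix length (255.255.0.0 -> 16). Runs in a subshell so
# changing IFS stays local. Fails on a malformed or non-contiguous mask.
mask2prefix() (
    _mask=$1
    IFS=.
    set -- $_mask
    [ $# -eq 4 ] || { echo "bad netmask: $_mask" >&2; exit 1; }
    _bits=0
    _seen_gap=0
    for _octet in "$@"; do
        case "$_octet" in
            255) _add=8 ;; 254) _add=7 ;; 252) _add=6 ;; 248) _add=5 ;;
            240) _add=4 ;; 224) _add=3 ;; 192) _add=2 ;; 128) _add=1 ;;
            0)   _add=0 ;;
            *) echo "bad netmask: $_mask" >&2; exit 1 ;;
        esac
        # once a partial or zero octet appeared, every later octet must be 0
        if [ "$_seen_gap" -eq 1 ] && [ "$_add" -ne 0 ]; then
            echo "non-contiguous netmask: $_mask" >&2; exit 1
        fi
        [ "$_add" -eq 8 ] || _seen_gap=1
        _bits=$((_bits + _add))
    done
    echo "$_bits"
)

# Print the ip command and execute it unless DRY_RUN=1.
run_ip() {
    echo "ip $*"
    [ "$DRY_RUN" = 1 ] || ip "$@"
}

# Mirror the pushed routes into the policy table.
#   route-up: real routes via the VPN gateway over $dev
#   down:     the same prefixes as "unreachable" (kill switch for the guest)
apply_routes() {
    if [ "$script_type" = route-up ]; then
        run_ip route replace default via "$route_vpn_gateway" dev "$dev" \
            src "$ifconfig_local" table "$TABLE" metric "$METRIC" || return 1
    else
        run_ip route replace unreachable default table "$TABLE" metric "$METRIC" || return 1
    fi

    _n=1
    while :; do
        eval "_net=\${route_network_$_n:-}"
        [ -n "$_net" ] || break
        eval "_mask=\${route_netmask_$_n:-}"
        eval "_gw=\${route_gateway_$_n:-$route_vpn_gateway}"
        _plen=$(mask2prefix "$_mask") || return 1
        if [ "$_gw" != "$route_vpn_gateway" ]; then
            # e.g. a net_gateway route for the wan side: does not belong in the guest table
            echo "skipping $_net/$_plen via $_gw (not the VPN gateway)" >&2
        elif [ "$script_type" = route-up ]; then
            run_ip route replace "$_net/$_plen" via "$_gw" dev "$dev" \
                table "$TABLE" metric "$METRIC" || return 1
        else
            run_ip route replace unreachable "$_net/$_plen" \
                table "$TABLE" metric "$METRIC" || return 1
        fi
        _n=$((_n + 1))
    done
}

# Only act when OpenVPN invoked us (script_type is set); sourcing the file
# otherwise just defines the functions and leaves the routing table alone.
if [ -n "${script_type:-}" ]; then
    apply_routes
fi
```

Install it the same way as the thread's script (executable, referenced by route_up and down, script_security 2). Because down-side routes are written as unreachable entries with metric 10, they still take precedence over the metric-20 vpn_unreachable fallback from /etc/config/network, and a `ip route show table 103` after a VPN drop shows only unreachable entries, which is the state to verify before trusting the guest network.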