I wanted to report a configuration and documentation issue with OpenVPN. This applies to the latest FW RUT9XX_R_00.06.06.1 in my RUT950, but i guess it is valid for any RUT device using the same FW.
The issue is that the firewall zoning in the FW is expecting a specific name for the OpenVPN TUN devices: they should be called tun_*, since the devices tun0/1/2/3 are reserved for the hotspot functionality. In fact adding a clean client or server configuration via the RUTxxx GUI uses the TUN devices "tun_c_<CLIENTNAME>" and "tun_s__<SRV_NAME>" which is fine. If you end up configuring OpenVPN with tun0, you will have a hard time understanding why NOTHING works! (pings to the other end of the tunnel fail, the connection is interrupted every few minutes due to no pings received...)
One part of the problem is that you are allowed to upload your own OpenVPN config file (and the default in OpenVPN is to use tun0). There is no word about this in the Wiki documentation, while it should in fact be written with big red letters! Even better: make the FW check the OpenVPN device and reject the setup if the naming is wrong.
The second problem I hit, is that if you first configure your OpenVPN client by uploading your own config file, and then switch back to the assisted GUI configuration, the configuration will still use "tun0" as device! No clue how or why it happens, but i ended up with tun0 having configured my client via the GUI form. I had to _delete_ the client, and add a new one to get the default device naming tun_c_XXXX! This should be fixed in the FW, IMHO.
I am obviously not the only one hitting this, see also e.g. the question 12603/openvpn-firewall