-config redirect
-option name ssh
-option src wan
-#uncomment the 2 lines for security of using a non-standard port
-# and comment out the 22 port line
-# option src_dport 63321
-option src_dport 22
-option dest_ip 192.168.1.2
-option dest lan
-# option dest_port 22 # already default
+# # from https://wiki.openwrt.org/doc/uci/firewall
+# # todo: not sure if /etc/init.d/network needs restarting.
+# # I did, and I had to restart the vpn afterwards.
+# # This maps a uci interface to a real interface which is
+# # managed outside of uci.
+# v cedit /etc/config/network <<'EOF' ||:
+# config interface 'tun0'
+# option ifname 'tun0'
+# option proto 'none'
+# EOF
+# v cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
+# config openvpn my_client_config
+# option enabled 1
+# option config /etc/openvpn/client.conf
+# EOF