-# default is 250, but my switch wants a high static address by default,
-# and I don't need that many, so lets just reduce it.
-sed -ri 's/^(.*option limit ).*/\1100/' /etc/config/dhcp
+v /etc/init.d/openvpn start
+v /etc/init.d/openvpn enable
+
+
+# setup to use only vpn in 5 ways:
+# set lan forward to vpn instead of wan,
+# disable wan masquerade,
+# set the default for outgoing to reject,
+# open wan port 1194 and 22 (ssh is too useful),
+# setup port forwardings to use vpn.
+firewall_restart=false
+# https://wiki.openwrt.org/doc/uci
+if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then
+ # default is wan
+ # https://wiki.openwrt.org/doc/uci
+ v uci set firewall.@forwarding[0].dest=vpn
+ uci commit firewall
+ firewall_restart=true
+fi
+
+wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
+w="firewall.@zone[$wan_index]"
+if [[ $(uci get $w.masq) == 1 ]]; then
+ v uci set $w.masq=0
+ uci commit firewall
+ firewall_restart=true
+fi
+
+if [[ $(uci get $w.output) != REJECT ]]; then
+ v uci set $w.masq=REJECT
+ uci commit firewall
+ firewall_restart=true
+fi
+
+if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then
+ # default is wan
+ v uci set uci set firewall.@forwarding[0].dest=vpn
+ uci commit firewall
+ firewall_restart=true
+fi
+
+
+# from https://wiki.openwrt.org/doc/uci/firewall
+# todo: not sure if /etc/init.d/network needs restarting.
+# I did, and I had to restart the vpn afterwards.
+# This maps a uci interface to a real interface which is
+# managed outside of uci.
+cedit /etc/config/network <<'EOF' ||:
+config interface 'tun0'
+ option ifname 'tun0'
+ option proto 'none'
+EOF
+
+
+
+# each port forward needs corresponding forward in the vpn server
+cedit /etc/config/firewall <<'EOF' || firewall_restart=true
+config zone
+ option name vpn
+ list network 'tun0'
+ option input REJECT
+ option output ACCEPT
+ option forward REJECT
+ option masq 1
+
+config rule
+ option dest wan
+ option target ACCEPT
+ option dest_port '1194 22'